PERSONAL DATA PROCESSING POLICY

 

1. Identity and contact details of the Controller(s) processing personal data and the contact details of the Data Protection Officer

1.1. Personal data will be processed by ECHINOX CAPITAL MARKETS S.R.L., headquartered at Strada Buzesti no. 82-94, 6th floor, Sector 1, Bucharest, J40/15772/2016, VAT no. 36793489, tel. +4 021 310 3100, email: gdprecm@cwechinox.com.

1.2. The contact details of the Data Protection Officer, if one has been appointed, can also be found on the website www.cwechinox.com.

2. Purpose(s) of the processing – Compatible Purposes; Data Subjects; Personal Data

Purpose(s) of the processing – Compatible Purposes

2.1. The Controller will process personal data(“personal data”) of the individual client who wishes the Controller to provide various (intermediation) services, mainly in the real estate sector (referred to in this policy as the “client” or “data subject”) for any purposes necessary to take steps at the client’s request before concluding a contract with the Controller and/or to perform a contract to which the client is party, as applicable, including, without limitation, any actions to connect the client with third parties (with whom the client wishes to enter into contracts) in order for the client to conclude contracts with them, as well as any compatible, related, and associated purposes.

2.2. The Controller will also process personal data (“personal data”) of any natural person (hereinafter referred to as the “data subject” or “data subject from the Partner”) about whom it becomes aware in connection with any person entering into/is in a legal relationship with the Controller (referred to as the “Partner”), regardless of whether the data is provided (fully or partially) by the data subject from the Partner and/or by the Partner, for the purpose of taking steps to establish a legal relationship between the Controller and the Partner (e.g., taking actions to conclude a contract between the Controller and the Partner, including contacting the data subject from the Partner for this purpose, even if the data subject is involved on behalf of the Partner) and/or for the performance of a legal relationship (e.g., contract) between the Controller and the Partner (including if the data subject is involved in this regard on behalf of the Partner), as applicable.

2.3. The Controller will process personal data of the data subject for any other purposes for which the data subject has given their unambiguous consent, as well as any compatible, related, and associated purposes.

2.4. The Controller may also process the data subject’s personal data in any case where processing is necessary for the purposes of the legitimate interests pursued by the Controller or a third party, where such legitimate interests exist, except where those interests are overridden by the data subject’s fundamental rights and freedoms which require personal data protection.

2.5. The Controller will process the data subject’s personal data whenever necessary to comply with legal obligations applicable to the Controller.

2.6. The Controller will only process personal data of the data subject that is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

2.7. Personal data will be collected, recorded, organized, structured, stored, consulted, used, and disclosed by transmission.

2.8. The Controller may process personal data for any compatible, related, and associated purposes, including the compatible, related, and associated purpose of contacting the data subject to confirm and/or update their personal data.

2.9. Data Subjects

2.9.1. Data subjects may include clients and data subjects from the Partner.

2.9.2. Clients are potential and/or existing individual clients who wish to receive various (intermediation) services, primarily in the real estate field.

2.9.3. By way of example, data subjects from the Partner may include, as applicable but not limited to: i) representatives and/or contact persons of the Partners for the purpose of fulfilling any of the previously mentioned purposes; ii) any persons whose personal data is mentioned in documents and/or information provided by the Partners and/or other persons for the Partners, including but not limited to those provided by the data subjects themselves.

2.10. Personal Data

2.10.1. The personal data provided and processed for contact persons from the Partner will mainly be the contact details (provided) of the data subject from the Partner (e.g., name, surname, position, email, phone). For other data subjects from the Partner whose data is provided, all personal data mentioned in the documents and/or information provided by the Partners and/or by other persons for the Partners will be processed, including without limitation data provided by the data subjects from the Partner (e.g., name, surname, address, personal identification number, etc.).

2.10.2. The personal data of clients that will be processed by the Controller are the data provided by the clients, including but not limited to the civil status data in identity documents, in accordance with the legal regulations in force, as well as any other data provided by the clients for the purpose of concluding and/or performing the contract with the Controller and/or third parties.

3. Legal Grounds for Processing

The legal grounds for the processing are/may be, as applicable, Article 6(1)(a), (c), and (f) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (referred to in this policy as the “Regulation” or “GDPR”), namely:

(a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract;
…
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
…
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

4. Recipients or Categories of Recipients of the Personal Data

The recipients to whom the personal data of the data subject may be disclosed and transmitted, as applicable, include all those to whom the data must be sent for the fulfillment of the aforementioned purposes and include, as applicable:
a) competent authorities and institutions;
b) employees and/or representatives and/or subcontractors and/or other collaborators of the Controller involved in taking steps to establish a legal relationship between the Controller and the data subject/Partner and/or the performance of a legal relationship and/or compliance with any legal obligations in connection therewith, as applicable;
c) third parties with whom the data subject wishes to conclude a contract;
d) other persons providing services for the performance of the contract between the Controller and the data subject/Partner and/or for compliance with legal obligations.

5. Transfer of Personal Data to a Third Country

5.1. Currently, no personal data is transferred to a third country.

5.2. A potential transfer or set of transfers of personal data to a third country or international organization may take place under one of the following conditions:
(a) the data subject has explicitly consented to the proposed transfer after being informed of the possible risks due to the absence of an adequacy decision and appropriate safeguards;
(b) the transfer is necessary for the performance of a contract between the data subject and the Controller or to implement pre-contractual measures taken at the data subject’s request;
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the Controller and another person;
(d) there is an adequacy decision or appropriate safeguards according to the Regulation;
(e) any other situation permitted by applicable legal regulations.

6. Storage Period for Personal Data / Criteria for Determining This Period

6.1. Personal data of data subjects from the Partner will be stored by the Controller for the entire period of taking steps to establish a legal relationship between the Controller and the Partner (e.g., steps for concluding a contract, including contacting the data subject), and/or during the performance of the legal relationship and/or for fulfilling legal obligations in this regard, and until the expiry of the statute of limitations for recovering any debts from the Partner, but not less than the period required by applicable legal regulations.

6.2. Personal data of clients will be stored for the entire duration of taking steps to conclude/perform/validate the contract with the data subject, including any statute of limitations for debt recovery and as long as necessary under applicable laws (e.g., for tax, legal archiving, or anti-money laundering obligations).

6.3. If data was also collected for other purposes or legal grounds, personal data will continue to be stored according to the longer applicable period.

7. Obligation to Provide Personal Data and Possible Consequences of Non-Compliance. Updating Personal Data

7.1. Obligation to Provide Personal Data of Data Subjects from the Partner and Consequences of Non-Compliance. Updating Personal Data
Providing personal data of the data subjects from the Partner is not a contractual or legal obligation or necessary for concluding/performing a contract with the Partner, unless the data is collected for other legal grounds or required for the legal relationship with the Partner and/or for compliance with legal obligations. In these cases, providing data is mandatory.

Failure to provide and/or update data may result in the inability to take steps to establish or perform the legal relationship with the Partner and/or to fulfill legal obligations.

If your (contact) data has changed since it was last provided and/or you wish to update it, please send a request through any communication channel, including the email in point 1.

7.2. Obligation to Provide Personal Data of Clients and Consequences of Non-Compliance. Updating Personal Data
Providing personal data of clients is not a contractual or legal obligation or necessary for concluding/performing a contract, except when data is collected for other legal grounds or required for establishing/performing legal relations or fulfilling legal obligations. In such cases, the data subject must provide the data.

Refusal to provide personal data for concluding/performing the contract and/or legal obligations or legitimate interests will result in the inability to fulfill these objectives, including contract conclusion with third parties.

If no other data is provided beyond what’s mentioned above, the consequence is that the intended data processing purposes cannot be fulfilled.

8. Right of Access of the Data Subject

8.1. The data subject has the right to obtain from the Controller confirmation whether or not personal data concerning them is being processed and, if so, access to the data and the following information:

(a) purposes of the processing;
(b) categories of personal data concerned;
(c) recipients or categories of recipients to whom the data has been or will be disclosed, particularly third countries or international organizations;
(d) where possible, the envisaged storage period or, if not possible, the criteria used to determine that period;
(e) the right to request rectification or erasure or restriction of processing or to object to processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) if the data was not collected from the data subject, any available information on the source;
(h) the existence of automated decision-making, including profiling, and meaningful information about the logic involved, significance, and consequences for the data subject.

8.2. If personal data is transferred to a third country or international organization, the data subject has the right to be informed about appropriate safeguards regarding the transfer.

8.3. The Controller provides a copy of the personal data undergoing processing. For any additional copies requested, a reasonable fee based on administrative costs may be charged. If the request is made electronically, and unless otherwise requested, the information will be provided in a commonly used electronic format.

8.4. The right to obtain a copy shall not adversely affect the rights and freedoms of others.

9. Right to Rectification

The data subject has the right to obtain from the Controller, without undue delay, the rectification of inaccurate personal data concerning them. Considering the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by providing a supplementary statement.

10. Right to Erasure (“Right to be Forgotten”)

10.1. The data subject has the right to obtain from the Controller the erasure of personal data concerning them without undue delay, and the Controller has the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
(c) the data subject objects to the processing and there are no overriding legitimate grounds or the data subject objects to processing for direct marketing purposes;
(d) the personal data has been unlawfully processed;
(e) the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
(f) the personal data has been collected in relation to the offer of information society services to a child, under the Regulation.

10.2. If the Controller has made personal data public and is obliged to erase it, the Controller, taking account of available technology and implementation cost, shall take reasonable steps, including technical measures, to inform other controllers processing the data that the data subject has requested erasure of any links to, or copies or replications of, that data.

10.3. Points 10.1. and 10.2. do not apply to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority;
(c) for reasons of public interest in the area of public health;
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, to the extent that the right to erasure would likely render impossible or seriously impair the achievement of the processing objectives;
(e) for the establishment, exercise or defense of legal claims.

11. Right to Restriction of Processing

11.1. The data subject has the right to obtain from the Controller restriction of processing in the case of one of the following:
(a) the data subject contests the accuracy of the personal data, for a period enabling the Controller to verify the accuracy of the personal data;

(b) the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

(c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; or

(d) the data subject has objected to processing on grounds relating to their particular situation, pursuant to the Regulation, pending the verification whether the legitimate grounds of the Controller override those of the data subject.

11.2. Where processing has been restricted pursuant to paragraph 11.1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.

11.3. A data subject who has obtained restriction of processing pursuant to paragraph 11.1 shall be informed by the Controller before the restriction of processing is lifted.

 

12. Obligation to Notify Regarding Rectification or Erasure of Personal Data or Restriction of Processing

The Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with points 9, 10.1, and 11 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Controller shall inform the data subject about those recipients if the data subject requests it.
 

13. Right to Data Portability

13.1. The data subject has the right to receive the personal data concerning them, which they have provided to the Controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(a) the processing is based on consent or on a contract; and

(b) the processing is carried out by automated means.

13.2. In exercising their right to data portability pursuant to point 13.1, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.

13.3. The exercise of the right referred to in point 13.1 shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.

13.4. The right referred to in point 13.1 shall not adversely affect the rights and freedoms of others.

 

14. Right to Object

14.1. At any time, the data subject has the right to object, on grounds relating to their particular situation, to processing of personal data concerning them which is based on legitimate interests pursued by the Controller or by a third party, including profiling based on those provisions. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
14.2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning them for such marketing, including profiling to the extent that it is related to such direct marketing.

14.3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. Where the data subject opts for the processing of personal data for direct marketing separately and independently of any other action, including by activating any opt-in button concerning the processing of personal data for direct marketing purposes, the last personal data provided in any manner shall be processed for direct marketing purposes.

14.4. At the latest at the time of the first communication with the data subject, the right referred to in points 14.1 and 14.2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

14.5. In the context of the use of information society services and notwithstanding Directive 2002/58/EC, the data subject may exercise their right to object by automated means using technical specifications.

14.6. Where personal data are processed for scientific or historical research purposes or statistical purposes in accordance with the Regulation, the data subject, on grounds relating to their particular situation, shall have the right to object to the processing of personal data concerning them unless the processing is necessary for the performance of a task carried out for reasons of public interest.

15. Right related to automated individual decision-making, including profiling

15.1. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
15.2. Point 15.1 does not apply where the decision:

(a) is necessary for entering into or performance of a contract between the data subject and a data controller;

(b) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests; or

(c) is based on the data subject’s explicit consent.

15.3. In the cases referred to in point 15.2 (a) and (c), the data controller implements suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests, at least the right to obtain human intervention from the controller, to express their point of view, and to contest the decision.

 

16. Right to lodge a complaint with a supervisory authority

16.1. Without prejudice to any other administrative or judicial remedy, any data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if the data subject considers that the processing of personal data relating to them infringes the Regulation.
16.2. The supervisory authority with which the complaint has been lodged shall inform the complainant about the progress and outcome of the complaint, including the possibility of a judicial remedy under Article 17.

 

17. Right to an effective judicial remedy against a supervisory authority

17.1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
17.2. Without prejudice to any other administrative or non-judicial remedy, each data subject has the right to an effective judicial remedy where the supervisory authority competent under the Regulation does not handle a complaint or inform the data subject within three months about the progress or outcome of the complaint lodged pursuant to Article 16.

17.3. Actions against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.

17.4. Where actions are brought against a decision of a supervisory authority preceded by an opinion or decision of the committee within the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.

 

18. Right to an effective judicial remedy against a controller or processor

18.1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority under the Regulation, every data subject has the right to an effective judicial remedy where they consider that their rights under the Regulation have been infringed as a result of the processing of their personal data in non-compliance with the Regulation.
18.2. Actions against a controller or processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such action may be brought before the courts of the Member State where the data subject has their habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

 

19. Representation of data subjects

19.1. The data subject has the right to mandate a body, organization, or association without profit-making purpose, duly constituted under national law, whose statutory objectives are in the public interest and which is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data, to lodge the complaint on their behalf, to exercise the rights referred to in Articles 16, 17, and 18 on their behalf, as well as to exercise the right to receive compensation mentioned in the Regulation on behalf of the data subject, if provided for by national law.
19.2. Member States may provide that any body, organization, or association referred to in point 19.1 of this Article, independently of a data subject’s mandate, has the right to lodge a complaint with the supervisory authority competent under Article 16 in the Member State concerned and to exercise the rights referred to in Articles 17 and 18 where it considers that the rights of a data subject under the Regulation have been infringed as a result of processing.

 

20. Right to compensation and liability

20.1. Any person who has suffered material or non-material damage as a result of an infringement of the Regulation has the right to receive compensation from the controller or processor for the damage suffered.
20.2. Any controller involved in the processing operations shall be liable for the damage caused by processing which infringes the Regulation. The processor shall be liable for the damage caused by processing only where it has not complied with obligations of the Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

20.3. The controller or processor shall be exempt from liability pursuant to point 20.2 if it proves that it is not responsible for the event giving rise to the damage.

20.4. Where more than one controller or more than one processor or a controller and a processor are involved in the same processing operation and are liable pursuant to points 20.2 and 20.3 for the damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.

20.5. Where a controller or processor has paid full compensation for the damage in accordance with point 20.4, the controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing operation the respective proportionate part of the compensation corresponding to their share of responsibility for the damage, in accordance with the conditions set out in point 18.2.

20.6. Actions to exercise the right to claim compensation shall be brought before the courts competent under the law of the Member State referred to in point 18.2.

21. Right to Withdraw Consent

When the processing is based on: i) the data subject’s consent given for the processing of their personal data for one or more specific purposes; or ii) the data subject’s consent given for the processing of certain special categories of personal data for one or more specific purposes, except where Union or national law provides that the prohibition on processing special categories of personal data cannot be lifted by the data subject’s consent, the data subject has the right to withdraw their consent at any time, without affecting the lawfulness of the processing carried out based on the consent before its withdrawal; For the avoidance of doubt, withdrawal of consent does not affect the processing of personal data on other grounds.

 

22. (General) Right to Information

Data subjects have the right to receive certain information regarding the processing of their personal data:
22.1. Information to be provided to the data subject when personal data are collected from the data subject

22.1.1. Where personal data relating to a data subject are collected from the data subject, the Controller, at the time of obtaining such personal data, provides the data subject, usually through a policy/information notice, with all of the following information: a) the identity and contact details of the Controller and, if applicable, of the Controller’s representative; b) the contact details of the data protection officer, if applicable; c) the purposes for which the personal data are processed, as well as the legal basis for the processing; d) the recipients or categories of recipients of the personal data; e) where applicable, the Controller’s intention to transfer personal data to a third country or an international organization and the existence or absence of a Commission adequacy decision or reference to appropriate or suitable safeguards and the means to obtain a copy of them, if made available, as applicable; f) the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period; g) the existence of the right to request from the Controller, concerning personal data relating to the data subject, access to, rectification or erasure of the data, or restriction of processing, or the right to object to processing, as well as the right to data portability; h) the existence of the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal; i) the right to lodge a complaint with a supervisory authority; j) the existence of automated decision-making including profiling, and at least in those cases, meaningful information about the logic involved and the significance and envisaged consequences of such processing for the data subject.

22.1.2. Where the Controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the Controller shall provide the data subject, prior to that further processing, information on that other purpose and any relevant further information, in accordance with points f)–j) of 22.1.1.

22.1.3. The provisions of 22.1.1. and 22.1.2. do not apply if and to the extent that the data subject already has the information.

22.2. Information to be provided to the data subject when personal data have not been obtained from the data subject

22.2.1. Where personal data relating to a data subject have not been obtained from the data subject, the Controller shall provide the data subject, usually through a policy/information notice, with all of the following information: a) the identity and contact details of the Controller and, if applicable, of the Controller’s representative; b) the contact details of the data protection officer, if applicable; c) the purposes for which the personal data are processed, as well as the legal basis for the processing; d) the categories of personal data concerned; e) the recipients or categories of recipients of the personal data; f) where applicable, the Controller’s intention to transfer personal data to a third country or an international organization and the existence or absence of a Commission adequacy decision or reference to appropriate or suitable safeguards and the means to obtain a copy of them, if made available, as applicable; g) the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period; h) the existence of the right to request from the Controller, concerning personal data relating to the data subject, access to, rectification or erasure of the data, or restriction of processing, or the right to object to processing, as well as the right to data portability; i) the existence of the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal; j) the right to lodge a complaint with a supervisory authority; k) the source from which the personal data originate and, if applicable, whether it came from publicly accessible sources; l) the existence of automated decision-making including profiling, and at least in those cases, meaningful information about the logic involved and the significance and envisaged consequences of such processing for the data subject.

22.2.2. The Controller shall provide the information referred to in 22.2.1: a) within a reasonable period after obtaining the personal data, but no later than one month, taking into account the specific circumstances in which the personal data are processed; b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to the data subject; or c) if disclosure of the personal data to another recipient is intended, at the latest when the personal data are first disclosed.

22.2.3. Where the Controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the Controller shall provide the data subject, prior to that further processing, information on that other purpose and any relevant further information, in accordance with points g)–l) of 22.2.1.

22.2.4. The provisions of 22.2.1. do not apply if and to the extent that: a) the data subject already has the information; b) provision of such information proves impossible or would involve disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, or to the extent that the obligation referred to in points a)–g) of article 22.2.1. is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases, the Controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including making the information publicly available; c) obtaining or disclosure is expressly laid down by Union or national law to which the Controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or d) where personal data must remain confidential under a statutory obligation of professional secrecy regulated by Union or national law, including a legal obligation to secrecy.

22.3. Information to be provided to data subjects under Articles 22.1 and 22.2 may be provided in combination with standardized icons to give in a concise, transparent, intelligible and easily accessible form, using clear and plain language, a meaningful overview of the intended processing. Where icons are provided in electronic form, they shall be machine-readable.

 

23. Right to be Informed about Personal Data Security Breach

23.1. Where a personal data security breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall inform the data subject without undue delay about the breach.
The information provided to the data subject shall include a description, in clear and plain language, of the nature of the personal data security breach, as well as at least the information and measures regarding:

1. i) the name and contact details of the data protection officer or another contact point where more information can be obtained;
2. ii) a description of the likely consequences of the personal data security breach;

iii) a description of the measures taken or proposed to be taken by the Company to address the personal data security breach, including, where appropriate, measures to mitigate its possible adverse effects;
23.2. The information to the data subject mentioned above is not required if any of the following conditions are met:

1. a) The Controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data security breach, in particular measures that render the personal data unintelligible to any person who is not authorized to access them, such as encryption;
2. b) The Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
3. c) It would involve disproportionate effort. In such a case, a public communication or similar measure whereby the data subjects are informed in an equally effective manner is made instead;

Where the Controller has not already communicated the personal data security breach to the data subject, the supervisory authority, after considering the likelihood of the personal data security breach resulting in a high risk, may require the Controller to do so or may decide that any of the above conditions are met.
 

24. Miscellaneous Clauses

24.1. The data subject has all the rights provided by this policy as well as any other rights provided by the applicable mandatory legal regulations concerning the processing of personal data.

24.2. The rights mentioned in this policy may be exercised according to this policy, the Regulation, and any other applicable legal regulations in force.

24.3. Any requests and/or applications submitted by the data subject to the Controller for exercising any of these rights may be made in writing and delivered or sent to the Controller’s registered office, including by registered letter, and/or by email to the Controller’s email address mentioned in point 1 of this policy, and/or by any other means provided/allowed by the applicable legal regulations. Request forms may be obtained from the Company.

24.4. The data subject may request, according to the above, and if applicable, obtain free of charge, in particular, access to personal data, as well as rectification or deletion thereof, restriction of processing, data portability, exercising the right to object, as well as the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects them, including regarding personal data security breaches.

24.5. Terms used in this policy shall have the meaning defined in the Regulation unless otherwise expressly indicated by the context.