I.

SUBJECT. DEFINITIONS.

1.1. These General Terms and Conditions set out the procedure and rules for the protection of individuals, customers and employees of BOHEMI HOMES Ltd, UIC 206601999, in relation to the processing of their personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), referred to in these General Terms and Conditions as "Regulations" in connection with the establishment, performance and termination of contractual relations of these individuals with BOHEMI HOME Ltd.

1.2. For the purposes of these Terms and Conditions:

1.2.1. "data subject" - an identifiable natural person;

1.2.2. "personal data" - any information relating to an identified natural person or a natural person who can be identified directly or indirectly, such as by an identifier: name, identification number, location data, online identifier, or by other means pursuant to Article 4(1) of the Regulation;

1.2.3. "processing" - any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

1.2.4. "restriction of processing" - marking of stored personal data in order to restrict its processing in the future;

1.2.5. "pseudonymization" - the processing of personal data in such a way that the personal data can no longer be linked to a specific data subject without the use of additional information, provided that it is kept separately and is subject to technical and organisational measures to ensure that the personal data are not linked to an identified natural person or to an identifiable natural person;

1.2.6. "Profiling" means any form of automated processing of personal data consisting in the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the performance of that natural person's professional duties, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

1.2.7. "personal data register" - any structured set of personal data which is accessed according to certain criteria, whether centralised, decentralised or distributed according to a functional or geographical principle;

1.2.8. "administrator" - a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its determination may be laid down in Union or Member State law.

The controller of personal data under these GTC is "BOHEMI HOMES" Ltd, hereinafter referred to as "the Company", UIC 206601999, with registered office and registered address. Plovdiv str. "Stefan Stambolov" № 56, represented by the manager Mladen Stoyanov Nastanliev, Tel: 0897474710; e-mail: bohemihomes@abv.bg;

Data Protection Officers of

"BOHEMI HOMES" Ltd., are the following persons:

Mladen Stoyanov Nastanliev, address. Plovdiv ul. "Stefan Stambolov"

№ 56, tel. : 0897474710;

1.2.9. "personal data processor" - an individual appointed specifically for the purpose of storing and controlling the processing of personal customer data;

1.2.10. "recipient" - a natural person, an employee of the controller, to whom personal customer data is disclosed;

1.2.11. "third party" - a natural or legal person, a public authority, an agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are entitled to process the personal data;

1.2.12. "consent of the data subject" - any freely given, specific, informed and unambiguous indication of the data subject's wishes, by means of a statement or a clear affirmative action, which indicates his or her consent to the processing of personal data relating to him or her;

1.2.13. "personal data breach" - a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that is transmitted, stored or otherwise processed.

II. GENERAL RULES FOR PROCESSING PERSONAL DATA.

2.1. The provision of personal data by the subject is a mandatory condition for the conclusion of a contract between him and the Company. If the subject is unwilling to provide the Company with his personal data, the Company shall be entitled to refuse to conclude a contract.

2.2. The Company has the right to process the following personal data:

2.2.1. The main categories of personal data:

(a) names, personal identification number/substitute identification of alien, identity document/passport number;

(b) permanent and current address, if different from the above - correspondence address;

(c) banking information, including: bank name, IBAN, BIC, account holder;

(d) signature;

(e) a telephone number for feedback;

(f) e-mail address.

2.2.2. Data arising from the subject of the contract with the company:

(a) gender, age, nationality, occupation/qualification, length of service;

b) property and ownership, banking, credit, commercial, bond or other legal relationships that are relevant to the order awarded to the Company pursuant to the contract concluded between the parties.

c) special categories of personal data within the meaning of Article 9 of the Regulation - data on the state of health that are relevant to the order assigned to the Company under the contract concluded between the parties;

2.2.3. Additional data:

a) video recording when visiting the Company's office network;

b) correspondence, letters, complaints, requests, complaints and other feedback we receive from you;

(c) a customer number, code or similar identifier.

Profiling

2.3. If the conclusion or the parameters of a particular contract are determined solely on the basis of automated processing of personal data, this circumstance shall be disclosed immediately /within 24 (twenty-four) hours/ to the data subject in order to acquaint him/her with the nature and logic of the algorithms used.

2.4. The processing of personal data is carried out by the Company for the purpose of fulfilling the obligations under the contracts concluded between the Company and the data subject.

2.5. The main legitimate interests for which the Company processes the personal data provided by the subject are as follows:

2.5.1. To carry out in the best possible way the order assigned to the Company pursuant to the contract concluded with the subject, by preparing an individualized and adequate proposal for the purchase, respectively sale and/or lease/rental of the relevant real estate;

2.5.2. In order to provide a high quality and timely service, the Company may share the personal data provided by the subject with other organizations - banks (for the execution of payment orders), lawyers, attorneys, notaries, property valuation companies or other service providers;

2.5.3. To achieve certain internal administrative purposes of the Company, the Company may provide the subject's personal data to archiving companies, technology companies providing IT support, courier service providers, and other service providers that maintain high standards of information security and confidentiality;

2.5.4. For the purpose of exercising the right of defence where the rights and legitimate interests of the Company have been infringed, including by taking enforcement action.

2.6. Where the processing of personal data is carried out for purposes other than those for which it was originally collected, the subject's further consent is not necessary, provided that the controller has taken into account:

2.6.1. any link between the purposes for which the personal data were collected and the purposes of the intended further processing;

2.6.2. the context in which the personal data were collected, in particular in relation to the relationship between the data subject and the controller;

2.6.3. the nature of the personal data;

2.6.4. the possible consequences of the envisaged further processing for the data subjects;

2.6.5. the existence of appropriate safeguards, which may include encryption or pseudonymisation.

2.7 Personal Data within the meaning of these Terms and Conditions should:

2.7.1. are processed lawfully, fairly and in a transparent manner in relation to the data subject;

2.7.2. are collected for specific, explicit and legitimate purposes and are not further processed in a manner incompatible with those purposes;

2.7.3. are appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

2.7.4. are accurate and kept up to date where necessary; all reasonable steps must be taken to ensure that inaccurate personal data is erased or rectified in a timely manner, taking into account the purposes for which it is processed;

2.7.5. shall be kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the personal data are processed;

2.7.6. are processed in a manner that ensures an adequate level of security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by implementing appropriate technical or organisational measures.

2.8. The Company, as a personal data controller, has the right to provide personal data in the following persons:

2.8.1. Processors of personal data. The processors of personal data are persons used by the Company for the proper performance of contractual and/or regulatory obligations, most commonly: courier service providers; licensed security service providers; insurance agents; providers of information systems implementation and/or maintenance services, who sometimes need to have access to personal data processed in the relevant systems for the purposes of the provision of a service by the Company; law firms, accountancy firms or other providers of consul

2.8.2. Joint controllers of personal data. This category includes: real estate brokers; commercial banks; law and accounting firms, etc.

2.8.3. Competent state authorities. In the performance of their functions, the following authorities shall have the power to carry out inspections and to require the Company to provide documents and information, including personal data: the Consumer Protection Commission, the Personal Data Protection Commission, the National Revenue Agency, the National Social Security Institute, judicial authorities, the Ministry of the Interior and others.

III. TIME LIMIT FOR PROCESSING PERSONAL DATA.

3.1. The personal data provided shall be stored for the duration of the contract concluded between the parties and for 5 years after termination of the contract. If there is a legal obligation to store the collected personal data for a longer period than that specified in the preceding sentence, the Company shall be entitled to store the personal data for the relevant statutory period.

3.2. In the event that the Company decides to process the personal data for a purpose other than that for which it was collected, it shall provide the data subject prior to such further processing with information about such other purpose and any other necessary information in this respect.

IV. FORM OF CONSENT FOR PROCESSING PERSONAL DATA. RIGHT TO WITHDRAW CONSENT.

4.1. The processing of personal data shall be carried out on the basis of consent given by the data subject in the form of a written declaration (Annex 1).

Withdrawal of consent

4.2 The data subject shall have the right to withdraw his or her consent at any time, without prejudice to the validity of the processing prior to withdrawal. The withdrawal shall be made by written application (Annex 2)submitted in person by the data subject and addressed to the controller, which may concern all or part of the personal data provided. In the event of withdrawal, the controller shall have the right to unilaterally terminate the contract concluded with the data subject in respect of which the personal data are processed.

V. RIGHTS AND OBLIGATIONS OF THE CONTROLLER IN RELATION TO THE PROCESSING OF PERSONAL DATA.

5.1. The data controller shall take the necessary technical and organisational measures to protect the data against accidental or unlawful destruction or accidental loss, against unauthorised access, alteration or dissemination and against other unlawful forms of processing. For this purpose, the controller shall adopt internal rules of conduct and instructions regarding the receipt and processing of personal data to ensure compliance with national and European legislation in this respect. The controller shall put in place appropriate technical and organisational measures to ensure that only personal data necessary for each specific purpose are processed. This obligation relates to the volume of personal data collected, the extent of processing, the period of retention and their accessibility.

5.2. The controller shall process the personal customer data through specially designated employee(s), ensuring that appropriate technical and organisational measures are implemented in such a way that the processing ensures the protection of the rights of data subjects. The processor, the recipients and any person acting under the authority of the controller or the processor who has access to the personal data shall process such data only in accordance with the adopted internal rules of conduct and instructions referred to above.

5.3. In the event of a personal data breach, the controller shall, without undue delay and where practicable not later than 72 hours after becoming aware of it, notify the personal data breach to the Commission for Personal Data Protection, unless the personal data breach is likely to pose a risk to the rights and freedoms of natural persons.

5.4 Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, without undue delay, notify the data subject of the personal data breach. The communication to the data subject shall describe, in clear and plain language, the nature of the personal data breach and shall indicate at least the information and measures taken by the controller.

5.5 No communication shall be sent to the data subject if one of the following conditions applies:

5.5.1. the controller has taken appropriate technical and organisational measures for prevention and those measures have been implemented in relation to the personal data affected by the personal data breach, in particular measures that render the personal data unintelligible to any person not authorised to access it, such as encryption;

5.5.2. the controller has subsequently taken measures to ensure that the high risk to the rights and freedoms of those concerned is no longer likely to materialise;

5.5.3. this would lead to a disproportionate effort. In such a case, a public announcement shall be made or other similar measure taken so that data subjects are equally effectively informed.

VI. RIGHTS OF SUBJECTS IN RELATION TO THE PROCESSING OF THEIR PERSONAL DATA.

Right of access

6.1. Every natural person - customer or employee has the right to access personal data concerning him/her. The right of access shall be exercised by submitting a written application to the personal data controller. In cases where, in exercising the right of access, the personal data of the individual may also be disclosed to a third party, the controller shall provide the individual concerned with access to the part of the personal data relating only to him or her. In exercising his or her right of access, the natural person shall have the right at any time to request the controller:

(a) confirmation of whether data relating to him or her are being processed, information about the purposes of that processing, the categories of data and the recipients or categories of recipients to whom the data are disclosed;

(b) a communication to him in an intelligible form containing his personal data being processed and any available information about their source;

6.1.1. The data controller shall provide the information free of charge. In the event of the death of the natural person, his rights shall be exercised by his heirs, the application under point 7.1. being accompanied by certificate of heirs. The right may also be exercised by a proxy through an attached notarized power of attorney. The information may be provided in the form of an oral or written reference or a review of the data by the individual concerned or by another person expressly authorised by him. The natural person may request a copy of the personal data processed in a preferred medium or provision by electronic means, except where prohibited by law.

6.1.2. The controller shall refuse full or partial access to personal data of the person to whom they relate where:

(a) they do not exist or their provision is prohibited by law;

(b) a danger to defence or national security or to the protection of classified information would arise therefrom and this is provided for in a special law;

(c) it would interfere with the prevention or detection of criminal offences, the conduct of criminal proceedings or the execution of penalties;

(d) it is necessary for the protection of national security, public policy and the data subject.

Right of rectification

6.2. The data subject shall have the right to have inaccurate personal data concerning him or her rectified by the controller without undue delay. Having regard to the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by adding a declaration.

Delete

6.3. The data subject shall have the right to request the controller to erase personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

6.3.1. the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;

6.3.2. the data subject withdraws his or her consent on which the processing of the data was based prior to the withdrawal of consent;

6.3.3. the data subject objects to the processing and there are no legitimate grounds for the processing which override;

6.3.4. the personal data have been unlawfully processed;

6.3.5. personal data must be erased in order to comply with a legal obligation under international or national law;

6.3.6. Deletion may not be requested to the extent that processing is necessary:

(a) to exercise the right to freedom of expression and the right to information;

(b) for compliance with a legal obligation requiring processing provided for in international or national law applicable to the controller or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c) for public health reasons;

(d) for archiving purposes in the public interest, scientific or historical research or statistical purposes;

(e) the establishment, exercise or defence of legal claims.

Right to restriction of processing

6.4. The data subject shall have the right to require the controller to restrict processing where:

6.4.1. the accuracy of the personal data is contested by the data subject, for a period which allows the controller to verify the accuracy of the personal data;

6.4.2. the processing is unlawful, but the data subject does not wish the personal data to be erased but requests instead that their use be restricted;

6.4.3. the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims;

6.4.4. the data subject has objected to processing pursuant to a pending check whether the controller's legitimate grounds override the data subject's interests.

6.4.5 Where processing is restricted pursuant to the above paragraph, such data shall be processed, with the exception of their storage, only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the defence of the rights of another natural person or for important reasons of public interest.

6.4.6. Before revoking the requested restriction in the processing of personal data, the controller shall inform the data subject.

Right to data portability

6.5 The data subject shall have the right to obtain the personal data concerning him or her which he or she has provided to a controller in a structured, commonly used and machine-readable format and shall have the right to transfer those data to another controller without hindrance from the controller to whom the personal data have been provided.

6.6. When exercising his or her right to data portability, the data subject shall have the right to obtain a direct transfer of the personal data from one controller to another, where technically feasible.

Right of appeal to a supervisory authority

6.7. Every data subject shall have the right to lodge a complaint with the Commission for Personal Data Protection (CPDP), as well as to bring an action before a court in case of violation of the rules for processing and protection of personal data. Control over the lawful processing of personal data is exercised by the CPDP. Address of the CPDP. 1592 Sofia Blvd. "1595 Proff. Information and Contact Centre of the CPLD - tel. 02/91-53-518; e-mail: kzld@cpdp.bg; website: www.cpdp.bg.

VII. EXERCISE OF THE RIGHTS OF DATA SUBJECTS.

7.1. The rights under clauses 6.1 to 6.6 inclusive of these Terms and Conditions shall be exercised by written application (Annex 3). In the case of an application by an authorised person, the notarised power of attorney shall be attached to the application. Applications shall be entered in a register by the administrator.

7.1.2. The controller or processor shall explicitly consider applications - Annex 4 and shall give its decision within 14 days of its submission. The time limit for the examination of an application for access under point 6.1 may be extended by the controller or the processor up to 30 days in cases where a longer period is objectively required to collect all the data requested and this seriously hampers the controller's activities.

7.1.3. Within 14 days, the controller or processor shall take a decision to provide the applicant with complete or partial information or shall refuse to provide it on the grounds.

7.1.4. The data controller or processor shall notify the applicant in writing of its decision or refusal within the relevant time limit. The notification shall be made in person against signature or by post with acknowledgement of receipt. Failure to notify shall be deemed a refusal.

Right to object.

7.2 The data subject has the right to:

7.2.1. object to the controller to the processing of his/her personal data where there is a legal basis for doing so. Where the objection is justified, the personal data of the natural person concerned may no longer be processed;

7.2.2. object to the processing of their personal data for direct marketing purposes;

7.2.3. be notified before their personal data is first disclosed to third parties or used on their behalf under these Terms and Conditions, being given the opportunity to object to such disclosure or use.

7.3. The decision of the administrator is inadmissible when:

7.3.1. has legal or other substantial adverse consequences for the individual, and

7.3.2. is based solely on automated processing of personal data designed to assess personal characteristics of the individual.

7.4. It is not an inadmissible decision which is:

7.4.1. taken at the time of the conclusion or performance of a contract, provided that the request made by the individual concerned for the conclusion or performance of the contract has been granted or that appropriate measures exist to safeguard his legitimate interests;

7.4.2. governed by a law which also provides for measures to protect the legitimate interests of the person.

7.5 The natural person shall have the right to request the controller to reconsider the decision where the same is inadmissible within the meaning of par. 7.3 of these Terms and Conditions.

VIII. APPEAL AGAINST THE ACTIONS OF THE CONTROLLER.

8.1. In the event of a breach of his rights under these General Terms and Conditions, any individual shall have the right to refer the matter to the Personal Data Protection Commission within one year of becoming aware of the breach, but not later than five years from the date of the breach.

8.2. In the event of a violation of his rights, any individual may appeal against the actions and acts of the administrator in court before the relevant administrative court or before the Supreme Administrative Court under the general rules of jurisdiction.

8.2.1. In proceedings under the preceding paragraph, any natural a person who has suffered pecuniary or non-pecuniary damage as a result of a breach of the General Terms and Conditions shall be entitled to compensation from the controller or processor for the damage suffered.

8.2.2. The controller involved in the processing of personal data shall be liable for damages arising from the processing carried out in breach of the General Terms and Conditions. The data processor shall only be liable for damages resulting from the processing carried out where it has failed to comply with a legal obligation specifically addressed to data processors or where it has acted outside or contrary to the controller's instructions.

8.2.3. The controller or processor shall be exempt from liability if it proves that it is in no way responsible for the event that caused the damage.

IX. FINAL PROVISIONS.

9.1. The General Terms and Conditions are effective for customers and employees - personal data subjects, from the moment of giving consent to the processing of personal data by completing and signing the declaration in Annex 1.

9.2. In the event of an amendment and/or supplement to these General Terms and Conditions, the Company shall notify the data subjects who have accepted them.

9.3. For matters not covered by these Terms and Conditions, the Regulation, the PDPA and all other national and international legal acts in the field of personal data protection shall apply.

9.4 Bohemi Homes Ltd. does not carry out credit intermediation activities within the meaning of the CCNIP. Our real estate agency only provides information in mortgage financing.