Policy for protection of personal data of visitors to the website SOPHARMA-IMOTI.COM

Thank you for your interest in us!

Data protection is of a particularly high priority for the management of Sopharma Properties REIT.

Browsing the Internet website of Sopharma Properties REIT – SOPHARMA-IMOTI.COM – is possible without any provision of personal data such as name, identification number, email address and special categories of personal data.

Still, any processing of personal data of natural persons must correspond to the General Data Protection Regulation [1], which applies as of May 25th 2018, as well as to the specific regulations for data protection of the Bulgarian legislation, applicable to Sopharma Properties REIT.

The present document aims to introduce the visitors to our website to its policy for personal data protection. In addition, data subjects are informed via this statement of the rights they have. As a controller, Sopharma Properties REIT has implemented technical and organisational measures to ensure the most complete protection of personal data. However, Internet-based applications may, in principle, have security faults, so that absolute protection cannot be guaranteed. Therefore, each data subject is free to provide us, if necessary, with personal data through alternative means, for example by phone.

The present Personal Data Protection Policy is based on the terminology used in the General Data Protection Regulation(GDPR). The Personal Data Protection Policy must be clear and comprehensible for the general public. In regard of the latter, before reviewing the Policy, you could get acquainted with the used terminology here.

Name and contact details of the personal data controller
The controller under the meaning of GDPR is:

Sopharma Properties REIT, UIC 175059266
city of Sofia, 5 Lachezar Stanchev str.,Sopharma Business Towers Complex, Building A, fl. 20
Bulgaria

Phone number: 02 / 4250120
Email: office@sbt.bg

Functionalities of the websiteSOPHARMA-IMOTI.COM

Cookies
The website SOPHARMA-IMOTI.COM utilizes system „cookies“. „Cookies“ are text files which are stored in a computer system via an Internet browser.The cookies used by SOPHARMA-IMOTI.COMare not personally related to you, they do not recognise your individual identity, they do not collect and store your information and via them you cannot be identified; they are necessary for the correct functioning of the website, they allow you to browse it and use its features.These „cookies“ are not used for any other purposes apart from the stipulated herein.Without these „cookies“ we cannot ensure effective functionality of our website.

Every visitor to our website can, at any time, prevent the setting of „cookies“ through our website or by means of a respective setting of the Internet browser used, and can thus permanently deny the setting of „cookies“. Furthermore, already set „cookies“ may be deleted at any time via an Internet browser or other software programs. The latter is possible in all popular Internet browsers. If you deactivate the setting of „cookies“ in the Internet browser used, possibly not all functions of our website will be entirely usable.

List of the cookies used by the website

The cookies listed in the table below are divided into 2 main numbered groups – the group number to which the cookie belongs is stipulated in the third column of the table. Please note that each cookie may belong to more than one group at a time. The categories are as follows:

[1] Absolutely necessary: Without these cookies, you cannot view the full functionality of our website and use its features. Also, without them it is not possible to use the information society services you have requested.

[2] Digital asset enhancing cookies: These cookies collect information about how visitors use the website, such as which pages they access most often. These cookies do not collect information that is specific to a particular visitor. All the information collected by this group of cookies is summarized and therefore anonymous. Their sole purpose is to improve the performance of the website.

Your consent is a prerequisite for attaching a cookie that is not absolutely necessary.

Name Description Category Validity Domain
wfvt_(random numbers) A cookie of the security module of the website. It is used for authentication of the site visit as made by a real user, not a bot or a security threat. [2] Until expiry of the session sopharma-imoti.com
wordfence_verifiedHuman A cookie used by the security module of the websitefor the purpose of protection against malicious attacks on the website. [1] Up to 24 hours sopharma-imoti.com
wordpress_test_cookie A cookie used by the content management system for the purpose of establishing whether the user has activated any cookies. [1] Until expiry of the session sopharma-imoti.com
cc_cookie_accept A cookie used by the cookie notification module to indicate that a user has accepted the use of cookies on the website. [1] 1 month sopharma-imoti.com
cc_cookie_decline A cookie used by the cookie notification module to indicate that a user has refused the use of cookies by the website. [1] 1 month sopharma-imoti.com

Links to internet pages

Hyperlinks may be placed on the internet page of Sopharma Properties REIT via which visitors to Sopharma Properties REIT’s page may connect to other internet pages. Sopharma Properties REIT must remind you that by following such hyperlinks the visitor transfers directly to third party pages which apply their own personal data protection policies. Sopharma Properties REIT shall not be liable for the personal data protection policy of such internet pages and the information (incl. personal data) collected by them.In view of the latter, Sopharma Properties REITstrongly recommends to the visitors of its website to get acquainted with the personal data protection policy of such internet pages.

Collection of generaldata and information

When you visit SOPHARMA-IMOTI.COM the website collects information from your browser only, necessary so that we can technically display our website to you, namely:

  • the browser types and versions used; • the operating system used by the accessing system; • the website from which an accessing system reaches our website (so-called referrers); • the sub-websites; • the date and time of access to the Internet site; • an Internet protocol address (IP address); • the Internet service provider of the accessing system, and • other similar data and information that may be used in the event of attacks on our information technology systems.

After your visit to our website such general data and information are stored in the registration log files of the server, separate from all personal data provided by you (via sending an email for example). Upon storing such general data and information the websiteSOPHARMA-IMOTI.COM derives no conclusions as to the identity of the data subject.This information is stored solely for the aim of increasing the defences of the website and data security, and assisting law enforcement in the event of a cyber-attack.

Contact option via the website

The website SOPHARMA-IMOTI.COM contains contact details for the company Sopharma Properties REIT, including for its Director of Investors Relations, as per the legal requirements, via which direct communication with us may be established, including via electronic mail (e-mail address). If a data subject gets in contact with the controller via email, the personal data, transferred by the data subject at its discretion (like email address), are received and stored automatically, for the purpose of receiving of the thereby sent by it electronic correspondence. Such personal data transferred voluntarily by the data subject to the controller shall be processed (including stored) solely for the purposes for which they were provided as per the aim of the correspondence stipulated by the data subject, including for contact with the data subject for the purpose of supplying them with a response to their email or of providing them with the information they have inquired about.In case it is necessary for accomplishing said purposes that (additional) personal data be provided, we shall notify the data subject, where we shall stipulate whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data. In respect of the specific legal statute of the controller Sopharma Properties REIT as a stockholding company with a special investment purpose (under the meaning of the Special Purpose Investment Companies Act – SPICA) and depending on the goal pursued by the data subject with their particular email, the provided personal data may be submitted for processing to its servicing company via which the controller conducts its activities as per art. 18 of SPICA, which would act as a processor of such personal data.Any processing shall be conducted in accordance with the applicable legislation, including GDPR, and the principles of lawfulness, fairness and transparency.

Categories of personal data we process

The separate categories of personal data which we may process, if such are provided to us by the data subject (via sending us an email for example), are stipulated above in the description of the respective functionalities of the website.Sopharma Properties REIT adheres to the principle of minimising data processing.

Purposes of personal data processing

The purposes of the processing of personal data connected to the use of the website, if such are provided to us by the data subject (via sending us an e-mail for example), are stipulated above in the description of the respective functionalities of the website. Such personal data shall not be processed for commercial purposes and shall not be shared with commercial organizations.

Legal grounds for personal data processing

The website SOPHARMA-IMOTI.COM is created and is maintained by Sopharma Properties REIT infulfilment of the statutory duty of the controller as a public company to maintain its own web page under art. 110в, par. 2 of the Public Offering of Securities Act.The legal basis for the processing of personal data provided by data subjects who have contacted the company through the contact details disclosed on the website, depending on the goal pursued by the data subject through the correspondence, may be:(1) fulfilment of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract; (2) compliance with a legal obligation to which the controller is subject; (3) the legitimate interest pursued by the controller to conduct its activities in favour of the welfare of its stockholders and to act as a responsible public company.

If the processing of personal data is necessary but there are no other grounds for such processing, we shall obtain the explicit prior consent of the data subject.

Receivers of personal data

The recipients of personal data relating to the use of the website if provided by the subject (for example by sending an email) are stipulated above in the description of the respective functionalies of the website. Only upon necessity, personal data may be shared with certain trusted third parties engaged by us to perform certain functions and provide services to us but only to the extent necessary for the performance of such functions and the provision of such services and only subject to compliance with the statutory requirements. If the company is subject to a change of ownership (e.g. transformation), your information may be transferred as part of such action, subject to legal requirements.

Outside of the above, such personal data shall not be shared with recipients, third parties, third countries and/or international organizations, except for the competent public authorities, provided there is a legal basis for it and in exercising their authority and in fulfilling legal obligations the controller.

Term for storing personal data

The controller shall store the personal data of the data subject only for the period, necessary for fulfilling the purpose of the processing, but no less than the required by the applicable Bulgarian and/or European legislation storage period.

The criteria used for defining the personal data storage period is the respective legally set storage period, including for the purpose of securing the ability of regulatory bodies to exercise their authority, and the statutory limitation period related to the purpose of the processing. The company’s general policy is to store personal data for a period of not more than 10 years as of the year following the year of conclusion of the relationship in respect of which the personal data has been collected and provided there is no other reason for processing the data.After the expiry of said period, the respective data is routinely blocked or erased, provided it is no longer necessary.

Necessity of personal data provision

The reasons for provision of personal data, related to the use of the website, if any, are stipulated above in the description of the respective functionalities of the website. As described above, the use of the website of Sopharma Properties REIT is possible without provision of personal data.

Automated decision-making
As a responsible company, we do not utilize automated decision-making or profiling.

Rights of the data subjects

Right of access to information:You have the right to obtain confirmation from us on whether, how and for what purposes we process personal data of yours and what data, as well as to receive a copy thereof.

Right to rectification:In case we are processing incomplete/inaccurate personal data of yours, you have the right to obtain from us without undue delay their rectification or completion, if the latter corresponds to the above described purposes of the processing.

Right to erasure:You have the right to obtain from us the erasure of personal data concerning you, if:

Þ it is no longer necessary in relation to the purposes for which they were processed; or

Þ you withdraw your consent on which the processing is based and there is no other legal ground for the processing; or

Þ you object to the processing and there are no overriding legitimate grounds for the processing, or you object to the processing for the purposes of the direct marketing; or

Þ the personal data have been unlawfully processed; or

Þ the personal data have to be erased for compliance with a legal obligation to which the controller is subject; or

Þ the personal data have been collected in relation to the offer of information society services to children.

Please, bear in mind that there may be reasons for the erasure not to be executed immediately, in regard of a legal requirement for keeping such data.

Right to restriction of the processing: You have the right to obtain from the controller restriction of processing where one of the following applies:

Þ the accuracy of the personal data is contested by you – for the period enabling us to verify the accuracy thereof;

Þ the processing is unlawful but you do not want the erasure of the personal data but rather request the restriction of their use instead;

Þ we no longer needs the personal data (for the particular purposes), but they are required by you for the establishment, exercise or defence of legal claims;

Þ you have objected to processing of such data (as stipulated below) pending the verification whether the legitimate grounds of the controller override those of your own.

Right to data portability:You have the right to receive the personal data concerning you and which you have provided to Sopharma Properties REIT, in a structured, commonly used and machine-readable format and have the right to transmit such data to another controller without hindrance from the controller to which the personal data have been provided, where:

Þ the processing is based on consent or on a contract; and

Þ the processing is carried out by automated means.

Right to object:In case we are processing personal data concerning you, where we have stipulated as a basis for it our legitimate interests and/or the performance of a task carried out in the public interest, including profiling on those grounds, you can object to such processing.

Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless:

Þ is necessary for entering into, or performance of, a contract between you and us; or

Þ is authorised by European Union or Member State law to which we are subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

Þ is based on the data subject’s explicit consent.

Right to withdraw consent, when the processing is based on consent, at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

Right to lodge a complaint with a supervisory authority and to an effective judicial remedy against a controller or processor:In case you believe that we are in breach of the Bulgarian or European legislation, we kindly ask you to contact us to clarify the situation and allow us to take immediate measures. In all cases and without being obliged to notify us under the previous sentence, you have the right to lodge a complaint with a supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement. In Bulgaria this supervisory authority is the Commission for Personal Data Protection, address: Sofia 1592, 2 Prof. Tsvetan Lazarov (www.cpdp.bg).

You have the right to an effective judicial remedy when you consider that your rights to protection of your personal data have been infringed as a result of the unlawful processing of your personal data by us.

You are entitled to the stipulated rights without prejudice to any other administrative or judicial remedy you might have under the applicable legislation.

The controller shall review each request, addressed to it,for exercise of the abovecited rights, shall assess its legal merit and legitimacy, in regard of which the controller shall conceit to it or not, replying to the data subject within 1 month of receipt of the request, unless there is reason to extend said period but by no more than 2 more months of which the data subject shall be notified.

Amendments of the Personal Data Protection Policy

Sopharma Properties REITshall endeavour to improve and update its Personal Data Protection Policyin correspondence with the legal requirements and the good practices. In regards of this, we may amend this Policywhere necessary. All amendments shall be published on this internet page and shall enter into force as of their publication. In regard of the latter, we recommend regular review of the published Policy by the visitors to our Internet page

Definitions

We use the following terminology in the present policy:

Personal data

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data subject

Data subject is any identified or identifiable natural person, whose personal data is processed by the controller, responsible for the processing.

Processing
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Restriction of processing

Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.

Profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Controller
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor of personal data

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Third party

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Consent of the data subject

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

[1]Regulation (EU) 2016/679 of the European parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).