Policy Notice.

PRIVACY POLICY

For users of instant messaging groups operated for mystery evaluators

1. Joint data controllership

1.1. Joint data controllers

BARE International Inc., Belgium Branch

Office: Borsbeeksebrug 34 – bus 305, Antwerpen 2600, Belgium

registration number: USA 314809

tax number: BE 0829 488 075

e-mail address: BAREeurope@bareinternational.com

website: https://www.bareinternational.eu/

Data Controller hereafter;

and

BARE International Hungary Korlátolt Felelősségű Társaság

short name: BARE International Hungary Kft.

headquarters: 47, Váci Street, 1134 Budapest, Hungary

business registration: 01-09-962318

tax number: 23368743-2-41

e-mail address: BAREeurope@bareinternational.com

website: https://www.bareinternational.eu/

Data Controller hereafter;

Hereinafter together: Data Controllers.

1.2. Data protection officer:

In connection with joint data management the duties of the data protection officer are performed by the data protection officer of BARE International Hungary Kft:

BARE International Hungary Kft.

Data Protection Officer

E-mail address: dataprivacy@barienternational.com

Postal address: 47, Váci Street, 1134 Budapest, Hungary

1.3. The instant messaging groups operated for mystery evaluators are operated jointly by Data Controllers. Both Data Controllers take part in organising and operating the groups, and they define the operating rules of the groups together.

1.4. During joint data management, BARE International Hungary Kft. performs the tasks related to the individual information of the interested parties and the exercise of their rights.

1.5. The joint data controllers have appointed BARE International Hungary Kft. as contact in connection with data protection issues related to joint data management. Data protection issues can be addressed to the joint Data Controllers primarily at the following contact details:

BARE International Hungary Kft.

E-mail address: dataprivacy@barienternational.com

Postal address: 47, Váci Street, 1134 Budapest, Hungary

In addition, the Data Subject can indicate his/her needs and exercise his/her rights in relation to joint data management to any Data Controller.

1.6. With regard to data transmissions to third countries, to BARE International Inc., during the joint data management, the joint Data Controllers apply the contract conditions defined by European Commission Executive Decision (EU) 2021/914 (June 4, 2021) on the general contractual conditions for the transfer of personal data to third countries in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council. The joint Data Controllers have put into effect the terms of the referenced general contract with respect to each other and comply with the conditions of application.

2. Legal requirements concerning processing, scope of present policy

2.1. For the purpose of easier contact with their mystery evaluator partners (Evaluator hereafter) operating in the territory of the European Union and outside of its territory Data Controllers create groups (hereinafter groups) on popular messaging platforms (WhatsApp, Telegram, Viber, Facebook Messenger, Facebook) so that offering new orders for evaluators can be easier and also to promote the exchange of professional experience of evaluators in order to increase the efficiency of their work.

2.2. Data controllers provide their services from the territory of the European Union. Pursuant to this, European law applies to the provision of the service and to the handling of personal data of the Data Subjects during the use of the service. The following legislation primarily applies to the activities of Data Controllers related to the management of personal data:

– Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (GDPR hereafter).

2.3. The scope of this information sheet applies to data processing during participation in instant messaging groups (hereinafter: group) operated by Data Controllers for test customers.

2.4. Pursuant to this information, Data Subject: the natural person joining the group as a member (hereinafter: User)

3. Details of data management related to participation in the group

3.1. Posts placed in the group and names given in comments will be visible for every member of the group.

3.2. Concerned parties in data management: Users entering the group; i.e. evaluators connected to one of the Data Controllers, or administrators representing the Data Controllers.

3.3. Legal basis of data management:

As for Evaluators: User’s consent according to GDPR Article 6, Paragraph (1), Point (a).

User has the right to withdraw his/her consent anytime. Withdrawal of the consent does not affect the legality of data management before the withdrawal.

Joining the group is voluntary. The Evaluator can access the information received in the group from the Data Controllers at the same time through traditional information channels. Being left out of the group does not mean a more disadvantageous situation for the Evaluator compared to the group members.

As for Administrators: according to Article 6 (1) point b) of the GDPR, data processing necessary to fulfil the contract between the Data Controller and the Administrator. Data controllers define the group administrator tasks as job duties/mandatory tasks for the administrators they employ/mandate.

3.4. Scope of managed data: User’s comments and posts are visible to other users in such a way that the name User has already given can be identified, and the data in his/her comments and posts are recognisable, so User can be identified.

If User has also set a profile picture on the given platform, it is also visible to the other members of the group.

3.5. Purpose of data management: enabling Users to participate in the group. Data Controller created several messaging groups in order to make it easier to offer new orders for evaluators related to them and also to promote the exchange of professional experience of evaluators in order to increase the efficiency of their work.

3.6. Duration of data management: Data management in the way described above lasts until the User who placed the comment asks for cancellation. Furthermore, data management can be ended in case Controller cancels the comment. User has the right to ask Controller for cancellation at any time, and this request will be carried out immediately.

The name, phone number, and profile picture of the member who has left the group will remain visible to the other members of the group for 60 days after leaving. Your comments and submitted content in the group will remain visible to group members for as long as the group exists.

With regard to administrators, the Data Controllers may retain the data generated in the group until the claims related to the performance of the job/assignment tasks expire.

3.7. Method of data storage: in the IT system of the messaging platform used, electronically.

4. Forwarding data

4.1. The data will not be forwarded apart from using the Data controllers.

4.2. Data Controllers forward information only to official bodies in accordance with legal requirements beyond the above-mentioned cases.

5. Using data processing

5.1. Scope of those involved in data processing: those who are marked in present notice.

5.2. Data Controllers use:

WhatsApp Ireland Limited (WhatsApp)

registration number: 607470

tax number: IE 3480619JH

headquarters: 4 GRAND CANAL SQUARE, GRAND CANAL HARBOUR DUBLIN 2, DUBLIN 2, Ireland

postal address: 4 GRAND CANAL SQUARE, GRAND CANAL HARBOUR DUBLIN 2, DUBLIN 2, Ireland

message: https://www.whatsapp.com/contact/?eea=1&subject=messenger

website: https://www.whatsapp.com/

or

Viber Media S.à rl (Viber)

registration number: B184956

headquarters: 2, rue du Fossé, L-1536, Luxembourg, Grand Duchy of Luxembourg

postal address: 2, rue du Fossé, L-1536, Luxembourg, Grand Duchy of Luxembourg

message: https://help.viber.com/en/contact

website: https://www.viber.com/

or

Meta Platforms Ireland Ltd. (Facebook Messenger and Facebook group)

registration number: 462932

tax number: IE 9692928F

headquarters: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

site: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

postal address: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

telephone number: +001 650 543 4800

message: https://facebook.com/help/contact/540977946302970

website: https://www.facebook.com/privacy/explanation

or

Telegram FZ-LLC (Telegram)

registration number: 94349

headquarters: Sh Zayed Road, Business Central Towers, Tower A, Office 2301, Dubai, United Arab Emirates

postal address: P.O. Box 501919, Dubai, United Arab Emirates

telephone number: +971 4 7707810

website: https://telegram.org/

business organization as Data Processor depending on the messaging platform of the specific group as the hosting provider and software developer for the group operating on the platform indicated above in addition to its company name (hereinafter Data Processor).

5.3. Defining the scope of data involved in data processing: this relates to all information mentioned in present policy.

5.4. Purpose of using data processor: ensuring the operation of the group.

5.5. Duration of data processing: according to point 3.6.

5.6. Nature of data processing: Messages are stored in a software environment provided by Controller during retention time, therefore data management exists during this period.

5.7. Controller makes use of no other Data managers apart from those described above.

5.8. Controller enters into data processing contracts with mandatory content with data processors used by Controller in order to comply with relevant legislation and to guarantee an adequate level of data security.

6. Data protection, data safety

6.1. Controller (in relation to this chapter, it refers to both joint Data Controllers) assures the safety of data and, through technical and organizational actions as well as internal rules of procedure, ensures that laws and other data and secret protection rules are kept. Controller protects data especially against illegal access, change, forwarding, making public, deletion or effacement of data; moreover, it protects against accidental effacement and damage, as well as inaccessibility of data as a result of change in applied technology.

6.2. Processing takes place to reach articulated and legal goals described in present policy to a necessary and proportional degree, based on relevant laws and recommendations, keeping appropriate safety measures.

6.3. In order to achieve these, Controller stores information in encrypted data stocks on separate lists insulated from each other based on processing goals. Certain Controller employees – performing tasks indicated in present policy – have access to these lists; they have to protect data, and it is their responsibility to handle this policy and relevant laws in an appropriate manner.

7. User’s rights concerning data management

7.1. Right to access: on User’s request, Controller gives information about the data being handled by itself and by Data Processor, their sources, the goals of data processing, its legal basis and period, the name and address of Data Processor and its activities related to data processing, the consequences and effects of a possible data protection incident and the actions done in order to avoid such cases and, in case of forwarding concerned person’s personal data, the legal basis and addressee of data forwarding. Controller provides information without any unreasonable delay, within a maximum of one month after the arrival of the request.

Within the framework of the right to access, Controller provides User with a copy of personal data involved in processing, within a maximum of one month after the arrival of the request. For further demands from User, Controller calculates a reasonable fee based on administrative costs (see Chapter 8).

7.2. Right to portability of data: User has the right to get personal data about themselves in an articulate, widely used format, readable on devices, furthermore, has the right to forward these pieces of information to another Controller without the obstruction of Controller that has User’s data according to User’s consent, if:

a) processing is based on User’s consent or contract; and

b) processing is automated.

Practising the right to portability of data, User has the right – if it is technically practicable – to ask Controllers to forward information between each other directly.

7.3. Right to correction: User has the right to ask for correction of their data, which Controller fulfils without any unreasonable delay, within a maximum of one month after the arrival of the request. Considering the goal of processing, User has the right to ask for completing their missing personal data – for example through an additional declaration.

7.4. Right to limitation of processing: Controller marks personal data in order to limit processing. User may ask for such limitation if one of the following cases occur:

a) User disputes accuracy of personal data; in this case limitation extends for the period that enables Controller to check the accuracy of personal data;

b) processing is illegal, and User objects against deleting their data and asks for limitation of use;

c) Controller does not need personal data for processing, however, concerned party lays claim to them in order to propose, realize or protect legal demands; or

d) User has objected to legal processing done by Controller; in such cases limitation extends over the period in which it becomes clear whether Controller’s legal interests dominate over concerned party’s legal interests.

7.5. Right to erasure (‘right to be forgotten’): Controller deletes information if:

a) personal data is no longer needed for reasons they were recorded, or were handled differently;

b) User withdraws their consent to processing, and there are no other legal bases for it;

c) User objects to processing and there are no prior rightful reasons for processing, or User objects to processing with direct sales objectives;

d) personal data was handled illegally;

e) personal data must be deleted to fulfil legal obligations claimed by European Union or member state laws;

f) User requests deletion or objects to processing, and data was recorded to offer services related to information technological society directly to children.

If Controller has made personal data public and, according to the cases mentioned above, has to erase them, it must take reasonable steps, including technical ones – considering technology available and costs of realization – in order to inform Controllers involved that User has requested deletion of the links referring to their personal data and of copies of those personal data.

7.6. Obligation of notification: Controller informs User and all Controllers that are provided with information about the correction, limitation and deletion. Notification might be neglected if it seems to be impossible, or requires unreasonable efforts. Controller informs User on demand about these addressees.

7.7. Right to objection: User has the right to object to their data being managed rightfully by Controller at any time because of personal reasons. In such cases, Controller cannot handle personal information any longer, except when Controller proves that there are obligatory rightful reasons for processing, having priority over concerned person’s interests, rights and freedoms, or reasons that are related to proposal, enforcement or defence of legal demands.

8. Fulfilling of User’s requests

8.1. During joint data management, BARE International Hungary Kft. performs the tasks related to informing the interested parties and exercising their rights.

8.2. Controller offers notification and taking actions for free, as described in Point 7. If User’s request is obviously unfounded, or – especially for its repeated nature – exaggerated, Controller

a) might charge a reasonable price, or

b) might deny taking actions based on request,

considering data requested, or administrative costs of measures to be taken to fulfil request.

8.3. Controller informs User without any unreasonable delay, but at most one month after receiving the request, about actions that have been taken, including issuing copies of data. If necessary, considering the complexity of the request and the number of requests, this deadline can be extended by an additional two months. Controller informs User about the extension of the deadline, together with indicating the reasons for the delay, within one month after receiving the request. If concerned User sends their request electronically, Controller provides information electronically, except when concerned User asks for it in a different way.

8.4. If Controller does not take any steps as reaction to User’s request, without delay but within maximum of one month after receiving the request, Controller informs User about reasons why there have been no actions taken, and about the possibility of filing a complaint to the data protection authority competent in his place of residence and can have the right to legal remedy.

8.5. User can hand in their request to Controller in any way that identifies them. Identifying Users who hand in a request is necessary because Controller can deal with only those requests that are entitled. If Controller has justified doubts about the identity of natural person handing in a request it can ask for other pieces of information to assure the identity of concerned User.

8.6. User can send their requests to Controller to the address 47, Váci Street, 1134 Budapest, Hungary or to the e-mail address dataprivacy@bareinternational.com. Controller considers requests sent by e-mail genuine only if they were sent from an e-mail address registered in Controller’s database. However, using another e-mail address does not mean inobservance of such requests. Time of receiving e-mails is the first day after the e-mail was sent.

9. Prosecution of rights

9.1. The joint Data Controllers have appointed BARE International Hungary Kft. as contact in connection with data protection issues related to joint data management. Data protection issues can be addressed to the joint Data Controllers primarily at the following contact details:

BARE International Hungary Kft.

E-mail address: dataprivacy@barienternational.com

Postal address: 47, Váci Street, 1134 Budapest, Hungary

In addition, the Data Subject can indicate his/her needs and exercise his/her rights in relation to joint data management to any Data Controller.

9.2. User can contact Data Controllers with any complaints regarding the handling of User’s data, also at the above contact details.

9.3. Those concerned may exercise their legal rights in court, and they can apply to the Data Protection Authority operating in the Member State of their residence within the EU.

Among themselves, the joint Data Controllers have appointed BARE International Hungary Kft. to handle data protection issues. Data protection authority according to the place of operation of the appointed data controller:

National Authority for Data Protection and Freedom of Information

(Nemzeti Adatvédelmi és Információszabadság Hatóság)

Address: 9-11. Falk Miksa Street, Budapest 1055, Hungary

Postal address: P.O. Box 9 Budapest 1363, Hungary

Telephone: +36 1 391 1400

Fax: +36 1 391 1410

E-mail: ugyfelszolgalat@naih.hu

Website: http://www.naih.hu/

In case of choosing a process involving a courthouse, the lawsuit – based on concerned User’s choice – can be initiated at the court in concerned person’s residence or place of stay.

5 December 2023

BARE International Inc., Belgium Branch

BARE International Hungary Kft.