Data Protection Policy

Abagy Limited
(the "Company")

Adopted by Written Resolutions of the Director of the Company on 22 January 2021
1. General

1.1. The purpose of this Data Protection Policy is to protect personal data by design and by default and to ensure that data Processing is performed by the Company in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter – the "GDPR", and to be able to demonstrate the lawfulness of such Processing.

1.2. The GDPR and this policy apply to all of the Company's Personal Data Processing functions, including those performed on customers', clients', employees', suppliers' and partners' Personal Data, and any other Personal Data the Company processes from any source.

1.3. The Company's Director is the Responsible Officer for reviewing the Record of Processing Activities annually in the light of any changes to the Company's activities and to any additional requirements identified by means of data protection impact assessments. This Record needs to be available on the supervisory authority's request.

1.4. This policy applies to all employees and interested parties of the Company such as outsourced suppliers. Any breach of the GDPR or this policy will be dealt with under the Company's disciplinary policy and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.

1.5. Partners and any third parties working with or for the Company, and who have or may have access to Personal Data, will be expected to have read, understood and to comply with this policy. No third party may access Personal Data held by the Company without having first entered into a data confidentiality agreement which gives the Company the right to audit compliance with the agreement.

2. Definitions

"Data Subject" means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Personal Data" means any information relating to a Data Subject;

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Personal Data Breach" means a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. There is an obligation on the controller to report Personal Data Breaches to the supervisory authority and where the breach is likely to adversely affect the Personal Data or privacy of the Data Subject.

"Record of Processing Activities" means an internal electronic record of all the categories of Processing activities under the responsibility of the Responsible Person;

"Responsible Officer" means the Director of the Company;

3. Data protection principles

The Company is committed to Processing data in accordance with its responsibilities under the GDPR.

Article 5 of the GDPR requires that personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further p
  3. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  4. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  5. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  6. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
  7. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

4. Lawful, fair and transparent Processing

  1. To ensure its Processing of data is lawful, fair and transparent, the Company shall maintain a Record of Processing Activities.
  2. Data Subjects have the right to access their Personal Data and any such requests made to the Company shall be dealt with in a timely manner. The GDPR includes rules on giving private information to Data Subjects in Articles 12, 13, and 14. These are detailed and specific, placing an emphasis on making privacy notices understandable and accessible. The information must be communicated to the Data Subject in an intelligible form using clear and plain language. The Company's Privacy Notice is set out as Appendix A hereto.

5. Lawful purposes

  1. All data processed by the Company must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests.
  2. The Company shall note the appropriate lawful basis in the Record of Processing Activities.
  3. The Company shall satisfy itself that Processing is necessary for the relevant purpose, and that there is no other reasonable and less-intrusive way to achieve that purpose.
  4. Where consent is relied upon as a lawful basis for Processing Personal Data, evidence of opt-in consent shall be kept with the Personal Data.
  5. Where communications are sent to Data Subjects based on their consent, the option for the Data Subject to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the Company's procedures.

6. Data minimization

6.1 The Company shall ensure that Personal Data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

6.2 The Responsible Officer is responsible for ensuring that the Company does not collect information that is not strictly necessary for the purpose for which it is obtained.

6.3 All data collection forms (electronic or paper-based), including data collection requirements in new information systems, must include a fair Processing statement or link to privacy statement and approved by the Responsible Officer.

6.4 The Responsible Officer will ensure that, from time to time all data collection methods are reviewed by internal audit or external experts to ensure that collected data continues to be adequate, relevant and not excessive.

7. Accuracy

  1. The Company shall take reasonable steps to ensure Personal Data is accurate.
  2. Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that Personal Data is kept up to date.

8. Archiving / removal

  1. Personal data will be retained in line with the Record of Processing Activities and, once its retention date is passed, it must be securely destroyed as set out in this procedure.
  2. The Responsible Officer shall review the Record of Processing Activities from time to time and consider what data should/must be retained, for how long, and why.
  3. The Responsible Officer must specifically approve any data retention that exceeds 5 (Five) years, and must ensure that the justification is clearly identified and in line with the requirements of the data protection legislation. This approval must be written.
  4. Where personal data is retained beyond the Processing date, it will be minimized and/or pseudonymised in order to protect the identity of the Data Subject in the event of a Personal Data Breach.
  5. When Personal Data is deleted this should be done safely such that the data is irrecoverable.

9. Security

9.1 The Company shall ensure that Personal Data is stored securely using modern software that is kept-up-to-date.

9.2 Access to Personal Data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.

9.3 Personal Data must be kept in a form such that the Data Subject can be identified only as long as is necessary for Processing.

9.4 Appropriate back-up and disaster recovery solutions shall be in place.

9.5 When assessing appropriate technical measures, the Responsible Officer will consider the following:

- Password protection;
- Automatic locking of idle terminals;
- Removal of access rights for USB and other memory media;
- Virus checking software and firewalls;
- Role-based access rights including those assigned to temporary staff;
- Encryption of devices that leave the Company's premises such as laptops;
- Security of local and wide area networks;
- Privacy enhancing technologies such as pseudonymisation and anonymisation;
- Identifying appropriate international security standards relevant to the Company.

9.6 When assessing appropriate organizational measures the Responsible Officer will consider the following:

- The appropriate training levels throughout the Company;
- Measures that consider the reliability of employees (such as references etc.);
- The inclusion of Data Protection in employment contracts;
- Identification of disciplinary action measures for Personal Data Breaches;
- Monitoring of staff for compliance with relevant security standards;
- Physical access controls to electronic and paper-based records;
- Adoption of a clear desk policy;
- Storing of paper-based data in lockable fire-proof cabinets;
- Restricting the use of portable electronic devices outside of the workplace;
- Restricting the use of employee's own personal devices being used in the workplace;
- Adopting clear rules about passwords;
- Making regular backups of personal data and storing the media off-site;
- The imposition of contractual obligations on the importing organisations to take appropriate security measures when transferring data outside the EU.

9.7 All employees of the Company are responsible for ensuring that any Personal Data that the Company holds and for which they are responsible, is kept securely and is not under any conditions disclosed to any third party unless that third party has been specifically authorised by the Company to receive that information and has entered into a confidentiality agreement.

9.8 All Personal Data should be accessible only to those who need to use it. All Personal Data should be treated with the highest security and must be kept:

· in a lockable room with controlled access; and/or
· in a locked drawer or filing cabinet; and/or
· if computerised, password protected in line with corporate requirements; and/or
· stored on (removable) computer media which are encrypted in line with corporate requirements.

9.9 Care must be taken to ensure that PC screens and terminals are not visible except to authorised employees of the Company.

9.10 Manual records may not be left where they can be accessed by unauthorised personnel and may not be removed from business premises without explicit authorisation. As soon as manual records are no longer required for day-to-day client support, they must be disposed of securely.

9.11 Hard drives of redundant PCs are to be removed and immediately destroyed as required before disposal.

10.
Data Subject's Rights

10.1 Data Subjects have the following rights regarding data Processing, and the data that is recorded about them:

10.1.1 To make requests regarding the nature of information held and to whom it has been disclosed;

10.1.2 To prevent Processing likely to cause damage or distress.

10.1.3 To prevent Processing for purposes of direct marketing.

10.1.4 To be informed about the mechanics of automated decision-taking process that will significantly affect them.

10.1.5 To not have significant decisions that will affect them taken solely by automated process.

10.1.6 To sue for compensation if they suffer damage by any contravention of the GDPR.

10.1.7 To take action to rectify, block, erase, including the right to be forgotten, or destroy inaccurate data.

10.1.8 To request the supervisory authority to assess whether any provision of the GDPR has been contravened.

10.1.9 To have Personal Data provided to them in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another controller.

10.1.10 To object to any automated profiling that is occurring without consent.

11. Consent

11.1 The Company understands 'consent' to mean that it has been explicitly and freely given, and a specific, informed and unambiguous indication of the data subject's wishes that, by statement or by a clear affirmative action, signifies agreement to the Processing of personal data relating to him or her.

11.2 The Data Subject can withdraw their consent at any time.

11.3 Consent cannot be inferred from non-response to a communication. The Company must be able to demonstrate that consent was obtained for the Processing operation.

11.4 In most instances, consent to process personal data is obtained routinely by the Company using standard consent documents e.g. when a new client signs a contract, or during induction for participants on the Company's programs, etc.

12. Personal Data Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, the Company shall promptly assess the risk to Data Subjects' rights and freedoms and if appropriate report this breach to the Office of the Commissioner for Personal Data Protection:

http://www.dataprotection.gov.cy

Email: commissioner@dataprotection.gov.cy


Appendix A

Form of Privacy Policy Notice

Privacy Notice

Adopted by Written Resolutions of the Director of the Company on 22 January 2021

1. Terms and Definitions

"Company" means Abagy Limited, a private limited liability company incorporated in accordance with the laws of the Republic of Cyprus under registration number ΗΕ 401087, having its registered office at 1 Poseidonos street, LEDRA BUSINESS CENTRE, Egkomi, CY-2406 Nicosia, Republic of Cyprus ;

"Data Subject" means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

"Group Company" means the Company and/or any of its subsidiaries;

"Personal Data" means any information relating to a Data Subject;

"Privacy Notice" means this document with any additions and modifications hereto made from time to time;

2. Collected Data

The Company acts in compliance with its Data Protection Policy adopted by Written Resolutions of the Director on 22 January 2021.

The Company collects the following Personal Data: personal identification information (name, passport and/or ID details including number, date of issue, date and place of birth, etc., utility bills containing your name, residential address, postal address, email address, phone number, employment information, CV, etc.).

3. Purpose and means of collecting data

The Data Subjects directly provides the Company with most of the data the Company collects, otherwise the Data Subject's explicit consent must be given to the Company to enable the Company to collect and process such Data Subject's Personal Data. The Company collects data and processes data, each time in the scope necessary for the purposes of collection and processing, when the Data Subject, for example:

  • Acts as a counterparty under an agreement/contract/ other engagement with the Company;
  • Becomes an employee of a Group Company;
  • Applies for participation in the Company's Share Option Program; or
  • Accedes to the Company's website.
The Company may also receive Personal Data indirectly, for example, from the Data Subject's employer if it is a Group Company.

The Company may request the Data Subject to update their Personal Data from time to time, in order to have up-to-date information on the record.

4. How the data may be used

The Company collects and processes Personal Data so that we can:

  • Protect the Company's legitimate interests in connection with compliance, legal and statutory regulations, claims, audit functions, etc.;
  • Disclose information, as may be necessary, in connection with acquisition, merger or sale of the Company's business;
  • Carry out obligations or exercising the specific rights of the Company or the Data Subject in connection with employment;
  • Process applications for the Share Option Program, operate the register of the Share Option Program, handle the relevant paperwork, provide the Data Subjects with other services and otherwise protect their legitimate rights and interests;
  • Contact the Data Subject by post or email with important notices or other essential information relating to the nature of our engagement.
Our Company will not share Personal Data with any third parties other than the Group Companies and its partner entities or individuals for the purposes described in paragraph 3 above. Prior to sharing Personal Data with such partners, the Company will procure binding non-disclosure and data protection obligations to be undertaken by such partners. Such partners are:

· Christodoulos G. Vassiliades & Co. LLC and/or other entities providing legal, compliance, corporate and fiduciary services;

· Cube Audit Ltd and/or other entities providing accounting, banking, payroll, audit, tax advice services;

· Companies providing Cyprus migration services and advice;

· Consultants, advisors, potential purchasers, as necessary, in connection with the sale, merger or transfer of all or a portion of the Company's shares or business;

1.1

Data Subjects have the right at any time to stop the Company from sharing their Personal Data with third parties under certain conditions by sending a relevant notice by email or by post to the registered address of the Company, however, this may affect the services provided to such Data Subjects.

In limited circumstances, the Company may be required to share Personal Data with government authorities, or others, to protect the interests of the Company or others, or as required by applicable law or court order.

5. How the Personal Data is stored

The Company stores Personal Data on its local server at the Company's office in Cyprus, taking appropriate technical and organizational security measures to protect the security of Personal Data against loss, misuse, unauthorised access, disclosure or alteration.

The Company ensures confidentiality of the Personal Data.

If Data Subject is located outside of Cyprus, provision of Personal Data to the Company constitutes the transfer of such data to Cyprus, a jurisdiction that may not provide a level of data protection equivalent to the laws in the home country of the Data Subject.

The Company will keep Personal Data for 5 years upon termination of the rights and obligations arising out of our engagement. Once this time period has expired, we will delete Personal Data of the relevant Data Subject from the relevant folders on the server.

6. Data protection rights

The Company would like to make sure Data Subjects are fully aware of all of their data protection rights. Every user is entitled to the following:

a. The right to be informed – You have the right to know what Personal Data is being processed and why, who else the Personal Data can be transferred to.

b. The right to access – You have the right to request the Company for copies of your Personal Data.

c. The right to rectification – You have the right to request that the Company correct any information you believe is inaccurate. You also have the right to request the Company to complete the information you believe is incomplete.

d. The right to erasure – You have the right to request that the Company erase your Personal Data, under certain conditions.

e. The right to restrict processing – You have the right to request that the Company restrict the processing of your Personal Data, under certain conditions.

f. The right to object to processing – You have the right to object to the Company's processing of your Personal Data, under certain conditions.

g. The right to data portability – You have the right to request that the Company transfer the data that we have collected to another organization, or directly to you, under certain conditions.

h. The rights in relation to automated decision making and profiling – You have the right not to be subject to a decision based solely on automated processing.

The Company has one month to respond to a request by a Data Subject. If you would like to exercise any of these rights, please contact us.

7. Governing law and changes to our privacy policy

This Privacy Notice is governed by the laws of the Republic of Cyprus. The Company keeps its Privacy Notice under regular review and places any updates on this web page. This Privacy Notice was last updated on 22 January 2021.

8. Contact information

If you have any questions about the Company's privacy policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us.

Email us at: office@abagy.com

9. How to contact the appropriate authority

Should you wish to report a complaint or if you feel that the Company has not addressed your concern in a satisfactory manner, you may contact the Office of the Commissioner for Personal Data Protection:

http://www.dataprotection.gov.cy

Email: commissioner@dataprotection.gov.cy