COMPANY'S POLICY FOR PROCESSING OF PERSONAL DATA

1. GENERAL PROVISIONS

This Policy delineates the procedure for processing personal data and measures to ensure the security of personal data within LUCEBRA LIMITED (hereinafter referred to as the "Operator"). The primary objective is to protect the rights and freedoms of individuals during the processing of their personal data, including the protection of rights to privacy, personal and family secrets.

Definitions:

• Automated Processing: Handling personal data using computer facilities.
• Blocking of Personal Data: Temporary cessation of personal data processing.
• Information System of Personal Data: A set of personal data contained in databases and the information technology and technical means ensuring their processing.
• Depersonalization: Actions making it impossible to determine the personal data's subject without additional information.
• Personal Data Processing: Any operation or set of operations performed with personal data, with or without automation tools.
• Operator: An entity or individual organizing and/or carrying out personal data processing, defining the purposes, and actions performed with personal data.
• Personal Data: Information relating to an identifiable individual.
• Provision of Personal Data: Actions aimed at disclosing personal data to specific persons or groups.
• Distribution of Personal Data: Actions aimed at disclosing personal data to an indefinite group, including through media or telecommunication networks.
• Cross-Border Transfer of Personal Data: Transfer of personal data to foreign entities or states.
• Destruction of Personal Data: Actions rendering personal data irretrievable.

LUCEBRA LIMITED is committed to compliance with Regulation (EU) 2016/679 (GDPR).

2. PRINCIPLES AND CONDITIONS OF PERSONAL DATA PROCESSING

2.1 Principles:

• Legality and Fairness: Processing is conducted lawfully and fairly.
• Purpose Limitation: Data processing is limited to specific, legitimate purposes.
• Data Minimization: Only relevant and necessary data are processed.
• Accuracy: Personal data must be accurate and kept up-to-date.
• Storage Limitation: Data is kept in a form that permits identification of subjects for no longer than necessary.
• Integrity and Confidentiality: Personal data is processed securely to protect against unauthorized access, loss, or destruction.

2.2 Conditions for Processing:

• Consent: Processing occurs with the subject's consent.
• Legal Obligations: Processing is necessary for compliance with legal obligations.
• Contract Performance: Processing is required for the performance of a contract.
• Legitimate Interests: Processing serves the legitimate interests of the operator or third parties without violating the subject's rights.
• Public Interest: Processing is necessary for tasks carried out in the public interest or in the exercise of official authority.

2.3 Confidentiality: Personal data is not disclosed to third parties without the subject's consent, except as required by law.

2.4 Public Sources: Public sources may contain personal data with the subject's written consent. Subjects can request the removal of their data from these sources at any time.

2.5 Special Categories: Processing of sensitive personal data (e.g., race, health, political beliefs) is only allowed with explicit consent or under specific legal conditions.

2.6 Biometric Data: Processing biometric data is permitted only with the subject's written consent.

2.7 Third-Party Processing: The Operator may delegate processing to a third party with the subject's consent, ensuring compliance with this Policy.

2.8 Cross-Border Transfers: Transfers to foreign entities are allowed if adequate data protection measures are in place or with the subject's written consent.

3. RIGHTS OF THE PERSONAL DATA SUBJECT

3.1 Consent: Subjects provide consent freely and can withdraw it at any time.

3.2 Rights: Subjects have the right to:

• Access: Request information about the processing of their data.
• Rectification: Request corrections to inaccurate or incomplete data.
• Erasure: Request deletion of data under certain conditions.
• Restriction: Request restriction of processing under certain conditions.
• Data Portability: Receive their data in a structured format.
• Object: Object to data processing on certain grounds.
• Automated Decision-Making: Not be subject to decisions based solely on automated processing.

Subjects can file complaints with regulatory authorities if they believe their data protection rights are violated.

4. ENSURING THE SECURITY OF PERSONAL DATA

The Operator ensures data security through:

• Organizational Measures: Appointing responsible officials, restricting access, and educating employees.
• Technical Measures: Using secure storage, threat modeling, access control, and monitoring systems.

5. FINAL PROVISIONS

The Operator's additional rights and obligations regarding personal data processing are governed by applicable laws.

By adhering to this Policy, LUCEBRA LIMITED ensures the protection and security of personal data, upholding the highest standards of privacy and data integrity.