Privacy Policy

PRIVACY POLICY OF BO COMPANIES

This is a combined privacy policy and information document in accordance with the Data Protection Act and the General Data Protection Regulation of the European Union (2016/679/EU).

CONTROLLER

Bo Homes & Villas SL (”Bo”)

REGISTER NAME AND DATA CONTENT

Customer Register of Bo Homes & Villas SL (“Customer Register”)

LEGAL BASIS FOR PROCESSING PERSONAL DATA / WHY DOES BO COLLECT YOUR INFORMATION?

General information on data processing

To the extent that the Customer Register contains personal data, the processing of said data complies with data protection laws and other applicable laws, regulations, directives, and official guidelines concerning the processing of personal data. Personal data means information that can be linked to a specific individual. This document describes in detail the procedures for collecting, processing, and disclosing personal data, as well as the rights of the data subject, i.e., the customer.

Purpose of collecting personal data

Contractual, customer, or equivalent relationship

The purpose of the Customer Register is for the controller to:

– manage a contractual or customer relationship with the principal (e.g., seller or landlord);

– manage a relationship related to the performance of an assignment with the counterparty to the principal (e.g., buyer or tenant);

– manage a contractual relationship with an appraisal assignment or other expert service user;

– manage a relationship based on customer-provided marketing consent, which includes multichannel marketing communication to the customer, such as via email, online, telemarketing, or postal mail.

The controller may also collect information from individuals present at property viewings to prevent, monitor, and investigate crimes or misconduct, or by other means to ascertain the interests of potential customers for establishing a future customer relationship or providing services and marketing.

The individuals mentioned in section a) are referred to in this document as Customers.

Legislation concerning privacy and anti-money laundering and supervision

· “D.I.A.” (Decree 218/2005, Regulation regarding consumer information in the purchase and sale and rental of properties in Andalucía)

· “Ley 10/2010” (Prevention of Money Laundering and Monetary Infractions)

· “LOPD” (Spanish Organic Law Regarding Data Protection)

Customer identification data and other personal data as required by law are stored, retained, and may be used for the prevention, detection, and investigation of money laundering and terrorist financing, as well as for initiating investigations into the crime of money laundering or terrorist financing and the property or proceeds of crime involved therein. Customer identification data or other personal data obtained solely for the purpose of preventing and detecting money laundering and terrorist financing shall not be used for a purpose incompatible with these purposes.

Consent-based data storage

If the right to register based on the aforementioned laws or circumstances exceeds, or if there is no other legal basis mentioned, the Customer’s consent is requested separately for the storage, processing, and retention of personal data. Assignment data is also used for contractual relationships related to evaluations and other expert services and is retained similarly to the Assignment Diary. In addition to the legal or circumstantial right to register, the Customer may be separately requested to consent to the analysis of provided information and customer behavior for marketing purposes (such as direct marketing by email or similar online, postal, or telemarketing).

Consequences of not providing information

If the controller does not receive the information referred to in points a), b), and c), a customer relationship cannot be initiated or continued, or other agreements entered into, or participation in legal transactions with the Customer. If sufficient information to identify visitors is not obtained during a property viewing, the viewing for the visitor may not be possible.

Purpose of data usage

The information in the Customer Register may be used for the following main purposes:

– managing and developing customer relationships

– providing, offering, developing, improving, and protecting services

– billing, collection, and verification of customer transactions

– targeted advertising

– analysis and statistics related to services

– customer communication, marketing, and advertising

– targeting marketing and advertising content (e.g., by email) based on customer provided information and behavior

– protecting the rights and/or property of the controller and other parties involved in assignments

– fulfilling the legal obligations of the controller, and

– other similar purposes.

DATA CONTENT OF THE CUSTOMER REGISTER / WHAT INFORMATION DOES BO COLLECT?

Bo processes information in Assignments, in the registry information concerning anti-money laundering, and in the customer contact list.

The following information may be processed in the Assignments :

– Customer’s basic information, such as full name, address, language, nationality, travel document details

– personal identification number and potentially business identification number for a person acting on behalf of a company for reliable identification

– information related to invoicing and collection

– information related to customer relationship and contractual relationship, such as services offered to the customer, their usage date, initial reservation agreement, its acceptance, date of conclusion of lease or sale agreements (PPC, escritura pública), property information, brokerage fee, seller information and other similar information

– permission and prohibition data, such as direct marketing permissions and prohibitions

– interests and other information provided by the Customer

– other transaction information related to services

– complaints and their processing information

– tenant credit information and other financial information for assessing rental payment capability.

The registry information concerning anti-money laundering may process or may process the following customer-related information:

– name, date of birth, and personal identification number

– representative’s name, date of birth, and personal identification number

– complete name of the legal person, registration number, registration date, and registering authority

– complete names, dates of birth, and nationalities of members of the board of directors or equivalent decision-making body of the legal person

– business sector of the legal person

– names, dates of birth, and personal identification numbers of actual beneficiaries

– name of the document used for identification, document number, or other identification information and issuer of the document

– document, or if the customer has been identified remotely, information about the identification procedure or sources used for identification

– information about the customer’s activities, nature, and scope of business, financial position, reasons for using the service or transaction, information about the origin of assets, and other necessary information obtained for knowing the customer as required by Section 4(1) of the Anti-Money Laundering Act

– information related to the investigation of the origin of funds according to Section 4(3) of the AML Act and necessary information obtained to fulfill the obligation of enhanced due diligence related to politically exposed persons according to Section 13 of the AML Act

– for foreign customers without a Finnish personal identification number, information about the customer’s nationality and travel document details.

The customer contact list may process or may process the following customer-related information:

– Name, address, nationality

– purpose of contact and interests of the customer

– information about contacting the customer and the time of contact, as well as follow-up actions.

DATA RETENTION PERIOD

Information in the Assignment Diary is retained for ten (10) years from the end of the assignment.

Information according to the AML Act is retained for five (5) years, unless the continued retention of this information is necessary for the prevention of crime, ongoing legal proceedings, or to protect the rights of the controller or its employees. The need for further retention of data and documents is reviewed at least every five (5) years.

Information on the customer contact list is retained for two (2) years.

In addition to the foregoing, information may be retained and used if the customer has consented to this for marketing purposes, or if otherwise provided for by law.

Other customer data will be removed, when it is no longer necessary to retain data. In case the retention has solely been based on customer consent, will the personal data be removed upon request.

REGULAR DATA SOURCES / WHERE DOES BO COLLECT INFORMATION?

Personal data is collected from the customer themselves in connection with the assignment agreement, purchase or rental offer, and other assignment-related events, fulfilling the due diligence obligations, and drafting documents, when using the controller’s services otherwise, or directly from the customer, for example, in property and target presentations, contact forms on the controller’s website, as well as customer satisfaction surveys and competitions. Personal data may also be collected and updated, for example, from official registers.

Consent-based information is collected directly from the customer or with their consent from registers or sources maintained by authorities or third parties.

DATA DISCLOSURE / WHERE CAN BO PROVIDE YOUR INFORMATION?

The controller may disclose personal data within the limits permitted and required by applicable law, and to fulfill the agreement between the parties or when a relevant connection exists.

Personal data may be disclosed, for example, to authorities, in connection with transactions and at various stages of the assignment, to the parties’ legal advisors.

Information is not routinely transferred outside the European Union or the European Economic Area. However, data may be transferred or disclosed outside the European Union or the European Economic Area in accordance with the law, if the data is transferred to a country where the European Commission has deemed the level of data protection to be adequate, or through contractual arrangements ensuring an adequate level of data protection. Temporary transfers outside the EU may also occur in connection with the use of various cloud services, such as OneDrive, iCloud, or Dropbox.

Information is disclosed to authorities in cases required by law.

In connection with the outsourcing of the controller’s information management, the processing of personal data may also be carried out by subcontractors on behalf of the controller, but only on behalf of the controller. Such subcontractors may include, for example, providers of real estate agency systems and marketing systems, as well as entities maintaining housing sales advertisement portals and companies conducting customer satisfaction surveys. Subcontractors of Bo companies include Inmoba Networks SL (real estate software Inmobalia), privacy policy https://www.inmoba.com/legal; real estate property portal Resales Online, privacy policy https://www.resales-online.com/en/privacy-policy.html; real estate property portal Kyero, privacy policy https://www.kyero.com/en/docs/privacy/; real estate property portal Idealista, privacy policy (in English): https://www.idealista.com/ayuda/articulos/privacy-policy/?lang=en

PRINCIPLES OF REGISTER PROTECTION / HOW DOES BO PROTECT YOUR PERSONAL DATA?

Access to the register requires a permission granted by the main user of the Customer Register. Only those employees of the controller and subcontractors who require access to the data for the performance of their work-related tasks have access to the data. The data is collected in databases protected by firewalls, passwords, and other technical means. The databases are located in locked and guarded premises, and only certain predefined individuals have access to the data. Customer data is stored electronically. If personal data containing personal identification numbers is transferred from Bo, for example, by email, it is done securely.

Insofar as personal data is processed by a subcontractor on behalf of the controller, agreements between the controller and the subcontractor ensure that appropriate security measures are in place and that the processing of personal data complies with data protection legislation.

CUSTOMER RIGHTS / HOW CAN YOU ACT TO ENSURE THE LEGALITY OF PROCESSING?

9.1 Examination, Access, and Transfer of Data

The customer has the right to examine what information concerning them is stored in the Customer Register. The customer must submit a request for inspection to the controller in writing in person in a handwritten format or in an equivalent authenticated document, or by email.

Notwithstanding the above, the customer does not have the right to inspect information obtained to fulfill the notification or due diligence obligations under the Anti-Money Laundering Act (Section

4:3). However, upon the customer’s request, the Data Protection Supervisor may inspect the legality of the processing of this information.

The controller shall provide the aforementioned information to the customer within 30 days of the request for inspection.

The customer has the right to receive the customer information they have provided themselves transferred to a third party in a structured and commonly used machine-readable format. However, the controller retains the transferred information in accordance with this privacy notice.

9.2 Correction of Incorrect Information

The customer has the right to correct information concerning themselves stored in the personal register to the extent that it is incorrect.

9.3 Opposition to or Restriction of Data Processing and Data Deletion

The customer has the right to object to the processing of data concerning themselves for direct marketing, distance selling, and other direct marketing, as well as market and opinion research and business development by the controller, and to restrict the processing of data concerning themselves, and the right to have their registered personal data stored for the aforementioned purpose deleted, even if there is otherwise a basis for processing the data.

9.4 Withdrawal of Consent

If the information in the register is based on the customer’s consent, the consent can be withdrawn at any time by notifying the representative of the controller mentioned in this notice. Upon request, all data that is not required to be retained or cannot be retained based on a law or other grounds mentioned in this privacy notice will be deleted.

9.5 Procedure for Exercising Rights

A request for inspection, correction, or other request can be made by contacting the controller’s customer service using the contact details provided in this notice.

9.6 Disputes

The customer has the right to bring the matter to the attention of the Data Protection Supervisor if the controller does not comply with the customer’s request for correction or other request.

PROFILING AND AUTOMATED DECISION-MAKING

The controller does not engage in profiling or use automated decision-making based on personal data concerning the customer.