Personal Data Protection Policy
Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation), and the Act on the Implementation of the General Data Protection Regulation (Official Gazette 42/18), the company Roel Real Estate d.o.o., Ulica Frana Bošnjakovića 6, 10000 Zagreb, Croatia, OIB: 83280759774, represented by Director Dina Ajel, on 10 September 2025 adopts the following:
PERSONAL DATA PROTECTION POLICY
I GENERAL PROVISIONS
Article 1
1.1. In the process of personal data processing and the protection of individuals with regard to the processing of personal data and the rules related to the free movement of personal data, the company Roel Real Estate d.o.o. (hereinafter: the Agency) is obliged to apply the General Data Protection Regulation (EU) 2016/679 (hereinafter: the GDPR) and the Act on the Implementation of the General Data Protection Regulation (hereinafter: the Implementation Act).
1.2. Prior to entering into contractual relations, during their duration, and after their termination, the Agency is obliged to process certain data of the data subject/client for the purpose of reporting required by competent supervisory authorities and public institutions.
1.3. In accordance with the above, and for the purpose of responsible business operations of the Agency, there is a legitimate interest in processing certain personal data. The collected data is used exclusively for real estate brokerage services (sale/rent/lease).
1.4. In accordance with Art. 4(7) of the GDPR, the Agency is the controller of personal data processing.
Article 2
2.1. In accordance with the valid Anti-Money Laundering and Counter-Terrorist Financing Act, which also applies to the Agency, the collected personal data may be used for conducting due diligence and identifying the ultimate beneficial owner of the client, as well as for determining whether the data subject/client is a politically exposed person (which requires copies of identification documents, extracts from public registers, information on the origin of funds, and transaction confirmations).
2.2. This verification may concern the identity of the data subject/client, the identity of authorized representatives/proxies, ultimate beneficial owners, and includes an assessment of the nature of the business relationship being established, determining the origin of funds, as well as continuous monitoring of the business relationship if a high risk of money laundering or terrorist financing has been assessed.
Article 3
3.1. Certain terms and expressions used in this Policy, in accordance with the GDPR and the Implementation Act, have the following meaning:
Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Processing means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Lawfulness of processing – processing shall be lawful only if and to the extent that at least one of the following applies: the data subject has given consent to the processing of his or her personal data; processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; processing is necessary for compliance with a legal obligation to which the controller is subject; processing is necessary in order to protect the vital interests of the data subject or of another natural person; processing is necessary for the performance of a task carried out in the public interest; processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; the controller is Roel Real Estate d.o.o.
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Data subject/client means an individual to whom personal data relate, and whose identity can be identified or has been identified during the business process.
Identification data – full name, date, place and country of birth, address, nationality, OIB (personal identification number), identification document (type, number, date of issue, issuing authority).
Proof of identity – a copy of an identity card or passport.
Contact details – phone number, mobile phone, e-mail.
Contractual data – data concerning brokerage services, data relating to purchase/sale/rent/lease, contract date.
Financial data – bank account number (IBAN) for concluding purchase agreements and rental/lease agreements, origin of funds only in exceptional circumstances prescribed by the Anti-Money Laundering and Counter-Terrorist Financing Act.
Creditworthiness data – credit rating data and other data necessary for obtaining loans.
Real estate data – name of the cadastral municipality, land registry file and sub-file number, cadastral parcel number, owner, property address, location, building and occupancy permit, cadastral plan, extract from the land register, extract from the register of deposited contracts, possession list.
Accounting data – legally required invoice elements, and records of payments made in accordance with applicable accounting regulations.
Filing system means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
II PROCESSING OF PERSONAL DATA
Article 4
4.1. The data of the data subject/client are processed in accordance with applicable regulations (the GDPR, the Implementation Act), whether the business cooperation with the Agency is in the capacity of a buyer / seller / landlord / tenant / lessor / lessee, an authorized representative/proxy, and include, but are not limited to, cases of personal data provided in any request submitted in writing, orally or electronically, in a beneficial ownership document, business entity document, or purchase agreement.
4.2. The Agency processes the personal data of natural persons lawfully, fairly, and transparently. Only adequate and relevant personal data are processed, and solely for specific, explicit, and lawful purposes, and are not further processed in a manner incompatible with those purposes.
4.3. The personal data processed by the Agency are accurate and are updated as necessary. Personal data that are inaccurate are deleted or corrected without delay.
4.4. The Agency processes personal data exclusively in a way that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing, and against accidental loss, destruction, or damage, by applying appropriate technical and organizational measures.
4.5. The Agency retains personal data only for as long as necessary for the purposes for which the personal data are processed, and subsidiarily in accordance with specific legal regulations binding upon the Agency. Exceptionally, personal data may be stored for longer periods, but only if they will be processed exclusively for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes.
Article 5
5.1. Any further processing of data, on the stated grounds, is permitted only for purposes that are compatible with the original purpose of data collection, namely actions and procedures related to the purchase and sale of real estate, the rental or lease of real estate, or procedures related to seeking real estate for a client (data subject) for purchase/rent/lease. In such cases, no separate legal basis for processing is required, as such processing constitutes a lawful basis for further processing.
Article 6
6.1. Pursuant to the GDPR and the Implementation Act, the controller keeps a record of processing activities for which it is responsible. This record contains the following information:
- Name and contact details of the controller
- Purpose of processing
- Categories of data subjects and categories of personal data
- Categories of recipients to whom personal data have been or will be disclosed
- Transfers of personal data to third countries, if applicable
- Intended time limits for erasure, if applicable
- Technical and organizational measures for the protection of personal data
Article 7
6.1. Pursuant to the GDPR and the Implementation Act, the Agency keeps records of personal data processing activities, establishes and maintains records containing basic information on the filing system, according to the following categories (if applicable to the individual category):
Name of the filing system – records of personal data processing activities, namely:
- Filing system “Record of personal data processing activities – purchase/sale – natural persons selling real estate”
- Filing system “Record of personal data processing activities – purchase/sale – natural persons seeking real estate”
- Filing system “Record of personal data processing activities – rent/lease – natural persons owning real estate rented/leased out”
- Filing system “Record of personal data processing activities – rent/lease – natural persons seeking real estate”
Name of the filing system – records of personal data processing activities, namely:
- Filing system “Record of personal data processing activities – purchase/sale – legal persons selling real estate”
- Filing system “Record of personal data processing activities – purchase/sale – legal persons seeking real estate”
- Filing system “Record of personal data processing activities – rent/lease – legal persons owning real estate rented/leased out”
- Filing system “Record of personal data processing activities – rent/lease – legal persons seeking real estate”
- Name of the filing system: “Record of personal data processing activities – Agency employees” (if applicable)
6.2. Filing systems may be added, modified, and deleted depending on business needs.
III CATEGORIES OF DATA SUBJECTS
Article 8.
8.1. The personal data collection applies to all clients who are in a business relationship with the Agency, namely to all sellers, landlords and lessors of real estate as well as buyers, tenants and lessees thereof.
8.2. Additionally, if applicable, a special collection of personal data also applies to all employees of the Agency.
IV TYPES OF DATA CONTAINED IN THE DATA COLLECTIONS
Article 9.
9.1. The collections contain the following types of data:
1. DATA ABOUT A LEGAL ENTITY OR AN EQUIVALENT SUBJECT
1.1. Name / company
1.2. Legal form
1.3. Registered office/business address (street and number)
1.4. City
1.5. Country
1.6. Identification number
1.7. Financial data – bank account number
1.8. Data about the authorized representative (name, surname, address, identification number, contact details – email, mobile/phone number)
1.9. Data about the property (city, address, cadastral plot no., land registry file no., cadastral municipality, land registry department, competent court, land registry extract, cadastre extract, etc.)
2. DATA ABOUT A NATURAL PERSON
2.1. Name and surname
2.2. Residence/usual address (street and number)
2.3. Place of residence/usual address
2.4. Country of residence/usual address
2.5. Citizenship
2.6. Identification number
2.7. Date of birth
2.8. Place and country of birth
2.9. Identification document (type, number, date of issue and issuing authority)
2.10. Whether the client is a politically exposed person (YES / NO)
2.11. Financial data – bank account number
2.12. Contact details – email, mobile/phone number
2.13. Data about the property (city, address, cadastral plot no., land registry file no., cadastral municipality, land registry department, competent court, land registry extract, cadastre extract, etc.)
3. DATA ABOUT THE INTENDED NATURE OF THE BUSINESS RELATIONSHIP OR TRANSACTION
3.1. Type of business relationship
3.2. Purpose of the business relationship
3.3. Type of transaction (cash, non-cash, etc.)
4. ADDITION FOR ENHANCED DUE DILIGENCE (if applicable)
4.1. If the client is a politically exposed person
4.1.1. Data on the source of funds and assets that are or will be the subject of the business relationship or transaction
4.2. If the client is not present when establishing the business relationship
4.2.1. Additional documents, data or information based on which the client’s identity has been verified
V PURPOSE OF DATA PROCESSING
Article 10.
10.1. Personal data are collected for the purpose of fulfilling the Agency’s legal obligations, i.e. the processing of personal data by the Agency is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract, namely for the performance of a brokerage agreement in the purchase/sale/rent/lease of real estate, whether the data subject appears as the owner of the property to be sold, rented or leased out, or as a client seeking a property to purchase, rent or lease.
VI LEGAL BASIS FOR ESTABLISHING THE DATA COLLECTION
Article 11.
11.1. The legal basis for establishing the personal data collection primarily arises from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation), and the Act on the Implementation of the General Data Protection Regulation (NN 42/18), and furthermore from the Anti-Money Laundering and Terrorist Financing Act, the Real Estate Brokerage Act, the Real Estate Transfer Tax Act, the Real Estate Valuation Act, the Land Registry Act, the Ownership and Other Real Rights Act, the Construction Act, the Apartment Lease Act, the Housing Loans Subsidy Act, and the Civil Obligations Act.
VII PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
Article 12.
12.1. The Agency does not process special categories of personal data.
VIII RIGHTS OF THE DATA SUBJECT / CLIENT
Article 13.
13.1. In the process of personal data processing, the Agency shall provide the data subject with all information related to the processing of their personal data, in an appropriate manner (in writing or directly verbally), in particular about the purpose of data processing, the legal basis for processing, the Agency’s legitimate interests, the intention to disclose personal data to third parties, the period in which personal data will be stored, the existence of the right of the data subject to access personal data and to rectification or erasure of personal data and restriction of processing, the right to object, etc.
13.2. With regard to the processing of personal data, data subjects/clients may exercise the following rights:
Right of access – Data subjects/clients may request confirmation from the Agency whether their personal data are being processed and to what extent, provided that the identity of the data subject/client is unquestionably established by checking a photo ID.
Right to rectification – If incomplete or inaccurate personal data are processed, their correction or supplementation may be requested at any time by the data subject/client, by providing an additional statement and provided that their identity is unquestionably established by checking a photo ID.
Right to erasure – Data shall be erased if the data subject/client proves that the reasons for which the personal data are being processed are no longer permissible or necessary considering the purpose for which they were collected, or if the data subject/client withdraws their consent.
Right to restriction of processing – The restriction of processing does not apply to: storage of personal data, or if personal data are necessary for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person. The data subject/client may request the temporary blocking of personal data processing if they dispute the accuracy of such data. During the period of restricted processing, until the restriction is lifted, the data concerned may be processed only based on the consent of the data subject/client.
Right to withdraw consent – The data subject/client has the right to withdraw the consent given for the collection and processing of their personal data at any time, in writing, provided that their identity is unquestionably established by checking a photo ID.
Right to lodge a complaint – The data subject/client has the right at any time to file a written complaint, stating the reasons, and the Agency is obliged to inform the data subject/client whether specific interests, rights, and freedoms of the data subject/client have been violated.
Right to lodge a complaint with a supervisory authority – Complaints by the data subject/client are submitted to the Croatian Personal Data Protection Agency (hereinafter: AZOP), or to a supervisory authority within the EU.
13.3. The Agency is obliged to act on the request submitted by the data subject/client, their legal representative, or proxy no later than 30 days from the date of the request.
IX STORAGE SYSTEM
Article 14.
14.1. The Agency’s statutory obligations also include the obligation to archive the documentation of the data subject/client, as well as to properly store the data in secure processing systems in order to fulfill the statutory obligations for archiving and data storage.
X DATA CONTROLLER
Article 15.
15.1. The Data Controller is obliged to ensure the protection of personal data in a fair and lawful manner so that their protection/confidentiality is guaranteed, which means that personal data are processed for a specific and lawful purpose, with the existence of a legal basis prescribed by the Personal Data Protection Act.
Article 16.
16.1. Prior to collecting personal data, the Data Controller is obliged to inform the data subjects/clients of their identity, the purpose of processing personal data, and the legal basis for processing personal data.
Article 17.
17.1. At the request of the data subject/client, or their legal representative/authorized person, the Data Controller is obliged to enable the exercise of the right to access the use of their personal data or the right to rectify inaccurate data.
Article 18.
18.1. The Data Controller shall take appropriate technical, personnel, and organizational measures to protect personal data from unauthorized access and possible misuse.
Article 19.
19.1. The Data Controller shall act in accordance with the instructions of the Croatian Personal Data Protection Agency (AZOP) as the supervisory authority in the field of personal data protection, and shall enable AZOP to access all personal data files and other documentation, as well as data processing tools.
Article 20.
20.1. The Data Controller shall establish Records of personal data files it maintains and, if necessary, submit such Records to the central register kept by the Croatian Personal Data Protection Agency. Records of personal data processing activities are classified into categories described in Article 7 of this Policy, totaling 8 categories.
Article 21.
21.1. By means of an internal Decision, the Data Controller may appoint a Data Protection Officer, if applicable and if the need arises.
XI RETENTION PERIOD OF DATA
Article 22.
22.1. All data of the data subject/client, on the basis of which identification can be made, shall be stored for a limited period of time, i.e., in accordance with special regulations applicable to the Agency. If necessary, the data shall be anonymized after the purpose ceases, and permanently deleted in accordance with statutory regulations. Personal data collected on the basis of consent shall be deleted at the moment of withdrawal of such consent, except where another legal basis for processing exists.
XII MEASURES FOR THE PROTECTION OF PERSONAL DATA
Article 23.
23.1. Personal data processed by the Agency are appropriately protected from accidental or intentional misuse, unauthorized alteration or access, and technical, personnel, and organizational measures have been taken to protect personal data.
23.2. Persons responsible for the processing of personal data are accountable for protecting personal data from accidental loss or destruction, from unauthorized access or unauthorized alteration, unauthorized disclosure, and any other misuse.
Article 24.
24.1. Technical measures for the protection of personal data include:
- the computer and the assigned email address in the Agency are used exclusively for official purposes
- if more than one agent is employed in the Agency, each agent has their own login password for the PC
- all documents, upon expiry of the period or purpose, are destroyed physically or with a shredder
- all data in written form are stored in binders, in locked cabinets
- any subcontractors and employees are obliged to keep the passwords they use in their work safe from unauthorized access
- any subcontractors and employees are familiar with the internal Personal Data Protection Policy, with a signed Confidentiality Statement
- any external associates of the Agency (e.g. lawyers, appraisers, court experts, etc.) are and will be acquainted with the internal Personal Data Protection Policy, and with the need to permanently treat the provided data as confidential, with a signed Confidentiality Statement
Article 25.
25.1. Organizational measures for the protection of personal data include:
- creation of records of processing activities regarding personal data files (records of personal data, as specified in Art. 7 of this Policy)
- defining information provided to the data subject,
- drafting of an internal Personal Data Protection Policy,
- drafting of a Confidentiality Statement for employees and subcontractors, as well as for other possible associates of the Agency
- where applicable, drafting of a Non-Disclosure Agreement
- drafting of an online Privacy Policy
Article 26.
26.1. Personnel measures for the protection of personal data include (if applicable):
- access to data is granted only to authorized persons employed by the Data Controller, or subcontractors, depending on the type of work they perform (with the appropriate Confidentiality Statement)
- authorized persons have different levels of access to processing, depending on the type of work they perform, i.e., the amount of data they enter into the application
- the Data Controller has access to advertising on the website
XIII REPORTING IN CASE OF PERSONAL DATA BREACH
Article 27.
27.1. The Data Controller shall, without undue delay and no later than 72 hours after becoming aware of a personal data breach, notify the supervisory authority (AZOP) of the breach of personal data, unless it is unlikely that the breach will result in a risk to the rights and freedoms of the individual.
Article 28.
28.1. In the event of a delay in reporting within 72 hours, it is necessary to:
- describe the nature of the personal data breach;
- state the name and contact details of the Data Controller;
- describe the possible consequences of the personal data breach;
- describe the measures taken by the Data Controller to resolve the personal data breach.
Article 29.
29.1. In the event of a personal data breach, the Data Controller shall, without undue delay, notify the data subject/client of the breach of personal data. The notification shall state the nature of the personal data breach in clear and plain language.
XIV PROCEDURE IN CASE OF PERSONAL DATA PROCESSING BREACH
Article 30.
30.1. In the event of a personal data processing breach, it is necessary to:
- verify the purpose and scope of personal data collection
- verify the source from which the personal data were processed
- inform the data subject/client in writing about the breach of their personal data
- the Data Controller shall report the breach to the supervisory authority (AZOP) in writing
XV FINAL PROVISIONS
Article 31.
31.1. This Policy is harmonized with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) (OJ L 119, 4.5.2016), as well as with the Act on the Implementation of the General Data Protection Regulation (Official Gazette 42/18), and entered into force on the date of its adoption, from which date it shall apply.
Roel Real Estate d.o.o.
represented by Director Dina Ajel