CLIENT PRIVACY POLICY OF PORT ONE

01. January 2022

1. Application of Privacy Policy

1.1 This Client Privacy Policy (hereinafter referred to as the Privacy Policy) applies to all cases where
Osaühing Port One (hereinafter referred to as Port1) as the responsible data controller processes
the personal data listed in clause 3.3 of its existing or future clients (hereinafter referred to
as the Data Subject) when concluding client contracts and during the provision of services. By
entering into a client contract, the client gives Port1 their consent for the collection and
processing of the personal data given by the client to Port1 by contract, e-mail and verbally.
1.2 The Privacy Policy is effective from the date indicated above. Port1 reserves the right to
unilaterally modify and amend the Privacy Policy. The Data Subjects are notified regarding
amendments to the Privacy Policy via e-mail or in any other manner.
1.3 Personal data protection and the privacy of Data Subjects are important to Port1. Port1 asks all
Data Subjects to carefully read this Privacy Policy.
1.4 By signing the Client Contract, the Data Subject confirms that they have read this Privacy Policy.

2. Controller and processor

2.1. The controller of the personal data of the Data Subjects is Osaühing Port One, registration code
10640605, address Siduri 3, Kesklinn, 11313 Tallinn, Harju County.
2.2. Port1 can be contacted in all matters related to the Privacy Policy and personal data processing
by e-mailing a query to the address info@port1.ee.
2.3. To the extent where the Data Subject provides Port1 with personal data (e.g. 3.2(d)), the Data
Subject is the data controller and Port1 is the data processor.
2.4. When visiting the websites of the cooperation partners of Port1, we recommend that you also
read the privacy policies of these other websites.

3. Purposes of personal data processing and processed personal data

3.1. Port1 processes personal data for the purposes and to the extent of service provision and in the
manner necessary to provide the service.
3.2. Port1 processes the personal data of the Data Subject for the following purposes:
(a) to identify the client when entering into client contracts;
(b) to identify beneficial owners;
(c) to issue loyalty cards at the Port One office;
(d) to prepare French minimum wage statements;
(e) for day-to-day communication with the client;
(f) to prevent money laundering and financing of terrorism;
(g) for technical purposes, e.g. to ensure the stability and security of the use of the Port1
website and to collect information in which the client has expressed an interest on the
website (cookies).
3.3. Port1 may collect and process the following personal data:
(a) for the purposes provided for in point 3.2(a): the first name and surname, personal
identification code, residential address, e-mail address, telephone number, details of identity
document and a copy of the identification document of management board members;
(b) for the purposes set out in point 3.2(b): first name and surname, date of birth/personal
identification code, place of residence, identity document details and a copy of the
identification document of the beneficial owners, data of politically exposed persons (first
name and surname, profession, represented country, country of residence);
(c) for the purposes set out in point 3.2(c): the first name and surname of the person who came
to collect the loyalty card, a copy of the identification document;
(d) for the purposes set out in point 3.2(d): first name and surname, nationality, place of birth,
date of birth, place of residence, date of conclusion of employment contract, qualifications,
gross hourly wage during the period of employment in France of the Data Subject’s
employee(s);
(e) for the purposes set out in point 3.2(e): data obtained as a result of ordinary communication
with the Data Subject, such as the first name and surname, e-mail address, telephone
number of the Data Subject’s employee(s);
(f) for the purposes set out in point 3.2(f): in the case of higher risk factors, information on
origin of income and assets;
(g) for the purposes of point 3.2(g): the IP address of the person who visited the website.
3.4. Port1 collects the personal data specified in clause 3.3 directly from the Data Subject
themselves, in the course of provision of the service or from public registers. The submission of
the personal data required from the Data Subject to Port1 is to a certain extent necessary for
entering into and performance of the contract entered into with the Data Subject. Failure to
provide personal data means that a contract will not be concluded with the Data Subject.
3.5. Port1 does not knowingly collect personally identifiable information from anyone under the age
of 18.
3.6. Port1 processes the personal data of the Data Subjects in Estonia, including when data are
transmitted from foreign servers.

4. Legal grounds for personal data processing

4.1. Port1 processes the personal data of the Data Subject:
(a) for the performance of the contract entered into with the Data Subject;
(b) for the performance of obligations arising from law;
(c) due to legitimate interest.

5. Transmission of personal data to third parties

5.1. Port1 only forwards the personal data of the Data Subject if it is necessary for the achievement
of any of the objectives specified above. Port1 only transfers personal data to the following third
parties (including partners outside the Republic of Estonia):
(a) to companies in the same group as Port1 to the extent necessary to perform or secure a
contract entered into with the Data Subject – for example, State Port Group UAB and Port
One Polska Sp.z.o.o. (located in Poland and Lithuania), or to DKV Mobility Group;
(b) to partners to the extent that it is necessary for the provision of services to the Data Subject.
The list of partners is available online at www.port1.ee.
(c) to service providers who provide professional advisory services to Port1 (e.g. law firms,
auditors, accountants, consultants);
(d) to service providers that provide Port1 with IT support and cloud services (where the data of
Port1 are stored) – e.g. Tautar OÜ, G-Mail, Google LLC and Dropbox (Dropbox, Inc., Dropbox
International Unlimited Company). The model clauses adopted by the European Commission
are applied to the transmission of data to Google and Dropbox. The data transmitted to
Google are only stored on servers located in the European Union;
(e) to cloud server service providers to the extent that Port1 uses such service providers to
securely store data (for example – Dropbox (Dropbox, Inc., Dropbox International Unlimited
Company)). The model clauses adopted by the European Commission are applied to the
transmission of personal data to Dropbox. The Data Subject has the right to request from
Port1 a full list of the cloud service providers to which Port1 transmits personal data.
(f) to the Financial Intelligence Unit in the event of suspicion of money laundering and financing
of terrorism. Port1 is obliged to notify the Financial Intelligence Unit of any new potential
clients with whom a business relationship is established or any transaction or attempted
transaction where Port1 suspects that the transaction may involve a party or be related to
money laundering or financing of terrorism;
(g) to the public authorities of the European Community, Norway and the United Kingdom to
the extent necessary for the provision of services to the Data Subjects.
5.2. All of the above third parties ensure the protection of personal data as provided for in the
legislation governing the protection of personal data.
5.3. The Data Subject hereby grants Port1 general permission to engage additional sub-processors at
its discretion. In the event that Port1 wishes to add a sub-processor, Port1 will inform the Data
Subject thereof in writing. The Data Subject has the right to object to the new sub-processor
within two weeks of the notification. In the event of an objection, the Parties enter into
negotiations to add a new sub-processor. In the event that Port1 wants to add a new sub-processor
and the Data Subject maintains its objection, the Data Subject must cease to provide
personal data to Port1 and both Parties have the right to cancel the service agreement by giving
the other Party written notice thereof 14 days in advance.
5.4. Port1 has entered into and will enter into contracts with new sub-processors that provide
adequate guarantees that appropriate technical and organisational measures are implemented
to ensure the compliance of personal data processing with the legislation governing the
protection of personal data. If a sub-processor fails to comply with its data protection
obligations, Port1 will be liable to the Client for the performance of the sub-processor’s
obligations.
5.5. In addition to the aforementioned parties, Port1 also has the right to disclose the Data Subject’s
personal data to third parties in cases provided for by law.

6. Retention of personal data

6.1. Port1 processes the personal data of a Data Subject only for as long as it is necessary for the
purposes for which the data are processed. The personal data of the Data Subject will be
retained in accordance with the legal requirements. In a situation where the objective has been
achieved and the retention period has expired, the personal data of the Data Subject are erased
or made anonymous.
6.2. The personal data of the Data Subject will be retained as follows:
(a) Port1 will retain personal data until the termination of the service contract or until the Data
Subject submits a request to Port1 to cease personal data processing (unless the retention of
the personal data is mandatory under applicable law);
(b) the data required for the performance of contractual obligations are retained for up to three
years after the termination of the legal relationship;
(c) the accounting source documents containing personal data are retained for seven years as of
the end of the financial year to which they pertain;
(d) the original anti-money laundering and counter-terrorist financing data will be retained for
five years after the termination of the legal relationship;
(e) the data received from the website (e.g. IP address) are retained for up to 18 months as of
the collection of the data with cookies (the date of visiting the website).

7. Rights of Data Subject upon personal data processing

7.1. The Data Subject has the right to e-mail the respective unattested and free-format request to
Port1 at info@port1.ee in order to:
(a) request access to personal data relating to the Data Subject;
(b) request rectification of personal data;
(c) request erasure of personal data;
(d) restrict the processing of personal data;
(e) object to the processing of personal data;
(f) request transfer of personal data;
(g) request that no decision based on automated processing is taken in relation to the Data
Subject;
(h) withdraw the consent to personal data processing;
(i) lodge a complaint with a supervisory authority (the Data Protection Inspectorate).

8. Privacy policy principles of Port1

8.1. Port1 represents and warrants that:
(a) Port1 processes personal data only on behalf of the Data Subject and in accordance with its
instructions and the Privacy Policy, incl. in connection with the transfer of personal data to a
third country or an international organisation, unless Port1 is required to do so under
applicable laws. In such case, Port1 shall inform the Data Subject of this legal requirement
before personal data processing, unless such notification is prohibited by applicable law due
to material public interest (e.g. in the case of prevention of money laundering and financing
of terrorism);
(b) in the event that Port1 is unable to ensure personal data processing in accordance with point
8.1(a), Port1 will notify the Data Subject thereof, in which case the Data Subject will have the
right to suspend the provision of personal data and the Data Subject and/or Port1 will have
the right to unilaterally terminate the service agreement by giving the other Party written
notice thereof 14 days in advance;
(c) there are no circumstances that prevent or preclude the capability of Port1 to comply with
the instructions received from the Data Subject and the obligations of Port1 arising from this
Privacy Policy;
(d) Port1 ensures that the persons authorised to process personal data are required to comply
with the confidentiality requirement;
(e) Port1 takes all measures required under Article 32 of the General Data Protection
Regulation (GDPR) and Port1 has implemented technical and organisational security
measures to protect personal data against accidental or unlawful destruction or accidental
loss, alteration, unauthorised disclosure or access, in particular where processing involves
the transmission of personal data over a network, and against all other unlawful forms of
processing;
(f) Port1 will promptly notify the Data Subject of the following:
i. the legally binding requests for disclosure of personal data by law enforcement
authorities;
ii. cases of accidental and unauthorised access; and
iii. requests received directly from data subjects;
(g) considering the nature of personal data processing, Port1 helps the Data Subject, where
possible, with the appropriate technical and organisational measures to comply with the
Data Subject’s obligation to comply with the lawful requirements of a data subject set out in
the GDPR;
(h) Port1 will assist the Data Subject in complying with the obligations set out in the GDPR,
taking into account the nature of the processing and the information available to Port1;
(i) Port1 will make available to the Data Subject all information necessary to demonstrate
compliance with the obligations laid down in the GDPR and shall allow, at the Data Subject’s
request, an audit of its own means, procedures and place of personal data processing, which
will be organised by the Data Subject or by a checking authority chosen by the Data Subject,
where necessary, such choice having been agreed with the supervisory authority. Such
checking authority shall consist of independent members who have the required professional
skills and who are bound by the confidentiality obligation. The costs of the audit are paid by
the Data Subject. Port1 will inform the Data Subject immediately if it finds that the Data
Subject’s instructions given in relation to this clause conflict with applicable law;
(j) Port1 will deal promptly and correctly with all information requests from the Data Subject
relating to personal data processing and will comply with the supervisory authority’s advice
on the processing of personal data to be transmitted.

9. Right to file a complaint

The Data Subject also has the right to turn to the supervisory authority of the Member State in
which they are located, resident or where the alleged infringement took place.
The supervisory authority of Port One in respect of data protection is: the Data Protection
Inspectorate (telephone: 627 4135; e-mail: info@aki.ee).