The following privacy policy is applicable in the course of Inovalis REIT’s activities relating to the processing of your personal data.

Inovalis REIT endeavors to ensure the protection, confidentiality and security of personal data it collects or processes, in accordance with the provisions of the European General Data Protection Regulation (“GDPR”).

 

Reasons we collect and use your personal data include the following purposes (the “identified purposes”):

• providing you with the services you have requested (for example, information for which you have subscribed);

• researching, developing, managing, protecting and improving our services, including conducting surveys that provide us with feedback on our service standards;

• conducting market research and/or providing tailored messages and interest based advertisements;

• tracking website usage, transaction history and patterns, monitoring use of web based digital platforms while on our properties (for example, WiFi hotspots);

• maintaining appropriate business records;

• facilitating business transactions, including evaluating, effecting, monitoring and managing investments;

• responding to your inquiries;

• facilitating safety and security;

• performing functions required or authorized by law; and

• for any other purpose to which you consent.

 

While we strive to be transparent in our collection, use and disclosure of personal data, consent will not always be directly obtained.

However, we will only collect and use your personal data as reasonably necessary for the identified purposes, and only do so where there is a lawful basis. Sometimes this will be on the basis of consent. At other times it will be on the basis of a contractual obligation, legal obligation, our legitimate interests or vital interests, but in each case only to the extent necessary to fulfill that obligation or interest.

 

Where we do obtain your consent, subject to legal requirements, it can be withdrawn for Inovalis REIT’s collection, use or disclosure of your personal data by notifying our Privacy Officer in writing. If you withdraw your consent, this does not affect the lawfulness of any processing that we carried out prior to that withdrawal. Once we have received notification that you have withdrawn your consent, we will no longer process your personal data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

 

We have set out below further information on our collection, use and disclosure of personal data. Whenever we collect, use and disclose your personal data, there is a lawful basis for doing so.

 

Personal data collected are stored on our servers located in the European Union. Your personal data may be transferred to, and stored at, a destination within or outside of this area. When such transfer takes place, it may also be processed by staff operating outside of the jurisdiction who work for us or for one of our service providers. When this transfer takes place, personal data may be subject to the laws of those other jurisdictions, and in certain circumstances, the courts, law enforcement agencies, regulatory agencies or security authorities in those other jurisdictions may be entitled to access your personal data. Data will not be transferred to any country outside the European Union that is not offering an adequate level of protection except where the processing itself offers that level of protection. We will always ensure that your personal data is adequately protected and transferred in compliance with applicable privacy laws.

 

Data collected that is not processed within a three years period is deleted. In some circumstances we may anonymize your personal data so that it can no longer be associated with you, in which case we may use such data without further notice to you.

 

Whether in electronic or paper-based format, we implement appropriate technical and organizational measures to ensure an appropriate level of security, keeping in mind the nature, scope, context and purpose of processing, cost, and the potential risk to you. We use industry standard technology and efforts to safeguard your personal data from loss, theft and unauthorized access, use or disclosure. These include secure servers and firewalls. Physical access to those areas where information is gathered, processed or stored is restricted to authorized employees who require the information to perform a specific function. Appropriate controls are in place over

computer systems and data processing procedures and these controls are reviewed on an ongoing basis to ensure compliance with our security and privacy requirements.

 

We require our service providers and agents to protect personal data processed on our behalf.

 

We try to ensure that the personal data we collect about you is accurate, complete and up-to-date. However, we rely on you to provide accurate information in the first instance, and to notify us when there is a change in your personal data. In certain circumstances we may verify personal data, or obtain additional personal data through third-parties.

In some jurisdictions, you have a right to access, correct, transfer or delete your personal data in our possession or control, or to object to our processing of your personal data. This may be done by writing or emailing our Privacy Officer.