This document contains an information notice for suppliers and potential suppliers and recipients of HREIT S.A. goods and services (counterparties/customers of the Data Controller who are natural persons, legal persons or organisational entities without legal personality)

INFORMATION

on the processing of your¹ personal data

To fulfil the obligations set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (EU.L.2016.119.1 of 2016.05.04), hereinafter GDPR, the following information is hereby provided:

1. The Controller of your personal data is HREIT Spółka akcyjna with its registered office in Warsaw, ul. Księdza Ignacego Jana Skorupki 5, 00-546 Warszawa, entered in the Register of Entrepreneurs of the National Court Register under KRS no.: 0000741906, REGON (National Business Registry Number): 380873593, NIP (Tax ID): 5252757857. You may contact the Controller by writing to the following address for correspondence: ul. Księdza Ignacego Jana Skorupki 5, 00-546 Warszawa, or via electronic mail at: rodo@hreit.pl

2. The Controller will process your¹ personal data for one or more of the following purposes:

Processing of data in connection with acquisition of premises:

1. in order to take steps to conclude a contract concerning products or services provided by the Controller - legal basis - Article 6(1)(b) GDPR,

2. in order to perform a contract concerning products or services purchased from the Controller - legal basis - Article 6(1)(b) GDPR,

3. in order to fulfil the legal obligations incumbent on the Controller in connection with the conclusion and performance of a contract resulting from the applicable legislation (tax, accounting, bookkeeping, archiving obligations, financial settlements - incoming and outgoing invoices) - legal basis: Article 6(1)(c) GDPR,

4. for marketing purposes, in particular of its own products or services, as well as for customer satisfaction surveys and for determination of service and product quality, which is a legitimate interest of the Controller - legal basis: Article 6(1)(f) GDPR,

5. for the purpose of possibly establishing, pursuing or defending against claims arising from a concluded contract, which is a legitimate interest of the Controller - legal basis: article 6(1)(f) GDPR,

6. for archival (evidential) purposes in order to safeguard information in the event of a legal need to prove facts, which is a legitimate interest of the Controller - legal basis: Article 6(1)(f) GDPR,

7. for internal administrative purposes of the Controller, including the Controller’s statistics and internal reporting and reporting within the HREIT Group - legal basis: Article 6(1)(f) GDPR,

8. in order to enable the Controller to perform a contract concerning the disclosure of personal data concluded with data recipients in order to enable the data recipient to undertake marketing activities, by means of electronic communication or telephone contact, including in order to enable you to benefit from discounts/preferential conditions for the purchase of goods and services from the data recipients’ Stores and Outlets, whereas these activities shall take place only on the basis of obtained consents, on the basis of Article 6(1)(a) GDPR,

9. for the continuous and uninterrupted conduct of the Controller’s business by ensuring integrity of archived/back-up copies - legal basis: Article 6(1)(f) GDPR.

Processing of data in connection with purchase of real property:

1. for the purpose of making contact and assessing the possibility of potential property acquisition - legal basis: consent - Article 6(1)(a) GDPR,

2. for the purpose of taking action in connection with the conclusion of a contract (pre-contractual activities) and for the performance of that contract - Article 6(1)(b) GDPR,

3. in order to fulfil the legal obligations incumbent on the Controller in connection with the conclusion and performance of a contract resulting from the applicable legislation (tax, accounting, bookkeeping, archiving obligations, financial settlements - incoming and outgoing invoices) - legal basis: Article 6(1)(c) GDPR,

4. for the purpose of possibly establishing, pursuing or defending against claims arising from a concluded contract, which is a legitimate interest of the Controller - legal basis: article 6(1)(f) GDPR,

5. for archival (evidential) purposes in order to safeguard information in the event of a legal need to prove facts, which is a legitimate interest of the Controller - legal basis: Article 6(1)(f) GDPR,

6. for internal administrative purposes of the Controller, including the Controller’s statistics and internal reporting and reporting within the HREIT Group - legal basis: Article 6(1)(f) GDPR.

Processing of data in connection with the bidding process:

1. to establish a business relationship - processing is necessary for the legitimate purposes of the Controller to consider the purchase of goods and services necessary for business activity - legal basis: Article 6(1)(f) GDPR,

2. to consider a bid which will be or has been made to the Controller - legal basis: Article 6(1)(f) GDPR,

3. for the purpose of possibly establishing, pursuing or defending against claims arising from a concluded contract, which is a legitimate interest of the Controller - legal basis: article 6(1)(f) GDPR,

4. for archival (evidential) purposes in order to safeguard information in the event of a legal need to prove facts, which is a legitimate interest of the Controller - legal basis: Article 6(1)(f) GDPR,

5. for internal administrative purposes of the Controller, including the Controller’s statistics and internal reporting and reporting within the HREIT Group - legal basis: Article 6(1)(f) GDPR.

Processing of data in connection with the recruitment process:

1. in order to carry out the recruitment process for the position you are applying for - legal basis - Art. 6(1)(c) GDPR in connection with Art. 22(1) of the Labour Code - in case of employment on the basis of an employment contract, or in case of data not required by law - consent - Art. 6(1)(a) GDPR, and in case of applying for cooperation on the basis of civil law contracts - legal basis Art. 6(1)(b) GDPR, and with regard to data provided voluntarily - Art. 6(1)(a) GDPR,

2. in order to carry out future recruitment processes - legal basis: Article 6(1)(a) GDPR,

3. for the purpose of possibly establishing, pursuing or defending against claims arising from a concluded contract, which is a legitimate interest of the Controller - legal basis: article 6(1)(f) GDPR.

Processing of data in connection with acquisition of goods and services by the Controller or provision of services by the Controller:

1. to establish a business relationship - processing is necessary for the legitimate purposes of the Controller to consider the purchase of goods and services necessary for business activity - legal basis: Article 6(1)(f) GDPR,

2. in order to conclude and perform the Contract to which you are or are a party and to take the necessary steps prior to the conclusion of the Contract and the performance of its provisions (negotiation, submitting an enquiry/response to an enquiry, contact relating to a bid), as well as to take action at the request of the data subject - legal basis: Article 6(1)(b) GDPR,

3. for marketing purposes, in particular of its own products or services, which is a legitimate interest of the Controller - legal basis: Article 6(1)(f) GDPR,

4. in order to fulfil the legal obligations incumbent on the Controller in connection with the conclusion and performance of a contract resulting from the applicable legislation (tax, accounting, bookkeeping, archiving obligations, financial settlements - incoming and outgoing invoices) - legal basis: Article 6(1)(c) GDPR,

5. for the purpose of possibly establishing, pursuing or defending against claims arising from a concluded contract, which is a legitimate interest of the Controller - legal basis: article 6(1)(f) GDPR,

6. for archival (evidential) purposes in order to safeguard information in the event of a legal need to prove facts, which is a legitimate interest of the Controller - legal basis: Article 6(1)(f) GDPR,

7. for internal administrative purposes of the Controller, including the Controller’s statistics and internal reporting and reporting within the HREIT Group - legal basis: Article 6(1)(f) GDPR,

8. for the continuous and uninterrupted conduct of the Controller’s business by ensuring integrity of archived/back-up copies - legal basis: Article 6(1)(f) GDPR,

9. in order to enable the Controller to perform contracts concerning the disclosure of personal in order to enable the data recipient to undertake marketing activities, by means of electronic communication or telephone contact, including in order to enable you to benefit from discounts/preferential conditions for the purchase of goods and services from the Stores / Outlets or via the websites of such entities, whereas these activities shall take place only on the basis of obtained consents, legal basis - Article 6(1)(a) GDPR.

3. In connection with the processing of data for the purposes indicated above, your personal data may be shared with other recipients of personal data. Your personal data will be communicated to the following categories of data recipients:

1. entities authorised to process personal data on behalf of the Controller, i.e. the Controller’s employees and/or persons employed on a basis other than an employment relationship maintained with the Controller (providing work on the basis of civil law contracts and on the basis of a conducted business activity),

2. entities authorised to receive your personal data on the basis of relevant legal provisions, mainly public authorities and entities performing public tasks or acting on commission of public authorities, to the extent and for the purposes arising from the provisions of generally applicable law (e.g. Tax Office, Courts, Public Prosecutor’s Office, Police, enforcement authorities),

3. HRE Investment Group entities,

4. entities that process your personal data on behalf of the Controller (entities whose services are used by the Controller in the performance of its tasks) on the basis of an agreement concluded with the Controller for personal data processing outsourcing (so-called processors), i.e. entities providing IT services, document archiving services, legal assistance services, debt collection services, marketing services, translations, entities providing postal, courier, tax, audit, banking, insurance, subcontracting services,

5. in the scope of the provision of services by the Controller - on the basis of obtained consents - legal basis Article 6(1)(a) GDPR, your personal data may be transferred to entities that process your personal data on the basis of a contract concluded with the Controller for the disclosure of personal data, i.e. in particular: Firma Handlowa MAX-FLIZ Kurleto spółka komandytowa with its registered office in Kraków, address: 30-418 Kraków, ul. Zakopiańska 58, registered with the District Court for Kraków - Śródmieście in Kraków, XI Commercial Division, in the Register of Entrepreneurs of the National Court Register under KRS no. 0000440238, NIP (Tax ID): 6790025640, REGON (National Business Registry Number): 350253750 (hereinafter: MAX -FLIZ Kurleto Sp.k.), with these activities taking place only on the basis of obtained consents, on the basis of Article 6(1)(a) GDPR.

4. Your personal data will be processed for the period necessary for the purposes of the processing indicated in point 2, i.e.:

1. with regard to the performance of the Contract under which and in connection with which your personal data are processed, for the period of conclusion and performance of the Contract (until the termination of the performance of the Contract), and thereafter for the assertion of possible claims until the expiry of the period of limitation prescribed by the Civil Code or other provisions (as a general rule, up to 6 years after the termination of contract performance). The indicated deadline may be extended to enable the pursuit of any claims arising from the Contract;

2. for internal administrative purposes and for the fulfilment of the legitimate interests of the Controller until the Controller’s legitimate interests forming the basis for such processing have been fulfilled or until you object to such processing;

3. with regard to the fulfilment of legal obligations incumbent upon the Controller in connection with the conclusion and performance of the Contract (if national or EU regulations or international law oblige the Controller to retain data, e.g. obligations set out in tax law, accounting and bookkeeping regulations) - for the periods indicated in these regulations or until such obligations have been fulfilled by the Controller (as a rule, up to 5 years calculated from the end of the calendar year in which the Contract was terminated or expired),

4. in the scope of the recruitment process - until the end of the ongoing recruitment process, and in the scope in which data are processed on the basis of consent to data processing for the needs of future recruitment processes - no longer than 1 year from the date of completion of the recruitment process for which consent was given, or until the date of withdrawal of consent,

5. in the scope related to the provision of services by the Controller - personal data will be stored for the duration of the concluded contract, and after this period until the expiry of the limitation period for claims under the concluded contract. Personal data recorded in accounting records will be kept for the period indicated in the applicable legislation, including tax legislation. Personal data processed on the basis of your consent will be stored until you withdraw your consent.

5. In accordance with GDPR, you have the following rights:

1. the right to access your data, based on Article 15 GDPR,

   the right to obtain from the Controller confirmation as to whether or not your personal data are being processed and, if so, the right to obtain access to that data (including a copy thereof) and in particular to the following information: (i) information about the purposes of the processing of your personal data, (ii) information about the categories of personal data processed, (iii) information about the recipients or categories of recipients to whom the Controller has disclosed or intends to disclose your personal data, (iv) where possible, information about the intended period of storage of your personal data, and, where this is not possible, the criteria for determining this period, (v) information about the possibility to exercise your data protection rights and how to exercise these rights, (vi) information about your right to lodge a complaint with a supervisory authority, (vii) information about profiling, as well as the consequences of such processing for you;

2. the right to correct your data, based on Article 16 GDPR,

   the right to request the Controller to rectify without delay your personal data that is inaccurate and to request that incomplete personal data is supplemented;

3. the right to delete your data, based on Article 17 GDPR,

   the right to request from the Controller immediate erasure of your personal data (“the right to be forgotten”) if one of the following circumstances applies: (i) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, (ii) the consent on which the processing is based has been withdrawn and the Controller has no other legal basis for the processing, (iii) where an objection has been lodged under Art. 21 (1) GDPR against the processing, unless there are overriding legitimate grounds for the processing, or where an objection is raised under Article 21(2) GDPR against the processing, (iv) personal data has been unlawfully processed, (v) personal data must be erased in order to comply with a legal obligation.

   It is not possible to exercise the right to erasure of personal data where the Controller is obliged by law to continue to process personal data to the extent specified by the relevant law or for the purposes necessary to establish, assert or defend claims.

4. the right to limit the processing of your data, based on Article 18 GDPR,

   the right to limit the processing of your data, based on Article 18 GDPR, the right to request the Controller to limit processing where: (i) you contest the accuracy of your personal data - for a period of time allowing the Controller to verify the accuracy of the data, (ii) the processing of your personal data is unlawful and you object to the erasure of your personal data, requesting instead the restriction of its use (iii) the Controller no longer needs your personal data for the purposes of the processing, but you need them to establish, assert or defend your claims (iv) if you object under Art. 21(1) GDPR against the processing - until it is determined whether the legitimate grounds on the part of the Controller override those of your objection;

5. the right to transfer your data, based on Article 20 GDPR,

   the right to receive, in a structured, commonly used machine-readable format, your personal data which you have provided to the Controller, and the right to request that this personal data be sent to another controller, where technically possible. This right applies if the data are processed on the basis of consent or in connection with a contract;

6. the right to object to the processing of your data, based on Article 21 GDPR,

   the right to object at any time to the processing of personal data based on Article 6(1)(e) or (f) GDPR, including profiling. The Controller shall no longer be permitted to process that personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or grounds for the establishment, exercise or defence of claims.

   The right to object to the processing of data does not apply if: (i) the processing of your personal data is based on your consent - in which case you may instead withdraw your consent, (ii) the processing is necessary for the performance of a contract to which you are a party, (iii) the processing is necessary for the performance of a legal obligation by the Controller;

7. the right to withdraw consent

   the right to withdraw consent to the processing of personal data where the processing is based on Article 6(1)(a) GDPR or Article 9(2)(a) GDPR. Withdrawal of consent will not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

6. The provision of personal data by you is voluntary; however, the consequence of failing to provide data is that it is not possible to conclude and perform the Contract and that the Controller is not able to fulfil the purpose of processing in relation to the activities in which the personal data obtained from you are processed.

7. Your personal data will not be transferred to third countries (outside the European Economic Area) or to international organisations.

8. If you believe that the Controller’s processing of your personal data violates the provisions of GDPR, you have the right to lodge a complaint with the supervisory authority, which is the President of the Office for Personal Data Protection.

9. Your personal data may be subject to automated decision-making, including profiling for direct marketing purposes. Profiling has no legal effect and does not significantly affect the data subject in any other way.

¹ In the case of counterparties who are legal persons or organisational entities without legal personality, the processing may concern personal data provided by you relating to your representatives, owners, agents or employees or other contact persons. Due to the fact that personal data of reported contact persons is sometimes not directly obtained by us, we ask that you share this information with all persons you have reported or will report as contact persons to the Data Controller.