PRIVACY NOTICE

regarding the processing of personal data

– survey-

Adopted on 18.03.2025 

We, Masterange Romania S.R.L., headquartered in 24-26 Nordului Road, District 1, Bucharest, registered at the Trade Register under no. J2003003330402, having the Tax registration code RO15262492, (“Masterange”), as the data controller, through this Privacy notice (“Privacy notice”) hereby provide you with all the relevant information about how and why we process your personal data in the context of participating in the “Stejarii Restaurant delivery menu survey” (“Survey”), according to the provisions of art. 13, respectively 14 of the General Data Protection Regulation (“GDPR”).

For any other information or requests regarding the processing of your personal data, or to exercise your rights according to the GDPR, you can contact our Data protection officer using the following contact details:

ITH Management Office S.R.L.

• Address: 24-26 Nordului Road, District 1, Bucharest
• Email to: dataprotection@tiriacimobiliare.ro
• Phone: 0040214312149

Please read this Privacy notice carefully, as it contains important information for you!

Your personal data is obtained by us directly from you, as a resident (lessee or occupant) of Stejarii Residential Club or Stejarii Collection.

I.      PERSONAL DATA PROCESSED, PURPOSES AND GROUNDS OF THE PROCESSING

Personal data is processed as follows:

1. For the purpose of sending the invitation to participate in the Survey, we process identification data (name, surname), contact data (e-mail address), as well as the data related to the use of the Stejarii mobile Application, based on art. 6 para. (1) letter a) of the GDPR, in case you have given consent to receive invitations to participate in surveys.
2. 2.     The invitation to participate in the Survey includes the survey form. By accessing the form and answering the questions, you will be able to express your opinion in the form of detailed feedback regarding the delivery menu of Stejarii Restaurant, and you can also provide comments or suggestions related to the delivery service of Stejarii Restaurant.

When necessary, after completing the survey form, we may contact you by phone to better understand the feedback you have expresed, so that we can improve the services provided.

Subsequently, we will aggregate the responses provided in order to identify and implement the necessary measures to improve the services offered by Stejarii Restaurant and to ensure a high level of satisfaction among residents, as well as to provide you with the best experience within the Stejarii community.

Therefore, we will process the following personal data: identification data (name, surname, name of the residential complex, block, staircase, apartment), contact data (e-mail address, phone number), data related to the use of the Stejarii mobile Application, as well as the answers provided to the questions in the Survey.

The legal basis for processing your personal data is your consent expressed by completing the received form, according to art. 6 para. (1) letter a) of the GDPR.

In addition to the previously indicated purposes, we will process personal data for the following subsequent and/or later purposes, if and as the case may be:

1. for compliance with the legal norms that regulate different segments of our activity, such as: obligation related to providing you with the necessary information about the manner in which we process data, as well as any other obligations that may derive from the normative acts in force at a given time and which are applicable to us, according to art. 6 para. (1) letter c) of the GDPR;
2. for the exercise and defence of our rights, including before public authorities and courts or arbitration, according to art. 6 para. (1) letter f) of the GDPR;
3. for managing IT systems, networks and equipments (information technology), such as ensuring maintenance and carrying out security audits on them, pursuant to 6 para. (1) letter f) of the GDPR, in order to achieve our legitimate interest in ensuring the security and proper functioning of IT systems and the entire infrastructure.

II.    CATEGORIES OF RECIPIENTS

Personal data may be disclosed, only to the extent necessary for the purposes detailed above or in cases required by law, to the following categories of recipients who may act as independent controllers, joint controllers, or processors, as follows:

1. service providers:
   • business administration and management services;
   • marketing services;
   • cloud services;
   • communication services;
   • audit services;
   • archiving services;
   • maintenance services;
   • IT systems;
   • outsourced data protection
2. judicial or arbitral tribunals and/or other public authorities, related to the activity of these authorities to the extent that the transmission of data to them is required by law and/or is necessary in case of litigation or settlement of a dispute, as well as in case of controls or legal requests in which we have the obligation to make them available (for example National Supervisory Authority for Personal Data Processing – “ANSPDCP”, police, prosecutor’s office, others);
3. lawyers, specialists in the fields of audit, legal, tax consultancy,;
4. third parties expressly indicated by you;
5. third party acquirers, to the extent that the activity of Masterange would be transferred (in whole or in part) to another entity, and the data of the data subjects would be part of the assets that are the subject of such a transaction, based on a legitimate development interest and adaptation of our business

The disclosure of the personal data to our service providers who act as processors is limited to the information strictly necessary for the provision of those services, these providers having the contractual obligation not to use the personal data processed on behalf of Masterange for no other purpose.

III.  TRANSFERS TO THIRD COUNTRIES OR INTERNATIONAL ORANIZATIONS

As a rule, we will not transfer personal data outside the European Economic Area, respectively in countries that are not agreed as ensuring an adequate level of data protection. In exceptional situations and only if necessary, the transfer of the personal data outside the area described above will be made only by applying adequate guarantees and protection measures (i.e. adequacy decisions of the European Commission) according to the specific legal provisions on the protection of personal data and with your appropriate information.

IV.  RIGHTS REGARDING PERSONAL DATA

Except the cases in which Romanian law or GDPR provides otherwise, you have the following rights:

1. Right to be informed, according to 13 and art. 14 of the GDPR, as per this document.
2. Right of access, according to 15 of the GDPR.
3. Right to rectification, according to 16 of the GDPR.
4. Right to erasure/right to be forgotten, according to 17 of the GDPR.
5. Right to restriction of processing, according to 18 of the GDPR.
6. Right to data portability, according to 20 of the GDPR.
7. Right to object, according to 21 of the GDPR.
8. Right not to be subject to a decision based solely on automated processing, including profiling, according to art. 22 of the GDPR. The personal data referred to in this Privacy notice is not subject to automated decision-making processes.
9. Right to withdraw your consent, according to art. 13 para. (2) letter c) and art. 14 para. (2) letter d) of the GDPR.
10. Right to lodge a complaint with the supervisory authority, according to 13 para. (2) letter d) and art. 14 para. (2) letter e) of the GDPR.

Without prejudice to your right to contact ANSPDPC at any time, please contact us in advance in relation to the exercise of the rights mentioned above.

If you consider that we have not resolved all your requests or you are not satisfied with our responses, you can contact the ANSPDCP, to file a complaint by using the following contact details:

• headquarters: Bucharest, 28-30 Gheorghe Magheru Bvd., District 1, CP 010336,
• telephone: +40.318.05.92.11
• fax: +40.318.05.96.02
• e-mail: anspdcp@dataprotection.ro
• website: dataprotection.ro

or you can address a complaint to the competent court.

Please note the following in relation to the exercise of your rights, as data subject:

• How to exercise: you can contact us using the contact details available
• The period of time for providing a response: we will try to resolve the request within one month, which may be extended with two months for specific reasons related to the complexity of the request. In all cases, if this time limit is extended, we will inform you of the length of the extension and the reasons for it.
• Identification: please provide us with the data necessary to identify you (name, surname, e-mail address), with the understanding that, to the extent that we cannot identify you on the basis of this information alone, we will ask you to provide additional information that will allow us to identify

V.    STORAGE OF PERSONAL DATA

Personal data will be processed only for the period necessary to fulfill the purposes mentioned in this Privacy notice, in accordance with the applicable general or special statutory limitation periods, or, in the case of processing based on your consent, until the withdrawal of that consent.

Subsequently, we will delete/remove the personal data from our systems and records and/or take measures to anonymize them so that you can no longer be identified. We will take all reasonable measures to ensure the deletion of personal data transmitted to recipients for the purposes mentioned above.

In the case of personal data processed for subsequent and/or later purposes, the data will be kept according to internal policies of Masterange.