Consent to the processing of personal data 

under Art. 7 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC

(hereinafter referred to as the “GDPR“)

This privacy policy provides an overview about how we process personal data in L.D. REFLECT FESTIVAL LTD., with registered seat at Riga Fereou Street, S. Socratous, Building Apt. 101, 3500 Limassol, Cyprus, company ID no. : ΗΕ 389649, (hereinafter referred to as “we“, “us“ or „Reflect“). 

If you have any questions concerning how we process your personal data, you can contact us at [email protected] or by post using our registered seat address above. Being an EU-based company, we must comply with the EU general data protection regulation (the “GDPR“) when processing the personal data., 1 specific provisions of Act no. 18/2018 on Coll. on the protection of personal data (mainly sec. 78 and sec. 79) and other legislation governing the issues of data protection or privacy. 

Why do we process your personal data? Generally, we need to process personal data in order to: ▪ provide our services and products and for that purpose process personal data of our clients, suppliers, business partners, employees and other persons; ▪ meet our legal and contractual obligations; ▪ pursue our own legitimate interests and legitimate interests of our clients.

What are our purposes of processing of personal data? Based on our relationship and position according to the GDPR (controller or processor) we process personal data for the following purposes: Purpose Legal ground according to the GDPR Our position and explanation of the purpose Organization of conferences and events Legitimate interest pursuant to the Art. 6(1)(f) of the GDPR Our main activities include the organization of conferences and various smaller events where personal data about visitors and speakers are processed especially in the registration process or on the venue of a conference or an event. We typically organize conferences as the controller, but we can organize some smaller events together as joint controllers or on behalf of partners as the processor. We consider organizing conferences and events to be our legitimate interest. 1 See Articles 12-22 of the GDPR: http://eur-lex.europa.eu/legal-content/SK/TXT/HTML/?uri=CELEX:32016R0679&from=EN Consent with publishing a photo of speakers or to make a video recording. While organizing conferences and events it may happen that we need to obtain your consent e.g. when publishing a photograph or making a video or video recordings at the venue of a conference or event that involves the processing of personal data. Typically, we provide more organizational information about obtaining consents on the tickets or at the venue. Direct marketing communication (newsletter) Consent pursuant to the Art. 6(1)(a) of the GDPR or Legitimate interest pursuant to the Art. 6(1)(f) of the GDPR in connection with sec. 62 (3) Act on electronic communications. When sending marketing newsletters, we rely on your prior consent or the statutory exemption from obtaining the consent provisioned in Section 62 (3) of the Act on Electronic Communications (so-called marketing of similar goods and services). When sending a marketing communication, we process your personal information as the controller. You can withdraw your consent at any time. Raising awareness about Reflect Festival in the online environment (marketing purposes) Legitimate interest pursuant to the Art. 6(1)(f) of the GDPR If we operate our own company profile on (LinkedIn, Twitter, Facebook, YouTube, Instagram) and communicate via those profiles we are in the position of the controller and we rely on our legitimate interest being : raising awareness about Reflect Festival in the online environment. For this purpose we also use various marketing analytics tools such as Google Analytics or tools to better target or boost our advertisements. Contractual obligations and precontractual relationships. Contract pursuant to the Art. 6(1)(b) of the GDPR for natural persons as contractual parties. and Legitimate interest pursuant to the Art. 6(1)(f) of the GDPR for legal persons as contractual parties. If we are with you in a contractual relationship or you seek to conclude a contract with us – irrespective of the nature of the contract – we process your personal data or personal data of your employees for the purpose of entering into and performing contractual obligation as the controller. This may be the case of different types of contracts that we conclude with you for example sponsorship agreements, marketing or barter cooperation agreements, mandate contracts, employment contracts or consultancy agreements, etc. Tax, Billing & Accounting Legal obligation pursuant to the Art. 6(1)(c) of the GDPR. It is our obligation to process personal data deriving from the accounting and tax administration included in accounting documents, records or other documents (such as invoices) as the controller. Legal enforcement Legitimate interest pursuant to the Art. 6(1)(f) of the GDPR in connection with the Article 9 (2) (f) of the GDPR From time to time, we might need to pursue a legal claim, ask for compensation or off-court settlement, keep evidence for potential dispute, manage, keep and perform legal contracts, request legal advice from external advisors, report illegal activity to law enforcement authorities or otherwise protect our legitimate legal interests. In doing so, we act as the controller. Security of property (CCTV system) Legitimate interest pursuant to the Art. 6(1)(f) of the GDPR At Reflect we use the CCTV system to protect the legitimate interest of us and our sublessees – security of property. If we are using a camera system to process personal data we are in the position of the controller. This does not affect the right of the owner or manager of the building to use another camera system. Statistics Article 89 of the GDPR In compliance with conditions of Art. 89 GDPR we process the personal data collected for the above purposes on the above legal grounds as the controller for statistical purposes. The result of such processing is never personal data but aggregated / anonymous information (such as how many customers we have or economic statistics). If you are our employee, we process your personal data for the following purposes: Purpose Legal ground according to the GDPR Our position and explanation of the purpose Personnel & payroll purposes Legal obligation pursuant to the Art. 6(1)(c) of the GDPR. If you are our employee or applicant for a job on an open position at Reflect, we process personal data necessary about you to fulfill the typical obligations and exercise of the employer’s rights under labor law. Employee benefits Legitimate interest pursuant to the Art. 6(1)(f) of the GDPR If you are our current employee we provide your personal data (if you are interested) to providers of employee benefit (e.g. Multisport Card). Who are recipients of your personal data? Your personal data are available to our recipients on need-to-know basis maintaining the confidentiality of the data recipients. Depending on the purpose of processing and particular circumstances typical recipients of your personal data are: – Accounting and payroll companies; – Postal companies and shipping companies; – Professional advisors (e.g. attorneys); – Providers of standard software (e.g. Microsoft and Google) or technical (IT) support; – Providers of cloud and hosting services; – Providers of marketing analytics tools (e.g. Analytics, Mouseflaw, Hotjar) – Providers of social media platforms; – Sponsors and business partners at the events; We also use sub-contractors to support us in providing services who might process personal data for us. We ensure that selection of our subcontractors and any processing of personal data by them is compliant with the GDPR. If we are requested by the public authorities to provide your personal data we examine the conditions laid down in the legislation to accept the request and to ensure that if conditions are not met, we do not adhere to the request. What countries do we transfer your personal data to? By default, we seek not to transfer your personal data outside the EU and/or European Economic Area where not necessary. However, some of our sub-contractors or the above-mentioned recipients of personal data might be based or their servers might be located in the United States of America (U.S.). As such, US is regarded a third party not ensuring adequate level of protection. However, companies certified under the EU-US Privacy Shield mechanism according to the Commission (EU) are regarded as ensuring adequate level of protection. Any transfer of personal data outside the European Economic Area is done by us only under strict compliance with the GDPR. We ensure the third-party recipients are either certified under the EU-US Privacy Shield, concluded EU model clauses with us or follow equivalent safeguards in place. How long do we store your personal data? We must not and we do not want to store your personal data for longer than necessary for the given purpose of processing. Due to this legal requirement but also due to technical and financial aspects of data storage we actively delete data where no longer necessary. Retention periods are either provisioned in respective laws or are set out by us in our internal policies. General retention periods for the above purposes of processing are as follows: Purpose General retention period Organization of conferences and events During the conference and generally after 6 months. Direct marketing communication (newsletter) Until the acceptance of the objection against processing or sign-out from the newsletter performed by data subject. Raising awareness about Reflect Festival in the online environment (marketing purposes) Contractual obligations and pre-contractual relationships. During the duration of the contractual relationship Tax, Billing & Accounting 10 years. Legal enforcement Until the limitation of the legal claim. Security of property (CCTV system) 1 month Statistics During the existence of other purposes of processing. Personnel & payroll purposes For the duration of the employment relationship and later, within the statutory time limits (typically 10 years). Employee benefits During your use of benefit. The above retention periods only represent general periods of processing of personal data for the respective purposes. In fact, we proceed to liquidation or anonymization of personal data before the expiration of these general periods if the personal data are deemed unnecessary in view of the above-mentioned processing purposes. If you are interested in knowing whether we are currently processing your personal data for specific purposes, please contact us with a request to confirm whether we process personal information with reference to Art. 15 (1) of the GDPR. How do we collect your personal data? Generally, we collect your personal data directly from you. Provision of personal data by you is voluntary and does not present a requirement to enter into a contract or a contractual requirement. You can provide your personal data to us by different means e.g.: ▪ communication with you (e.g. messaging via our web, e-mail or social media); ▪ registration on our or partner website; ▪ presence on conferences and events (purchasing a ticket); ▪ activity on our profiles on social media; ▪ in the process of concluding or negotiating the contract; ▪ entering our premises or areas designated for photography (at conferences); ▪ completing and submitting a contact form with your comments, queries or questions. However, we may also obtain your personal information from your employer or from the company in relation to which we process your personal data. This is typically the case when we conclude or negotiate a contractual relationship with the company or its terms. If the collection of personal data relates to a contractual relationship it is often a contractual requirement or a requirement that is required for the conclusion of a contract. Failure to provide personal data (whether yours or your colleagues) may have negative consequences for the company you represent, as this may result in failure to conclude or performance of a contractual relationship. If you are a member of a statutory body of an organization that is a contracting party to us or with whom we are negotiating a contractual relationship, we may obtain your personal data from publicly available sources and registers. In any case we do not systematically process any random personal data obtained to any of the purposes for processing personal data. What rights do you have? You have the right to withdraw your consent at any time. You also have a right to object to any direct marketing processing of your personal data including profiling. You have right to object to any processing that is based on legitimate interest including to profiling based on such legitimate interest pursuant to the Article 21 GDPR. In case of exercising the right we will gladly demonstrate to you how we have evaluated these legitimate interests as compelling over the rights and freedoms of data subjects. The GDPR lays down general conditions for the exercise of your individual rights. However, their existence does not automatically mean that they will be accepted by us because in a particular case exception may apply. Some rights are linked to specific conditions that do not have to be met in every case. Your request for an enforcing specific right will always be dealt with and examined in terms of legal regulations and applicable exemptions. Among others, you have: ▪ Right to request access to your personal data according to Article 15 of the GDPR. This right includes the right to confirm whether we process personal data about you, the right to access to personal data and the right to obtain a copy of the personal data we process about you if it is technically feasible. ▪ Right to rectification according to Article 16 of the GDPR, if we process incomplete or inaccurate personal data about you. ▪ Right to erasure of personal data according to Article of the 17 GDPR, if one of the conditions for erasure is fulfilled and no exception applies. ▪ Right to restriction of processing according to Article 18 GDPR, if one of the conditions for restriction is fulfilled. ▪ The right to data portability according to Article 20 of the GDPR, the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1). You have a right to lodge a complaint related to personal data to the relevant data protection supervisory authority or apply for judicial remedy. Please note that our competent data protection authority is the Office for Protection of Personal Data of the Republic of Cyprus. In any case we advise to primarily consult us with your questions or requests. Do we process your personal data via automated means which produces legal effects concerning you? We do not currently conduct processing operations that would lead to the decision which produces legal effects or similarly significantly affects concerning you based solely on automated processing of your personal data. Cookies Cookies are small text files that improve website usage e.g. by allowing us to recognize previous visitors when logging in to a user environment, remembering a user’s choice when opening a new window, measuring website traffic, or how evaluation of usage of the website for the improvement. Our website uses cookies in particular to measure its traffic. You can always stop storing these files on your device by setting up your web browser. Setting up your browser is within the meaning of Section 55 (5) of the Act on Electronic Communications considered as your consent to the use of cookies on our site. You can review and / or delete cookies at your discretion via tools that are part of your internet browser or thirdparty add-ons. You can clear all cookies stored on your computer and majority of browsers allow to set the browsers to prevent them from being stored. In this case you may have to manually modify some settings during each site visit and some services and features will not work. Social networks Please read relevant privacy policies to better understand processing of your personal data by providers of social media platforms. We only have a typical admin control over the personal data processed by us via our own company profile. We assume that by using these social media platforms, you understand that your personal data might be processed for other purposes and that your personal data might by transferred to other third countries and third parties by providers of social media platforms. How we protect your personal data? It is our obligation to protect your personal data in an appropriate manner and for this reason we focus on the questions related to protection of personal data. Our company has implemented generally accepted technical and organizational standards to preserve the security of the processed personal data, especially taking into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. In situations where special categories of data are processed we use encryption technologies e.g. during communication with the payment gateway. Your personal data are stored on our secure servers or servers of our web site providers located in data centers in the Republic of Cyprus. If third-party analytics tools are used data are stored on third-party servers (see cookies). Changes to this privacy policy We may change this privacy policy from time to time by posting the most current privacy policy and its effective date on our website. In case we change this privacy policy substantially, we may bring such changes to your attention by explicit notice, on our websites or by email.