HOUZIT PRIVACY POLICY

Worldom Limited (“the Company”) is strongly committed towards compliance with Maltese and EU

data protection and privacy laws and regulations, particularly the GDPR1 and the Data Protection

Act.2

The nature of the Company’s business necessitates the processing of personal data and special

categories of personal data pertaining to clients, employees, prospective employees, suppliers,

service providers and other identifiable individuals. As such, this Privacy Policy (“Policy”) is applicable

to the Company’s entire operations and to all its clients, officers, staff, contractors and consultants.

All Company employees and officers must familiarise themselves with this Policy and apply its

provisions in relation to all processing of personal data carried out in the course of the Company’s

business. Failure to do so could amount to misconduct, which is a disciplinary matter that could

ultimately lead to dismissal.

I. Scope

The Policy extends to all processing of personal data, relating to an identified or identifiable person

connected with the Company’s operations.

Additional data protection policies can be created at the Company’s discretion, in compliance with

the GDPR. This Policy can be amended in coordination with the Company’s Data Protection Officer

(the “DPO”).

II. National Laws

This Policy supplements national and EU data privacy laws, which will take precedence in the event

of conflict with this Policy or where it has stricter requirements. The content of this Policy must also

be observed in the absence of corresponding national legislation. Reporting requirements and

analogous obligations related to data processing under national laws must be observed. If there is

reason to believe that legal obligations contradict the duties under this Policy, one must inform the

DPO for further guidance and direction. In the event of conflict between national legislation and the

Policy, the Company and its DPO will work to find a practical solution that meets the purpose of this

Policy.

III. Principles for Processing

All processing carried out by the Company or its employees shall be carried out in accordance with

the principles enshrined in the GDPR, being the following:

1 General Data Protection Regulation - Regulation (EU) 2016/679

2 Chapter 586 of the Laws of Malta

1. Fairness and lawfulness:

Personal data will be collected and processed in a legal and fair manner.

2. Purpose Limitation:

Personal data will be processed only for the purpose set out prior to the collection of the

personal data. .

3. Transparency:

You will be informed about how your data is being handled.

4. Data minimisation

Processing of data takes place only to the extent that it is necessary in order to achieve the

purpose for which processing is undertaken. Where the purpose allows and where the

expense involved is proportional to the goal pursued; anonymised, pseudonymised or

statistical data must be used.

5. Storage Limitation & Deletion

Personal data that is no longer needed after the expiration of legal or business

process-related periods will be deleted. There may be an indication of interests that merit

protection, retention or historical significance of this data in individual cases. If so, the data

will remain on file until the interests that merit protection have been clarified legally to

determine whether it must be retained.

6. Factual accuracy

Personal data processed must be correct, complete, and – if necessary – kept up to date.

Suitable steps will be taken to ensure that inaccurate or incomplete data is deleted,

corrected, supplemented or updated.

7. Confidentiality and integrity of Personal Data

Personal data is subject to data secrecy. It will be treated as confidential on a personal level

and secured with suitable organizational and technical safeguards intended to prevent

unauthorized access, illegal processing or distribution, as well as to protect against accidental

loss, modification or destruction.

8. Accountability

The Company will not only adhere to these principles, but will also implement strong

technical and organisational measures to be able to demonstrate compliance with such

principles.

IV. Categories of Data

Depending on who you are and how you interact with us we may collect different categories of

data by either (i) requesting such date directly from you; (ii) collecting data from third parties;

(iii) using “cookies”; (iv) web analytics; and (v) web beacons.

The categories of data and the reason for processing such data are detailed below:

1. Agent, Supplier, Service Provider or Business Partner Data

1.1 If you are an agent, supplier, service provider or business partner, the Company may, without

limitation, request, collect and process the following data:

- Your name, address, date of birth, identity card number, passport number, contact

number, email address;

- Your curriculum vitae, education certificates, real estate licence, certificate of good

standing;

- Emergency contact information;

- Payment account details;

- Information related to your performance, evaluations, complaints and communications

with the Company;

- Information obtained from third parties, including without limitation regulatory

authorities;

- Information you willingly provide to the Company from time to time;

- Business information related to the company where you work.

1.2 Processing of the data referred to in clause IV(1.1) above may be required to:

- Review your performance;

- Consider your continued affiliation with the Company;

- Communicate with you any changes to our terms of business and any other information

related to the Company’s business and/or services;

- Pay commission, revenue share or other payments due to you;

- Comply with our obligations towards you and with applicable law or regulations;

- Offer training and other resources to you;

- Safeguard the Company’s legitimate interests;

- Prevent fraud;

- Respond to your requests or complaints.

2. Client Data

2.1 If you are a client, the Company may, without limitation, request, collect and process the

following data:

- Your name, address, date of birth, identity card number, passport number, contact

number, email address, all of which can be provided directly to the Company or received

by the Company from any of our agents, suppliers, partners, or service providers;

- Your search and browsing history, including without limitation, keywords related to

property search, specific properties saved or marked as favourite and usage information

from devices while on the Company’s online platforms;

- Information you willingly provide to the Company or our agents, suppliers, partners or

service providers from time to time, including any communications and interactions.

2.2 Processing of the data referred to in clause IV(2.1) above may be required to:

- To establish, execute and terminate your account with the Company;

- To provide support, products, or services to you;

- To analyse your use of our services and to customise the services in accordance with

your particular preferences or interests;

- To improve our products and services

- To prepare contracts, to fulfil regulatory obligations or to fulfil other requests of the

prospective client that relate to contract conclusion.

- To send information about existing and new services, products and special offers;

- For advertising purposes or market and opinion research, provided that this is consistent

with the purpose for which the data was originally collected;

- Comply with applicable statutory provisions;

- Safeguard the legitimate interests of the Company;

- Prevent fraud, monitor suspicious activity and enhance the security of the Company’s

online platforms;

- Respond to your requests or complaints.

3. Employee data

3.1 If you are an employee or a prospective employee, the Company may, without limitation,

request, collect and process the following data:

- Your name, address, date of birth, identity card number, passport number, social

security number, contact number, email address;

- Photograph, passport, visas, marital status, beneficiaries;

- Your curriculum vitae, education certificates, residence status;

- Emergency contact information;

- Your remuneration details, tax information and payment account details;

- Information related to your holiday and leave entitlement usage

- Information related to your performance, evaluations, complaints and communications

with the Company;

- Information obtained from third parties, including without limitation credit agencies and

professional references;

- Information you willingly provide to the Company from time to time;

- Information related to your performance at work, Company data, equipment and other

assists made available to your during your employment.

3.2 Processing of the data referred to in clause IV(3.1) above may be required to:

- Consider you for employment and make an offer for employment;

- To initiate, carry out and terminate the employment agreement;

- Provide employment related benefits to you

- Consider you for continued employment with the Company;

- To comply with the employment agreement and with applicable law or regulations;

- Manage our business;

- Prevent fraud, monitor suspicious activity and enhance the security of the Company’s

online platforms;

- Respond to your requests or complaints.

V. Disclosure of Data

Your personal data will be treated as confidential and the Company will not pass on or use any of

such data in a manner that contravenes the terms of this Policy.

Any personal data benefits from this full protection and will only be disclosed to third parties such as

administrative or judicial authorities if the Company is compelled to do so pursuant to applicable law,

or if the data subject has given written consent to such disclosure.

Without prejudice to the above, the Company can disclose, transfer or make available the following

information:

● The data set out in clause IV(2.1) of this Policy may be disclosed to agents, suppliers or business

partners of the Company in connection with the provision of the service to you and to third

parties carrying out administrative and back-office related tasks for the Company.

● The data set out in clause IV(1.1), (2.1) and (3.1) may be transferred in connection with a merger,

sale or other disposition of all or part of the Company’s business and/or assets.

VI. Data Subject Rights

As a data subject, you have the following rights and any related requests will be handled immediately

by the responsible unit within the Company, or alternatively by the DPO.

1. You may request information as to which personal data relating to you has been stored, how

the data was collected, and for what purpose.

2. If personal data is transmitted to third parties, you may request information about the

identity of the recipient or the categories of recipients.

3. If personal data is incorrect or incomplete, you can demand that it be corrected,

supplemented, or record additional statements.

4. You have an absolute right to object to the processing of your data for purposes of

advertising or market or opinion research, in which case the data will be restricted from

these types of uses.

5. You may request that your data be deleted or restricted if the processing of such data has no

legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind

the data processing has lapsed or ceased to be applicable for other reasons. Existing

retention periods and conflicting interests meriting protection must be observed. Where

processing is based on the Company’s legitimate interests and you have requested it to be

deleted, it shall be restricted until the grounds for processing are verified, and subsequently

if no grounds are found for continued processing based on the Company’s legitimate

interests, the data will be deleted.

6. You have a right to object to your data being processed. This does not apply if alternative

legal grounds for processing exist, as indicated under clause IV.

If you have any questions or concerns in this regard, you can contact the DPO as indicated under

clause XI.

VII. Confidentiality of Processing

Personal data is subject to data secrecy. Any unauthorised collection, processing, or use of such data

by employees is prohibited. The “need to know” principle applies3. Employees may have access to

personal information only insofar as it is appropriate for the type and scope of task in question.

Employees are forbidden from using personal data for private or commercial purposes, to disclose it

to unauthorised persons, or to make it available in any other way. This obligation shall remain in

force even after the termination of employment relationships. Any employee who does not comply

with such, will be liable to a serious breach of their relative employment contract, and would thus be

liable to immediate termination, save any other relevant action which may be vested in the

Company.

3 Access to the relevant information must be necessary for one to conduct one's official duties.

VIII. Processing Security

The Company will use its best endeavours to safeguard personal data from unauthorised access and

unlawful processing or disclosure, as well as accidental loss, modification or destruction. We limit

access to your data to those who a legitimate business need to access.

The Company does not warrant that transmissions of data will be secure, free from delay,

interruption, interception or error, and consequently and any provision of data to the Company is

being made at your own risk. The Company shall not be liable for any unauthorised disclosure of your

data occurring as a result of any unauthorised act of third parties.

You are responsible for ensuring the security of your credentials which include without limitation any

username, passwords, and account information, from unauthorised access, use or disclosure to third

parties. You agree to: (a) immediately notify the Company of any unauthorised use of your

credentials; (b) undertake to take appropriate preventative measure to safeguard your credentials

and user account.

IX. Data protection incidents

You must immediately inform the DPO (as defined hereunder) upon becoming aware of any

violations or suspected violations of this Policy or applicable data protection law.

X. Your Consent to this Policy

By using the Company’s services, you consent to the collection and processing of your data in

accordance with this Policy.

Changes to this Policy will be communicated to you using the data you have provided to the

Company for the purposes of communicating with you. The updated Policy will be posted on the

Company’s online platforms. Your continued use of the Company’s services will indicate your consent

to the updated terms and conditions of this Policy. If you do not consent to any changes or updates

to this Policy, you are requested to immediately cease the use of the Company’s online platforms and

services.

It is your responsibility to regularly review this Policy to keep track of any applicable changes.

XI. Data Protection Officer (the “DPO”)

The Data Protection Officer (the “DPO”) is the contact person within the Company who is responsible

for data protection.

You shall promptly inform the DPO of any data protection risks, breaches or any other issues relevant

to data protection. You may approach the DPO, at any time to raise concerns, ask questions, request

information or make complaints relating to data protection or data security issues. If requested,

concerns and complaints will be handled confidentially. Decisions made by the DPO to remedy data

protection breaches will be upheld by the Company.

The DPO may be contacted as follows:

Email:

Address:

Telephone Number:

Last update: March 14, 2022