Philippines
Privacy Notice and Consent Form
Last Updated June 8, 2023
- 1. Definitions
- 2. Personal Data Collected, Used, and Shared
- 3. Organizational Security Obligations and Measures
- 4. Technical Security Measures
- 5. Rights of the Data Subject
- 6. Data Breaches and Security Incidents
- 7. Dispute Resolution and Law
- 8. Outsourcing and Subcontracting
- 9. Summary of Processing Activities
- 10. How to Contact Us
Chapter III - Organizational Security Obligations and Measures
Section 3.1
Data Privacy Principles – All Processing of Personal Data within Brankas will be conducted in compliance with the following data privacy principles:
- the collection of Personal Data is limited and specific, legally valid, appropriate, and transparent;
- the processing of Personal Data is carried out in accordance with its purposes;
- the processing of Personal Data is carried out by guaranteeing the rights of the Data Subject;
- the processing of Personal Data is accurate, complete, not misleading, current, and accountable;
- the processing of Personal Data is done by protecting the security of Personal Data from unauthorized access, unauthorized disclosure, unauthorized alteration, misuse, destruction, and/or loss of Personal Data;
- the processing of Personal Data is carried out by giving notice of the purposes and activities of the processing, as well as of any failure to protect Personal Data;
- the processing of Personal Data is carried out responsibly by fulfilling the implementation of the principles of protection of Personal Data and can be clearly proven;
- the destruction and/or deletion of Personal Data is carried out after the retention period ends or at the request of the Data Subject, unless otherwise provided by the legislation.
Section 3.2
Data Processing Records – We will maintain adequate and up-to-date records of Personal Data Processing activities at all times. These records shall include, at the minimum:
- Information about the purpose of the Processing of Personal Data, including any intended future Processing or data sharing;
- A description of all categories of Data Subjects, Personal Data, and recipients of such Personal Data that will be involved in the Processing;
- General information about the data flow within Brankas, from time of collection and retention, including the time limits for disposal or erasure of Personal Data;
- A general description of the organizational, physical, and technical security measures in place within Brankas; and
- The name and contact details of any staff accountable for ensuring compliance with the applicable laws and regulations for the protection of data privacy and security.
Brankas will annually conduct a privacy impact assessment relative to all activities, projects, and systems involving the Processing of Personal Data in line with our internal policies. We will periodically review security policies, conduct vulnerability assessments, and perform penetration testing, as applicable, within Brankas on a regular schedule to be prescribed by our IT Team.
Section 3.3
Personal Data Management – We will develop and implement measures to ensure that all Brankas staff who have access to Personal Data will strictly process such data in compliance with applicable laws and regulations. These measures may include drafting new or updating relevant policies of Brankas and conducting learning and development programs or sponsoring training programs to educate our stockholders, directors, officers, employees, agents, and other interested parties on data privacy-related concerns.
We will obtain your informed consent, evidenced by written, electronic, or recorded means, concerning:
- The Processing of your Personal Data, for purposes of maintaining Brankas' records;
- The sharing of your Personal Data with a third party, if necessary, subject to the requirement that you will be provided with the following information before your Personal Data is shared:
  - Identity of the third party that will be given access to the Personal Data;
  - Purpose of the data sharing;
  - Categories of Personal Data concerned;
  - Intended recipients or categories of recipients of the Personal Data;
  - Existence of your rights as Data Subject, including the right to access and correction, and the right to object; and
  - Other information that would sufficiently notify you of the nature and extent of data sharing and the manner of Processing.
A continuing obligation of confidentiality is imposed on our stockholders, directors, officers, employees, agents, or other interested parties in connection with the Personal Data that they may encounter while they serve in that capacity with Brankas. This obligation will still apply after they cease to work with Brankas for whatever reason.
Section 3.4
Data Collection Procedures – We will document our Personal Data Processing procedures. We ensure that these procedures are updated and that your consent is properly obtained when required by law and evidenced by written, electronic, or recorded means. These procedures will also be regularly monitored, modified, and updated to ensure that your rights as a Data Subject are respected and that we process your Personal Data according to law.
Section 3.5
Delays and Restrictions on Data Processing – We will delay and restrict the processing of Personal Data in part or whole no later than 2 (two) working days from the time we receive the request for delay and restriction of processing of Personal Data from the Data Subject.
Section 3.6
Internal Monitoring – Brankas will regularly supervise any party involved in the processing of Personal Data under the control of Brankas.
Section 3.7
Provision of Personal Data access – Brankas provides the Data Subject with access to the processed Personal Data along with a track record of processing Personal Data in accordance with the period of retention of the Personal Data. The provision of such access is granted no later than 3 (three) working days from the date the Personal Data Controller receives the access request.
Section 3.8
Denial of access to Personal Data – Brankas may refuse to grant access to Personal Data where granting access is known, or should be expected, to:
- jeopardize the safety or physical health or mental health of data subjects and/or others;
- have an impact on the disclosure of other people’s Personal Data; and/or
- be contrary to national defense and security interests.
Section 3.9
Personal Data Update and Correction – Brankas will update and/or correct any errors and/or inaccuracies in Personal Data within three (3) working days from the time Brankas receives a request to update and/or correct Personal Data via privacy@brankas.com or by chat with our Support Team, through the widget in the lower right corner, at https://brankas.com.
Section 3.10
Guarantees for the accuracy, completeness, and consistency of Personal Data – Brankas guarantees the accuracy, completeness, and consistency of Personal Data in accordance with the provisions of the laws and regulations under which it operates. Brankas conducts verification of such processed Personal Data.
Section 3.11
Termination of processing of Personal Data – Brankas will terminate the processing of Personal Data if:
- the retention period has been reached;
- the purpose of processing Personal Data has been achieved; or
- there is a request from the Data Subject.
Section 3.12
Deletion or destruction of Personal Data – Brankas will delete Personal Data if:
- Personal Data is no longer necessary for the achievement of the purposes for which personal data is processed;
- the Data Subject has withdrawn consent to the processing of Personal Data;
- there is a request from the Data Subject;
- the retention period has lapsed; or
- Personal Data is obtained and/or processed unlawfully.
Section 3.13
Appointment of a Data Protection Officer – Brankas may appoint an officer who performs the functions of personal data protection and has the following obligations and responsibilities:
- inform and advise Brankas, as the controller or processor of Personal Data, as may be applicable, to comply with the provisions of the prevailing laws and regulations;
- monitor and ensure compliance with applicable laws and regulations and privacy policies, including assignment, responsibility, awareness-raising, and training of parties involved in the processing of Personal Data, and related audits;
- provide advice on assessing the impact of processing activities and monitoring the performance of Brankas as a personal data controller and personal data processor; and
- coordinate and act as a contact person for issues relating to the processing of Personal Data, including consulting on risk mitigation and/or other matters.
The Data Protection Officer performing the Personal Data protection function shall be appointed based on professional quality, knowledge of the laws and practices of personal data protection, and the ability to fulfill the officer's duties, and shall pay attention to the risks associated with the processing of Personal Data, taking into account the nature, scope, context, and purpose of processing.