GDPR

REGULATION
on the manner of processing and using personal data


GENERAL PROVISIONS
Article 1

With the aim of providing protection, this Regulation regulates categories of personal data, including the purpose, processing and protection of personal data.

This Regulation, in terms of its obligatory content, applies to users, clients, employees, and third parties (as data subjects) who have a legal relationship with the company Best Buy Commercial Brokers L.L.C (hereinafter: Best Buy) with its headquarters in the UAE, registration number 1367822 from the Dubai Chamber of Commerce and Industry, UAE, and other persons (data subjects) whose personal data is processed by BEST BUY in terms of processing personal data and in terms of which provisions of the particular agreements do not prescribe otherwise.

This Regulation does not apply to the processing of data relating to legal persons, including their form and contact data.

An integral part of this Regulation comprises appendices relating to the processing of personal data from particular categories of data subjects.

For all relationships not regulated by this Regulation, the provisions of the General Data Protection Regulation (GDPR) and the Act on Implementation of General Provisions on Data Protection will apply.

Article 2

BEST BUY as the controller shall process personal data in a legal, fair and transparent manner.

Basic information on the controller:

Best Buy Commercial Brokers L.L.C (hereinafter: Best Buy), with headquarters in UAE, and registration number 1367822 from the Dubai Chamber of Commerce and Industry, UAE

Article 3

For the purpose of this Regulation, the following terms have specific meanings:

1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3. ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
4. ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
5. ‘controller’ is the company BEST BUY;
6. ‘data subject’ means buyers, employees, business partners, third parties in a contractual relationship, and persons whose personal data is processed by the company BEST BUY
7. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
8. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
9. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
10. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
11. ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
12. ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
13. ‘main establishment’ of the company BEST BUY is the UNITED ARAB EMIRATES
14. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
15. ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
16. ‘group of undertakings’ means a controlling undertaking and its controlled undertakings;
17. ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;
18. 'regulation' means the General Data Protection Regulation.
19. ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;
20. ‘employee’ – a person employed in the company (including those based on work agreements, service contracts, royalty agreements, student contracts, and other legal forms).


PRINCIPLES FOR PROCESSING PERSONAL DATA
Article 4

1. Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, except in the case of processing for scientific, statistical or research purposes;
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Article 5

The lawfulness of processing is ensured such that during the processing of personal data, the data subject must satisfy at least one of the following grounds for processing:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Article 6

In the event that the controller performs processing for a purpose different from the purpose for which the data was first collected, and if that processing complies with the initial purpose, the controller will deem that the legal basis for the initial processing is adequate for subsequent processing of data.

Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent, the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:

(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
(c) the nature of the personal data, in particular whether special categories of personal data are processed;
(d) the possible consequences of the intended further processing for data subjects;
(e) the existence of appropriate safeguards.


CONSENT
Article 7

Where processing of the data subject’s personal data is based on consent, the processor must provide proof of the existence of such consent.

The data subject may provide the consent in terms of a document relating to other questions, but the request relating to the consent must be distinguishable from the remainder of the text as clearly as possible and be understandable for the data subject.

The data subject shall have the right to withdraw his or her consent at any time in the same form the consent was given.

The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. If the data subject’s consent is only one of the grounds for processing personal data, BEST BUY is authorised to continue processing personal data on other legal grounds.


PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
Article 8

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in Paragraph 1 may not be lifted by the data subject;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
(e) processing relates to personal data which are manifestly made public by the data subject;
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
(g) processing is necessary for reasons of substantial public interest, on the basis of relevant law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes and is proportional to the aim pursued, while respecting the essence of the right to data protection and providing for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.


PROCESSING OF BIOMETRIC DATA
Article 9

The processing of biometric data may be performed out of necessity for the protection of persons, assets, classified data, trade secrets or for individual and secure identification of users of services, taking into account that the data subject’s interests which are contrary to the processing of biometric data referred to in this Article do not prevail.

The legal basis for the processing of biometric data belonging to data subjects for secure identification of users of services is the data subject’s explicit consent.

The processing of biometric data belonging to employees is permitted for the purpose of recording working hours as well as the entering and exiting official premises if stipulated by law or if such processing is performed as an alternative to another solution for recording work hours as well as the entering and exiting from official premises under the condition that the employee provides explicit consent for such processing of biometric data in accordance with the provisions of the General Data Protection Regulation.


VIDEO SURVEILLANCE
Article 10

1. Video surveillance in terms of the provisions of this Regulation relates to the collecting and further processing of personal data which includes the creation of recordings which are intended to be part of the storage system.

2. The processing of personal data using video surveillance may be performed only for a purpose which is essential and justified for protecting persons and property, while taking into account that the interests of the data subject which are contrary to the processing of data using video surveillance do not prevail.

3. Video surveillance may cover only premises or parts of premises for which surveillance is essential in order to achieve the purpose referred to in paragraph 2 of this article.

4. The controller or processor is obliged to place a sign that the building or particular premises in it is under video surveillance, and the sign should be visible no later than upon entering into the perimeter under video surveillance.

5. The notice referred to in Paragraph 4 of this Article should contain all the relevant information, especially a simple and easy to understand picture along with text providing data subjects the following information:

  • That the premises are under video surveillance,
  • Information on the controller,
  • Contact information based upon which the data subject may exercise his or her rights.

6. The right of access to personal data collected using video surveillance is given to the responsible person of the controller or processor and/or persons whom they authorise.

7. Persons referred to in Paragraph 6 of this Article may not use recordings from the video surveillance system contrary to the purpose determined in Paragraph 2 of this Article.

8. The video surveillance system must be protected against access by unauthorised persons.

Article 11

Recordings obtained using video surveillance may be kept at most for 6 months unless another law stipulates a longer period for keeping or if they become evidence in court, administrative, arbitration or other equivalent procedures.

Video surveillance of work premises
Article 12

1. The processing of personal data belonging to employees using video surveillance systems may be performed if in addition to conditions determined by this law, conditions stipulated by laws regulating work safety are also fulfilled and if employees are notified beforehand of such measures and if the employer informs employees prior to making the decision to install the video surveillance system.

2. The video surveillance of premises may not include premises for rest, personal hygiene or changing rooms.


INFORMATION AND ACCESS TO PERSONAL DATA
Article 13

1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) where the processing is based on point (f) of Article 5(1), the legitimate interests pursued by the controller or by a third party;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation;
(g) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(h) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
(i) where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(j) the right to lodge a complaint with a supervisory authority;
(k) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
(l) the existence of automated decision-making, including profiling, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in the previous paragraph.

Obligations of the controller referred to in this Article are not applicable where and in so far as the data subject already has at his or her disposal the respective information.

Information referred to in Article 13 and Article 14 of this Regulation is provided in a short and intelligible manner, and in written form or using other means, and if appropriate, via electronic means. If demanded by the data subject, information may be provided orally, under the condition that the identity of the data subject is determined by other means.

Article 14

1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) the categories of personal data concerned;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation;
(g) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(h) where the processing is based on point (f) of Article 5(1), the legitimate interests pursued by the controller or by a third party;
(i) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
(j) where processing is based on the consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(k) the right to lodge a complaint with a supervisory authority;
(l) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
(m) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The controller shall provide the information referred to in the previous paragraph:

(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in the previous paragraph.

The controller’s obligations referred to in this article do not apply where and insofar as:

(a) the data subject already has the information;
(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
(c) obtaining or disclosure is expressly laid down by the relevant authority and which provides appropriate measures to protect the data subject's legitimate interests; or
(d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.


THE DATA SUBJECT’S RIGHT TO ACCESS
Article 15

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 23(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.


RIGHT TO RECTIFICATION
Article 16

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.


RIGHT TO ERASURE
Article 17

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21 of the Regulation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation.

2. Where the controller has made the personal data public and is obliged pursuant to Paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with the provisions of the General Data Protection Regulation;
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
(e) for the establishment, exercise or defence of legal claims.


RIGHT TO RESTRICTION OF PROCESSING
Article 18

1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to processing pursuant to Article 21(1) of this Regulation pending the verification whether the legitimate grounds of the controller override those of the data subject.

2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the relevant country.

3. A data subject who has obtained restriction of processing pursuant to Paragraph 1 of this Article shall be informed by the controller before the restriction of processing is lifted.

Article 19

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 of this Regulation to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.


RIGHT TO DATA PORTABILITY
Article 20

1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a) the processing is based on consent or contract;
(b) the processing is carried out by automated means.

2. In exercising his or her right to data portability pursuant to Paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The right referred to in Paragraph 1 of this Article may not influence the rights and freedoms of others.


RIGHT TO OBJECT
Article 21

1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data if it is based on a task of public interest, for the execution of public powers by the controller or based on legitimate interests of the controller.

The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

5. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to provisions of the General Data Protection Regulation, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary


    SUBMITTING REQUESTS AND OBJECTIONS BY THE DATA SUBJECT
    Article 22

    All requests and objections envisaged by the provisions of Articles 15-22 of this Regulation and the General Data Protection Regulation are submitted by the data subject to the company BEST BUY, as well as to the controller, in written form (registered mail with a return receipt) to the following address:

    Best Buy Commercial Brokers L.L.C with headquarters in the UAE, and registration number 1367822 from the Dubai Chamber of Commerce and Industry, UAE

    or

    via email at the following address: info@50-pct.com

    BEST BUY will undertake actions at the data subject’s request within a period of 30 days of orderly receipt of the request.

    The deadline referred to in the previous paragraph may be extended by an additional two months, taking into account the complexity of the request. If it is not possible to act in accordance with the request, BEST BUY will inform the data subject of the matter.

    If the requests of the data subject are obviously unfounded or excessive, and too frequent, the controller may refuse to act on such requests or seek prior payment of a fee for taking action on them. The fee will be determined by decision of the company’s responsible person.

    If the controller has justified suspicions as to the identity of the applicant submitting the request, the controller may seek additional information to verify the data subject’s identity.

    In the event of changes to contact information for BEST BUY, the new information will be published on the official website (www.50-pct.com) and/or on BEST BUY’s notice board.


    AUTOMATED INDIVIDUAL DECISION-MAKING, INCLUDING PROFILING
    Article 23

    1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

    2. Paragraph 1 shall not apply if the decision:

    (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
    (b) is authorised by Union or Member State law to which the controller is subject, and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
    (c) is based on the data subject's explicit consent.

    3. In the cases referred to in points (a) and (c) of Paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

    4. Decisions referred to in Paragraph 2 shall not be based on special categories of personal data referred to in Article 8(1), unless point (a) or (g) of Article 8(2) apply and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.


    RESPONSIBILITY OF THE CONTROLLER
    Article 24

    1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation and the General Data Protection Regulation. Those measures shall be reviewed and updated where necessary.

    2. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation, the General Data Protection Regulation, implemented law and protect the rights of data subjects.

    3. The controller shall, in accordance with opportunities, implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.

    4. Based on a special general act, the controller may specify the protocol, technical, physical and organisational security measures which the controller undertakes in applying this Article of this Regulation.


    PROCESSOR
    Article 25

    For the purpose of processing the data subject’s personal data, the controller may engage the services of a processor.

    Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.


    RECORDS OF PROCESSING ACTIVITIES
    Article 26

    1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility.

    That record shall contain all of the following information:

    (a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
    (b) the purposes of the processing;
    (c) a description of the categories of data subjects and of the categories of personal data;
    (d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
    (e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 35(1), the documentation of suitable safeguards;
    (f) where possible, the envisaged time limits for erasure of the different categories of data;
    (g) where possible, a general description of the technical and organisational security measures referred to in Article 28(1) of this Regulation.

    2. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

    (a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;
    (b) the categories of processing carried out on behalf of each controller;
    (c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the General Data Protection Regulation on suitable safeguards;
    (d) where possible, a general description of the technical and organisational security measures referred to in Article 28(1).

    3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.

    4. The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.

    5. The obligations referred to in this paragraph shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 8(1) or personal data relating to criminal convictions and offences.


    Article 27

    The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.


    Article 28

    Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

    In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.


    NOTIFICATION TO THE SUPERVISORY AUTHORITY
    Article 29

    1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with the General Data Protection Act, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

    2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach, in accordance with the General Data Protection Regulation.

    3. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.


    COMMUNICATION OF A PERSONAL DATA BREACH TO THE DATA SUBJECT
    Article 30

    1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

    2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach.

    3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

    (a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it;
    (b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
    (c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.


    DATA PROTECTION IMPACT ASSESSMENT
    Article 31

    1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, except in cases foreseen in Article 35(10) of the General Data Protection Regulation. A single assessment may address a set of similar processing operations that present similar high risks.

    2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.

    3. The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.


    DATA PROTECTION OFFICER
    Article 32

    The controller and processor may appoint a data protection officer in accordance with the provisions of the General Data Protection Regulation.

    If appointed, data subjects may contact the data protection officer for any questions relating to the processing of their personal data and exercising their rights from this Regulation.

    In the event of appointing a data protection officer, BEST BUY will give notice of the matter, publish the contact information on its website, and inform the supervisory body of the matter.


    RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY
    Article 33

    Every data subject shall have the right to lodge a complaint with a supervisory authority, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation, the General Data Protection Regulation and the Act on Implementation of the General Data Protection Regulation.


    TRANSFER OF DATA TO A THIRD COUNTRY OR INTERNATIONAL ORGANIZATION
    Article 34

    The transfer of data to a third country or international organisation is permitted once the Commission, in accordance with the General Data Protection Regulation, has determined by an adequacy decision that the third country or international organisation concerned ensures the proper level of security.

    In the absence of a decision pursuant to the previous article, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

    2. The appropriate safeguards referred to in Paragraph 2 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

    (a) a legally binding and enforceable instrument between public authorities or bodies
    (b) binding corporate rules
    (c) standard data protection clauses adopted by the Commission in accordance with the General Data Protection Regulation
    (d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the General Data Protection Regulation
    (e) an approved code of conduct
    (f) an approved certification mechanism.

    3. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in Paragraph 2 may also be provided for, in particular, by:

    (a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
    (b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

    Article 35

    1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

    (a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
    (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
    (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
    (d) the transfer is necessary for important reasons of public interest;
    (e) the transfer is necessary for the establishment, exercise or defence of legal claims;
    (f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
    (g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

    Where a transfer cannot be based on a provision in Article 34, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.


    OBLIGATIONS OF THE EMPLOYEE
    Article 36

    When processing personal data, employees of the company BEST BUY are obliged to adhere to the principles of confidentiality and security in managing such data. Employees will process personal data in accordance with the provisions of this Regulation and instructions of the Employer. The data will be used solely for the purposes for which processing is intended, and they will not be made accessible to persons who do not have authorisation for such purposes.


    FINAL PROVISIONS
    Article 37

    Rights and obligations stemming from and based upon this Regulation will be achieved, when necessary, by providing special declarations/contracts/annexes with clients, employees, or third parties to whom this Regulation applies.

    In the event that special declarations/contracts are not concluded, and in cases not regulated by separate legal documents relating to the processing of personal data, the provisions of this Regulation and the General Data Protection Regulation shall be applied directly.

    Article 38

    This Regulation comes into force on the eighth day from the date it is published on the notice board.

    Article 39

    This Regulation may be amended in the manner stipulated for its adoption.

    BEST BUY

    Company Director

    Dubai, 03/06/2019