PERSONAL DATA PROCESSING AND PROTECTION POLICY FOR THE WEBSITE

Limassol
Version dated 30 May 2026

1. GENERAL PROVISIONS

1.1. This Personal Data Processing Policy (hereinafter referred to as the “Policy”) establishes the procedure for processing and protecting personal data of users of the website operated by BFC Project (Cyprus) LTD (hereinafter referred to as the “Operator”), available on the Internet at: https://lawittburo.com (hereinafter referred to as the “Website”).
1.2. This Policy has been developed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), as well as other applicable legal acts governing personal data protection.
1.3. To comply with applicable legal requirements, this Policy is published and made freely available on the Website.
1.4. This Policy applies exclusively to the Website. The Operator does not control and shall not be responsible for third-party websites that the User may access through links posted on the Website.
1.5. The terms “personal data”, “processing of personal data”, “data subject”, “controller” and other terms used herein shall have the meanings established by the applicable personal data protection legislation.
1.6. For the purposes of this Policy, the following definitions shall apply:
“User” – any individual visiting the Website and using the materials, services, and feedback forms available on it.
“Website” – a collection of software tools, databases, graphical elements, and other information available on the Internet at the address specified in Clause 1.1.
“Website Services” – interactive functions of the Website, including contact forms, consultation booking forms, event and webinar registration forms, newsletter subscription services, and other related services.

1.1. RIGHTS AND OBLIGATIONS OF THE OPERATOR

1.1.1. The Operator shall:
·process personal data solely for the purposes specified in this Policy;
·ensure the lawful processing of personal data;
·implement the necessary organisational and technical measures to protect personal data;
·review requests submitted by data subjects;
·provide data subjects with information regarding the processing of their personal data where required by law;
·ensure that processed data remains accurate and up to date;
·cease processing and delete personal data where required by law.
All personal data processing is carried out by the Operator without the use of additional servers and in a manual (non-automated) manner. Accordingly, the Operator is not required to obtain any additional registration as a personal data controller with a competent governmental supervisory authority.

1.1.2. The Operator shall have the right to:
·independently determine the composition and scope of measures required to ensure personal data security;
·continue processing personal data after withdrawal of consent where permitted by law;
·obtain from the User documents and information necessary for the provision of services and compliance with legal obligations.

1.1.3. Due to the nature of its activities, the Operator shall have the right to:
·conduct client identification procedures (KYC);
·perform AML/CFT checks;
·carry out sanctions screening;
·request information regarding the source of funds and source of wealth;
·transfer data to banks, registrars, governmental authorities, notaries, auditors, and other parties involved in providing services to the User.

1.2. RIGHTS AND OBLIGATIONS OF THE USER

1.2.1. The User shall:
·provide accurate information;
·promptly notify the Operator of any changes to the information provided.

1.2.2. The User shall have the right to:
·receive information regarding the processing of their personal data;
·access their personal data;
·request rectification, restriction, blocking, or deletion of personal data;
·withdraw previously given consent;
·request restriction of processing;
·object to the processing of personal data;
·request data portability where provided by the GDPR;
·lodge complaints with competent data protection authorities;
·challenge the actions of the Operator in court.

2. PURPOSES OF PERSONAL DATA PROCESSING

2.1. Personal data shall be processed exclusively for legitimate purposes.
2.2. Personal data may be processed for the following purposes:
2.2.1. Identification of the User and communication with the User.
2.2.2. Provision of legal, corporate, tax, immigration, compliance, and consulting services.
2.2.3. Incorporation of companies, foundations, trusts, and other legal structures.
2.2.4. Opening bank, payment, and investment accounts.
2.2.5. Conducting KYC, AML/CFT, and sanctions screening procedures.
2.2.6. Preparation of agreements, powers of attorney, corporate documents, and other legal documentation.
2.2.7. Organisation of events, webinars, educational programmes, and consultations.
2.2.8. Processing User requests and enquiries.
2.2.9. Compliance with legal and regulatory requirements of various jurisdictions.
2.2.10. Distribution of informational and marketing materials where the User has provided the relevant consent.
2.2.11. Ensuring the functionality, security, and improvement of the Website.

3. LEGAL BASIS FOR PROCESSING

3.1. The legal grounds for processing personal data include:
·Regulation (EU) 2016/679 (GDPR);
·other applicable legal acts;
·consent of the data subject;
·contracts concluded with the User;
·compliance with legal obligations;
·the legitimate interests of the Operator;
·anti-money laundering and counter-terrorist financing legislation.

4. SCOPE AND CATEGORIES OF PERSONAL DATA PROCESSED

4.1. The Operator may process personal data relating to the following categories of individuals:
·website visitors;
·clients;
·client representatives;
·prospective clients;
·event participants;
·newsletter subscribers;
·counterparties;
·job applicants and internship candidates.

4.2. The Operator may process the following categories of personal data:
·full name;
·date of birth;
·citizenship;
·residential address;
·telephone number;
·email address;
·employment and position details;
·passport information;
·tax residency information;
·beneficial ownership information;
·source of funds and source of wealth information;
·AML/KYC screening results;
·sanctions screening results;
·IP address;
·cookie data;
·browser and device information;
·Website browsing history;
·other information necessary to achieve the purposes of processing.

4.3. The Operator ensures that the scope of processed data corresponds to the stated purposes of processing.
4.4. Special categories of personal data and biometric personal data are not processed unless expressly required by law or necessary for the provision of services to the User.

5. PROCEDURE AND CONDITIONS OF PROCESSING

5.1. Personal data is processed manually (non-automated processing).
5.2. The Operator may collect, record, organise, store, update, use, transfer, anonymise, restrict, delete, and destroy personal data.
5.3. Processing is carried out on the basis of the User’s consent or other lawful grounds.
5.4. The User independently decides whether to provide personal data.
5.5. Personal data shall be retained no longer than necessary to achieve the purposes of processing or as otherwise required by law.
5.6. Consent may be withdrawn by submitting a written request using the contact details provided in Section 9 of this Policy.
5.7. The Operator shall not disclose personal data to an indefinite number of persons without separate consent unless otherwise required by law.
5.8. The Operator implements the necessary legal, organisational, and technical measures to protect personal data.
5.9. Personal data shall be stored in a form that allows identification of the data subject for no longer than necessary to achieve the purposes of processing.
5.10. When processing personal data, the Operator complies with applicable international legislation.
5.11. The Operator ensures the confidentiality of personal data.
5.12. Due to the international nature of the Operator’s activities, personal data may be transferred to foreign countries, including Member States of the European Union, the United Kingdom, the United Arab Emirates, Armenia, and other jurisdictions where such transfer is necessary for the provision of services, performance of a contract, compliance with legal obligations, or protection of the Operator’s legitimate interests.
5.13. In the event of a personal data breach, the Operator shall take measures required under applicable law.
5.14. The User acknowledges and agrees that part of the data processing may be carried out through software products, CRM systems, cloud services, electronic communication tools, and other information systems used by the Operator in the course of its business activities.
5.15. For compliance with anti-money laundering and counter-terrorist financing legislation, the Operator may conduct checks on clients, beneficial owners, and client representatives, including identity verification, source of funds verification, and sanctions screening.
5.16. The Website uses cookies and similar technologies to ensure proper Website functionality, analyse traffic, improve services, and for marketing purposes. Users may modify cookie settings through their browser settings or through cookie management tools available on the Website.

6. RESTRICTION, RECTIFICATION, AND DELETION OF DATA

6.1. Where unlawful processing of personal data is identified, the Operator shall restrict processing for the duration of the investigation.
6.2. If inaccurate data is confirmed, the Operator shall rectify such data within a reasonable period.
6.3. If unlawful processing is identified, the Operator shall cease such processing and take measures to delete the relevant data within the timeframes established by law.
6.4. Upon achievement of the processing purposes, personal data shall be deleted or destroyed unless otherwise required by law.
6.5. Following withdrawal of consent, personal data shall be deleted unless another lawful basis for processing or retention exists.
6.6. The User may submit a request for access to, rectification of, or deletion of personal data.
6.7. Requests shall be considered within the timeframes established by applicable legislation.

7. LIABILITY OF THE PARTIES

7.1. The Operator shall be liable for violations of personal data protection legislation to the extent established by applicable law.
7.2. The User shall be responsible for the accuracy of the information provided.

8. DISPUTE RESOLUTION

8.1. All disputes relating to personal data processing shall first be resolved through negotiations.
8.2. If a dispute cannot be resolved through negotiations, it shall be resolved in accordance with applicable legislation.
The jurisdiction for dispute resolution shall be Cyprus.

9. OPERATOR CONTACT DETAILS

Company Name: BFC Project (Cyprus) LTD
Registration Number: HE 388917
Address: Osias Xenis, 5, Office 101, 4001 Limassol, Cyprus
Telephone: +357 97 632717
Email: info@bfcons.com

10. FINAL PROVISIONS

10.1. The Operator may amend this Policy without obtaining separate consent from Users.
10.2. Any new version of the Policy shall become effective upon publication on the Website unless otherwise specified therein.
10.3. The current version of the Policy shall always be available on the Website.
10.4. Continued use of the Website after publication of a new version of the Policy constitutes acceptance of the relevant amendments by the User.