PRIVACY POLICY

INTRODUCTION

The company “Agi Kons” shpk invites you to familiarize yourself with the personal data processing policy (referred to as the privacy policy). This Privacy Policy explains how the company “Agi Kons” shpk collects, uses, stores, and protects the personal data of clients, employees, partners, and other parties, in accordance with Law no. 124/2024 "On the Protection of Personal Data."

Whether you are a client, a person seeking information for a specific issue or service (visitor), a partner, a shareholder/partner, a job applicant, or an employee, we recommend that you read the "Privacy Policy" carefully, as it contains important information regarding your "Personal Data," particularly regarding its use, data categories, processing purposes, security measures, as well as the rights and protective means available to you.

The processing of personal data is carried out by the authorized staff of the company, in accordance with Law no. 124/2024 "On the Protection of Personal Data," guaranteeing their protection from any violation.

THE CONTROLLER

The controller is the natural or legal person and any public authority which, alone or jointly with others, determines the purposes and means of the processing of personal data, as defined in Article 5, point 8 of the Law "On the Protection of Personal Data."

Personal data subjects:

• Clients (sellers, buyers, lessors or lessees, land owners, etc.)
• Potential clients
• Employees
• Job candidates
• Partners/collaborators
• Shareholders/partners
• Interested persons (website visitors)
• Visitors to the company's premises

Within the framework of its activity, the company “Agi Kons” shpk processes personal data as follows:

For clients and their representatives

The company “Agi Kons” shpk, in the framework of the implementation of agreements and with their consent, will manage the necessary documentation (Ownership Certificate and property documentation, photocopy of the identification document – passport or ID card, declaration of the source of income) and will process the personal data and information provided by the client, including general data (name, father's name, surname, date of birth, place of birth), address, personal identification number, phone number, email address, signature, financial/banking data serving the contract. This data is accessed manually through the property documentation and electronically, and is processed only by the authorized staff of the company.

For employees

Data such as name, father's name, surname, date of birth, place of birth, email, phone number, contact details of family members used in cases of emergency (their names, surnames), educational data, signature, salary, bank account number, ID, data on professional training and experience, data on work ability and health, blood group, residential address, civil status, criminal record, photos, and biometric data only for accessing the work premises are processed. The data is accessed manually and electronically by authorized employees of the company.

For job candidates

Through the website where vacancies are published, and through the job announcement link, every candidate submits their CV. Job announcements may be published on LinkedIn, and on pages such as www.agikons.com, www.duapune.al, and www.njoftime.com. In the initial phase, the following data will be processed: name, surname, email, phone number, date of birth, as well as data related to professional qualifications and experience and the information included by them in the CV, which is necessary to evaluate the individual's suitability for employment and does not use this data for any other purpose. The data is processed through the submitted documentation and electronically only by the recruitment specialist and the director of the Human Resources Department, responsible for selection and interviewing, reviewing documentation, and communicating with successful candidates. At the moment of selection of their CV, it is processed by the director of the respective department where the candidate seeks to be employed.

For interested persons/visitors, through the website "contact" section, which enables them to receive information on services, submit complaints, or request professional service, data such as IP address, Cookies and technical data, name, surname, email, phone, and the message they convey are collected. Processing is done only by the authorized staff of the company.

For partners/collaborators and their representatives, through cooperation contracts that are physically managed in the company's archives, data such as name, surname, position, contact number, signature email, financial/banking data are processed. Processing is done only by the authorized staff of the company.

For employees and visitors to the company's offices, data is also processed through the CCTV camera system. Processing is done in accordance with Instruction no. 3, dated 30/04/2025 "On the processing of personal data by video surveillance systems." The company has placed camera surveillance information signs in its premises. Processing is done only by the authorized staff of the company.

Potential clients are persons who express interest and call or contact via email, website, or social networks or appear at the company's offices. With their consent, they provide data such as name, surname, phone number, or email. The processing of their data is done only with their consent and by authorized staff of the company.

For shareholders/partners, data such as name, surname, contact number, signature email, financial/banking data are processed. Processing is done only by the authorized staff of the company.

PURPOSE OF PERSONAL DATA PROCESSING:

The purpose of personal data processing depends on the relationship created between the data subject and the company “Agi Kons” shpk.

Contractual relationship with clients:

• The personal data of clients and the information managed through the respective legal documentation submitted by the client is processed for the purposes of managing the legal relationship created and providing a quality and correct service to the client.
• For purposes of implementing the legislation in force that regulates the activity exercised by the company and tax legislation, that for the prevention of money laundering and terrorist financing, etc.).
• The personal data of job candidates: processed within the framework of the selection and interviewing process, with the aim of employing prepared individuals and professionals in this sector.
• The personal data of employees: processed within the framework of the employment contractual relationship, their continuous training, compliance with obligations between the parties and the legislation regulating these relationships.
• The personal data of interested persons (website visitors): processed within the framework of informing them about the company's services, information on projects and real estate of interest, handling potential requests and complaints related to services.
• The personal data of partners/collaborators and their representatives are processed within the framework of specific contractual relationships and services received between the parties.
• The personal data of potential clients are processed for the purposes of entering into a legal relationship.
• The personal data of shareholders/partners are processed for the purpose of the relationship created between the controller and them.
• The data provided by the CCTV system in the company's premises for visitors and employees is processed within the framework of guaranteeing the physical security of the individual, property, and assets of the company.

LEGAL BASIS OF THE PERSONAL DATA PROCESSED:

We inform you that the processing of personal data is done in accordance with Law no. 124/2024 "On the Protection of Personal Data." Personal data is processed in accordance with Article 7 of the law, specifically if at least one of the criteria below is met:

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
ç) processing is necessary to protect the vital interests of the data subject or of another person;
d) processing is necessary for the performance of a task carried out in the public interest by the controller or when the controller is given the right to exercise public functions, duties or powers based on the legislation in force;
dh) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a minor. This letter does not apply to processing carried out by public authorities in the performance of their tasks, according to letter "d" of this point.

The data subject provides personal data with their consent, and is informed in advance of the possibility of withdrawing this consent. Personal data arising from the legislation in force, the terms of the contract, or entry into a contractual relationship are mandatory for the purpose of the relationship created, where the failure to provide them results in the inability to provide the service and to create the intended legal relationship. Personal data serves only the purpose for which the relationship is created.

RETENTION PERIOD OF PERSONAL DATA

Personal data is stored for a defined period serving the necessary storage period in accordance with legal and contractual requirements.

• Client data is stored for a term of 5 years from the date of the end of the business relationship between the client and the subject or from the date of the occasional transaction in accordance with Law no. 9917, dated 19.5.2008 "On the prevention of money laundering and terrorist financing" and fiscal laws in force.
• Employee data will be stored throughout the employment relationship and for a term of 3 years from the moment of termination of the employment relationship with reference to Article 203 of the Labor Code, which serve the realization of the protection of the rights of the parties against each other in court. While biometric data (entry-exit system) is stored throughout the period that the employment relationship lasts, which are destroyed immediately at the moment of termination of the employment relationship, making the respective minutes available to the employee.
• Job candidate data will be stored for up to 3 months from the submission of the job application, which will be used during this period only if there is a vacant position for the applicant's requested position.
• Data of interested persons/visitors, through the website, data such as IP address, Cookies and data related to requests or complaints, will be stored as long as the purpose of their treatment exists (i.e. they will be stored as long as the clarification of the request or complaint is completed), then they will be deleted, destroyed. These cases are treated within a term of 30 days from the date of receipt of the request. This period may be extended up to 60 (sixty) days, when necessary, taking into account the complexity and number of requests received. The controller reasonably informs the data subject of any extension of the term within 30 (thirty) days of receipt of the request together with the reasons for the delay.
• Data for partners/collaborators and their representatives will be stored as long as the cooperation relationship exists and up to five years after its end, within the framework of potential civil legal claims.
• Data provided by the video surveillance system (CCTV) are stored for a period of 30 (thirty) days from the moment of their recording.
• Data of potential clients and interested persons through websites, phone and social networks, are stored for a term of 30 days, if the legal relationship with them is not finalized.
• Data of shareholders/partners will be stored as long as the relationship between them exists and up to five years from its end (in case we are in the conditions of termination of the relationship).

After the end of the above-mentioned terms, data stored manually are destroyed through the paper shredder and data stored in the electronic system will be deleted irretrievably, also keeping the respective documentation.

RECIPIENTS OF PERSONAL DATA

The recipients of personal data are:

• Authorized employees of the company “Agi Kons” shpk, in accordance with the job duties and who are authorized to process the data only for the above-mentioned purposes.
• Competent public institutions (Tax Directorate, ISSH, Labor Inspectorate, etc.), judicial ones, in the circumstances provided in the specific legislation in force and with a reasoned request from them.
• The banks with which the company cooperates.
• In case the company will process personal data with subjects who will be in the quality of data processor, their recipients will also be the processors with whom a contract for the processing of personal data will be entered into, in implementation of the provisions of Article 26 of Law no. 124/2024 "On the protection of personal data," the list of which will be updated in this privacy policy.

The company “Agi Kons” shpk guarantees you that it respects the privacy policy in accordance with Law no. 124/2024 "On the protection of personal data." Employees process personal data in full confidentiality and have signed the confidentiality declaration.

Personal data will be processed only on the basis of the purpose set out above and for no other purpose. Personal data will not be the subject of commercial transactions with third parties.

RIGHTS OF THE PERSONAL DATA SUBJECT

In accordance with Articles 14-20 of Law no. 124/2024 "On the protection of personal data," you have these rights:

• the right of access within a term no later than 30 days from the date of submission of the request
• the right to request rectification or erasure
• the right to be forgotten
• the right to restriction of processing
• the right to data portability
• the right to object
• the right not to be subject to automated decisions
• the right to file a complaint with the Commissioner
• the right to compensation

The controller provides the data subject with any information and develops any communication related to their rights for data processing in a concise, transparent, understandable and easily accessible form, using clear and simple language. The controller informs the data subject regarding the fulfillment of the request or the reason for its rejection as soon as possible and, in any case, no later than 30 (thirty) days from the date of receipt of the request. This period may be extended up to 60 (sixty) days, when necessary, taking into account the complexity and number of requests received. The controller reasonably informs the data subject of any extension of the term within 30 (thirty) days of receipt of the request together with the reasons for the delay. In cases where the request is not handled or its fulfillment is refused, the controller, no later than 30 (thirty) days from the date of receipt of the request, informs the data subject of the reasons for non-handling or refusal of fulfillment of the request, as well as the possibility of filing a complaint with the Commissioner, with the address Rr. “Abdi Toptani”, Nd.5, Postal Code 1001, Tirana and a lawsuit in court.

You can address a written request to the personal data protection officer at the address Kodra e Diellit 2 Farke, Tirana, Property No. 51/256+1-N2, 51/256+1-N3, 51/256+1-N4, or with an electronic request at the address info@agikons.com

If the data processing is carried out on the basis of consent and the legitimate interest of the controller or the third party, when the processing is carried out on the basis of a legitimate interest, you have the right to withdraw the consent at any time.

To withdraw consent, you can contact us by addressing a request to the address Kodra e Diellit 2 Farke, Tirana, Property No. 51/256+1-N2, 51/256+1-N3, 51/256+1-N4, or with an electronic request at the address info@agikons.com

The company does not use automated decision-making or profiling that produces legal effects on individuals.

Personal data will not be transferred to foreign countries. In case transfers to foreign countries are made in the future, you will be notified before their transfer by updating this privacy policy, also providing for the guarantee of proper protection and information on the appropriate protection measures, the way in which a copy of them can be obtained or the place where they are offered.

SECURITY MEASURES

The company “Agi Kons” shpk, in the framework of compliance with Law no. 124/2024 "On the protection of personal data," implements technical and organizational measures to ensure an appropriate level against the risk, including among others, when applicable:

a) pseudonymization and encryption of personal data;
b) the ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data within a reasonable time in the event of a physical or technical incident;
ç) a process for regularly testing, reviewing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.

The company “Agi Kons” shpk exercises its work activity in accordance with the legislation in force for the protection of personal data and has established the necessary policies and systems for this purpose.

We have implemented strict security measures to reduce the risk of data breach and misuse of your personal data, such as unauthorized disclosure and unauthorized access to your data.

We ensure the privacy and protection of personal data by storing your data, as well as by ensuring your informed consent before data collection. Personal information will not be disclosed to any person outside the company. Individuals have rights arising from the legislation in force as defined above.

To protect personal data and maintain the integrity of processing processes, we have undertaken the following measures:

Data storage – we use encrypted storage solutions and databases with limited access to protect personal data.
Access control – we implement strict access controls to restrict access to personal data, ensuring that only authorized personnel can see/access, change or delete specific information or data.
Secure communication channels – we use secure channels for the exchange/communication of information, including encrypted email service to prevent data interception.
The devices/environments in which we store personal data are located in a secure environment with limited physical access (locked room).
The company uses firewalls, strong passwords, antivirus programs and other measures to protect personal data (such as encryption and pseudonymization), in accordance with international standards.
Data retention policy – we have adopted rules for data retention duration and secure disposal to mitigate the risk of unauthorized access to outdated data (that have just passed the retention period) or unnecessary ones.
Data security training – employees who are authorized to have access to and process personal data are trained in the field of personal data protection before starting the duty and are updated continuously regarding data security rules.

For any future update of it, you will be notified on the official website of the company.