Personal Data Protection

INFORMATION ON THE PROCESSING OF PERSONAL DATA OF THE BANK EUROBANK A.D. PURSUANT TO THE LAW ON PERSONAL DATA PROTECTION (“OFFICIAL GAZETTE OF RS” NO.87/2018)

The Bank Eurobank Direktna a.d. (hereinafter the “Bank”) informs you that, pursuant to Law on Personal Data Protection and other relevant legislation on personal data protection, under its capacity as controller, processes your personal data, collected either with the submission of an application/receipt of an offer for the provision of a product or a service, or at a later date, including data derived from the conclusion of contract(s) with the Bank, or data derived from the formation and performance of business relationship with the Bank, as set out below.

1.What personal data does the Bank collect and from which sources?

The personal data that the Bank collects and processes may indicatively be the following and not all of them necessarily concern you:

a) Identification data: name and surname, father’s name, mother’s maiden name, identity card or passport, Unique Citizen`s Number (JMBG), date and place of birth, sex, citizenship, signature data etc. The aforementioned data are provided directly by you and are updated with your assistance.

b) Contact data: postal address, e-mail address, fixed and mobile telephone number etc. The data are received directly by you and are verified/updated with your assistance.

c) Data concerning your economic and financial situation: profession, remuneration, dependent family members, marital status, salary statements, documentation regarding acquisition or transfer of immovable or movable property. Said data are collected/verified/updated either directly from you or from other sources, such as land registries, cadaster offices, courts, tax authorities, etc.

d) Data concerning your creditworthiness: debts towards financial institutions arising from loans, credits, credit cards etc. collected from the Credit Bureau.

e) Data produced as a result of credit analysis from the relevant systems of the Bank and/or other credit and/or financial institutions.

f) Data deriving from the performance of your contract(s) with the Bank, the performance of transactions (including the type of transaction, date and place of the transaction).

g) Data related to recorded communications provided you have been previously informed pursuant to the legal preconditions.

h) Data related to your electronic identification and connection with electronic banking services (i.e. e-banking, mobile banking) and applications

i) Image data collected from the video recording systems of the Bank’s premises, where signs have been placed pursuant to the law.

j) Data for the assessment of the risk of money laundering and/or terrorism financing that are collected directly from you, your executed transactions, authorities and bodies that are in charge of the prevention and repression of the aforementioned offences.

k) As a rule, the Bank does not collect and process special categories of personal data, we do it only in exceptional cases and after applying appropriate security measures and only as long as necessary legal conditions have been met.

l) The Bank collects and processes minors’ data only when the legal preconditions have been met. m) Data from your answers on the Bank’s surveys, your reaction to advertising campaigns when these are not anonymized.

The abovementioned data may be provided directly by you. This includes the data collection from a third party, natural or legal person, acting on your behalf. Also, the data may be collected/verified/updated by the Bank, where this is allowed and appropriate, and via publicly available sources such as land registries, cadastral offices, courts, registers, web, open social media profiles, mass media, etc.

2.Why does the Bank collect your data and for which purposes?

The Bank collects and processes your personal data that are necessary:

A. For the execution of a contract and in order to carry out pre-contractual measures at your request

The processing of your data as described in Section 1 above serves purposes such as:

a) Your identification, verification of your data and the communication with you during the pre-contractual and contractual stage, as well as during any other transaction between you and the Bank.

b) The evaluation of your requests, the formation of a contract with you, its execution and smooth operation, the fulfillment of each counterparty’s obligations and the defense of interests and exercise of the Bank’s rights.

c) The service, support execution and monitoring of your transactions including the ones via electronic banking (e.g. e-banking, mobile banking).

e) In case of granting any loan or credit for:

·the assessment of the credit risk the Bank will be or has already been exposed to;

·the prevention or mitigation of the possibility of a failure by your part to fulfill your obligations arising from the contract you will enter into with the Bank;

·the pursuing of the collection of any possible debts to the Bank due to the performance of your contract you will sign.

f) The communication with you, your information on the best use of the Bank’s products and/or services (i.e. new features or functionalities of these products or new opportunities to use products/services to your benefit, etc).

B. For the Bank’s compliance with its legal obligations

The processing of your data as described in Section 1 above also serves purposes such as:

a) The Bank’s compliance with obligations imposed by the legal and other relevant framework in force, as well as with authorities’ decisions (supervisory, independent, prosecution etc).

b) The prevention and repression of money laundering and terrorism financing, as well as the prevention, detection and repression of frauds against the Bank or its clients, as well as of any other illegal act.

c) The protection of the Bank’s clients, personnel and visitors and their property as well as the Bank’s facilities and property in general.

d) The Bank’s compliance with obligations imposed by legislation or international agreements regarding the exchange or provision of financial information (e.g. FATCA).

C. For serving the Bank’s or third parties’ legitimate interests

The processing of data under Section 1 serves, additionally, purposes such as indicatively the security and safety of the Bank’s information systems, facilities and assets, the prevention and deterrence of criminal acts or frauds against the Bank or a third party, the defense of the Bank’s or third parties’ legal rights and interests (third parties being indicatively Eurobank Group Companies, cooperating with the Bank companies, etc.), the management of your complaints, the Bank’s compliance with obligations arising from contracts with co-financing or guarantee institutions/organizations or third parties in general, sending you or submitting of questionnaires in order for the Bank to establish your satisfaction level from its products and services, and your transactional relationship in general.

D. Processing based on your consent

In cases where we have received your consent, especially when the processing cannot be based on any of the abovementioned (2.A. – 2.C.) legal bases the processing of your data under Section 1 is based on this consent (see in particular the below mentioned cases of product and services promotion, automated decision-making, transfer of data outside Republic of Serbia, as well as in cases where you fill out printed or electronic application forms to receive information on products and services, actions of the Bank or other cooperating companies). In such cases you have the right to withdraw your consent at any time. However, the processing based on your consent prior to its withdrawal remains unaffected.

E. Promotion of products and services

In case you have provided us with your consent, the Bank may process your data in promotion activities for new products/services that fit your habits and interests, other than the ones that you have already used.

F. Profiling - Automated decision-making

Profiling

a) For purposes of promotion activities, the Bank may carry out profiling by using combined data, mentioned above under 1 (indicatively your commercial behavior analysis, response level to the Bank’s promotion activities, answers to surveys etc). Said processing within the framework of your information and/or participation to promotion activities for new products/services, other the ones you have already received from the Bank, its Group companies or cooperating companies is based on your consent.

b) For the risk assessment of money laundering and terrorism financing the Bank compiles your profile using internationally acknowledged models for the combined evaluation of data. Said processing is carried out for the Bank’s compliance with its legal obligations.

Automated decision-making

The Bank may carry out solely automated individual decision-making, including profiling, in cases where:

§this is deemed necessary for the signing and execution of your contract with the Bank,

§this is allowed from national law,

§you have provided us with your explicit consent for said processing, especially in cases where automated decision-making cannot be based on any of the above-mentioned legal bases.

The Bank conducts said processing because it considers that automated individual decision-making, including profiling, leads to fair, impartial and responsible decisions. The Bank ensures by such a process fairness and transparency by applying appropriate statistical and mathematical methods for profiling, appropriate technical and organizational measures to correct any factors that could lead to inaccuracies on personal data, to minimize errors and secure the data.

The purpose for which the Bank may take a decision based solely on automated individual decision-making is the credit risk assessment for providing consumer loans, before the signing but also during such contracts in case the necessity of evaluation of your credit rating arises (i.e. in cases of increase in the credit limit, debt restructuring etc). In such cases, the Bank carries out solely automated individual decision-making that includes the combined evaluation of your financial data, your economic behavior that results to the approval or rejection of your application for loan, increase of your credit limit, debt restructuring etc. Solely automated individual decision-making in this case is necessary for the signing or execution of the contract with the Bank.

3.Who are the recipients of your data?

In order for the Bank to fulfill its contractual, legal and regulatory obligations, serve its or third parties’ legitimate interests as well as in cases where the Bank is authorized or has received your consent, recipients of the necessary, according to the processing purpose, personal data may for example be the following:

a) The Bank`s employees and persons engaged by the Bank.

b) Eurobank Group companies, meaning the banking Group and the Group of the Bank’s parent company Eurobank Ergasias Services and Holdings S.A.

c) Call centers

d) Companies conducting customer satisfaction surveys or market surveys in general.

e) Companies for the promotion of products and/or services - advertising companies.

f) Companies responsible for storage, management and destruction of files, records and data.

g) Natural or legal persons processing data in order to update them (including the update of your contact data in case you have omitted to notify the Bank of said amendment).

h) Lawyers, law firms, notaries, auditors, consulting providers (such as financial consultants etc.) within the framework of their duties, public executors.

i) Services providers (including cloud services providers), and/or information and electronic systems and network support providers of any kind, including but not limited to online systems and platforms. Electronic communication and information society services providers (telecommunication providers, e-mail, web hosting, messaging applications).

j) Security companies.

k) Insurance companies.

l) Public company Pošta Srbije.

m) Commercial agents, products and services suppliers, intermediaries acting on your or our behalf, your legal consultants or representatives

n) Credit bureau of the Association of Serbian Banks, Fraud prevention Forum of the Chamber of Commerce and Industry of Serbia, credit and/or financial institutions, electronic money institutions, service payment providers or providers that are involved for the execution of contracts with you or transactions that you asked for or activated such as SWIFT, VISA, MASRTERCARD, etc.

o) Authorities, entities or parties that are responsible for the supervision/monitoring of the Bank’s activities within their competence (National Bank of Serbia, external auditors, Administration for the Prevention of Money Laundering etc).

p) State authorities.

q) Lawyers and, if permitted by valid legislation, debt collection agencies – in case of debt collection or initiation of proceedings. In case of assignment of claims that the Bank has against you, your data will be delivered to the acquirers of claims, provided that the prescribed protection of your data is ensured.

r) Companies responsible for the issuance of digital certificates and digital signatures.

q) Any third parties that submit a request for information to the Bank, when the legal conditions have been met.

4.Is the Bank entitled to transfer your data to third countries (outside Republic of Serbia)?

The Bank can transfer your personal data to third countries or international organizations outside Republic of Serbia under the following circumstances:

a) if the third country, territory or one or more specified sectors within that third country or an international organization ensures an adequate level of protection; or

b) if appropriate safeguards for data processing have been provided, pursuant to the law.

c) In the absence of the abovementioned circumstances a transfer may take place in following cases:

§You have explicitly consented to the transfer;

§The transfer is necessary for the execution of a contract between you and the Bank, such as for the execution of orders (i.e. transfer to a bank account of a third country) or for the implementation of pre-contractual measures pursuant to your request or for the signing or execution of a contract that was made for your benefit;

§The transfer is necessary for the establishment, exercise or defense of legal claims; or

§The transfer is necessary for important reasons of public interest.

5.For how long will the Bank maintain your personal data?

The Bank will keep personal data for the time necessary for the fulfillment of their processing purpose, otherwise for the time required by the relevant legal and/or regulatory framework (Law on the PreventionofMoneyLaunderingand the Financing of Terrorism etc.) or the time necessary for the exercise of claims or defense of rights and legitimate interests.

More precisely and indicatively:

- In case you enter a contract with the Bank, your personal data will be stored for as long as the contract stands.

- In case data processing is imposed by law, personal data will be stored for the period provided by the relevant legal or regulatory provisions and in any case for the time necessary for the exercise of claims or defense of rights and legitimate interests (e.g. at least 10 years from the date of the end of business relationship, performed transaction, or access to the safe deposit box, in accordance with the Law on the PreventionofMoneyLaunderingand the Financing of Terrorism).

- Data and documentation may be stored for longer than certain periods, for the purposes of conducting judicial, extrajudicial, administrative and other proceedings before state authorities, arbitrations and third parties, regardless of whether the proceedings were initiated by you, the Bank or third parties, and to protect the legitimate interest of the Bank or third parties.

6.What are your rights regarding the protection of your personal data?

You have the following rights:

a) To demand to know the purposes for which we process your personal data, the categories of the data that we store and process, where they come from, the categories of their recipients (especially the recipients in third countries or international organizations), the period of storage as well as your relevant rights (right of access).

b) To demand the rectification or/and amendment to your data completed so that they are complete and accurate (right to rectification) by providing any necessary document justifying the need for rectification.

c) To ask for a restriction of the processing of your personal data (right to restriction of processing).

d) To object to any further processing of your stored personal data (right to object).

e) To obtain the erasure of your personal data from the records we keep (right to erasure).

f) To ask for the transfer of your data kept by the Bank to any other controller (right to data portability).

g) In case of solely automated individual decision making, including profiling which produces legal effects concerning you or significantly affecting you in a similar way, the Bank implements suitable measures and safeguards for the protection of your rights, freedom and legitimate interests and offers you meaningful intervention carried out by humans, the right to express your opinion and ask for a justification οf the decision based within this framework as well as the right to contest such a decision. These rights can be exercised within a limit of 30 days from the day such decision was made known.

h) To withdraw your consent at any time. The legality of the processing based on your consent before its withdrawal remains unaffected.

i) Right to complain to the Commissioner: In case you consider that your rights are in any way violated, you have the right to lodge a complaint with the Commissioner for Information of Public Importance and Personal Data Protection. The address of the Commissioner is: Bulevar Kralja Aleksandra 15, 11000 Beograd, tel: +381 11 3408 900.

7.How can you exercise your rights?

For the exercise of your rights you may contact in writing the Clients Relations Department, Vuka Karadžića Street 10, Beograd or send an email to office@eurobank-direktna.rs. The Bank shall use its best endeavors to address your request within 30 days of its receipt. The abovementioned period may be prolonged for 60 more days, if deemed necessary, at the Bank’s absolute discretion taking into consideration the complexity and the number of the requests. The Bank shall inform you within 30 days of the request’s receipt in any case of prolongation of the abovementioned period. The abovementioned service is provided by the Bank free of charge. However, in case the requests manifestly lack foundation and/or are excessive and repeated, the Bank may, after informing the client, impose a reasonable fee or refuse to address your requests.

8.Data Protection Officer

You may contact the Data Protection Officer for any matter regarding the processing of your personal data at the address Ulica Vuka Karadžića 10, Beograd or by sending an email to dpo@eurobank-direktna.rs.

9.How does the Bank protect your personal data?

In accordance with the nature, extent, circumstances and purpose of the processing, as well as the probability of occurrence of risks and the level of risk to the rights and freedoms of individuals, the Bank implements protection measures in order to achieve an appropriate level of security in relation to the risks.

We implement appropriate organizational, technical and staff-related measures to ensure the security and confidentiality of your personal data, and their protection from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access and any other form of unlawful processing.

Access to personal data in the Bank is protected by a series of measures that include physical protection and technical protection systems. Banking applications and databases are protected by adequate protection systems to guarantee confidentiality, integrity and availability. Access to data is allowed only to authorized users.

Access to data is allowed only to authorized users, processes or programs, with authentication and authorization. Each employee who accesses banking applications has his own username and password. In case of data transfer abroad or in case the Bank engages sub-processors, the protection measures prescribed by law are applied in order to achieve an adequate level of data protection.

10.Amendments of this Information

The Bank may amend the present Information. In such case the Bank will notify you accordingly via posting on its website.