Poseidon Financial Investor Designated Activity Company

This is the Privacy Policy (hereinafter the “Policy”) of the company under the corporate name “Poseidon Financial Investor Designated Activity Company” (hereinafter the “Company”, “we” or “us”). The Policy provides details in relation to the way in which we Process Personal Data in line with our obligations under the Data Protection Law.

Capitalised terms used in this Policy shall have the meaning given to them in the Glossary attached as Appendix 1.

The purpose of this Policy is to explain what Personal Data we process, how and why we process it and to describe our duties and responsibilities regarding the protection of such Personal Data. The manner we process Personal Data may evolve from time to time. Therefore, this Policy will need to be updated in order to reflect changing practices accordingly.

In order to meet our transparency obligations under the Data Protection Law, we will incorporate this Policy by reference to various points of collection of data used by us.

In accordance with the provisions of the Private Agreement for the Servicing of Receivables dated 18.04.2022, the Company has appointed the company under the corporate name “doValue GREECE LOANS AND CREDITS CLAIM MANAGEMENT SOCIÉTÉ ANONYME”, with the distinctive title “doValue Greece”, a Greek law 4354/2015 Servicer incorporated and registered under the laws of the Hellenic Republic, registered with the Greek General Commercial Registry (GEMI) under no. 121602601000 (hereinafter the “Servicer”) to service certain receivables of part of a portfolio of Greek law loans owned by the Company.

The Company will act as a Data Controller in respect of Personal Data provided to us by: (a) various individuals in connection with the management, operation and administration of the Company; and (b) the Servicer in respect of borrowers and their related persons within the context of debt management. Indicatively, such individuals are the following:

• members of the administration, employees and officers of the Company;
• employees who provide services to the Company; and
• borrowers that have entered into lending arrangements with Alpha Bank S.A. (or related entities) as well as any third parties that have provided guarantees/securities for the relevant arrangements as well as individuals related to the borrowers - legal entities

(each a “Data Subject”).

Personal Data is processed by the Company for the following purposes:

The Company will engage specific service providers to perform certain services on its behalf which may involve activities with processing of Personal Data. To the extent that such Processing is undertaken based on the instructions of the Company and gives rise to a Data Controller and Data Processor relationship, the Company will ensure that such relationship is governed by an agreement which includes the data protection provisions prescribed by the Data Protection Law.

The Servicer acts as a separate and independent controller in relation to the personal data of the borrowers, the guarantors and any individual related to borrowers - legal entities. The Servicer’s Privacy Policy should also be consulted for information on the processing of the personal data of the borrowers, the guarantors and any individual related to the borrowers - legal entities.

As part of our record keeping obligations under Article 30 of the GDPR, the Company retains a record of the Processing activities under its responsibility in accordance with the provisions of the said Article.

The Company will not ordinarily obtain or process Special Categories of Data. Nevertheless, in the very limited circumstances where it does so, it shall process such Personal Data in accordance with the provisions of the Data Protection Law.

The Data Protection Law provides specific rights in favour of data subjects. These rights are the following (hereinafter the “Data Subject Rights”):

• the right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the Controller);
• the right of access to Personal Data;
• the right to amend, rectify and complete any inaccuracies related to the Personal Data;
• the right to erase Personal Data (right to be forgotten);
• the right of data portability;
• the right to restrict Processing;
• the right to object to Processing based on legitimate interests; and
• the right to object to automated decision making, including profiling.

These Data Subject Rights may be exercised subject to limitations provided for in the Data Protection Law. In certain circumstances it may not be feasible for the Company to fulfill relevant rights. Data Subjects may address a written request to the Company relating to the management of their personal data, by addressing their request in writing to the Servicer’s Customer Service and Complaints Management Unit at 27 Kyprou and Archimidous Streets, 18346, Moschato, Greece or via email at [email protected] Relevant requests shall be dealt with in accordance with the provisions of the Data Protection Law.

The Company undertakes to hold confidential any Personal Data provided by the Servicer in accordance with the provisions of the Data Protection Law.

Respectively, we and our service providers use and apply technical and organizational measures in order to protect Personal Data from unlawful or unauthorized destruction, loss, change, disclosure, acquisition or access. Personal Data is held securely using a range of appropriate security measures.

Data Controllers must notify the Data Protection Authority and affected Data Subjects in case of certain types of personal data security breaches. Personal Data Breach means the breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data transmitted, stored or otherwise processed. A Data Breach incident that may occur regarding Personal Data under the control of the Company will be dealt with in accordance with the provisions of the Data Protection Law.

We may disclose Personal Data (a) to third parties or allow third parties to access Personal Data we process for the purposes of complying with applicable law; and (b) to authorized persons, consultants, service providers, bodies, statutory auditors, providers technology services, and to any affiliated companies or subsidiaries of the foregoing for the same or respective purposes.

We will keep Personal Data:

• throughout the duration of the Data Subjects’ relationship with the Company and after its expiry in accordance with the Company’s legal and regulatory obligations and any applicable record retention policy of the Company;
• for such period as may be deemed by us to be necessary in light of applicable statutory limitation periods; and
• in any other case, only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data is Processed.

From time to time, the Company may transfer Personal Data to countries outside the EEA which may not have the same or equivalent Data Protection Law as Ireland or an equivalent Data Protection Law. If such transfer occurs, the Company will ensure that such processing of Personal Data is carried out in compliance with the provisions of the Data Protection Law.

For further information about this Policy and / or the Processing of Personal Data by or on behalf of the Company, you may address your requests in writing to the Servicer’s Customer Service and Complaints Management Unit of doValue Greece at 27 Kyprou and Archimidous Streets, 18346, Moschato, Greece or via email at [email protected] and thereafter, if you wish, to the competent Authority.

“Data Controller” means the entity which, alone or jointly with others, determines the purposes and the means of the processing of Personal Data.

“Data Protection Law” means the General Data Protection Regulation 2016/679 (the “GDPR”) and the Data Protection Act 2018 as well as any other laws which may apply to the Company in relation to the Processing of Personal Data.

“European Economic Area” or “EEA” means Austria, Belgium, Bulgaria, Croatia, the Republic of Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Liechtenstein and Norway.

“Personal Data” means any information relating to a living individual which allows the identification of that individual. Personal Data can include: (a) the name and identification information; (b) details about an individual’s location; or (c) any other information that is specific to that individual.

“Processing” means each action or set of actions performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The terms “Process” and “Processing” are interpreted accordingly.

“Special Categories of Personal Data” are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data or data concerning sex life and any Personal Data relating to criminal convictions or offences.

“Types of Personal Data” means for the borrowers and their related parties-individuals, the name, the postal and residential address, the e-mail address, the telephone number, the name of the beneficiary, the nationality, the date of birth, the account number, the bank account details, the debt details, the tax identification number, etc.