Data protection

Announcement regarding the documentation update starting from 30.10

Announcement regarding the documentation update starting from 26.05

Announcement regarding the documentation update starting from 15.05

Information notice regarding the processing of personal data

(“Information Notice”)

UniCredit Bank S.A. (''Bank'' or "Data Controller"), a company managed under a dual system, with headquarters in Romania, 1F Expozitiei Bvd, Bucharest, 1^st sector, registered within the Trade Register under no. J1991007706408, EUID: ROONRC.J1991007706408 and within the Bank Register under no. RB- PJR-40-011/18.02.1999, unique registration code 361536, tax attribute RO, subscribed and paid-up capital 589.955.162,70 RON, as Data Controller, processes your personal data in good faith and in achieving the purposes specified in this Information Notice, in accordance with the provisions of Regulation (EU) no. 679 of April 27, 2016 regarding the protection of natural persons with regard to the processing of personal data and regarding the free movement of such data and the repeal of Directive 95/46/EC ("the Regulation"), hereinafter referred to as "GDPR".

This personal data, belonging to you as a data subject (“Data Subject”), are provided to the Bank either by you or, if you are authorized/additional user/legal representative, by the owner of the banking product/service or they are obtained by the Bank, when necessary, from other available external sources (such as, but not limited to: payment or transaction processors, card organizations, third-party payment service providers (third-party PSPs), third parties (as defined in Article 18 (1) of Law No. 129/2019), the General Directorate for Personal Records, the National Agency for Fiscal Administration (ANAF), the National Trade Register Office, the Romanian court portal, Credit Bureau SA, other companies within the UniCredit Group, public or private databases (including entities specialized in data aggregation), the land registry office, the media, your employer, authorities) at the conclusion date of the contract with the Bank and/or of an insurance policy and/or the date of a request regarding providing services by the Bank and/or during the course of the contractual/business relationship and/or by a third party provider of payment services PSP contracted by you.

1. The personal data processed by the Bank are:

1.1. Identification data such as: surname and name, pseudonym, mother's maiden name, client code, address, personal identification number - CNP (or parts of it in the case of authentication procedures) or NIF (fiscal identification number), date and place of birth, citizenship, other data present in the ID documents, signature, voice, image;

1.2. Contact data such as: postal address, e-mail address, telephone/fax number;

1.3. Financial-banking data such as: (i) income (amount, categories), professional status (function, occupation, workplace, employer, professional history, if applicable), family situation (single/married, number of dependents), information products/services requested and/or owned and bank transactions, liquidity data, tax residency as appropriate; (ii) membership of a Related Customer Group; in this case, the Bank processes the name, first name and PIN of individuals that are part of the Group of related clients and have an exposure to the Bank or a current account opened at the Bank; (iii) data regarding risk management aria/data modeling such as general data (bank account/client identifier), socio-demographic data (e.g.: education, profession), limits and durations of the loans granted, existing balances of the loans granted, outstanding amounts, information regarding the restructuring/blocking of accounts (e.g.: garnishment), risk class; (iv) if you apply for a loan at Unicredit Consumer Financing IFN SA (“UCFin”), the Bank will be able to provide UCFin with the following data, with the aim of analyzing your eligibility for granting a financial product by UCFin and carrying out the statistical modeling activity*: data regarding the current account and credit relationship that the Data Subject has with UniCredit Bank SA such as: account balances and credit balances at certain intervals, information on credit transactions, information on accounts openings and closings; credit card limit and usage; debt collection data; the existence of seizures/other similar measures instituted on bank accounts; other similar data;

*Statistical modeling is a method that uses mathematical formulas to analyze data and find relationships between them, so that the financial institution can manage risks, make informed decisions, and improve the overall performance of credit portfolios.

1.4. Data related to the compliance analyzes (which also include data on convictions/sanctions) such as: (i) relevant information regarding the transactions and operations carried out by the Data Subject using the Bank's products or services, the real beneficiary, authorized representatives, the economic and financial situation, the data regarding the assets owned, the source and destination of the funds, data on the political exposure, if applicable, and public office held, information on accusations, investigations and committed acts such as the name of the act committed, the sanction applied (e.g. convictions, related measures), the duration of the sanction, the authority that applied the sanction, the status of the file and other similar data (for reasons related to compliance with the legislation on the prevention and combating of money laundering and the financing of terrorism, as well as compliance with the legislation on combating fraud and fraudulent conduct), the status of a publicly exposed person, according to the definition contained in Law no. 129/2019 on the prevention and combating of money laundering and the financing of terrorism, as well as for the modification and completion of some normative acts, as this legal definition may be modified from time to time; (ii) data on international sanctions such as the type and content of the sanction, the competent authority, the duration of the sanction, the description of the object of the sanction (e.g.: the asset category, value, location, data from the land register, the authority responsible for implementation/monitoring of the sanction, the measures carry out on this asset) and, to the extent that international sanctions involve the processing of data about acts committed by the Data Subjects, data such as the name of the act committed, the sanction applied and its duration, the competent authority, any other similar information may be processed, according to the legislation regarding the implementation of the international sanctions;

1.5. Special health data such as: information resulting from the documentation related to insurance policies, necessary for providing specific insurance services, if applicable;

1.6. Data regarding communications such as: (i) electronic communications in any form between the Bank and the Data Subject, their (recorded) content, transmission dates and times, voice (if it is a recorded call), image (if recorded), including biometric (facial) data, ID image, audio and/or video session duration, related calendar date and time slot, logs, any documents and/or information presented in video and/or audio interactions; (ii) data derived from the use of the Bank's applications such as: Online B@nking/ Mobile B@nking username, also used to access the Virtual Mailbox, data regarding the token device – DIGIPASS (serial) or Mobile Token (phone number, in order to activate Mobile Token/ Mobile B@nking applications), other data necessary to access and use these electronic payment instruments (identification/registration/authentication/connection/authorization codes[1]¹); (iii) data regarding the electronic signature, issuing the digital certificate (qualified) in this sense;

1.7. Data regarding the proxies/additional users/legal representatives/Data subject’s husband or wife: the categories of data above may also concern these persons in relation to the specifics of the banking product/service and the law;

1.8. other similar categories Data Subject’s personal data from the Bank's evidencies, related to the contractual relationship with the Bank derived, mainly, from the signed contractual documentation and from the information collected by the Bank, arising from law enforcement.

2. The purposes and grounds of processing Personal Data.

2.1 performance of a contract to which you are a party or taking steps before concluding the contract, according to the Article 6, 1^st pararapph, letter b) of the GDPR:

(i) analyzing, signing and executing the contractual documentation with the Bank, based on your request, among which we mention the opening a bank account, setting up a term deposit, providing Online B@nking and Mobile B@nking services, issuing the debit card, the device token – DIGIPASS, providing Info SMS service, providing safe deposit box rental service, the distribution of investment funds, bonds, structured deposits, according to your request; (ii) recovery of debts and assets brought as a guarantee; (iii) issuance, execution, payment of the insurance policy; (iv) recording of communications by fax, digital channels (eg: Online B@nking, Mobile B@nking, e-mail, Virtual Mailbox), telephone conversations through Contact Center. The Data Subject is always in control, respectively he/she can address to the Bank through other channels, if he/she does not choose to record the communication, having been informed in this regard beforehand through voice services or written messages; (v) execution of the payment services, providing account information to your requests submitted to the Bank through an account information service provider, execution of the payment orders initiated by you through an payment initiation service provider, confirmation of the availability of the funds (if an amount required to execute a card-based payment operation is available in online accessible payment account), at the request of a third-party payment service provider that issues card-based payment instruments; (vi) for the purpose of updating your documents, data and information held by the Data Controller, this will process contact person’s data, only if you have provided such data to the Data Controller. The Data Subject has the obligation to inform the contact person about the data processing carried out by the Data Conroller, either by sending the Information Notice (via e-mail, physical remittance) or by indicating its consultation on www.unicredit.ro, Personal Data Protection section; (vii) providing electronic signature services attached to Data Controkker’s products and services and requested by the Data Subject, through Data Controller’s channels.

2.2. fulfillment of a legal obligation/requirement, according to Artcile 6, 1st oaragraph, letter c) of the GDPR such as:

(i) Conducting analyses and implementing measures for customer due diligence (“Know Your Customer”), prevention and combating money laundering and terrorist financing (Law no. 129/2019, BNR Regulation no. 2/2019) or applying international sanctions. This category also includes (a) conducting face-to-face and/or remote identification through audio and/or video means (such as video-selfie, authentication on an electronic platform), (b) collecting and using data provided in compliance with legal provisions by public authorities/institutions, for the purpose of prudential monitoring/updating the data/activity of the data subject and/or comparing by the Cotroller for the same purposes of the data held in its own systems (such as those provided by clients), with data provided by public authorities/institutions, and (c) processing personal data obtained by the Data Controller from other entities within the Group or from third parties (according to the meaning given to this notion in article 18 (1) of Law no. 129/2019), for the same purpose, such as: contact data (e-mail address, telephone number and residence address), data from identity documents and copies of these documents, the information and documents related to the risk analysis according to the Law no. 129/2019 and the normative acts issued in its execution etc. Thus, the Data Controller obtainment updated information of the Data Subject in this way may also lead to the updating of similar data existing in the Data Controller's records, if the latter are different; (ii) reports to various authorities/institutions, according to the law, such as Nationa Bank of Romania (NBR), National Agency for Fiscal Administration (NAFA), National Authority for Consumers Protection (NACP), National Authority for Supervision of the Personal Data Processing (NSAPDP), including for FATCA reports (Fiscal Compliance Law applicable to the Foreign Accounts) when the Data Subject is a US citizen and CRS reports ( ommon Reporting Standard) to combat tax evasion; (iii) carrying out of forced executions of the amounts owed as well as the administration of confiscations and sequestrations; (iv) meeting legal requirements in the area of the payments/payment services; (v) adopting appropriate measures against internal or external fraudulent behavior and breach of discipline, such as breach of internal procedures, breach of limits, as provided by the NBR Regulation no. 5/2013; (vi) for the monitoring, security and guarding of people, spaces, goods, through the video cameras located in the Bank's premisses, based on Law no. 333/2003 regarding the protection of objectives, goods, values and persons protection;

2.3 achieving a Bank legitimate interest based on the Article 6, 1st paragraph, letter f) of the GDPR: (i) debt collection, prejudice of any kind caused to the Bank, assets brought under guarantee and the implementation of any necessary actions/requests, the legitimate interest of the Bank being represented by the appropriate and necessary measures taken by Bank to ensure its solvency and sustainable management of liabilities; (ii) carrying out reports within the UniCredit Group which may include data regarding the person, property, activity, business or business relationships or with persons within the same group of clients who constitute or may constitute a single risk, respectively for the account/accounts transactions at the Bank, based on the legitimate interest, namely to ensure a prudent risk management at Group level; (iii) for the monitoring, security and guarding of people, spaces, goods, through the video cameras located in the Bank's premises, based on Law no. 333/2003 the legitimate interest being represented by the appropriate and necessary measures taken by the Bank to ensure the evidential means related to the settlement of any complaint/request from the entitled persons/authorities, thus maintaining the Data Controller's adequate reputation in the market; (iv) to verify the satisfaction of the Data Subject and the quality of the services and products purchased, as well as the collection of the Data Subject's opinions/feedback on situations derived from the Bank's current activity (such as sustainability, environmental protection, actions regarding different communities such as the local community), based on the legitimate interest of the permanent improvement of the Bank's services/products, as well as the implementation/consolidation/development of the Bank's strategies in various areas derived from the current activity such as sustainability, environmental protection, actions regarding different communities such as the local community; (v) fulfilling an obligation stipulated in the relevant regulations of the UniCredit Group, applicable to the Data Controller, regarding the fight against and prevention of money laundering and the financing of terrorism, the application of various regimes of international sanctions, based on the legitimate interest in ensuring prudent risk management at the level of the UniCredit Group (including the sharing of information between Group entities arising from the customer due diligence process, from the process of identifying persons and activities suspected of money laundering or terrorist financing or violation of international sanctions regimes); (vi) the execution by the Bank, as a third party (according to the meaning given to this notion in article 18 (1) of Law no. 129/2019), of specific customer due diligence activities for another reporting entity/third party or the provision by the Bank to a reporting entity/third party of information regarding the Data Subject obtained by the Bank in the customer due diligence process; (vii) prevention, investigation and limiting the consequences of fraud derived from any area concerning the current activity of the Bank: (a) payment services. Thus, in collaboration with Transfond, the Bank will provide the Beneficiary Name Display Service (SANB), together with other payment service providers in Romania, as participants in the service. As a result, your data (full first name, initial of last name and IBAN code) are transferred to the database managed by Transfond to prevent transactional fraud and non debt obligations (payments); (b) financial services. Thus, it is envisaged the transmission of information messages that do not contain personal data to the former telephone number and/or former e-mail address of the Data Subject and, respectively, on a communication channel (such as e-mail address/SMS) existing in the Bank's records, simultaneously with updating the phone number and/or email address). The legitimate interest is represented by the necessary and appropriate measures to prevent and combat (potentially) fraudulent conduct, including through mechanisms that ensure a high degree of maintenance of security and confidentiality of data processing; (viii) the communication of information regarding the functionalities, standard contractual-operational advantages/benefits, the operating mechanisms of the products and services owned by the Data Subject, of the complementary products and services (provided by the Bank) that optimize the use of the products and services already owned, through methods such as programs payment in (equal) installments, loyalty programs, programs regarding the use of products and services, through means of communication, such as automatic calling systems that do not require the intervention of a human operator, respectively e-mail, SMS, fax, post office, telephone conversation (e.g.: Call Center), Online/Mobile B@nking, Virtual Mailbox [e.g.: notifications, messages including "push notification" type (notifications/instant messages)], based on the legitimate interest of providing adequate, correct and complete information to the Data Subjects regarding the products and services owned or complementary to them, conducting educational campaigns for the data subjects, so that the data subjects have access to and/or maintain the services and products appropriate to their needs and interests; (ix) the proper functioning of the Bank's internal systems/applications (whatever their name may be), through activities (which may also be preliminary) such as testing (e.g.: use of personal data in test environments), design, development, so that the Bank should be able to optimally carry out its current activity, including in areas such as preventing and combating money laundering and terrorist financing, applying international sanctions, combating tax evasion (e.g.: for the purpose of FATCA), considering that such activities can be essential in the future operation of the Bank's systems/applications, based on the Bank's legitimate interest in ensuring the proper functioning of its systems/applications, by taking the necessary measures (such as prior use of personal data in test, design, development environments) and ensuring appropriate administration of the related risks; (x) carrying out analyzes and studies at the Bank’s level regarding aspects such as the use of products and services, payment or credit standards for the development of analytical models and their periodic review in order to optimize the business strategy and the Bank's products and services, based on legitimate interest to take appropriate measures such as studies, analyzes to anticipate the needs and interests of customers, improve the Bank's services and products in line with the needs and expectations of the clientele and trends in the relevant market; (xi) the undertaking by the Data Controller of the necessary measures to carry out, in a prudent manner, the consolidated supervision over the entities within the Group (e.g.: UCFin), by transmitting to UCFin (on request) the data on common customers, so that the Data Controller (operational leader of the Group): (a) to maintain within the optimal parameters of efficiency and effectiveness the credit, financing, model and strategic risks, at the Group level, according to the relevant legislation; (b) to create for UCFin the necessary conditions for the integrated credit analysis and statistical modeling, by capitalizing the data held by the Data Controller, in order to estimate the probability of the non-payment; (c) to avoid the risk of insolvency for joint customers; (d) to ensure compliance with the relevant legislation and thus reduce the possibility of risks for the Data Controller and entities in the Group (which may indirectly affect the Data Controller); (xii) carrying out the defense, performing, ascertainment, without limitation, of a right/claim/request, etc. in court, in front of another authority/institution/natural or legal person, auditors, without limitation, based on the legitimate interest to take all necessary and appropriate measures (such as documentation, defense, exercise, ascertainment) to protect his rights and interests and ensure compliance with applicable legislation; (xiii) the recording of communications through digital channels, of telephone conversations made through the contact center, the legitimate interest being represented by the improvement of the Bank's products and services and the provision of evidentiary material for the effective resolution of any complaints/requests. The Data Subject is always in control, respectively he/she can address to the Bank through other channels, if he/she does not choose to record the conversation, having been informed in this regard beforehand through voice services or written messages; (xiv) for statistical purposes, the legitimate interest being represented by the achievement of anticipatory analyses/studies that serve to improve the current activity, also referred by the Article 89 of the GDPR; (xv) the Controller's legitimate interest in complying with the prudential norms and requirements to which credit institutions are subject to (know your customer and updating customer data, in order to prevent and combat money laundering, terrorist financing, and fraudulent behavior) and ensuring the accuracy of data by providing the General Directorate for Personal Records (Rom: DGEP) with data from the identity cards (IDs) of existing customers of credit institutions, as well as information related to the death of a customer (if applicable) in the following scenarios: a) Continuous updating of the data provided by the Controller to DGEP by supplying information about the new IDs of existing customers, b) Querying the DGEP database when initiating a business relationship with a customer by the Controller, c) Querying the DGEP database for existing customers in specific situations (e.g., fraud suspicions); (xvi) The legitimate interest of UniCredit Bank SA to achieve an efficient post-merger integration with and Alpha Bank SA, while identifying best practices and improving efficiency. In this context, access to the personal data of Alpha Bank SA customers is essential for the alignment of systems, processes, products and services, the migration of customer accounts, transaction history and other important information to a unified system, ensuring a smooth transition, minimizing any disruptions and maintaining continuity of service in the relationship with customers. The aforementioned processing is also based on the legal obligation of the Controller to ensure business continuity and to assess the merger risks (point xvi is applicable to the processing of Alpha Bank Romania SA customers data in the pre-merger period); (xvii) Controller’s compliance with the obligations assumed within the National Payment Schemes in relation to the return of the amounts in case of operational errors/technical problems due to the payment service provider of the person having made payments to your accounts or the return/blocking of the amounts due to fraud. In such cases, the Controller has the right to cooperate and provide the payer's payment service provider with the necessary support in any claims, petitions or legal actions, including by disclosing your data. related to these operations.

2.4 fulfilling of a public interest, according to the Article 6, 1^st paragraph, letter e) of the GDPR, as the processing activities carried out by the Controller in the areas of know your customer, prevention of money laundering, terrorism, international sanctions (Law no. 129/2019, Emergency Ordinance no. 202/2008), judicial organization (Law no. 304/2022) are defined.

2.5. the Data Subject's consent, according to the Article 6, 1^st paragraph, letter a of the GDPR: (i) carrying out analyzes that can lead to the profiling of the account holder for marketing purposes (such as the assessment of eligibility in order to grant standard or customized products and services from the Group's portfolio, including by calculating some indicators in the assessment of solvency, of credit risk and establishment of the degree of the indebtedness) and direct marketing, by using the means of communication selected for receiving communication regarding the products and services of the Data Controller, entities within the Group (financing/crediting/other types) and their contractual partners (outside the Group), according to the options expressed in within the direct marketing agreement contained in the annex to this Information Notice, which is an integral part of it; (ii) the processing of biometric data in the remote identification process carried out by the Bank by video means, without direct interaction with a representative of the Data Controller, but by providing a video-selfie, a method of capturing a personal image in the form of a video (biometric facial data) and an identity document, situation in which there will be an automated decision-making process that produces legal effects on you, such as to proceed or not with the process of requesting a financial product. The Data Controller will be able to make decisions based partly or exclusively on automated processing to establish that the identity document belongs to you. In the automated decision-making process, elements of the identity document provided will be checked (eg: format, security elements, comparison of the physiognomy in the picture with the physiognomy in the video-selfie, etc.), as well as the validity of the data provided. Depending on the points obtained from the checks mentioned above, the decision-making process can be based exclusively or only partially on the automatic basis, in this last situation the intervention of the human factor beeing necessary. The Data Controller has measures to protect the rights, freedoms and legitimate interests of the Data Subjects, at least the human right to obtain intervention from the Data Controller, to express their point of view and to challenge the decision.

3. Duration of processing:

a) during the validity period of the contracts concluded with the Controller, to which is added 10 years from the termination of the contractual relationship according to the provisions of Law no. 82/1991, Law no. 129/2019 and based on the legitimate interest of the Bank to take the appropriate and necessary measures to preserve the contractual documentation in order to properly defend its rights in relation to any natural or legal person, such as courts, auditors, supervisory authorities, in line with the applicable legislation, according to the Article 6, 1^st paragraph, letter c) and f) from GDPR; the exceptions are the situations when, by an applicable legal provision, it is necessary to keep it for a longer period of time or when the Bank justifies a legitimate interest, in which case the duration of the processing can be extended until that legitimate interest is achieved; b) for a period of 5 years, to which a period of max. 5 years, at the request of the competent authority, in the event that a contractual relationship has not been concluded in order to render/provide some banking services/products to you, according to the law (Law no. 129/2019 and NBR Regulation no. 2/2019); c) regarding the area of direct marketing: (i) if the Data Subject's options are "NO", upon the termination of the last contractual relationship with the UniCredit Group entities (in the event that there are contractual relationships with several entities), participating in the direct marketing agreement (according to the appendix to the Information Notice), the Data Subject will no longer receive commercial communications, and the related data will be kept for another 3 years; (ii) if the Data Subject's option is "YES", upon the termination of the last contractual relationship with the UniCredit Group entities (assuming there are contractual relationships with several entities), participating in the direct marketing agreement, the Data Subject will receive commercial communications 1 year, after which the Data Subject's option will be "NO" in the Bank's systems, and the related data will be kept for another 3 years; d) regarding FATCA and CRS reporting, according to the applicable tax legislation (e.g. : the Law no. 207/2015, revised by the Emergency Gobern ordinance no. 202/2022): Related personal data are kept for 10 years from the expiry of the reporting period to the tax authorities, which runs from May 15 inclusive of the current calendar year for the information related to the previous calendar year); e) if you have chosen to carry out a remote identification process, by video means, and this process will not be completed, the data regarding the reasons for the interruption of the identification process (including the images) will be stored for a period of 3 years, according to the rules issued by to the Authority regarding the Digitization of Romania, approved by Decision no. 564/2021.

4. Data Controllers/ Authorized Persons and Recipients of Personal Data:

Personal data can be transmitted to the following categories of recipients: a) the Data Subject, representatives of the Data Subject, b) entities from the UniCredit Group, c) contractual partners of the Bank from all areas necessary for the optimal performance of the Bank's current activity (e.g.: insurers, debt recovery agencies, lawyers, notaries, bailiffs, evaluators, auditors, consultants, companies in the IT/payments area, providers of fraud investigation and documentation services, postal and courier services d) international organizations (e.g. of cards - Visa , Mastercard, etc.), e) providers of technical payment processing services (e.g.: Romcard, Transfond, Society for Worldwide Interbank Financial Telecommunication, etc.), f) public authorities in Romania (eg National Bank of Romania, ANAF, the National Office for the Prevention and Combating of Money Laundering, etc.) and from abroad (e.g. the European Commission, tax authorities, etc.; g) other institutions of public and private law (e.g. General Directorate for Personal Records - DGEP, the National Registry of Securities Advertising, the National Credit Guarantee Fund for SMEs; h) the employer of the Data Subject; i) other banks (including correspondent banks) or other financial entity/payment service provider, card organizations, including third-party PSPs (such as payment initiation service providers, account information service providers, and payment service providers payment services that issue card-based payment instruments) to perform certain payment services, cash withdrawals and cashbacks, in case of operational errors/technical problems or fraud; i) any other categories of contractual partners necessary to carry out the current activity of the Bank.

5. International Transfer:

Personal data will be transferred to SWIFT (Society for Worldwide Interbank Financial Telecommunication), having the capacity of data controller, in case the performance of credit transfer - payment operations requested by you includes processing through the SWIFT system. In this sense, there is a possibility that the data transferred to SWIFT, as the data controller, is accessible to the US Treasury Department. In the situation where you are a citizen of the United States of America (USA) or resident on the territory of the USA, we inform you that, according to FATCA, the legal provisions regarding the tax regime of the US state are directly applicable to you, the data being transmitted by the Bank to the tax authorities in Romania, who can later send them to the US tax authorities. In all situations where the international transfer of data will be necessary, this will only be achieved if an adequate level of personal data protection recognized by decision of the European Commission is ensured in the recipient country, such as member countries of the European Economic Union (EEA). In the absence of such a decision of the European Commission, the Bank will be able to transfer personal data to a third country only if the person who will process the data has offered adequate guarantees provided by law in order to protect personal data, such as, without limit to the use of mandatory corporate rules, standard data protection clauses adopted by the European Commission, standard data protection clauses adopted by a supervisory authority, contractual clauses authorized by a supervisory authority, adherence to an approved code of conduct by the supervisory authority. The Bank can be contacted for additional information on the guarantees offered for the protection of personal data in the case of each transfer of data abroad, through a written request in this regard.

6. The need to process Personal Data:

In the situation where you refuse the processing of the mentioned Personal Data, for the requested products and services that are limited to the purposes stipulated in art. 2.1, 2.2, 2.3 (points i-iii, v, vi, viii-xiii), 2.4 above – the Bank will be unable to initiate or continue legal relations with you, as it is unable to comply with the legislation applicable and to conclude the requested contract. If you do not agree to the processing of your personal data for direct marketing purposes, the contractual relationship between you and the Bank will not be affected in any way. In the situation when you were or are an exclusive customer of UCFin you only had/have the right to view in Mobile B@nking and given that the Data Controller has the control of the Mobile B@nking application, we inform you that it is possible that in Mobile B@nking the new direct marketing agreement becomes available to you from the Data Controlletr based on the Daya Cotroller's legitimate interest in strengthening the business relationship with Mobile B@nking users according to the Article 6,1^st paragraph, letter f) of the GDPR.

7. Rights of the data subject:

a) the right to access data; b) the right to rectify the data; c) the right to delete data; d) the right to data processing restriction; e) the right to data portability; f) the right to object to the processing; g) the right not to be subject to an automated individual decision, including profiling; h) the right to address to the National Authority for the Supervision of the Processing of Personal Data (NASPPD) and justice. We mention that, according to the Article 7, 3^rd paragraph of the GDPR, you have the right to withdraw your consent at any time only in the case of processing based on consent while maintaining the validity of the processing carried out until the date of withdrawal of consent. With the exception of the rights provided for in letter h) which are exercised through written requests addressed to the NASPPD and the competent court, for the exercise of the other rights, you can apply with a written request, dated and signed, sent to UniCredit Bank SA, at the address: 1F Expozitiei Bvd, no. 1 F, 1^st sector, Bucharest, postal code 012101, or by e-mail at infocenter@unicredit.ro, respectively by calling the number +40 21 200 2020 (call with normal rate in the Telekom Romania landline network) or *2020 ( normal rate call in Telekom Romania, Orange, RCS&RDS, Vodafone mobile networks). If you make a request regarding the exercise of your data protection rights, the Bank will respond to this request within one month, which can be extended by two months, under the conditions provided by the GDPR. In case you want to make a request regarding the exercise of the above rights, in relation to the joint-controller - the insurance company - that issued the insurance policy, you can address it according to what is mentioned in the insurance policy. Within the Bank, the data protection officer has the following contact details: 1F, Expozitiei Bvd, 1^st sector, Bucharest, postal code 012101, e-mail dpo@unicredit.ro. Since the Bank may periodically modify this document, we recommend that you periodically consult the Bank's website, at www.unicredit.ro, Personal data protection section, to be constantly up to date with the latest changes.

THE CONSENT FOR DIRECT MARKETING (Annex to the Information Notice)

I. The present consent for Direct marketing has as scopes (i) the integrated promotion of the services & products (banking, non-banking financial, leasing, insurance etc) belonging to members of the UniCredit Group Romania (as defined below and called below the „UniCredit Group Romania”) and (ii) the promotion of the products belonging to the their contractual partners, out of UniCredit Group Romania, so as you to have available multiple options aiming to better fit to your needs & interests and your final decision to be an informed one.

II. The situation described in section A. below considers the transmittal of the commercial communications by the legal entity (hereinafter referred to as “Unicredit”) which collects your options regarding the direct marketing, as well as by the other entities from the UniCredit Romania Group.

Thus, based on your agreement, UniCredit will send you commercial communications regarding its own products and services and the products and services of the other entities from UniCredit Romania Group, that are intermediated/promoted by UniCredit and you will also be able to receive commercial communications directly from the other entities of the UniCredit Romania Group services and products, which involves : (i) prior transmittal by UniCredit, based on your agreement, to these entities, of your contact details as provided by the Information Notice namely name & surname and/or email address and/or phone number and/or postal address;(ii) that prior to the transmittal of the commercial communications, based on your consent, UniCredit or the entities from UniCredit Group Romania may perform your profiling for direct marketing scope based on the held or previously transferred data within the Group based on your consent expressed by you for letter A like the type of the held products & services, the contractual tenor, the lending history, the number of the held products & services following the data processing principles a provided by the GDPR especially the data minimisation and the limitation by scope principles so as you receive communications suitable to your interests.

III. The situation described in section B below refers to products and services of third parties (outside the UniCredit Romania Group), contractual partners of UniCredit and of the entities from UniCredit Romania Group.

Thus, based on your agreement you will be able to receive commercial communications directly from UniCredit and entities from UniCredit Romania Group about the products and services of their contractual partners and you will also be able also to receive commercial communications directly from UniCredit's contractual partners (about products and services of these partners), which involves: (i) the prior transmittal by UniCredit of your contact data like the name & surname and/or phone number and/or email address and/or postal adreess to its contractual partners and to the contractual partners of the entities from UniCredit Group Romania (ii) that prior to the transmittal of the commercial communications, UniCredit, UniCredit's contractual partners and the entities from UniCredit Romania Group may perform your profiling for direct marketing purpose based on the held data or previously transferred data based on the agreement expressed by you at section B, such as the type of the held products and services, the contractual duration, the lending history, the number of the held products and services following the data processing principles a provided by the GDPR especially the data minimisation and the limitation by scope principles so as you receive communications suitable to your interests.

IV. The situation described in section C below considers the channels through which you will receive communications according to the options selected within letter A and B.

You may anytime update your direct marketing options by Mobile B@nking, Online B@nking (if you hold these products), Call Center, email (the email address existing within UniCredit evidences) or by written request submitted to any entity of UniCredit Group Romania. Please note that the latest update of the communication channels option regarding any of the entities from UniCredit Romania Group will have as effect the transmittal of the commercial communications related to any of the entities from UniCredit Group Romania on the updated channels, if you are a customer of several entities from the Group UniCredit Romania.

Withdrawal of the consent may be performed by Mobile Banking, Online Banking (if you hold these products), Call Center, email (the email address existing within UniCredit evidences) or by written request submitted to any entity of UniCredit Group Romania. If you decide to withdraw your consent, the effect is that you will NOT receive commercial communications about products & services belonging to (i) UniCredit and other entities from UniCredit Romania Group and / or (ii) the partners of UniCredit and partners of the entities from UniCredit Group Romania.

V. Other aspects. The transmittal of the commercial communications to the clients who have expressed their consent on the receipt of commercial communications from UniCredit prior to 21.06.2022 will be performed in compliance with their direct marketing options in force at the date of granting the consent, if these options were not updated after 21.06.2022 according to the provisions of this document.

Regarding the clients of Alpha Bank Romania SA:

- If they are common clients (meaning clients of at least one of the UniCredit Group companies in Romania other than Alpha Bank Romania SA) at the date of the merger (18.08.2025), the options considered for commercial communications will be those provided to UniCredit and in force at the date of the merger;

- If they are not common clients (as defined above), the options provided to Alpha Bank SA, in force at the date of the merger, will be adopted in the relationship with UniCredit, with the applicability of the integrated approach described in this document.

Clients will be able to update these options at any time in accordance with the provisions of this information notice.

We recommend you that, prior to the granting and updating the direct marketing options (sections A, B, C below), to consult the List of the member entities of the UniCredit Romania Group and the List of Partners of each related entity, available at www.unicredit.ro, www.ucfin.ro, www.unicreditleasing.ro, www.unicreditinsurancebroker.ro, https://www.unicreditleasing.ro/ro/home.html#UniCredit_Leasing_Fleet_Management or in any UniCredit Bank SA branch, so that your decision is informed and to avoid the transmittal of the unsolicited communications to you. The member entities of the UniCredit Romania Group reserve the right to revise this list of contractual partners, in which sense we recommend that you periodically consult this list through the channels mentioned above.

A.☐ I agree / ☐ I do not agree that my personal data to be processed for the scope of direct marketing performed in the following modalities: (i) the transmittal by UniCredit* of the communications about the products and services of the UniCredit itself and products & services belonging to the entities of the Group UniCredit Romania**, (ii) the direct transmittal of the communications by the other entities from the Group UniCredit Romania about their products & services fact that previously requires the transfer by UniCredit of my contact data and these data regarding the contractual relations with UniCredit (like the type of the held products, the contractual tenor) to the other entities from the Group UniCredit Romania, (iii) the performance of the profiling for direct marketing scope by the UniCredit and/or by the entities of the Group UniCredit Romania based on the categories of data mentioned with po. (ii) above for the operations set-out within po. (i) & (ii) above.

B. ☐ I agree / ☐ I do not agree that my personal data to be processed for the scope of direct marketing performed in the following modalities: (i) the transmittal by the UniCredit and by the entities from the UniCredit Group Romanians about the products and services of their contractual partners (outside the Group UniCredit Romania), fact that previously requires the transfer of my contact data and/or these data regarding the contractual relation with UniCredit (like the type of the held products, the contractual tenor) by UniCredit to the entities of UniCredit Group Romania; (ii) the direct transmittal of the communications by the contractual partners of UniCredit about the products & services belonging to them fact that previously requires the communication by UniCredit of my contact data and/or these data regarding the contractual relation with UniCredit (like the type of the held products, the contractual tenor) to the UniCredit contractual partners, (iii) the performance of the profiling for direct marketing scope by UniCredit and/or UniCredit contractual partners and/or the entities from UniCredit Group Romania based on the categories of data mentioned with the po. (i) & (ii) above for the operations set-out within po. (i) & (ii) above.

C.The direct marketing communications derived from the options expressed in points A, B above will be sent through the following channels:

SMS: ☐ Yes ☐ No

Email: ☐ Yes ☐ No

Telephone call (including by automatic means that do not require human intervention): ☐ Yes ☐ No

Mobile Banking and Online Banking: ☐ Yes ☐ No

Physical mail: ☐ Yes ☐ No

*UniCredit- the legal entity which collects the data subject’s direct marketing options

**Group UniCredit Romania means the entities from the UniCredit Romania Group, respectively UniCredit Bank SA, Alpha Bank Romania SA (until the merger with UniCredit Bank SA), UniCredit Consumer Financing IFN SA, UniCredit Leasing Corporation IFN SA, UniCredit Insurance Broker SRL, UniCredit Leasing Fleet Management SRL and their legal successors.

I understand that the application of my signature on this document (electronic or handwritten signature) has the meaning of reading and understanding in full and in advance this Information Notice.

Date

Name and surname Signature

[1] If you choose to use your fingerprint or facial image as the authentication method in Mobile B@nking/Mobile Token, the Bank does not process the biometric data from the biometric system installed on your mobile device. This data is subject to the processing rules established and communicated through the respective device.

OPERATING MECHANISM OF THE DIRECT MARKETING AGREEMENT

Annex to the Information Note on the processing of personal data

To facilitate the informed understanding and expression of options for direct marketing purposes, please consider the following:

The purpose of this direct marketing agreement is (i) the integrated promotion of services and products (banking, non-banking financial, leasing, insurance, etc.) belonging to the member companies of the UniCredit Romania Group (defined below and hereinafter referred to as the "UniCredit Romania Group"), as well as (ii) the promotion of the products of their contractual partners, outside the UniCredit Romania Group, so that you have multiple options available that correspond as best as possible your needs and interests and your final decision is informed;

· The hypothesis described in lit. The following refers to the transmission of commercial communications by the legal entity (hereinafter referred to as "UniCredit") that collects your direct marketing options, as well as by the other entities of the UniCredit Romania Group.

Thus, based on your agreement: UniCredit will send you commercial communications regarding its own products and services and the products and services of the other entities of the UniCredit Romania Group, and you will also be able to receive commercial communications directly from the other entities of the UniCredit Romania Group about their services and products, which involves:

(i) the prior communication by UniCredit, based on your consent, to these entities, of your contact details mentioned in the Information Note on the processing of personal data, namely: name and surname and/or telephone number and/or email address and/or postal address;

(ii) that, prior to the sending of commercial communications, based on your consent, UniCredit or the entities of the UniCredit Romania Group may carry out your profiling for direct marketing purposes based on the data held or transferred within the group in advance, based on the agreement expressed by you in lit. A, such as: the type of products and services held, the duration of the contract, the credit history, the number of products and services held, in compliance with the principles of data processing, according to the GDPR, in particular the principles of data minimization and purpose limitation, so that you receive communications appropriate to your interests.

· The hypothesis described in letter B below refers to products and services of third parties (outside the UniCredit Romania Group), contractual partners of UniCredit and of the entities of the UniCredit Romania Group.

Thus, based on your agreement, you will be able to receive commercial communications directly from UniCredit and from the entities of the UniCredit Romania Group about the products and services of their contractual partners, and you will also be able to receive commercial communications directly from the contractual partners of UniCredit Bank (about the products and services of these partners), which involves:

(i) the prior communication by UniCredit to its contractual partners, respectively to the entities of the UniCredit Romania Group, of your contact data, respectively name and surname and/or telephone number and/or email address and/or postal address;

(ii) prior to the sending of commercial communications, UniCredit, UniCredit's contractual partners and the entities of the UniCredit Romania Group may carry out your profiling for direct marketing purposes based on the data held or that will be transferred in advance based on the agreement expressed by you in letter B, such as: type of products and services held, contractual duration, credit history, the number of products and services owned, in compliance with the principles of data processing, according to the GDPR, in particular the principles of data minimization and purpose limitation, so that you receive communications appropriate to your interests.

· The hypothesis described in letter C below takes into account the channels through which you will receive communications according to the options selected in letter C. A and B.

You can update your marketing options directly at any time through.

You can update your marketing options directly at any time through the channels indicated in the Information Notice on the processing of personal data (e.g. Mobile Banking, Online Banking, Call Center, by written request submitted to any of the entities of the UniCredit Romania Group). Please note that the last update of the options regarding the communication channels at any of the entities of the UniCredit Romania Group will have the effect of transmitting the commercial communications related to any of the entities on the updated channels, if you are a customer of more than one entity of the UniCredit Romania Group. Options provided to Alpha Bank Romania SA prior to the merger are not taken into account here.

· The withdrawal of the agreement can be made through Mobile Banking, Online Banking (if you have these services), Call Center or email (the email address existing in UniCredit's records) or by written request submitted to any of the entities of the UniCredit Romania Group, except Alpha Bank Romania SA.

· If you decide to withdraw the agreement, the effect is that you will NO longer receive commercial communications about the products and services of (i) UniCredit and the other entities of the UniCredit Romania Group and/or (ii) UniCredit partners and the entities of the UniCredit Romania Group.

Other aspects

The sending of commercial communications to customers who have expressed their agreement regarding the receipt of commercial communications from UniCredit prior to 21.06.2022 will be done in compliance with their direct marketing options in force on the date of the agreement, if they have not been updated after 21.06.2022 in accordance with the provisions of this document.

Regarding Alpha Bank Romania SA customers:

- If they are common customers (meaning customers of at least one of the companies of the UniCredit Romania Group apart from Alpha Bank Romania SA) on the date of the merger (15.08.2025), the options considered for commercial communications after the merger will be those provided to UniCredit and in force on the date of the merger;

- If they are not common customers (within the meaning above), the options provided to Alpha Bank SA, in force at the date of the merger, will also be taken over in relation to UniCredit, with the applicability of the integrated approach described in this document.

- Until the time of the merger, the updating and/or withdrawal of the agreement for commercial communications by the clients of Alpha Bank Romania SA is carried out only through this entity and only in connection with the agreement provided to this entity;

- After the merger date, customers will be able to update these options at any time in relation to UniCredit according to the provisions of the information note.

We recommend that, prior to expressing and updating the direct marketing options (lit. A, B, C below), to consult the List of member entities of the UniCredit Romania Group and the List of Partners of each related entity, available at www.unicredit.ro, www.ucfin.ro, www.unicreditleasing.ro, www.unicreditinsurancebroker.ro, UniCredit Leasing Fleet Management, so that your decision is informed and in order to avoid sending you unsolicited communicationstag. The member entities of the UniCredit Romania Group reserve the right to revise this list of contractual partners, in which sense we recommend that you periodically consult this list through the channels mentioned above.

A. ☐ I agree / ☐ I do not agree that my personal data will be processed for direct marketing purposes, in the following ways: (i) the transmission by UniCredit* of communications about its own products and services and those belonging to other entities of the UniCredit Romania Group**, (ii) direct transmission by any of the other entities of the UniCredit Romania Group of communications regarding their products and services, which requires the prior transfer of my contact details and those regarding the contractual relationship with UniCredit (such as the type of products held, contractual duration, etc.) by UniCredit to the other entities of the UniCredit Romania Group, (iii) profiling for direct marketing purposes by UniCredit and/or the entities of the UniCredit Romania Group, based on the categories of data mentioned in point (ii) above for the performance of the operations indicated in points (i) and (ii) above.

B. ☐ I agree / ☐ I do not agree that my personal data will be processed for direct marketing purposes in the following ways: (i) the transmission by UniCredit and by the UniCredit Romania Group entities of communications about the products and services of their contractual partners (outside the UniCredit Romania Group), which requires the prior transfer of my contact details and/or those regarding the contractual relationship with UniCredit (such as the type of products held, the duration of the contract, etc.) by UniCredit to the entities of the UniCredit Romania Group; (ii) the direct transmission by UniCredit's contractual partners of communications regarding the products and services of these partners, which requires the prior transfer of my contact details and/or those regarding the contractual relationship with UniCredit (such as the type of products held, contractual duration, etc.) by UniCredit to its contractual partners, (iii) profiling for direct marketing purposes by UniCredit and/or by the entities of the UniCredit Romania Group and/or by UniCredit's contractual partners, based on the categories of data mentioned in points (i) and (ii) above for the performance of the operations indicated in points (i) and (ii) above.

C. Direct marketing communications derived from the options expressed in item A and B above will be sent through the following channels:

SMS: ☐ Yes ☐ No

Email: ☐ Yes ☐ No

Call (including by automatic means that do not require the intervention of the human factor):

☐ Yes ☐ No

Mobile Banking and Online Banking: ☐ Yes ☐ No

Physical mail: ☐ Yes ☐ No

*UniCredit - UniCredit Bank SA.

**UniCredit Romania Group designates the entities of the UniCredit Romania Group, namely UniCredit Bank Romania SA, Alpha Bank Romania SA (until the merger with UniCredit Bank SA), UniCredit Consumer Financing IFN SA, UniCredit Leasing Corporation IFN SA, UniCredit Insurance Broker SRL, UniCredit Leasing Fleet Management SRL and their legal successors.

Annex to the Application for Junior Current Account and associated services

Information notice on the processing of personal data

("Information Notice")

UniCredit Bank S.A. ("Bank" or "Controller"), a company managed in a dualist system, headquartered in Romania, 1F Exhibition Blvd., Bucharest, Sector 1, registered in the Trade Register under no. J1991007706408, EUID: ROONRC.J1991007706408 and in the Banking Register under no. RB-PJR-40- 011/18.02.1999, unique registration code 361536, tax attribute RO, subscribed and paid-up share capital 589.955.162,70 lei, as a Personal Data Controller, processes your personal data in good faith and in order to achieve the purposes specified in this Information Notice, in accordance with the provisions of Regulation (EU) no. 679 of 27 April 2016 on the protection of natural persons with regard to the processing of data with personal nature and on the free movement of such data and repealing Directive 95/46/EC (the "Regulation") hereinafter referred to as the GDPR.

This Personal Data, belonging to you as a customer and/or legal representative of the customer, hereinafter referred to as the 'Data Subject' is either provided to the Bank by you or is retrieved by the Bank, where appropriate, from other available external sources (such as, but not limited to: payment or transaction processors, card organizations, third-party payment service providers (third-party PSPs), third parties (according to the meaning given to this notion in Article 18 (1) of Law no. 129/2019), the General Directorate for Persons Records, the National Agency for Fiscal Administration (ANAF), the National Trade Register Office, the portal of the courts of law in Romania, other companies within the UniCredit Group, public or private databases (including entities specialized in data aggregation), land registry office, mass media, your employer, authorities).

With reference to minors, they will sign this Information Notice, if they are 14 years old on the day of signing, together with their legal representative(s) respectively the parents; if the minor is under 14 years old, the Information Notice will be signed only by the minor's parents/parent. In any case, if clarifications are necessary, in particular for minors, regarding the content of the Information Notice, they should consult their parents or the Bank beforehand, at any time, by the means indicated in Article 7 below.

1. The personal data processed by the Bank are:

A. Data of the minor applicant:

1.1. Identification and socio-demographic data such as: name and surname, place and date of birth, mother's name before marriage, marital status, gender, customer code, image, voice, date and place of birth, personal national identification number - CNP, NIF, jurisdiction of tax residence, studies, profession, place of work, nationality, citizenship, other data derived from the birth certificate (e.g. series and number, issuer, date of issue), and in the case of the minor who has reached the age of 14, additionally, data related to the CI, signature;

1.2. Contact data such as: postal address (domicile and correspondence address), email address, telephone/fax number;

1.3. Financial-banking data such as: (i) information on products/services requested and/or owned and banking transactions (e.g. volume and frequency of banking transactions with and without cash, currency of transactions), data on liquidity, tax residence, as the case may be, information regarding judicial/administrative acts that go beyond the area of maintenance acts of the minor, according to the law (e.g.: documents/opinions issued by the guardianship court/family council), the content of the declarations contained in the documentation signed with the Bank; (ii) membership of a related Customer Group; in this case, the Bank processes the name, surname and CNP of the natural persons who are part of the related Customer Group and who have an exposure to the Bank or a current account opened with the Bank; (iii) data regarding the area of risk management/data modeling such as general data (bank/customer account identifier), socio-demographic data (e.g. studies, profession), outstanding amounts, information on account restructuring/blocking (e.g. garnishment), risk class;

1.4.Data related to compliance reviews (including data on convictions/sanctions) such as: (i) relevant information on transactions and operations carried out by the Data Subject using the Bank's products or services, beneficial owner, processors, economic and financial situation, data on assets held, source and destination of funds, data on public exposure, if any, and public function held, information on the accusations, investigations and acts committed, such as the name of the act committed, the sanction applied (e.g. convictions, related measures), the duration of the sanction, the authority that applied the sanction, the status of the file and other similar data (for reasons related to compliance with the legislation on preventing and combating money laundering and terrorist financing, as well as compliance with the legislation on combating fraud and fraudulent conduct), the status of exposed person public, according to the definition contained in Law no. 129/2019 for preventing and combating money laundering and terrorist financing, as well as for amending and supplementing certain normative acts, as this legal definition may be amended from time to time; (ii) data on international sanctions such as the type and content of the sanction, the competent authority, the duration of the sanction, the description of the asset subject to the sanction (e.g. asset category, value, location, land register data, the authority responsible for implementing/monitoring the sanction, the measures ordered on this asset) and, to the extent that international sanctions involve the processing of data on acts committed by the Data Subject, data such as the name of the act committed, the sanction applied and its duration, the competent authority, any other similar information, according to the legislation on the implementation of international sanctions, may be processed;

1.5. Communications data such as: (i) electronic communications in any form between the Bank and the Data Subject, their (recorded) content, including voice (if recorded calls), image (if transmitted electronically), image of the identity document, dates and times of transmission, duration of the audio session, logs, any other information presented in the course of interactions between the Bank and the Data Subject; (ii) data derived from the use of the Bank's applications such as: Online B@nking/ Mobile B@nking username, also used to access the Virtual Mailbox, data regarding the token device – DIGIPASS (serial) or Mobile Token (phone number, in order to activate the Mobile Token/ Mobile B@nking applications), other data necessary for accessing and using these electronic payment instruments (identification/registration/authentication/login/authorization codes)1; (iii) data regarding the electronic signature, the issuance of the digital certificate (qualified) in this regard;

1If you choose the use of your fingerprint or facial image as a method of authentication in Mobile B@nking/Mobile Token, the Bank does not process the biometric data from the biometric system installed on your mobile device. This data is subject to the processing rules established and communicated through the respective device.

1.6. Data regarding the data subject's proxies/additional users/legal representatives: the above categories of data may also concern these persons in relation to the specifics of the banking product/service and the law;

1.7. Other similar categories of personal data of the Data Subject from the Bank's records, relating to the contractual relationship with the Bank, derived, mainly, from the signed contractual documentation and from the information collected by the Bank, from the execution of the law.

B. Data of the minor's legal representative

1.1. Identification and socio-demographic data such as: name and surname, pseudonym, mother's name before marriage, date and place of birth, citizenship, education, professional status (position, occupation, job, employer), marital status, gender, customer code, address, CNP (or portions thereof in the case of authentication procedures) or NIF (tax identification number), other data from CI/passport, signature, voice, image;

1.2. Contact data such as: postal address (domicile, correspondence address), email address, telephone/fax number;

1.3. Financial-banking data such as: (i) information on products/services requested and/or owned and banking transactions (e.g.: volume and frequency, currencies, recipient countries), data on liquidity, tax residence as the case may be, economic and financial situation, information regarding judicial/administrative acts that go beyond the area of the minor's maintenance acts, according to the law (e.g.: documents/opinions issued by the guardianship court/family council), the content of the declarations contained in the documentation signed with the Bank; (ii) membership of a related Customer Group; in this case, the Bank processes the name, surname and CNP of the natural persons who are part of the related Customer Group and who have an exposure to the Bank or a current account opened with the Bank; (iii) data regarding the area of risk management/modeling data such as general data (bank/customer account identifier), socio-demographic data (e.g. studies, profession), limits and durations of loans granted, existing balances of loans granted, outstanding amounts, information on account restructuring/blocking (e.g. garnishment), risk class; (iv) if you apply for a loan from Unicredit Consumer Financing IFN SA ("UCFin"), the Bank will be able to provide UCFin with data such as those below, in order to carry out the analysis of your eligibility for the granting of a financial product by UCFin and to carry out the statistical modelling activity2: data regarding the current account and credit relationship that the Data Subject has with the Bank, such as: the balance of accounts and the balance of loans at certain intervals, information on credit transactions, information on account openings and closings; limit and use of the credit card; data on debt collection; the existence of garnishments/other similar measures instituted on bank accounts; other similar data;

2Statistical modeling is a method that uses mathematical formulas to analyze data and find relationships between them, so that the financial institution can manage risks, be able to make informed decisions and improve the overall performance of loan portfolios.

1.5. Communications data such as: (i) electronic communications in any form between the Bank and the Data Subject, their (recorded) content, including voice (in the case of recorded calls), the image of the Data Subject (if transmitted electronically), the image of the identity document, the dates and times of transmission, the duration of the audio session, logs, any other information presented in the course of interactions between the Bank and the Data Subject (ii) data derived from the use of the Bank's applications such as: Online B@nking/ Mobile B@nking username, also used to access the Virtual Mailbox, data on the token device – DIGIPASS (serial) or Mobile Token (phone number, in order to activate the Mobile Token/ Mobile B@nking applications), other data necessary for accessing and using these electronic payment instruments (identification/registration/authentication/login/authorization codes)3; (iii) data regarding the electronic signature, the issuance of the digital certificate

(qualified) in this regard;

3If you choose the use of your fingerprint or facial image as a method of authentication in Mobile B@nking/Mobile Token, the Bank does not process the biometric data from the biometric system installed on your mobile device. This data is subject to the processing rules established and communicated through the respective device.

1.6. Data regarding the data subject's representatives/additional users/legal representatives and/spouse: the above categories of data may also concern these persons in relation to the specifics of the banking product/service and the law;

Purposes and grounds for processing Personal Data.

2.1. execution of a contract to which you are a party or taking steps before the conclusion of the contract, according to art. 6, paragraph 1, letter b of the GDPR: (i) analysis, signing and execution of the contractual documentation with the Bank, based on your request, among which we mention the opening of the bank account, setting up a term deposit, providing Online B@nking and Mobile B@nking services, issuing the debit card, the token device – DIGIPASS, providing the Info SMS service, providing the safe deposit box rental service, distributing investment funds, bonds, structured deposits, according to your request; (ii) the recovery of debts and collateral; (iii) issuance, execution, payment of the insurance policy; (iv) recording of communications by fax, digital channels (e.g.: Online B@nking, Mobile B@nking, email, Virtual Mailbox), telephone conversations through Contact Center. The data subject is always in control, i.e. he can address the Bank through other channels, if he does not choose to record the communication, being informed in this regard beforehand through voice services or written messages; (v) executing payment services, providing account information in case of your requests submitted to the Bank through an account information service provider, executing payment orders initiated by you through a payment initiation service provider, confirming the availability of funds (if an amount necessary to execute a card-based payment transaction is available in the payment account accessible online), at the request of a third-party payment service provider issuing card-based payment instruments; (vi) for the purpose of updating your documents, data and information held by the Controller, the Controller will process the contact person's data, only if you have provided the Controller with such data. The data subject has the obligation to inform the contact person about the data processing carried out by the Controller, either by sending the Information Note (by email, physical submission) or by indicating its consultation on the www.unicredit.ro Personal Data Protection section; (vii) the provision of electronic signature services attached to the products and services provided by the Controller and requested by the data subjects, through the channels made available by the Controller.

2.2. fulfillment of a legal obligation/requirement, according to art. 6, para. 1, letter c of the GDPR such as:

(i) carrying out analyses and applying KYC measures, prevention, combating money laundering and terrorist financing (Law no. 129/2019, NBR Regulation no. 2/2019) or applying international sanctions. This category also includes (a) the collection and use of data provided in compliance with the legal provisions by public authorities/institutions, for the purpose of knowledge/prudential monitoring/updating of data/activity of the data subject and/or comparison for the same purposes by the Controller of the data held in its own systems (such as those made available by customers), with the data provided by public authorities/institutions and (b) data processing obtained by the Controller from other entities within the Group or from third parties (according to the meaning given to this notion in Article 18 (1) of Law no. 129/2019), for the same purpose such as: contact details (email address, telephone number and home address), data from identity documents and copies of these documents, information and documents related to the risk analysis according to Law no. 129/2019 and the normative acts issued in its execution, etc. Thus, obtaining from the Controller in this way updated information of the Data Subject may also lead to the updating of similar data existing in the Controller's records, if the latter are different; (ii) reporting to various authorities/institutions, according to the law, such as BNR, ANAF, ANPC, ANSPDCP, including for FATCA reporting

(Foreign Account Tax Compliance Act) when the Data Subject is a U.S. citizen and CRS (Common Reporting Standard) reports to combat tax evasion; (iii) carrying out the forced executions of the amounts owed as well as the administration of garnishments and seizures; (iv) fulfilment of legal requirements in the area of payments/payment services; (v) the adoption of appropriate measures against internal or external fraudulent conduct and breaches of discipline, such as breach of internal procedures, breach of limits, as provided for by NBR Regulation no. 5/2013; (vi) for the monitoring, security and security of persons, spaces, goods, through the video cameras located in the Bank's premises, based on Law no. 333/2003 on the security of objectives, goods, values and protection of persons.

2.3 the achievement of a legitimate interest of the Bank based on Article 6, paragraph 1, letter f of the GDPR: (i) the recovery of receivables, damages of any kind caused to the Bank, the assets brought as collateral and the realization of any necessary actions/requests, the legitimate interest of the Bank being represented by the appropriate and necessary measures taken by the Bank to ensure its solvency and a sustainable management of liabilities; (ii) carrying out reports within the UniCredit Group that may include data on the person, property, activity, business or business relationships or with persons within the same group of clients that constitute or may constitute a single risk, respectively to the transactions of the account(s) opened with the Bank, based on the legitimate interest, namely to ensure prudential risk management at Group level; (iii) for the monitoring, security and security of persons, spaces, goods, through the video cameras located in the Bank's premises, based on Law no. 333/2003, the legitimate interest being represented by the appropriate and necessary measures taken by the Bank to ensure the evidentiary means related to the resolution of any complaint/request from the entitled persons/authorities, thus maintaining the appropriate reputation of the Controller in the market; (iv) to verify the satisfaction of the Data Subject and the quality of the services and products purchased, as well as to collect the Data Subject's opinions/evaluations on situations related to/resulting from the Bank's current activity (such as sustainability, environmental protection, actions concerning different communities such as the local community), based on the legitimate interest of the permanent improvement of the Bank's services/products, as well as the implementation/consolidation/development of the Bank's strategies in various areas derived from the current activity such as sustainability, environmental protection, actions regarding different communities such as the local community; (v) fulfilling an obligation laid down in the UniCredit Group regulations, applicable to the Controller, relating to the combating and prevention of money laundering and terrorist financing, the application of the various international sanctions regimes, based on the legitimate interest in ensuring prudential risk management at the level of the UniCredit Group (including the sharing of information between the entities of the Group deriving from the process of knowing the customers, from the process of identifying persons and activities suspected of money laundering or terrorist financing or violation of international sanctions regimes); (vi) the execution by the Bank, as a third party (as understood in Article 18 (1) of Law no. 129/2019), of specific KYC activities for another reporting entity/third party or the provision by the Bank to a reporting entity/third party of information regarding the Data Subject obtained by the Bank in the KYC process; (vii) preventing, investigating (thorough research) and limiting the consequences of fraud arising from any area of the Bank's day-to-day business: (a) payment services. Thus, in collaboration with Transfond, the Bank will provide the Beneficiary Name Display Service (SANB), together with other payment service providers in Romania, as participants in the service. As a result, your data (first name, initial, surname and IBAN code) are

transferred to the database managed by Transfond in order to prevent transactional fraud and undue payments; (b) financial services. Thus, it is envisaged to send information messages that do not contain personal data to the old telephone number and/or e-mail address of the Data Subject and, respectively, on a communication channel (e-mail address/SMS type) existing in the Bank's records, at the same time as updating the telephone number and/or e-mail address). The legitimate interest is represented by the necessary and appropriate measures to prevent and combat (potentially) fraudulent conduct, including through mechanisms that ensure a high degree of maintenance of the security and confidentiality of data processing; (viii) communicating information on the functionalities, standard contractual-operational advantages/benefits, operating mechanisms of the products and services owned by the Data Subject, complementary products and services (provided by the Bank) that optimize the use of the products and services already owned, through modalities such as payment programs in (equal) installments, loyalty programs, programs regarding the use of products and services, through through means of communication, such as automatic calling systems that do not require the intervention of a human operator, namely e-mail, SMS, fax, physical mail, telephone conversation (e.g.: INFOCenter), Online/Mobile B@nking, Virtual Mailbox (e.g.: notifications, messages including "push notifications)", based on the legitimate interest of obtaining adequate, correct and complete information of the data subjects regarding the products and services owned or complementary to them, carrying out campaigns to educate the data subjects, so that the data subjects have access to and/or maintain the services and products appropriate to their needs and interests; (ix) the proper functioning of the Bank's internal systems/applications (whatever they may be called), through activities (which may also be preliminary) such as testing (e.g. use of personal data in test environments), design, development, so that the Bank can optimally carry out its current activity, including in areas such as the prevention and combating of money laundering and terrorist financing, applying international sanctions, combating tax evasion (e.g. for FATCA purposes), given that such activities may be essential in the future functioning of the Bank's systems/applications, based on the Bank's legitimate interest in ensuring the proper functioning of its systems/applications, by taking the necessary measures (such as prior use of personal data in test environments, design, development) and ensuring proper risk management; (x) conducting analyses and studies at the level of the Bank on aspects such as the use of products and services, payment or lending standards for the development of analytical models and their periodic review in order to optimize the business strategy and the Bank's products and services, based on the legitimate interest in taking appropriate measures such as studies, analyses to anticipate the needs and interests of customers, improvement of the Bank's services and products in line with the needs and expectations of customers and trends in the market; (xi) the undertaking by the Controller of the necessary measures to carry out, in a prudential manner, the enhanced supervision of the entities within the Group (e.g. UCFin), by transmitting to UCFin (upon request) the data on mutual customers, so that the Controller (operational leader of the Group): (a) maintains in the optimal indicators of efficiency and effectiveness the credit risks, financing, model and strategic, at Group level, in accordance with the relevant legislation; (ii) to create the UCFin the necessary conditions for the integrated credit analysis and statistical modeling, by capitalizing on the data held by the Controller, in order to estimate the probability of non-payment; (c) avoid the risk of insolvency for joint clients; (d) to ensure compliance with the relevant legislation and thus to reduce the possibility of risks for the Controller and the Group entities (which may indirectly affect the Controller); (xii) defending, enforcement, ascertaining, without limitation, a right/claim/claim, etc. in court, before another authority/institution/natural or legal person, auditors, without limitation, based on the legitimate interest to take all necessary and appropriate measures (type of documentation, defense, exercise, finding) to protect its rights and interests and ensure compliance with the applicable legislation; (xiii) recording communications through digital channels, telephone conversations made through the Contact Center, the legitimate interest being represented by the improvement of the Bank's products and services and the provision of evidentiary material for the efficient resolution of any complaints/requests. The data subject is always in control, i.e. he can address the Bank through other channels, if he does not choose to record the call, being informed in this regard beforehand through voice services or written messages; (xiv) for statistical purposes, the legitimate interest being represented by the performance of anticipatory analyses/studies that serve to improve the current activity, also in relation to art. 89 of the GDPR; (xv) the legitimate interest of the Controller in complying with the prudential rules and requirements to which credit institutions are subject (know your customers and updating customer data, in order to prevent and combat money laundering, terrorist financing and fraudulent behaviour) and to ensure the accuracy of the data by the Directorate General for Persons Records ("DGEP") of the identity card (CI) data of the existing customers of the credit institutions. as well as the information related to the death of a customer (if applicable) in the following cases: a) Continuous updating of the data made available by the Controller to the DGEP by providing information on the new CIs of the existing customers, b) Querying the DGEP database on the occasion of the initiation of a business relationship with a customer by the Controller c) Querying the DGEP database for existing customers in certain specific situations (e.g. suspicions of fraud); (xvi) UniCredit Bank SA's legitimate interest in achieving an effective integration with Alpha Bank SA, while identifying best practices and improving efficiency. In this context, access to the personal data of Alpha Bank SA customers is essential for aligning systems, processes, products and services, migrating customer accounts, transaction history and other important information to a unified system, ensuring a smooth transition, minimizing any interruptions and maintaining continuity of service in the relationship with customers. The mentioned processing is also based on the Controller's legal obligation to ensure business continuity and to assess the risks in the event of a merger (the mentions in point xvi are applicable for the processing of Alpha Bank Romania SA's customer data in the pre-merger period). (xvii) Controller’s compliance with the obligations assumed within the National Payment Schemes in relation to the return of the amounts in case of operational errors/technical problems due to the payment service provider of the person having made payments to your accounts or the return/blocking of the amounts due to fraud. In such cases, the Controller has the right to cooperate and provide the payer's payment service provider with the necessary support in any claims, petitions or legal actions, including by disclosing your data. related to these operations.

2.4 fulfillment of a public interest, according to art. 6, paragraph 1, letter e of the GDPR, thus the processing carried out by the Controller in the areas of know-your-customer, money laundering, terrorism, international sanctions (Law no. 129/2019, GEO no. 202/2008), judicial organization (Law no. 304/2022) are classified.

3. Duration of processing:

(a) during the validity period of the contracts concluded with the Bank, to which is added 10 years from the termination of the contractual relationship in relation to the provisions of Law no. 82/1991, Law no. 129/2019 and based on the legitimate interest of the Company to take the

appropriate and necessary measures to preserve the contractual documentation in order to properly defend its rights in relation to any natural or legal person, such as courts, auditors, supervisory authorities, in line with the applicable legislation, according to art. 6, paragraph 1, letters c) and f) of the GDPR; exceptions are situations when, by an applicable legal provision, it is necessary to keep it for a longer period or when the Bank justifies a legitimate interest, in which case the duration of the processing may be extended until that legitimate interest is achieved; b) for a period of 5 years, to which a period of max. 5 years may be added, at the request of the competent authority, if a contractual relationship has not been concluded in order to provide/provide some banking services/products to you, according to the law (Law no. 129/2019 and NBR Regulation no. 2/2019); c) regarding FATCA and CRS reporting, according to the applicable tax legislation (e.g.: Law no. 207/2015, revised by GEO no. 102/2022): the related personal data are kept for 10 years from the expiry of the reporting deadline to the tax authorities, which runs from May 15 inclusive of the current calendar year for the information related to the previous calendar year).

4. Controllers/Processors and Recipients of Personal Data:

Personal data may be transmitted to the following categories of recipients: a) the data subject, the representatives of the data subject, b) entities of the UniCredit Group, c) contractual partners of the Bank in all areas necessary for the optimal performance of the Bank's current activity (e.g.: insurers, debt collection agencies, lawyers, notaries, bailiffs, appraisers, auditors, consultants, IT/payment companies, suppliers of fraud investigation and documentation services, postal and courier services) d) international organizations (e.g. cards – Visa, Mastercard, etc.), e) providers of technical payment processing and facilitation services (e.g. Romcard, Transfond, Society for Worldwide Interbank Financial Telecommunication, etc.), f) public authorities in Romania (e.g. the National Bank of Romania, ANAF, the National Office for the Prevention and Combating of Money Laundering, etc.) and abroad (e.g. the European Commission, tax authorities, etc.; g) other public and private law institutions (e.g.: General Directorate for Persons Records, National Register of Movable Publicity, National Credit Guarantee Fund for SMEs); h) the employer of the Data Subject; i) other banks (including correspondent banks) or other financial entity/payment service provider, Card Organisations, including third party PSPs (such as payment initiation service providers, account information service providers, and payment service providers issuing card-based payment instruments) to perform certain payment services, cash withdrawals or cashbacks in case of operational errors/technical problems or fraud; j) any other categories of contractual partners necessary for the current activity of the Bank.

5. International Transfer:

Personal data will be transferred to SWIFT (Society for Worldwide Interbank Financial Telecommunication), as controller, if the performance of credit transfer operations - payments requested by you includes processing through the SWIFT system. In this regard, there is a possibility that the data transferred to SWIFT, as controller, may be accessible to the US Department of the Treasury. If you are a citizen of the United States of America (USA) or resident on the territory of the USA, we inform you that, according to FATCA, the legal provisions regarding the tax regime of the US state are directly applicable to you, the data being transmitted by the Bank to the tax authorities in Romania, which can subsequently send them to the US tax authorities. In all situations where international data transfer will be necessary, this will only be achieved if an adequate level of protection of personal data recognized by decision of the European Commission is ensured in the recipient country, such as the member countries of the European Economic Union (EEA). In the absence of such a decision by the European Commission, the Bank will only be able to transfer personal data to a third country if the person processing the data has provided appropriate safeguards provided by law for the protection of personal data, such as, without limitation the use of binding corporate rules, standard data protection clauses adopted by the European Commission, standard data protection clauses adopted by a supervisory authority, contractual clauses authorised by a supervisory authority, adherence to a code of conduct approved by the supervisory authority. The Bank may be contacted for further information on the safeguards offered for the protection of personal data in the case of each data transfer abroad, by means of a written request to that effect.

Necessity of processing Personal Data:

In the event that you refuse the processing of the said Personal Data, for the requested products and services that fall within the purposes stipulated in art. 2.1, 2.2, 2.3 (items i-iii, v, vi, viii-xv), 2.4 above – the Bank will be unable to initiate or continue legal relations with you, as it is unable to comply with the applicable legislation and conclude the requested contract. If you do not consent to the processing of your personal data. for direct marketing purposes, the contractual relationship between you. and the Bank will not be affected in any way. In the event that you have been or are an exclusive customer of UCFin you have had/have only the right to view in Mobile B@nking and considering that the Controller has control of the Mobile B@nking application, we inform you that it is possible that in Mobile B@nking the new direct marketing agreement will become available to you from the Controller based on the legitimate interest of the Controller in strengthening the business relationship with Mobile users B@nking according to art. 6, paragraph 1, letter f of the GDPR.

Rights of the Data Subject:

a) the right of access to data; b) the right to rectify data; c) the right to erasure of data; d) the right to data restriction e) the right to data portability; f) the right to object to processing; g) the right not to be subject to an automated individual decision, including profiling; h) the right to address the National Authority for the Supervision of Personal Data Processing ("ANSPDCP") and the courts. Please note that, according to Art. 7(3) GDPR, you have the right to withdraw your consent at any time only in the case of processing based on consent with the validity of the processing carried out until the date of withdrawal of consent. Except for the rights provided for in letter h) which are exercised through written requests addressed to ANSPDCP and to the competent court, for the exercise of the other rights, you can address with a written, dated and signed request, sent to UniCredit Bank SA, at the address: 1F Expozitiei Boulevard, sector 1, Bucharest, postal code 012101, or by email at infocenter@unicredit.ro, respectively by calling +40 21 200 2020 (call with normal rate in the Telekom Romania fixed network) or *2020 (normal rate call in Telekom Romania, Orange, RCS&RDS, Vodafone mobile networks). If you make a request regarding the exercise of your rights, regarding data protection, the Bank will respond to this request within one month, a period that can be extended by two months, under the conditions provided by the GDPR. If you wish to submit a request regarding the exercise of the above rights, in relation to the associated operator - the insurance company - which issued the Insurance Policy, you can address it in accordance with what is mentioned in the Insurance Policy. Within the Bank, the Data Protection Officer has the following contact details: 1F Expozitiei Boulevard, sector 1, Bucharest, postal code 012101, e-mail

dpo@unicredit.ro. As the Bank may periodically modify this document, we recommend that you periodically consult the Bank's website, at www.unicredit.ro Personal Data Protection section, in order to be permanently informed of the latest changes.

Information notice on the processing of personal data

UniCredit Bank S.A. (''The Bank'' or ''Controller''), a company managed in a dualist system, with its registered office in Romania, 1F Exposicioni Blvd., Bucharest, Sector 1, registeredin the Trade Register under no. J40/7706/1991 and in the Banking Register under no. RB- PJR-40-011/18.02.1999, unique registration code 361536, fiscal attribute RO, subscribed and paid-up share capital 455,219,478.30 lei, as a Personal Data Controller, processes your personal data in good faith and in the fulfillment of the purposes specified in this Information Notice, in accordance with the provisions of Regulation (EU) no. 679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (the "Regulation"), hereinafter referred to as the "GDPR".

These personal data belonging to you as a borrower/guarantor/grantor or data subject ("Data Subject"), are either provided to the Bank by you or are taken over by the Bank, where applicable, from other external available sources (such as would be, but not limited to: payment or transaction processors, card organisations, third-party payment service providers (third-party PSPs), third parties (according to meaning given to this notion in Article 18 (1) of Law no. 129/2019), the General Directorate for the Registration of Persons (DGEP), the National Agency for Fiscal Administration (ANAF), the National Office of Trade Register, the portal of the Romanian courts, the Credit Bureau SA, other companies within the UniCredit Group, public or private databases (including entities specialized in data aggregation), the land registry office, media, your employer, authorities) on the date of conclusion of the contract with the Bank and/or of an insurance policy and/or on the date of formulating a request requesting the provision of services by the Bank and/or during the course of the contractual/business relationship and/or by a third-party payment service provider contracted by you.

1. The personal data processed by the Bank are:

1.1. Identification data such as: name and surname, pseudonym, mother's name before marriage, customer code, CNP (or portions of it in the case of authentication procedures) or NIF (tax identification number), date and place of birth, address, citizenship, other data from the ID/passport, signature, voice, image;

1.2. Contact data such as: postal address, email address, telephone/fax number;

1.3. Financial-banking data such as (i) income (amount, categories), professional status (position, occupation, job, employer, professional history, studies, professional certifications, if applicable), family situation (unmarried, number of dependents), information on products/services requested and/or held and banking transactions, liquidity data, as the case may be, data on other financial obligations, which may be positive data (e.g. type of product, term of grant, date of granting, due date, amounts granted, amounts due, status of the account, date of closure of the account, currency of the loan, frequency of payments, amount paid, monthly installment, name and address of the employer) and/or negative (e.g. type of product, term of granting, date of granting, due date, loans granted, amounts due, outstanding amounts, number of outstanding installments, due date of the arrears, number of days of delay in repaying the loan, account status) and information related to the guarantor/grantor/borrower or beneficiary of the insurance policy of the Data Subject in relation to the product granted; (ii) membership of a related Customer Group; in this case, the name, surname and CNP of the individuals who are part of the Group of clients in connection and who have an exposure to the Bank or a current account opened with the Bank are processed;(iii) data regarding the area of risk management/data modeling such as general data (bank account identifier/customer), socio-demographic data (e.g. studies, profession), limits and durations of loans granted, existing balances of loans granted, outstanding amounts, information on account restructuring/blocking (e.g. garnishment), risk class; (iv) if you apply for a loan from Unicredit Consumer Financing IFN SA ("UCFin"), the Bank may provide UCFin with data such as the following, in order to carry out the analysis of your eligibility for granting a financial product by UCFin: data regarding the current account and credit relationship that the Data Subject has with the Bank, such as: account balances at certain intervals (e.g. 3 months), information about credit transactions; information on account openings and closures; the level of installments, the credit card limit; the use of the credit card; data on the collection of receivables; the existence of garnishments/other similar measures instituted on bank accounts; other similar data;

1.4. Data related to compliance analyses (which also include data on convictions/sanctions) such as: (i) relevant information regarding the transactions and operations carried out by the Data Subject using the Bank's products or services, the beneficial owner, the proxies, the economic and financial situation, the data on the assets held, the source and destination of the funds, the public exposure, if applicable, and the public function detention, information on the charges, investigations and acts committed, the name of the act committed, the sanction applied (e.g. convictions, related measures), the duration of the sanction, the authority that applied the sanction, the status of the case and other similar data (for reasons related to compliance with the legislation on preventing and combating PHmoney laundering and terrorist financing, as well as compliance with the legislation on combating fraud and fraudulent conduct), the quality of publicly exposed person, according to the definition contained in Law no. 129/2019 for the prevention and combating of money laundering and terrorist financing, as well as for the amendment and completion of certain normative acts, as this legal definition may be amended from time to time; (ii) data on international sanctions such as the type and content of the sanction, the competent authority, the duration of the sanction, the description of the asset subject to the sanction (e.g. category, value, location, data in the land register, the authority responsible for the implementation/monitoring of the sanction, the measures ordered on this asset) and, to the extent that international sanctions involve the processing of data on acts committed by Data subject, data such as the name of the act committed, the sanction applied and its duration, the competent authority, any other similar information, according to the legislation on the implementation of international sanctions, may be processed;

1.5. Special data regarding the health status such as: the information resulting from the documentation related to the insurance policy, necessary for the provision of specific insurance services, if applicable;

1.6. Data regarding communications such as: (i) electronic communications in any form between the Bank and the Data Subject, their content, transmission dates and times, voice, image, any documents and/or information presented in video and/or audio interactions; (ii) data resulting from the use of the Bank's applications such as: Online B@nking/ Mobile B@nking username, also used to access the Virtual Mailbox, data regarding the token device – DIGIPASS (serial) or Mobile Token (phone number, in order to activate the Mobile Token/ Mobile B@nking applications), other data necessary for accessingand the use of these electronic payment instruments (identification/registration/authentication/login/authorisation codes)¹; (iii) data regarding the electronic signature, the issuance of the digital certificate (qualified) in this regard;

¹If you choose to use your fingerprint or facial image as your authentication method in Mobile B@nking/Mobile Token, the Bank does not process biometric data within the system biometric installed on your mobile device. This data is subject to the processing rules established and communicated via the respective device.

1.7. Data regarding the proxies/spouse of the Data Subject: the above categories of data may also concern these persons in relation to the specifics of the banking product/service and the law;

1.8. other similar categories of personal data of the Data Subject from the Bank's records, relating to the contractual relationship with the Bank, derived, mainly, from the signed contractual documentation and from the information collected by the Bank, from the execution of the law.

2. Purposes and grounds for the processing of personal data

2.1. the execution of a contract to which you are a party or taking steps before the conclusion of the contract, according to art. 6, para. 1, letter b of the GDPR

(i) the conclusion of the contractual relationship with the Bank, based on the loan application, respectively for the supply of banking products, according to the request of the borrower/guarantor/settlor. This purpose involves the performance, within the concrete relationship with each client, of all activities related to the conclusion and/or modification and/or execution of the financing contract, respectively of the guarantee, in the case of the guarantor, among which we mention: (i) the evaluation of the Data Subject's possibilities to obtain the requested product or another product or service (ii) the evaluation of the Data Subject's possibilities to pay, not to give rise to debts to the Bank, to the entities of the Group and possibly to other partners – associated operators, the analysis that is carried out and the course of the execution of the contract concluded with the Data Subject, which presuppose the existence of an automated decision-making process. In order to conclude or execute the contract related to the financial product or service, as well as for the purpose of reducing the credit risk, the Bank may make decisions based partially or exclusively on automated processing. In the automated decision-making process, the Bank's eligibility criteria are implemented, established in accordance with the internal and legal lending regulations in force. The Controller processes the personal data provided by the borrower/guarantor/grantor, as well as the data resulting from the contracts concluded with it or with an entity of the Group, the data provided by the National Agency for Fiscal Administration, and, respectively, data from public sources (such as the Trade Register, the Ministry of Public Finance, the Insolvency Proceedings Bulletin, as the case may be), as the case may be, by means of computer techniques and/or algorithms that produce legal effects on the Data Subject, such as granting or rejecting the loan. Depending on the processed data, the decision-making process may be exclusively or only partially based on automated processing, in the latter situation the intervention of the human factor being necessary to make a decision on the credit application in question. The Bank has appropriate measures to protect the rights, freedoms and legitimate interests of the Data Subject, at least the right to obtain human intervention from the Bank, to express his or her point of view and to challenge the decision; (ii) the recovery of debts and assets brought as collateral; (iii) issuance, execution, payment of the insurance policy; (iv) recording of fax communications, digital channels (e.g. Online B@nking, Mobile B@nking, email, Virtual Mailbox), telephone conversations through the Contact Center, for the purpose of concluding and executing contracts, carrying out telephone and online transactions. The data subject is always in control, i.e. he/she can address the Bank through other channels, if he/she does not choose to record the communication, being informed in this regard in advance by voice services or written messages; (v) for the purpose of updating your documents, data and information held by the Controller, it will process the contact person's data, only if you have provided the Controller with such data. The data subject has the obligation to inform the contact person about the data processing carried out by the Controller, either by sending the Information Note (by email, physical submission) or by indicating its consultation on the www.unicredit.ro, Personal Data Protection section; (vi) the provision of electronic signature services attached to the products and services provided by the Controller and requested by the data subjects, through the channels made available by the Controller.

2.2. fulfilling a legal obligation/requirement, according to art. 6, para. 1, lit. c of the GDPR, as well as (i) carrying out analyses and applying measures related to know-your-customer, preventing and combating money laundering and terrorist financing (Law no. 129/2019, NBR Regulation no. 2/2019) or applying international sanctions. This category also includes a) the collection and use of data provided in compliance with the legal provisions by public authorities/institutions, for the purpose of knowing/prudential monitoring/updating the data/activity of the data subject and/or comparing for the same purposes by the Controller the data held in its own systems (such as those made available by customers), with the data provided by public authorities/institutions and b) the processing of data obtained by the Controller from other entities within the Group or from third parties (according to the meaning given to this notion in Article 18 (1) of Law no. 129/2019), for the same purpose such as: contact data (email address, telephone number and home address), data from identity documents and copies of these documents, the information and documents related to the risk analysis according to Law no. 129/2019 and the normative acts issued in its execution, etc. Thus, obtaining from the Controller in this way updated information of the Data Subject may also lead to the updating of similar data existing in the Controller's records, if the latter are different; (ii) reports to various authorities/institutions, according to the law, such as the NBR, ANAF, ANPC, ANSPDCP, including for FATCA (Rom: Law on Tax Compliance applicable to Foreign Accounts) reports when the Data Subject is a US citizen and CRS reports (Rom: Common Reporting Standard) for combating tax evasion; (iii) carrying out forced executions of the amounts owed as well as the administration of garnishments and seizures; (iv) meeting the requirements in the area of payments/payment services; (v) adopting appropriate measures against internal or external fraudulent conduct and breach of discipline, such as violation of internal procedures, violation of limits, as provided for in NBR Regulation no. 5/2013; (vi) for the monitoring, security and security of persons, spaces, goods, through video cameras placed in the Bank's premises, based on Law no. 333/2003 on the protection of objectives, goods, values and protection of persons

2.3 the achievement of a legitimate interest of the Bank based on art. 6, paragraph 1, letter f of the GDPR: (i) the recovery of debts, damages of any kind caused to the Bank, the assets brought as collateral and the performance of any necessary actions/requests, the legitimate interest of the Bank being represented by the appropriate and necessary measures taken by the Bank to ensure its solvency and a sustainable management of liabilities; (ii) reporting within the UniCredit Group that may include data on the person, ownership, activity, business or business relationships or with persons within the same group of customers that constitute or may constitute a single risk, respectively to the transactions of the account(s) opened with the Bank, based on the legitimate interest of the Operator to ensure prudential measures at Group level; (iii) for the monitoring, security and security of persons, spaces, goods, through video cameras placed in the Bank's premises, in Law no. 333/2003 on the protection of objectives, goods, values and protection of persons, the legitimate interest being represented by the appropriate and necessary measures to ensure the evidentiary means related to the settlement of any complaint/request from the persons/authorities entitled, thus maintaining the reputation the Operator in the market; (iv) to verify the customer's satisfaction and the quality of the services and products purchased, as well as to collect the opinions/evaluations of the Data Subject with referenceto situations resulting from/in relation to the Bank's current activity (such as sustainability, environmental protection, actions regarding different communities such as the local community), based on the legitimate interest of the permanent improvement of the Bank's services/products, as well as the implementation/consolidation/development of the Bank's strategies in various areas derived from the current activity such as sustainability, environmental protection, actions regarding different communities such as the;(v) fulfilling an obligation provided for in the relevant regulations of the UniCredit Group, applicable to the Operator regarding the fight against and prevention of money laundering and terrorist financing and for the application of the various international sanctions regimes, based on the legitimate interest in ensuring prudential risk management at the level of the UniCredit Group (including the sharing of information between Group entities arising from the KYC process, the identification of persons and activities suspected of money laundering or terrorist financing or violation of international sanctions regimes); (vi) the execution by the Bank, as a third party (as defined in Article 18 (1) of Law no. 129/2019), of specific know-your-customer activities for another reporting entity/third party or the provision by the Bank to a reporting entity/third party of information regarding the Data Subject obtained by the Bank in the KYC process; (vii) the prevention, investigation and prevention of fraud derived from any area concerning the Bank's current activity: (a) payment services. Thus, in collaboration with Transfond, the Bank will provide the Beneficiary Name Display Service (SANB), together with other payment service providers in Romania, as participants in the service. As a result, your data will be (full first name, initial surname and IBAN code) are transferred to the database managed by Transfond in order to prevent transactional fraud and undue payment; (b) financial services. Thus, it is envisaged to send information messages that do not contain personal data to the old telephone number and/or e-mail address of the Data Subject and, respectively, on a communication channel (e-mail address/SMS type) existing in the Bank's records, at the same time as updating the telephone number and/or e-mail address. The legitimate interest is represented by the necessary and appropriate measures to prevent and combat (potentially) fraudulent conduct, including through mechanisms that ensure a high degree of maintenance of the security and confidentiality of data processing; (viii) communication of information regarding the functionalities, standard contractual-operational advantages/benefits, mechanisms of operation of the products and services owned by the Data Subject, complementary products and services (provided by the Bank) that optimize the use of the products and services already owned, through modalities such as payment programs in (equal) installments, payment programs loyalty, programs regarding the use of products and services, through means of communication, such as automatic calling systems that do not require the intervention of a human operator, respectively e-mail, SMS, fax, physical mail, telephone conversation (e.g.: INFOCenter), Online/Mobile B@nking, Virtual Mailbox [e.g.: notifications, messages including "push notification" (notifications/instant messages)), based on the Bank's legitimate interest in providing information adequate, correct and complete of the data subjects regarding the products and services owned or complementary to them, carrying out education campaigns for data subjects, so that the data subjects have access to and/or maintain the services and products appropriate to their needs andinterests; (i) the proper functioning of the Bank's internal systems/applications(whatever their name), through activities (which may also be prior) such as testing (e.g. use of personal data in test environments), design, development, so that the Bankcan carry out its day-to-day activity optimally, including in areas such as preventing and combating money laundering, applying international sanctions, combating tax evasion (e.g. for FATCA purposes) considering that such activities may be essential in the future functioning of the Bank's systems/applications, based on the Bank's legitimate interest in ensuring the proper functioning of its systems/applications, by taking the necessary measures (such as prior use of personal data in test, design, development environments) and ensuring proper management of the related risks; (x) carrying out analyses and studies at the level of the Bank on aspects such as the use of products and services, payment or lending standards for the development of analytical models and their periodic review in order to optimize the Bank's business strategy and products and services, based on the Bank's legitimate interest in taking appropriate measures such as studies, analyses to anticipate the needs and interests of customers, improving the Bank's services and products, in line with the needs and expectations of customers and the evolutions/trends in the profile market; (xi) the undertaking by the Operator of the measures necessary to carry out, in a prudential manner, the consolidated supervision of the entities within the Group (e.g.: UniCredit Consumer Finacing IFN SA hereinafter referred to as "UCFin"), by transmitting to UCFin (upon request) the data on common customers, so that the Operator (operational leader of the Group): (a) to maintain within the optimal parameters of efficiency and effectiveness the risks of loan, financing, model and strategic, at Group level, in accordance with the relevant legislation; (b) to create UCFs in the necessary conditions for integrated credit analysis and statistical modelling, by capitalising on the data held by the Operator, in order to estimate the probability of non-payment; (c) to avoid the risk of insolvency for joint customers; (d) to ensure compliance with the relevant legislation and thus to reduce the possibility of risks for the Controller and the entities in the Group (which may indirectly affect the Operator); (xii) carrying out the defense, execution, finding, without limitation, of a right/claim/demand, etc. in court, before another authority/institution/natural or legal persons, auditors, without limitation, based on the legitimate interest of the Operator to take all necessary and appropriate measures(documentation, defense, exercise, finding) to protect its rights and interests and ensure compliance with the applicable legislation; (xiii) recording communications through digital channels, telephone conversations made through the Contact Center, the legitimate interest being represented by the improvement of banking products and services and the provision of evidentiary material for the efficient resolution of any complaints/requests. The data subject is always in control, i.e. he/she can address the Bank through other channels, if he/she does not choose to record the conversation, being informed in this regard in advance through voice services or written messages; (xiv) for statistical purposes, the legitimate interest being represented by the performance of anticipatory analyses/studies that serve to improve the current activity, also in relation to art. 89 of the GDPR; (xv): questioning the Credit Bureau, based on the legitimate interest of carrying out an integrated risk analysis, in order to prevent excessive indebtedness and ensure the stability of the financial system. For clarity, the Bank does not question the Credit Bureau in the case of Data Subjects, guarantors for loans granted to SMEs and Corporate; (xvi) the legitimate interest of the Controller to comply with the prudential rules and requirements to which credit institutions are subject (knowing your customers and updating customer data, in order to prevent and combat money laundering, terrorist financing and fraudulent behavior) and ensuring the accuracy of the data by providing the General Directorate for Persons Records ("DGEP") of the data from the identity cards (ID) of existing customers of credit institutions, as well as information related to the death of a customer (if applicable) in the following cases: a) Continuous updating of the data made available by the Controller to the DGEP by providing information about the new IDs of existing customers, b) Querying the DGEP database on the occasion of initiating a business relationship with a customer by the Controller, c) Querying the DGEP database for existing customers in certain specific situations (e.g. suspicions of fraud); (xvii) The legitimate interest of UniCredit Bank SA to achieve an effective integration with Alpha Bank SA, while identifying best practices and improving efficiency. In this context, access to the personal data of Alpha Bank SA customers is essential for aligning systems, processes, products and services, migrating customer accounts, transaction history and other important information to a unified system, ensuring a smooth transition, minimizing any interruptions and maintaining continuity of service in the customer relationship. The mentioned processing is also based on the legal obligation of the Controller to ensure business continuity and to assess the merger risks (point xvii ais applicable for the processing of Alpha Bank Romania SA customers' data in the pre-merger period).

2.4 the fulfillment of a public interest, based on art. 6, paragraph 1, letter e of the GDPR: as the processing carried out by the Controller is framed in the legislation in the areas of knowing your customers, preventing money laundering, terrorism, international sanctions (Law no. 129/2019 and GEO no. 202/2008), judicial organization (Law no. 304/2022).

2.5. the consent of the Data Subject based on Article 6, paragraph 1, letter a of the GDPR: the Bank query of ANAF (including in the case of PFAs and persons exercising a liberal profession/freelancers) of the Credit Risk Center ("CRC"); the processing of data for direct marketing purposes, if the borrower has expressed an option in this regard. For clarity, the Bank queries the CRC in the case of Data Subjects who have the quality of guarantors of the loans granted by the Bank to SME customers and Corporate, if these Data Subjects are also borrowers (e.g. they have the status of borrower, in the financing contracts, of PFA, sole proprietorship or person exercising a liberal profession) or are majority partners/coordinators within the SME and Corporate (borrowed) clients.

3. Duration of processing:

a) during the validity period of the contracts concluded with the Bank, to which is added 10 years from the termination of the contractual relationship, in relation to the provisions of Law no. 82/1991, Law no. 129/2019 and based on the legitimate interest of the Controller to take the appropriate and necessary measures to preserve the contractual documentation in order to properly defend its rights in relation to any natural or legal person, such as courts, auditors, supervisory authorities, in line with the applicable legislation, according to art. 6, paragraph 1, letters c) and f) of the GDPR, except in cases where, by an applicable legal provision, it is necessary to retain it for a longer period or when the Bank justifies a legitimate interest, in which case the duration of the processing may be extended until that legitimate interest is achieved; b) for a period of 5 years, to which a period of up to 5 years may be added, at the request of the competent authority, if a contractual relationship has not been concluded for the provision of banking services/products to you, according to the legislation for the prevention and sanctioning of money laundering (Law no. 129/2019 and NBR Regulation no. 2/2019; c) regarding direct marketing, information including on the storage period can be obtained from the information note on the processing of personal data dedicated to the current account and available at www.unicredit.ro, Personal Data Protection section or upon request, in the Bank's units.

The personal data transmitted to the Central Credit Register, hereinafter referred to as "CRC", which operates under the NBR, are stored by it for 7 years from the date of the last update, and those transmitted to the Credit Bureau for a period of 4 years from the date of the update. As these storage periods may change independently of the Controller's will, please periodically visit, for CRC, the GDPR information by accessing https://www.bnr.ro/Informare-privind-activitatea-CRC-3084.aspx and, for the Credit Bureau, the GDPR information by accessing: https://www.birouldecredit.ro/wps/wcm/connect/bcro/f0ba1966-df04-4a4e-8a8f-19def66eab72/Informare_BC_octombrie_2019.pdf?MOD=AJPERES&CONVERT_TO=URL&CACHEID=ROOTWORKSPACE.Z18_O9E2H8G0OGTM40QOMCSC7L3000-f0ba1966-df04-4a4e-8a8f-19def66eab72-n5zYr-2; The data subject is encouraged to periodically visit www.bnr.ro (Central Credit Risk section) and www.birouldecredit.ro, the sections dedicated to the protection of personal data, in order to consult the updated versions of the applicable GDPR notices.

4. Controllers/Processors and Recipients of Personal Data

Personal data may be transmitted to the following categories of recipients: a) Data subject, representatives of the data subject, b) entities of the UniCredit Group, c) contractual partners of the Bank in all areas necessary for the optimal performance of the Bank's current activity (e.g.: insurers, debt collection agencies, lawyers, notaries, bailiffs, appraisers, auditors, consultants, companies in the IT/payments area, fraud investigation and documentation service providers, postal and courier services, archive services); d) international organizations (e.g. card organizations – Visa, Mastercard, etc.), e) providers of technical payment processing and facilitation services (e.g. Romcard, Transfond, Society for Worldwide Interbank Financial Telecommunication, etc.), f) public authorities in Romania (e.g. National Bank of Romania, ANAF, National Office for the Prevention and Combating of Money Laundering, Competition Council, etc.) and from abroad (e.g. European Commission, tax authorities, etc.); g) other public and private law institutions (e.g.: General Directorate for Persons’ Records, National Agency for Cadastre and Real Estate Publicity, National Register of Movable Property, National Credit Guarantee Fund for SMEs); h) the employer of the data subject; i) partners of the Bank for the direct transmission by them of commercial communications regarding their services and products, if you have expressed an agreement in this regard.

4.1. Joint controllers:

Insurance companies: in the case of life insurance policies purchased, according to your option, as well as in the case of concluding an insurance contract for an asset brought as collateral for the contracted loan, the data controller is the insurance company that issued the insurance policy, the communication channels with them being mentionedin the Insurance Policy .

Credit Risk Central: the specialized structure established by the Regulation of the National Bank of Romania no. 2/2012 regarding the organization and functioning of the Credit Risk Center at the National Bank of Romania. The Credit Risk Center processes your personal data. personal data, such as: name, surname, CNP, data on the counter credit, global risk situation, situation of outstanding loans, data on card fraud (cardholder identification data, card type, currency, date of fraud finding, amount defrauded).

Credit Bureau S.A.: legal entity Romanian, headquartered in 29 Sfânta Vineri Street, 4th floor, sector 3, Bucharest, postal code 030203, Romania, registered in the Trade Register under no. J40/2176/16.02.2004, unique registration code 16140132, tel. + (40 21) 315.10.17, fax. + (40 21) 315.10.21. Biroul de Credit S.A. processes your personal data. as detailed in the separate information note on this processing (e.g. name, surname, CNP, data on the contracted loan, global risk situation, situation of outstanding loans, as well as the positive and negative data mentioned above).

National Credit Guarantee Fund for Small and Medium-sized Enterprises: if you have applied for a First Home loan, your personal data, including copies of identity documents, are sent to FNGCIMM, with the address at 38 Iulian Stefan Street, Sector 1, Bucharest.

Brokers (credit intermediaries): contractual partners of the Bank who provide intermediation services, services and products of the Bank.

Any of the associated controllers may be contacted directly using their contact details indicated in this document or the public ones, including the address of the data protection officer of each entity, in order to obtain information about the essence of the agreements with the Controller.

5. International transfer

Personal data will be transferred to SWIFT (Rom: Society for Worldwide Interbank Financial Telecommunication), acting as a controller, in case of carrying out credit transfer operations - payments requested by you. includes processing through the SWIFT system. In this regard, there was a possibility that the data transferred to SWIFT, as controller, could be accessible to the US Treasury Department. If you are a citizen of the United States of America (USA) or a resident of the USA, we inform you that, according to FATCA (the legal provisions regarding the tax regime of the US state are directly applicable to you, your data being transmitted by the Bank to the tax authorities in Romania, which may subsequently send them to the tax authorities in the USA. In all situations where the international transfer of data will be necessary, this will only be done if an adequate level of protection of personal data recognized by decision of the European Commission, such as the member countries of the European Economic Union (EEA), is ensured in the recipient country.In the absence of such a decision by the European Commission, the Bank will be able to transfer personal data to a third country only if the person processing the data has provided appropriate safeguards provided by law for the protectionof personal data, such as, but not limited to, the use of binding corporate rules, standard data protection clauses adopted by the European Commission, standard data protection clauses adopted by a supervisory authority, contractual clauses authorised by a supervisory authority, adherence to a code of conduct approved by the supervisory authority. The Bank may be contacted for additional information regarding the safeguards offered for the protection of personal data in the event of each data transfer abroad, by a written request to this effect.

6. Necessity of the processing of Personal Data:

In the event that you refuse the processing of the aforementioned Personal Data, for the requested products and services that are circumscribed to the purposes stipulated in letters 2.1, 2.2, 2.3 (items i-iii, v, vi, viii-xvi), 2.4 above – the Bank will be unable to initiateor continue legal relations with you., as it is unable to comply with the applicable legislation and to conclude the requested contract. If you do not agree to the processing of your Personal Data. for direct marketing purposes, the contractual relationship between you and the Bank will not be affected in any way. In the event that you have been or are an exclusive customer of UniCredit Consumer Financing IFN SA and you had/have only the right to view in Mobile Banking and considering that the Operator has control of the Mobile Banking application, we inform you that it is possible that in Mobile Banking the new direct marketing agreement will become available to you from the Operator based on the legitimate interest of the Operator to strengthen the business relationship with Mobile Banking users according to art. 6, paragraph 1, letter f of the GDPR.

7. Rights of the Data Subject:

a) the right of access to data; b) the right to rectification of data; c) the right to erasure of data; (d) the right to data restriction; (e) the right to data portability; (f) the right to object to processing; (g) the right not to be subject to an automated individual decision, including profiling; h) the right to address the National Authority for the Supervision of Personal Data Processing ("ANSPDCP") and the judiciary. We mention that, according to art. 7, para. 3 of the GDPR, you have the right to withdraw your consent at any time only in the case of processing based on consent with the validity of the processing carried out until the date of withdrawal of consent. With the exception of the rights provided for in letter h) which are exercised through written requests addressed to ANSPDCP and to the competent court, for the exercise of the other rights, you may address with a written request, dated and signed, sent to UniCredit Bank SA, at the address: 1 F Exhibition Boulevard, sector 1, Bucharest, postal code 012101, or by email at infocenter@unicredit.ro, respectively by calling +40 21 200 2020 (normal rate call on the Telekom Romania fixed network) or *2020 (normal rate call on Telekom Romania, Orange, RCS&RDS, Vodafone mobile networks). If you make a request regarding the exercise of your data protection rights, the Bank will respond to this request within one month, which can be extended by two months, under the conditions provided by the GDPR. In the event that you wish to submit a request regarding the exercise of the above rights, in relation to the associated operator - the insurance company - that issued the Insurance Policy, you can address it according to the provisions of the Insurance Policy. Within the Bank, the data protection officer has the following contact details: 1F Expozitiei Boulevard, sector 1, Bucharest, postal code 012101, e-mail dpo@unicredit.ro. As the Bank may periodically amend this document, we recommend that you periodically consult the Bank's website, at www.unicredit.ro, Personal Data Protection section, in order to be permanently updated with the latest changes.

Borrowing

Accounts and Cards

Savings and Investing

Insurance

Digital

Activate now Mobile Banking

Activate now
Mobile Banking