EUCLID FINANCIAL INVESTOR
DESIGNATED ACTIVITY COMPANY

The purpose of this Policy is to explain what Personal Data we process, how and why we process it and to describe our duties and responsibilities regarding the protection of such Personal Data. The manner we process Personal Data may evolve from time to time. Therefore, this Policy may be updated in order to reflect changes of practice accordingly.

To meet our transparency obligations under the Data Protection Law, we will incorporate this Policy by reference to various points of collection of data used by us.

By virtue of a servicing agreement dated 15.11.2024, the Company has appointed the company under the name DOVALUE GREECE LOANS AND CREDITS CLAIM MANAGEMENT SOCIETE ANONYME, a Greek law 5072/2023 and the Executive Committee Act 225/1/30.01.2024, by virtue of Credit and Insurance Committee Decision 507/1/09.07.2024, credit servicing company incorporated and registered under the laws of the Hellenic Republic, registered with the Greek General Commercial Registry under no. 121602601000 (the Servicer) to service and manage certain receivables of a portfolio of non-performing and performing mainly unsecured and low secured (corporate and retail) loans owned by the Company.

The Company will act as a Data Controller in respect of Personal Data provided to it by:

1. the following entities:
   • AGRICULTURAL BANK OF GREECE S.A. UNDER SPECIAL LIQUIDATION;
   • HELLENIC POSTBANK S.A. UNDER SPECIAL LIQUIDATION;
   • PROBANK S.A. UNDER SPECIAL LIQUIDATION;
   • PANELLINIA BANK S.A. UNDER SPECIAL LIQUIDATION;
   • FBB-FIRST BUSINESS BANK S.A. UNDER SPECIAL LIQUIDATION;
   • COOPERATIVE BANK OF DODECANESE LTD UNDER SPECIAL LIQUIDATION;
   • PROTON BANK S.A. UNDER SPECIAL LIQUIDATION;
   • COOPERATIVE BANK OF LAMIA LTD UNDER SPECIAL LIQUIDATION;
   • COOPERATIVE BANK OF EVIA LTD UNDER SPECIAL LIQUIDATION;
   • ACHAIKI COOPERATIVE BANK LTD UNDER SPECIAL LIQUIDATION;
   • COOPERATIVE BANK OF WESTERN MACEDONIA LTD UNDER SPECIAL LIQUIDATION;
   • COOPERATIVE BANK OF PELOPONNESE LTD UNDER SPECIAL LIQUIDATION; and
   • COOPERATIVE BANK OF LESVOS - LEMNOS LTD UNDER SPECIAL LIQUIDATION
     
     (duly represented by PQH Single Special Liquidation Société Anonyme, Special Liquidator of Credit Institutions)
2. the Servicer in respect of debtors and their related persons within the context of debt management; and
3. various individuals in connection with the management, operation and administration of the Company.

Indicatively, such individuals are the following:

1. members of the administration and officers of the Company;
2. persons who provide services to the Company; and
3. debtors that have entered into lending arrangements with the entities under (i) above or any of their predecessors-in-title as well as any third parties that have provided guarantees or other securities for the relevant arrangements as well as persons related to debtors - legal entities
   
   (each of the above a Data Subject).

Personal Data is processed by the Company for the below purposes:

• Compliance with legal and regulatory obligations applicable to the Company from time to time, including, without limitation, applicable tax, anti-money laundering and countering the financing of terrorism legislation.
• Administration and management of loan and credit receivables acquired by the Company and exercise of relevant rights under which the Company acquired them and appointed the Servicer for their management and service.
• The operation of the employment or service provider agreements and in general the relationship between the Company and the employees, executives, officers, members of administration as well as service providers of the Company, to the extent applicable.

The processing of Personal Data by the Data Controller is based on one of the following legal bases, as the case may be:

• Processing is necessary for the performance of agreements between the Company, entities under (i) above or any of their predecessors-in-title, and the Data Subject;
• Processing is necessary for compliance with the legal obligations of the Data Controller; and/or
• Processing is necessary for the purposes of the legitimate interests of the Data Controller.

To the extent that Processing is undertaken based on the instructions of the Company and gives rise to a Data Controller and Data Processor relationship, the Company will ensure that such relationship is governed by an agreement which includes the data protection provisions prescribed by the Data Protection Law.

The Servicer acts as a separate and independent data controller in relation to the Personal Data of the debtors (borrowers, guarantors and/or any person related to debtors - legal entities). The privacy policy of the Servicer should also be consulted for information on the processing of personal data of debtors (borrowers, guarantors and/or any person related to debtors - legal entities). Always available on https://dovaluegreece.gr/en/personal-data-processing-notice-dovalue-greece

As part of our record-keeping obligations under article 30 of the GDPR, the Company retains a record of the Processing activities under its responsibility in accordance with the provisions of the said article.

The Company will not ordinarily obtain or process special categories of data. However, in the very limited circumstances where it does so, it shall process such Personal Data in accordance with the provisions of the Data Protection Law.

The Data Protection Law provides specific rights in favour of data subjects. These rights are the following (the Rights):

• the right of a data subject to receive information on the processing (by virtue of the transparency obligations on the Controller);
• the right of access to Personal Data;
• the right to amend, rectify and complete any inaccuracies related to Personal Data;
• the right to erase Personal Data (right to be forgotten);
• the right of data portability;
• the right to restrict Processing;
• the right to object to Processing based on legitimate interests; and
• the right to object to automated decision making, including profiling.

These Rights may be exercised subject to limitations provided for in the Data Protection Law and the Company will respond to the extent that it is technically feasible with reasonable effort and cost. In certain circumstances, it may not be feasible for the Company to fulfill relevant rights. Data Subjects may address a written request to the Company relating to the management of their personal data, by addressing their request in writing to the Servicer at [dovaluegreece@dovaluegreece.gr ]. Alternatively, they can send a letter with the subject "Personal Data" to the address 27 Kyprou and Archimidous Streets, 18346 Moschato,Attiki. Relevant requests will be treated pursuant to the provisions of the Data Protection Law.

The Company undertakes to hold confidential any Personal Data provided by the Servicer in accordance with the provisions of the Data Protection Law.

Respectively, we and any service providers we may use, apply technical and organizational measures to protect Personal Data from unlawful or unauthorized disclosure, loss, destruction, change, acquisition or access. Personal Data is held securely using a range of appropriate security measures.

Data Controllers have to notify the Data Protection Authority and affected Data Subjects in case of certain types of personal data security breaches. Personal Data Breach means the breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data transmitted, stored, or otherwise processed. A Data Breach incident that may occur regarding Personal Data under the control of the Company will be dealt with in accordance with the provisions of the Data Protection Law.

We may disclose Personal Data (a) to third parties or allow third parties to access Personal Data we process for the purposes of complying with applicable law; and (b) to authorized persons, consultants, service providers, bodies, statutory auditors, professional advisors, providers of technology services or finance, prospective assignees, and to any affiliated companies or subsidiaries of the foregoing for the same or respective purposes.

We will keep Personal Data:

1. throughout the duration of the Data Subjects’ relationship with the Company and after its expiry in accordance with the Company’s legal and regulatory obligations and any applicable record retention policy of the Company;,
2. for such period as may be deemed by us to be necessary in light of applicable statutory limitation periods; and
3. in any other case, only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data is Processed.

From time to time, the Company may transfer Personal Data to countries outside the EEA which may not have the same or equivalent Data Protection Law as Ireland or an equivalent Data Protection Law. If such a transfer occurs, the Company will ensure that this processing of Personal Data is carried out in compliance with the provisions of the Data Protection Law.

For further information about the Policy and/or the processing of Personal Data by or on behalf of the Company, please address your requests in writing to the Servicer at [dovaluegreece@dovaluegreece.gr]. Alternatively, it can be sent a letter with the subject "Personal Data" to the address 27 Kyprou and Archimidous Streets,18346 Moschato,Attiki. and thereafter, if you wish, to the competent authority.

Data Controller means the entity which, alone or jointly with others, determines the purposes and the means of the processing of Personal Data.

Data Protection Law means the General Data Protection Regulation 2016/679 (the GDPR) and the Data Protection Act 2018, as in force, as well as any other laws which may apply to the Company in relation to the Processing of Personal Data.

EEA means Austria, Belgium, Bulgaria, Croatia, the Republic of Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Liechtenstein, and Norway.

Personal Data means any and all information relating to a living person which allows the identification of that person. Personal Data may include: (a) the name and other identification information; (b) details about an individual’s location; or (c) any other information that is specific to that individual.

Processing means each action or set of actions performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as consultation, collection, organization, recording, storage, structuring, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The terms Process and Processing are interpreted accordingly.