Frontier Issuer Designated Activity Company

The personal data we process depends on the context of your interactions with us and the choices you make. The personal data we process includes (indicatively) the following:

1. Where you are a Director
   • Identity and contact information: first and last name, copies of ID and other identification documents, date of birth, gender, email address, residential or business address, phone numbers and other similar contact data (whether in a personal or professional capacity).
   • Information about your legal status: nationality and citizenship, marital status.
   • Professional information: occupation, job title, employer.
   • Tax information: tax residency and tax related information, PPS number (or foreign equivalent).
   • Other information: details of other directorships held by you, details of securities held by you, family details, any further information as may be required to comply with applicable anti-money laundering and counter-terrorist financing laws and regulations.
2. Where you are a Borrower
   • Identity and contact information: first and last name, copies of ID and other identification documents, date of birth, gender, email address, residential or business address, phone and fax numbers and other similar contact data (whether in a personal or professional capacity);
   • Information about your legal status: nationality and citizenship, marital status,
   • Professional Information: occupation, job title, employer;
   • Tax information: tax residency and tax related information, PPS number (or foreign equivalent);
   • Data related with the loan agreement owned by the Company
   • Other information: any further information as may be required to comply with applicable anti-money laundering and counter-terrorist financing laws and regulations.

Depending on the context of your interactions with us, we use the information we have about you in the following ways and for the following purposes:

1. To comply with applicable laws and regulations, such as:
   • the Companies Act 2014, as amended;
   • the Taxes Consolidation Act 1997 (as amended);
   • the European Union (Anti-Money Laundering: Beneficial Ownership of Corporate Entities) Regulations 2019;
   • the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended by the Criminal Justice Act 2013, the Criminal Justice (Money Laundering and Terrorist Financing (Amendment) Act 2018 and the Criminal Justice (Money Laundering and Terrorist Financing (Amendment) Act 2021; and
   • financial sanctions related obligations.
2. To perform contracts that have been entered into by the Company or which are to be entered into by the Company, such as those pertaining to the operation and maintenance of bank accounts, or involving financial transactions of various types;
3. To perform contracts that the Company has entered into with you;
4. To administer and if necessary, enforce, directly or indirectly, Borrower agreements purchased by the Company;
5. To maintain a record of the contact details of the parties to each capital market transaction entered into by the Company, and of those persons providing services to the Company, such as legal advisors, tax advisors, auditors, banks and other service providers;
6. To administer and manage the portfolio of credit agreements owned by the Company;
7. To facilitate loan sale and transfer procedures (including the evaluation process) of loan receivables owned by the Company under the applicable legal and regulatory framework.

We rely on a number of legal bases to lawfully process your personal data, which are as follows:

• compliance with a legal obligation;
• contractual necessity;
• legitimate interests; and
• consent in certain instances.

We rely on several legitimate interests in using and sharing your personal information. These interests include:

i) facilitating the day-to-day business operations of the Company. Examples in this regard include:

• The provision of information to appointed legal counsel, auditors, tax advisers and other service providers to the Company, in addition to further third parties to transactions entered into by the Company, or in which the Company intends to participate, to facilitate their compliance with the provisions of laws and regulations applicable to such parties, or the completion of required due diligence procedures;
• The practical application of powers of attorney granted by the Company;
• The performance and enforcement of contracts that have been, or that are to be, entered into by the Company in the context of a capital markets transaction; and
• To maintain a record of the contact details of the parties to each capital market transaction entered into by the Company, and of those persons providing services to the Company, such as legal counsel, tax advisers, auditors, banks and other service providers.

ii) to facilitate the loan and sale of receivables under credit agreements, bonds or other assets to third parties (including the evaluation process) and the Company's compliance with its relevant obligations deriving from such loan sale and transfer procedures and for the purposes of any reassignment of receivables, to the extent applicable.

You have rights and choices concerning your personal data. For further information in this regard, please refer to the section titled 'Data Subject Rights' below.

You provide some of this data directly to us. Information is provided by you:

• When you respond to a request pertaining to compliance with legal obligations, for example in the area of company law, anti-money laundering and counter-terrorist financing laws and regulations, market abuse regulations, taxation laws and regulations;
• When you are or may be appointed as a director, officer, duly appointed attorney, legal representative or authorised signatory of the Company;
• When you are a person associated with any service provider appointed by the Company;
• When you are a Borrower of, or are associated with a Borrower in respect of any loan contained within the loan portfolio held by the Company;
• When you subscribe for shares in or are an ultimate beneficial owner of the Company;
• When you provide information for, and/or execute documentation pertaining to the establishment and operation of bank accounts or other types of accounts for the Company, or when you engage in similar activities for the purposes of any financial transaction that the Company may wish to conclude; and
• When you act on behalf of a professional adviser or other service provider to the Company, or when you act on behalf of parties to capital market transactions, entered into by the Company, or in which the Company is participating.

We also obtain data from third parties. These third-party sources vary over time, but include:

• When you are a Borrower, the financial institution with which you have entered into a credit agreement, which in turn has sold its interest in that credit agreement to us or other persons acting on your behalf;
• Legal counsel that have been engaged by the Company for the purposes of the completion of a transaction;
• Third parties involved in capital market transactions in which the Company is participating, such as the service provider who we appoint to administer the loan portfolio held by the Company; and
• Publicly available sources such as open government or regulator databases, or other data in the public domain.

The GDPR provides you with a number of rights with respect to your personal data each of which are subject to limitations and exceptions under the GDPR and other applicable data protection laws.

Right of Access. You are entitled to obtain details concerning the processing of your personal data and to have access to a copy of any personal data that is processed by us in an easily accessible format.

Right of Rectification. You are entitled to have inaccurate personal data concerning you rectified without undue delay, and, taking into account the purposes of the processing, to have incomplete personal data completed.

Right of Erasure (Right to be Forgotten). You have the right to have your personal data erased without undue delay in specified circumstances. 

Restriction of Processing. You have the right to request restriction of processing of your personal data in certain circumstances, such as when you believe your personal data processed by us is not accurate. 

Data Portability, when applicablethis right helps to enable the transfer of your personal data you provided to us to a third party, should you choose to do so, where we process that data on the basis of your consent or in order to perform a contract to which you are a party. 

Right to Object to Data Processing. In certain circumstances you may have the right to object to the processing of your personal data on grounds that are personal to you,where we process your personal data on the basis of our legitimate interests. However, we may be entitled to continue processing your personal data, in accordance with the GDPR, when we have a compelling legitimate ground to do so. 

Right to Object to Direct Marketing. If we send you direct marketing messages, you have the right to object to this processing. If you object, we will stop processing your personal data for this purpose and you will no longer receive direct marketing messages from us. 

Right to Withdraw Consent. Where we process your personal data based on your consent, you have the right to withdraw such consent. Please note that this withdrawal will not affect the lawfulness of the processing carried out prior to your withdrawal of consent.

Requests in relation to the enforcement of your rights will be responded to free of charge and within 30 days of receipt of the request. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We will not use your personal data for automated decision-making purposes (including profiling).

Depending on the nature of your relationship with us, we share your personal data with the following third parties:

1. With servicers which we appoint to oversee the administration of any loan agreement which we have purchased from the financial institution with which you, as a Borrower, had intitially contracted with regarding that loan agreement;
2. With the parties of transactions entered into, or to be entered into by the Company, as necessary for the performance of the Company’s contractual obligations in terms of those transactions. Where you are a Borrower and we have purchased an interest in your loan agreement from the bank with which you contracted, these transactions may include, for example, the onward sale of the interest in your loan agreement to a third party.
3. With professional advisers (such as attorneys) to and service providers appointed by the Company:
   (i) where necessary to ensure the efficient operation of the Company;
   (ii) as may be necessary in connection with the performance of contractual obligations, or
   (iii) in circumstances where information is provided to facilitate compliance by such service providers with applicable anti-money laundering and counter-terrorist financing obligations.

• With third parties generally when you have requested us to do so;
• When we have a good faith belief that doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement or other governmental agencies; and
• With credit institutions and credit purchasers within the meaning of Greek Law 5072/2023, as applicable from time to time and in force, as well as to related investors for the purposes of the relevant procedures taking place in the context of the sale and transfer of loan receivables owned by the Company, including for the purposes of any reassignment to the extent applicable.

We may, for the purposes outlined in this Notice, transfer your personal data outside of the European Economic Area ("EEA") provided such transfer is to a recipient who

(i) is located in a country that the European Commission deems to provide an adequate level of protection for personal data, or

(ii) is subject to an agreement, derogation or other legal act which allows for the lawful transfer of personal data outside of the EEA.

We will retain your information only for as long as necessary for the purposes set out in this Notice.

The Company is committed to protecting the security of your personal data. Considering the nature, scope, context and purposes of processing and the risks involved, we implement appropriate technical and organisational measures to ensure a level of security appropriate to help protect your personal data from unauthorised access, use or disclosure. For example, we store personal data you provide on computer systems that have limited access and which are located in controlled facilities.

You have the right to file a complaint against us with the Irish Data Protection Commissioner, which is the lead supervisory authority of the Company. You may also complain to your local supervisory authority. You can find your local supervisory authority on https://www.dpa.gr/el/polites/katagelia_stin_arxi.

We would, however, appreciate the opportunity to discuss your concerns with you before you approach any supervisory authority. Should you wish to do so, please contact us using the contact details below.

We will update this Notice when necessary to reflect feedback from you or the way in which we process personal data. When we post changes to this Notice, we will revise the “Last Updated” date at the top of this Notice. If there are material changes to this Notice or in how we will use your personal data, we will notify you before such changes take effect.

If you have a privacy concern, question or complaint, or you wish to exercise any of your rights as a data subject, please address your requestin writing to the Customer Service and Complaints Management Unit of doValue Greece Loans and Credits Claim Management Société Anonyme (the Servicer) at 27 Kyprou and Archimidous Streets, 18346, Moschato, Greece or via email at [email protected].