GRAMILTON DESIGNATED ACTIVITY COMPANY

The purpose of the Policy is to explain what Personal Data we process, how and why we process it and to describe our duties and responsibilities regarding the protection of such Personal Data. The manner we process Personal Data may evolve from time to time. Therefore, this Policy will need to be updated in order to reflect changing practices accordingly.

To meet our transparency obligations under the Data Protection Law, we will incorporate this Policy by reference to various points of collection of data used by us.

By virtue of a Private Agreement for the Servicing of Receivables dated 20.10.2023, the Company has appointed the company under the corporate name doValue Greece Loans and Credits Claim Management Société Anonyme, a Greek law 4354/2015 servicer incorporated and registered under the laws of the Hellenic Republic, registered with the Greek General Commercial Registry under no. 121602601000 (the Servicer) to service certain receivables of a portfolio of Greek law loans and credit facilities owned by the Company.

The Company will act as a Data Controller in respect of Personal Data provided to it by: (i) various individuals in connection with the management, operation and administration of the Company; and (ii) the Servicer in respect of debtors and their related persons within the context of debt management. Indicatively, such individuals are the following:

1. members of the administration, employees and officers of the Company;
2. persons who provide services to the Company; and
3. debtors that have entered into lending arrangements with Cairo no. 1 Finance Designated Activity Company or Cairo no. 2 Finance Designated Activity Company or any of their predecessors-in-title as well as any third parties that have provided guarantees/securities for the relevant arrangements as well as individuals related to debtors - legal entities
   (each a Data Subject).

Personal Data is processed by the Company for the below purposes:

To the extent that Processing is undertaken based on the instructions of the Company and gives rise to a Data Controller and Data Processor relationship, the Company will ensure that such relationship is governed by an agreement which includes the data protection provisions prescribed by the Data Protection Law.

The Servicer acts as a separate and independent controller in relation to the personal data of the borrowers, the guarantors and any individual related to debtors - legal entities. The Servicer’s Privacy Policy should also be consulted for information on the processing of the personal data of borrowers, guarantors and individuals related to debtors - legal entities.

As part of our record-keeping obligations under Article 30 of the GDPR, the Company retains a record of the Processing activities under its responsibility in accordance with the provisions of the said Article.

The Company will not ordinarily obtain or process Special Categories of Data. Nevertheless, in the very limited circumstances where it does so, it shall process such Personal Data in accordance with the provisions of the Data Protection Law.

The Data Protection Law provides specific rights in favour of data subjects. These rights are the following (the Data Subject Rights):

1. the right of a data subject to receive detailed information on the processing (by virtue of the transparency obligations on the Controller);
2. the right of access to Personal Data;
3. the right to amend, rectify and complete any inaccuracies related to Personal Data;
4. the right to erase Personal Data (right to be forgotten);
5. the right of data portability;
6. the right to restrict Processing;
7. the right to object to Processing based on legitimate interests; and
8. the right to object to automated decision making, including profiling.

These Data Subject Rights may be exercised subject to limitations provided for in the Data Protection Law. In certain circumstances, it may not be feasible for the Company to fulfill relevant rights. Data Subjects may address a written request to the Company relating to the management of their personal data, by addressing their request in writing to the Customer Service and Complaints Management Unit of doValue Greece at 27 Kyprou & Archimidous Streets, 18346 Moschato, Greece or via email at [email protected]. Relevant requests shall be dealt with in accordance with the provisions of the Data Protection Law.

The Company undertakes to hold confidential any Personal Data provided by the Servicer in accordance with the provisions of the Data Protection Law.

Respectively, we and any service providers we may use apply technical and organizational measures to protect Personal Data from unlawful or unauthorized destruction, loss, change, disclosure, acquisition or access. Personal Data is held securely using a range of appropriate security measures.

Data Controllers must notify the Data Protection Authority and affected Data Subjects in case of certain types of personal data security breaches. Personal Data Breach means the breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data transmitted, stored, or otherwise processed. A Data Breach incident that may occur regarding Personal Data under the control of the Company will be dealt with in accordance with the provisions of the Data Protection Law.

We may disclose Personal Data (i) to third parties or allow third parties to access Personal Data we process for the purposes of complying with applicable law; and (ii) to authorized persons, consultants, service providers, bodies, statutory auditors, providers technology services, and to any affiliated companies or subsidiaries of the foregoing for the same or respective purposes.

We will keep Personal Data:

1. throughout the duration of the Data Subjects’ relationship with the Company and after its expiry in accordance with the Company’s legal and regulatory obligations and any applicable record retention policy of the Company;
2. for such period as may be deemed by us to be necessary in light of applicable statutory limitation periods; and
3. in any other case, only for as long as the retention of such Personal Data is deemed necessary for the purposes for which that Personal Data is Processed.

From time to time, the Company may transfer Personal Data to countries outside the European Economic Area which may not have the same or equivalent Data Protection Law as Ireland or an equivalent Data Protection Law. If such a transfer occurs, the Company will ensure that this processing of Personal Data is carried out in compliance with the provisions of the Data Protection Law.

For further information about the Policy and / or the processing of Personal Data by or on behalf of the Company, you may address your requests in writing to the Customer Service and Complaints Management Unit of doValue Greece at 27 Kyprou & Archimidous Streets, 18346 Moschato, Greece or via email at [email protected] and thereafter, if you wish, to the competent Authority.

Data Controller means the entity which, alone or jointly with others, determines the purposes and the means of the processing of Personal Data.

Data Protection Law means the General Data Protection Regulation 2016/679 (the GDPR) and the Data Protection Act 2018 as well as any other laws which may apply to the Company in relation to the Processing of Personal Data.

European Economic Area means Austria, Belgium, Bulgaria, Croatia, the Republic of Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Liechtenstein, and Norway.

Personal Data means any and all information relating to a living individual which allows the identification of that individual. Personal Data may include: (i) the name and identification information; (ii) details about an individual’s location; or (iii) any other information that is specific to that individual.

Processing means each action or set of actions performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as consultation, collection, organization, recording, storage, structuring, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The terms Process and Processing are interpreted accordingly.