LEON CAPITAL FINANCE
DESIGNATED ACTIVITY COMPANY

Unless otherwise stated, the Company is a controller of data responsible for your information when you interact with us. The Company’s address is 2nd Floor, Palmerston House, Denzille Lane, Dublin 2, Ireland.

We collect the personal data which we require to participate in capital market transactions in compliance with applicable laws and regulations.

The data we collect depends on the context of your interactions with us and the choices you make. The data we collect can include the following:

1. Identity and contact information: first and last name, date of birth, gender, nationality and citizenship, marital status, occupation, job title, employer, email address, residential or business address, phone and fax numbers and other similar contact data (whether in a personal or professional capacity), tax residency and tax related information, PPS number (or foreign equivalent), family details, copies of ID and other identification documents.
2. Directorships data: details of other directorships held by you with respect to the appointed directors of the Company.
3. Securities data: details of securities held by you with respect to the appointed directors of the Company.
4. Miscellaneous: further information as may be required to comply with applicable anti-money laundering and counter-terrorist financing laws and regulations.

Depending on the context of your interactions with us, we use the information we have about you in the following ways and for the following purposes:

1. To comply with applicable laws and regulations, such as:

• the Companies Act 2014, as amended;
• the Taxes Consolidation Act 1997 (as amended);
• the European Union (Anti-Money Laundering: Beneficial Ownership of Corporate Entities) Regulations 2019;
• the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended by the Criminal Justice Act 2013, the Criminal Justice (Money Laundering and Terrorist Financing (Amendment) Act 2018 and the Criminal Justice (Money Laundering and Terrorist Financing (Amendment) Act 2021; and
• financial sanctions related obligations.

2. To perform contracts that have been entered into by the Company or which are to be entered into by the Company, such as those pertaining to the operation and maintenance of bank accounts, or involving financial transactions of various types;
3. To perform contracts that the Company has entered into with you;
4. To maintain a record of the contact details of the parties to each capital market transaction entered into by the Company, and of those persons providing services to the Company, such as legal advisors, tax advisors, auditors, banks and other service providers; and
5. Where necessary to ensure the efficient operation of the Company, such as to record attorneys, legal representatives or authorised signatories appointed by the Company.

We rely on a number of legal bases to lawfully process your personal data, which are as follows:

• compliance with a legal obligation;
• contractual necessity;
• legitimate interests; and
• consent in certain instances.

You have choices about the data we collect. For further information in this regard, please refer to the section titled ‘Data Subject Rights’ below.

You provide some of this data directly. Information is provided by you:

• When you respond to a request pertaining to compliance with legal obligations, for example in the area of company law, anti-money laundering and counter-terrorist financing laws and regulations, market abuse regulations, taxation laws and regulations;
• When you are or may be appointed as a director, officer, duly appointed attorney, legal representative or authorised signatory of the Company;
• When you are a person associated with any service provider appointed by the Company;
• When you are a customer of, or are associated with a customer, in respect of any loan contained within the loan portfolio held by the Company;
• When you subscribe for shares in or are an ultimate beneficial owner of the Company;
• When you provide information for, and/or execute documentation pertaining to the establishment and operation of bank accounts or other types of accounts for the Company, or when you engage in similar activities for the purposes of any financial transaction that the Company may wish to conclude; and
• When you act on behalf of a professional adviser or other service provider to the Company, or when you act on behalf of parties to capital market transactions, entered into by the Company, or in which the Company is participating.

We also obtain data from third parties. These third-party sources vary over time, but have included:

• Legal counsel that have been engaged by the Company for the purposes of the completion of a transaction;
• Third parties involved in capital market transactions in which the Company is participating, such as the servicer in respect of the loan portfolio held by the Company; and
• Publicly available sources such as open government or regulator databases, or other data in the public domain.

The personal data that we process can be stored on the systems and on physical files of the Company, or on third-party systems or physical files of service providers to the Company.

We rely on several legitimate interests in using and sharing your personal information. These interests include facilitating the day-to-day business operations of the Company. Examples in this regard include:

• The provision of information to appointed legal counsel, auditors, tax advisers and other service providers to the Company, in addition to further third parties to transactions entered into by the Company, or in which the Company intends to participate, to facilitate their compliance with the provisions of laws and regulations applicable to such parties, or the completion of required due diligence procedures;
• The practical application of powers of attorney granted by the Company;
• The performance of contracts that have been, or that are to be, entered into by the Company in the context of a capital markets transaction; and
• To maintain a record of the contact details of the parties to each capital market transaction entered into by the Company, and of those persons providing services to the Company, such as legal counsel, tax advisers, auditors, banks and other service providers.

The Global Data Protection Regulation provides a number of rights with respect to how the personal data of data subjects is used including rights of access, rectification, erasure, restriction, data portability and objection.
 

1. Right of Access

   Data subjects are entitled to obtain details concerning the processing of their personal data and to have access to a copy of any personal data that is processed in an easily accessible format.
    

2. Right of Rectification

   Data subjects are entitled to have inaccurate personal data concerning them rectified without undue delay, and, taking into account the purposes of the processing, to have incomplete personal data completed.
    

3. Right of Erasure (Right to be Forgotten)

   Data subjects have the right to have their personal data erased without undue delay in specified circumstances. This is known as the right of erasure or ‘the right to be forgotten’. These circumstances include:

   1. The personal data is no longer necessary in relation to the purposes for which it was collected;
   2. The data subject withdraws consent and there is no other legal bases for processing;
   3. In the case of reliance on legitimate interests as a ground for processing and in circumstances where an objection is raised by the data subject, there are no overriding legitimate grounds for the processing;
   4. The personal data has been unlawfully processed;
   5. The personal data has to be erased for compliance with a legal obligation under European Union or Member State law; or
   6. The personal data has been collected in relation to the offer of information society services to a child.
       

   The right to erasure is not available where the processing of the relevant personal data is necessary:

   1. For the purposes of exercising the right of freedom of expression and information;
   2. For compliance with a European Union or Member State legal obligation which requires processing by law and to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
   3. For reasons of public interest in the area of public health;
   4. For certain archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
   5. For the establishment, exercise or defence of legal claims.
       
4. Restriction of Processing

   There are four instances in which a data subject is entitled to restrict processing of his or her personal data as an alternative to erasure:

   1. The accuracy of the personal data is contested by the data subject, in which case the processing is restricted for a period enabling the controller to verify the accuracy of the personal data;
   2. The processing of the personal data is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
   3. The controller no longer needs the personal data for the purposes of the processing, but the personal data is required by the data subject for the establishment, exercise or defence of legal claims, and
   4. The data subject has objected to processing pending verification whether the legitimate grounds of the controller override those of the data subject.
       

   Where processing has been restricted, continued processing, with the exception of storage, may only occur in the following cases:

   1. The data subject consents;
   2. The processing is necessary for the exercise or defence of legal claims;
   3. The processing is necessary for the protection of the rights of other individuals or legal persons; or
   4. The processing is necessary for public interest reasons.
       

   You are entitled to be notified by us before any restriction on processing is lifted.
    

5. Data Portability

   This right enables you to receive personal data concerning you, in a structured, commonly used and machine-readable format, and to transmit that data to another controller without hindrance from us. This right only applies where processing is based on your consent or on the performance of a contract, and the processing is carried out by automated means.
    

6. Right to Object to Data Processing

   Data subjects have a right to object to the processing of their personal data in the following circumstances:

   1. Where processing is based on legitimate interest grounds or because it is necessary for a public interest task/official authority. The controller is required to cease processing unless it demonstrates compelling legitimate grounds for the processing which override the rights of the data subject or the processing is necessary for the defence of legal claims;
   2. Processing for direct marketing purposes. No further processing may occur once an objection has been received; and
   3. Processing for scientific or historical research or statistical purposes. Processing may only occur following an objection if the processing is necessary for the performance of a task carried out for reasons of public interest.
       
7. Rights in relation to Automated Processing, including Profiling

   Data subjects have a right not to be subject to a decision based solely on automated processing, which includes profiling. This right does not apply if the decision:

   1. Is necessary for entering into, or performance of, a contract between the data subject and a data controller;
   2. Is authorised by law which lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or
   3. Is based on the data subject’s explicit consent.
       
8. Right to Withdraw Consent

   Data subjects have a right to withdraw consent, where consent is relied upon as the legal bases for processing.

   Requests in relation to the enforcement of your rights will be responded to free of charge and within 30 days of receipt of the request. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

• Reliance on Compliance with a Legal Obligation

These grounds may be relied upon where the bases for processing is laid down in a relevant law or regulation of a European Union Member State such as Ireland, or in a European Union law or regulation. You do not have a right to erasure of your personal data, to data portability or to object to the processing of your personal data where we are relying on the grounds of compliance with a legal obligation with respect to the processing of your personal data.

• Reliance on the Grounds of Contractual Necessity

These grounds may be relied upon where we have entered into a contract with you, in respect of the performance/execution of such contract, and includes steps taken at your request prior to the entering into of the contract.

You do not have a right to object to the processing of your personal data where we are relying on the grounds of contractual necessity for such processing, but you do have a data portability right.

• Reliance on the Grounds of Legitimate Interests

You may object to the processing of your personal data where we are relying on the grounds of legitimate interests for such processing. We can override your objection if we can demonstrate an overriding compelling legitimate ground. We note that the Company will never exercise its legitimate interests to use your personal data for marketing purposes.

A right of data portability does not apply where we are relying on the grounds of legitimate interests in relation to the processing of your personal data.

We will not use your personal data for automated decision-making purposes (including profiling).

We share information we have about you in accordance with this data privacy notice:

1. With the parties to capital market transactions entered into, or to be entered into by the Company, as necessary for the performance of the Company’s contractual obligations, to facilitate compliance with laws and regulations applicable to such parties, or the completion of required due diligence procedures by such parties;
    
2. With professional advisers to and service providers appointed by the Company:
   • as may be necessary in connection with the performance of contractual obligations, or
   • in circumstances where information is provided to facilitate compliance by such service providers with applicable anti-money laundering and counter-terrorist financing obligations.
      
3. With third parties generally when you have requested us to do so; and
    
4. When we have a good faith belief that doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement or other governmental agencies.

We may, for the purposes outlined in this data privacy notice, transfer your personal data outside of the European Economic Area (“EEA”) provided such transfer is to a recipient who (i) is located in a country that the European Commission deems to provide an adequate level of protection for personal data, or (ii) is subject to an agreement, derogation or other legal act which allows for the lawful transfer of personal data outside of the EEA.

We will retain your information only for as long as necessary for the purposes set out in this data privacy notice, for as long as your business or professional relationship with us is active, or as needed for the completion of a capital markets transaction, or for other essential purposes such as complying with applicable laws and regulations, resolving disputes or for the establishment, exercise or defence of legal claims.

The Company is committed to protecting the security of your personal data. We use a variety of security technologies and procedures to help protect your personal data from unauthorised access, use or disclosure. For example, we store personal data you provide on computer systems that have limited access and which are located in controlled facilities.

Pursuant to the GDPR, it is mandatory for controllers to designate a Data Protection Officer (“DPO”) in the following circumstances:

• where the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
• where the core activities of the controller or the processor consist of regular and systematic monitoring of data subjects on a large scale; or
• where the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions.

As these circumstances do not apply to us, you are advised that a DPO has not been appointed for the purposes of GDPR.

You have the right to file a complaint against us with the Irish Data Protection Commissioner, which is the lead supervisory authority of the Company. You may also complain to your local supervisory authority. You can find your local supervisory authority on https://commission.europa.eu/law/law- topic/data-protection/data-protection-eu_en#national-data-protection-authorities We would, however, appreciate the opportunity to deal with your concerns before you approach any supervisory authority so please contact us in the first instance.

When collecting your personal data is mandatory (either under applicable law or in accordance with a contractual requirement), this will be stated at the time of collection of the personal data.

We will update this data privacy notice when necessary to reflect feedback from you or the way in which we process personal data. When we post changes to this data privacy notice, we will revise the “Last Updated” date at the top of this data privacy notice. If there are material changes to this data privacy notice or in how we will use your personal data, we will notify you before such changes take effect.

If you have a privacy concern, question or complaint, or you wish to exercise any of your rights as a data subject, please contact us by email at: [email protected] or by telephone on +353 1 905 8020.