Attica Bank : Information for the shareholders of Attica BankSA on the processing of their personal data in accordance with the 2016/679 EU regulation and the relevant Greek legislation

Attica Bank SA

INFORMATION FOR THE SHAREHOLDERS OF ATTICA BANK SA ON THE PROCESSING OF THEIR PERSONAL DATA IN ACCORDANCE WITH THE 2016/679 EU REGULATION AND THE

RELEVANT GREEK LEGISLATION

--------------------------------------------------------------------------------------------------------------------------

ATTICA BANK SA, whose headquarters are located in Athens, at Omirou Str. 23 (tel. 210 3669000) (hereinafter referred to as "the Bank") informs you as shareholders of the Bank, in accordance with the 2016/679 EU Regulation and the relevant provisions of the applicable Greek legislation on the protection of personal data, in its capacity as processing manager, that itself or third parties, at its request and on its behalf, shall process your personal data in line with the following:

1. Which of your personal data do we collect and from where?

a) Your identification data: name, surname, father's name, mother's name, ID number, tax registration number, social security number (AMKA), sex, nationality, date and place of birth, etc.

• b) Your contact data: postal and e-mail address, landline and mobile phone, etc.

• c) Number of shares.

• d) Bank account details.

All the aforementioned data is collected directly from you, or from third parties, at your request and on your behalf, or from the company «Central Securities Depository S.A.»

2. Why we collect your personal data and how we process it.

According to the aforementioned information (Chapter 1), your personal data that is collected is processed for the Bank's compliance with the obligations imposed by the applicable legal, regulatory and supervisory framework, as well as the decisions of any public authorities or courts, as well as for the protection of the rights and fulfillment of the legitimate rights of the Bank, for the purposes mentioned in detail below:

• a) To identify you

• b) To contact you

• c) To check the possibility and legitimacy of exercising your rights as shareholders of the Bank, according to Law 2190/1920 on Societes Anonymes, as applicable (participation in the Bank's General Meetings and exercise of voting rights, etc.)

d) To fulfill our obligations towards you (e.g. payment of dividends)

3. Who we send your personal information to

Your personal data may be transferred to the following persons:

a) The Bank's board of directors and/or Bank employees who are responsible for your identification as well as for checking the legality of the exercise of your rights as shareholder's of the Bank.

• b) Institutions to which the Bank assigns the execution of specific tasks on its behalf (processors), such as lawyers, law firms, notaries and bailiffs, experts, specialists, natural or legal persons as well as data processing companies to check and update them (including updating your contact details if you have omitted to notify the Bank about the relevant change), as well as IT service providers, under the condition that confidentiality is observed at any time.

• c) The company «Central Securities Depository S.A.».

• d) Supervisory, independent, judicial, public and / or other authorities within their framework of responsibility.

4. Transfer of your personal data to third countries outside the EU

We may transfer your personal data to third countries outside the EU in the following cases: a) If the European Commission has issued an enforcement act on an adequate level of protection of personal data in the country in question, or

• b) if you have given your explicit consent to the Bank, or

• c) if the Bank has a relevant obligation arising from a legal provision or a trans-national agreement or a court order, or

d) in line with the Bank's compliance with the rules on the automatic exchange of information in the taxation field, as arising from the international obligations of Greece (e.g. FATCA), or e) if the transfer is crucial for establishing or exercising the rights of the Bank or for safeguarding its interests.

Please note that in order to fulfill the obligations in particular under (d) or (e) above, we may transfer your personal data to competent national authorities in order for them to carry out the transfer to the respective authorities of third countries.

5. How long do we keep your personal data?

Your personal data will be kept for as long as you remain a shareholder of the Bank.

If you lose your shareholder status for any reason whatsoever, your personal data will be kept until the statutory time for the general waiver of claims, i.e. for the time period of twenty (20) years from the expiration of the relevant agreement between the shareholders and the Bank in any way.

If by the end of the twenty (20) years there are any ongoing legal actions whatsoever with the Bank, the said period of keeping your personal data shall be extended until the court issues an irrevocable decision.

6. What are your rights regarding the protection of your personal data and how can you exercise them?

You have the following rights regarding the protection of your personal data:

a) To know what personal data we keep and process, their origin, the purposes of their processing, their recipients, as well as the time for which they will be kept (right of access).

b) Ask for the correction and / or completion of your personal data so that they are complete and accurate (right of correction). In these cases, you must present all necessary documents which prove the need for such correction or completion.

• c) Ask for the restriction of the processing of your data (right of restriction).

• d) Refuse and / or object to any further processing of your personal data that we keep (right of objection).

• e) Ask for the deletion of your personal data from the files we keep (right to erasure).

• f) Ask for the transfer of your personal data to any other processor of your choice (right to data portability).

Please note the following regarding your aforementioned rights:

• • In any case, the Bank reserves the right to refuse to satisfy your request to restrict the processing or deletion of your personal data if the processing or keeping thereof is necessary in order for you to continue being a shareholder of the Bank and to exercise your rights as shareholder, as well as for the establishment, exercise or support of the Bank's legitimate rights or for the fulfillment of its obligations towards you.

• • Exercising the right to portability, above in (f), does not entail deleting your data from our records, which applies under the terms of the exactly previous paragraph.

• • The exercise of these rights is valid for the future and does not apply to any data processing that has already been executed.

g) File a complaint with the Hellenic Data Protection Authority (www.dpa.gr), if you regard that your rights are being infringed in any way whatsoever.

II) To exercise your aforementioned rights, as well as for any matter concerning your personal data, you can contact us by post at: Attica Bank, Data Protection Officer, 23 Omirou Street, 10672, Athens, or send an e-mail todpo@atticabank.gr, or contact us by phone at 210-3669000.

In these cases, we will do our best to reply to your request within thirty (30) days after its submission. This period may be extended for up to sixty (60) more days if the Bank deems it necessary at its absolute discretion, taking into consideration the complexity of the request and the number of requests. Being it so, we will inform you about this extension within the aforementioned period of thirty (30) days.

Exercising your rights does not incur any financial burden on you. Nevertheless, if your claims are manifestly unfounded, excessive or repetitive, we may either ask you to bear the relevant costs about which we will inform you, or refuse to respond to them.

7. How we protect your privacy.

For the security of your data the Bank maintains procedures and systems which it uses for the confidentiality of your personal data and its processing, as well as for protecting it from accidental or unfair destruction, accidental loss, alteration, unauthorized dissemination or access, and any other forms of unauthorized processing, including access controls, physical and logical security, Data Loss Prevention and backup outside the Bank.

The above information supersedes any previous information you may have received about the processing of your personal data.

-------------------------------------------------------------------------------------------------------------------------