BRD Groupe Societe Generale S A : Data Protection Notice For the Shalholders

DATA PROTECTION NOTICE

FOR THE SHALHOLDERS

OF BRD - GROUPE SOCIETE GENERALE S.A.1

B.R.D. - Groupe Société Générale S.A., headquartered in Bucharest, Blvd. Ion Mihalache, No. 1-7, Sector 1, registered with the Trade Register under number J/40/608/19.02.1991, Tax Identification Number 361579, registered with the Banks Register under number RB-PJR-40-007/1999 (hereinafter called "The Bank" or "Us/ We"), acting as data controller, we would like to inform you about the way We process2 the personal data in the context of the activity carried out by BRD, as well as about the rights that you have as a data subject, starting with 25th of May 2018 (General Data Protection Regulation effective date)

I.WHAT DATA CATEGORIES DO WE PROCESS?

As the case may be, The Bank processes the following categories of personal data of : (i)the shareholders (natural person), (ii) shareholders representatives-legal persons or entities without legal personality; iii) persons empowered by shareholders by general or special power of attorney;(iv) the suppliants for the persons designated as shareholders representative ( if the person empowered by shareholder by power of attorney cannot fulfil his mandate); (v) successors of the Bank's shareholders:

• identification data, such as name, surname, CNP, ID card serial and number/other document which can serve as identification (e.g. passport, registration certificate), as well as other information these documents may contain (e.g. date and place of birth, citizenship), signature;
• contact data, such as: home address, mailing address, e-mail, phone number;
• number of shares;
• information necessary for the payment of dividends ( the dividends payment history, the account for the payment of dividends, the amount paid as dividend, the sequester)
• information regarding the participation to the General Shareholders Meetings and the exercise of the voting rights as the place of the meeting, the modality to exercise the voting rights, the debates;
• the video or static image if the GSM is organised to the Bank headquarter and you are present in person or you visit our secondary offices for payment of the dividends;
• voice if and you are present in person to the GSM or in case of recording your calls as shareholder.

II.WHERE DO WE HAVE THE PERSONAL Data FROM?

We process the personal data that you provide Us, directly (e.g. through your requests to add new points on the agenda of the GSM, participation to the GSM or by correspondence on mail or electronic correspondence) or indirectly (e.g. through empowered or other persons representing you in your relationship as shareholder with the Bank, such as, persons who are entrusted with the exercise of parental/ tutorial authority), or Central Depositary as register company for the Bank.

III.WHY DO WE PROCESS THE PERSONAL DATA?

COMPLIANCE WITH SPECIFIC LEGAL OBLIGATIONS

• According to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/ ("GDPR"), aplicable starting on May 25, 2018.

• The processing of data personal refers to any type of activities (such as the collection, storage, use, transfer, erase and disclosure of personal data) which can bring to you or other determined person

1

We process personal data in order to comply with specific legal obligations stipulated by: (i) article 6, paragraph 1, letter c) on GDPR, (ii) Companies Law 31/1990, (iii) Law 24/2017 on issuers of financial instruments and market operations (iv) Regulation no. 5/2018 on issuers of financial instruments and market operations, (v) Articles of incorporation of BRD- Groupe Société Générale S.A, (iv) other provisions regarding the procedure on organizing and running the general shareholders meetings'' ("GSM"),to ensure the shareholder rights to:

• to participate and vote to BRD's GSM;
• to introduce new items on the agenda of the BRD's GSM, to present draft resolutions for the items included or proposed to be included on the agenda of the GSM;
• to make proposals of candidates for the positions of directors, if the election of directors is on the GSM agenda;
• to access information about BRD's GSM;
• to ask questions;
• to receive dividends in the amount and conditions established by the BRD's GSM;
• other rights according to the GSM decisions.

V. TO WHOM DO WE DICLOUSURE THE PERSONAL DATA

We may disclose personal data to:

1. shareholders designated to ensure the GSM secretariat;
2. Trade Registry;
3. Central Depositary;
4. Official gazette;
5. courts;
6. Public notary for succession procedures;
7. Regulatory and supervisory authorities (Financial Supervisory Authority, National Bank of Romania);
8. Bucharest Stock Exchange;
9. Other relevant authorities;
10. Persons empowered by the Bank (layers, valuators, accountants, censors, internal and external auditors, providers of services, It services, physical or electronic archives

VI. DATA TRANSFER ABROAD

As a rule, We transfer personal data only in states belonging to the European Economic Area (EEA) or states that been recognized as having an appropriate level by a decision of the European Commission.

VII.FOR HOW LONG DO WE KEEP YOU DATA?

We keep your personal data as long as necessary to meet the purposes for which it was collected, in compliance with the applicable legal provisions, as well as of the internal procedures on data retention (including the applicable archiving rules at BRD level).

VIII. WHAT ARE THE RIGHT THAT YOU BENEFIT FROM?

According to the Law, you benefit from the following rights concerning the personal data processing that We perform:

1. Right to access your personal data: you may obtain from Us the confirmation that We process your
   personal data, as well as information regarding the specific nature of the processing, such as: tthe purpose of the processing, the categories of personal data processed, the data recipients, the period for which the data are kept, the existence of the right to rectification, erasure or restriction of

2

processing. This right allows you to obtain a free copy of the processed personal data, as well as any other extra copies, for a fee.

1. Right to rectification: you may ask Us to have inaccurate Personal data rectified and incomplete Personal data completed.
2. Right to erasure: you may ask Us to erase your personal data when: (i) the data are no longer necessary for the purposes for which We have collected and processed them; (ii) you have withdrawn your consent and We can not process them on other legal ground; (iii) the personal data are unlawfully processed, respectively (iv) the personal data have to be erased for compliance with the relevant legislation.
3. Consent withdrawal: you may, at any time, withdraw your consent regarding the processing of your personal data, data processed on a consent basis.
4. Right to object: you may object, at any time, to the processing of personal data for marketing purposes, including profiling for the same purpose and you may also object to processing based on Bank's legitimate interest, for reasons related to your specific situation.
5. Right to restriction of processing: you may request to restrict the processing of your personal data
   if: (i) you contest the accuracy of the personal data, for a period enabling Us to verify the accuracy of the personal data; (ii) the processing is unlawful and you refuse the erasure of the personal data and request the restriction of their use instead; (iii) the data is no longer necessary for the purposes of processing, but you require them for exercise or defence of legal claims; respectively (iv) if you have objected to the processing, pending the verification whether the legitimate grounds of the Bank as data controller override those of the data subject.
6. Right to data portability: you may ask us to furnish you your personal data that you have provided us in a structured, commonly used and machine-readable format (e.g. CSV format). Should you expressly request us, We can send your personal data to another entity, if possible from a technical point of view.
7. Rights related to automated decisions that We adopt in our business: for details, please see Section "Automated Individual Decisions" above. The rights attached to automated decisions that We adopt in our activity: for details, please check, "Automated Individual Decisions" above.
8. Right to file a complaint with the Supervisory Authority: you have the right to file a complaint with the Supervisory Authority if you consider that your rights have been infringed.

National Authority for Supervision of Personal Data Processing (ANSPDCP)

B-dulG-ral. Gheorghe Magheru 28-30, Sector 1, cod postal 010336, Bucharest, Romania www.dataprotection.ro

FOR THE EXERCISE OF THE ABOVE-MENTIONED RIGHTS, ITEMS 1 - 8, YOU MAY CONTACT US USING THE CONTACT DATA REFERRED TO IN SECTION CONTACT.

IX. CONTACT

If you have any queries regarding this Notice and/or you wish to exercise your rights in relation to the processing of the personal, please use the contact details set out below:

• Attn: BRD Data Protection Officer (PDPO)
• Contact Address: 1-7 Ion Mihalache Blvd., TURN BRD District 1, postal cod 011171, Bucharest, Romania
• E-mail:dataprotection@brd.ro

3