BRD Groupe Societe Generale S A : Data Protection Notice for the Candidates

DATA PROTECTION NOTICE

FOR THE CANDIDATES TO THE POSITION OF MEMBER OF THE BOARD OF DIRECTORS

OF BRD - GROUPE SOCIETE GENERALE S.A.1

B.R.D. - Groupe Société Générale S.A., headquartered in Bucharest, Blvd. Ion Mihalache, No. 1-7, Sector 1, registered with the Trade Register under number J/40/608/19.02.1991, Tax Identification Number 361579, registered with the Banks Register under number RB-PJR-40-007/1999 (hereinafter called "The Bank" or "Us/ We"), acting as data controller, we would like to inform you about the way We process2 the personal data in the context of the activity carried out by BRD, as well as about the rights that you have as a data subject, starting with 25th of May 2018 (General Data Protection Regulation effective date)

1. INFORMATION WE MAY COLLECT ABOUT YOU

We may collect and process Personal Data about you, such as:

1. Contact information - your contact information, including your home address/residence, telephone number(s), personal email address, contact address;
2. ID information and official documents - your identification information, including your national identification number, ID Card, passport, the registration certificate on Romanian;
3. Performance review and employee assessment, including the independence in relation to BRD and companies from SG Group - information related to your professional assessment processes you may go through, fulfilment of the independence criteria, conflict of interest;
4. Details on the professional experience (CV), information on the studies, diplomas/professional certificates or approvals issued by the regulatory authorities;
5. Data and information on the good repute, honesty and integrity (criminal, administrative or civil procedures, convictions for criminal offence, disciplinary sanctions or measures, investigations, measures or sanctions enforced by a competent authority, regulatory or professional body for the failure to comply with any relevant provisions regulating the banking, financial activity regarding securities or insurance, rejection of the registration, authorization, membership or license or revocation, withdrawn of the authorization/licence by a regulatory body, a public body or by a professional body or association, information on fire or suspension from an administrator position, from a fiduciary or similar relation, registration on defaulting debtors lists, negative records with credit registers or an enforcement procedure, information on any investments, large exposures and/or loans contracted);
6. Video or static image if the GSM is organised to the Bank headquarter and you are present in person;
7. Voice if and you are present in person to the GSM;
8. Details regarding the number of mandates.

We may also collect and process other type of Personal Data about you: record of criminal record and fiscal record.

• According to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/ ("GDPR" or "RGPD"), aplicable starting on May 25, 2018.

• The processing of data personal refers to any type of activities (such as the collection, storage, use, transfer, erase and disclosure of personal data) which can bring to you or other determined person.

1

1. INFORMATION WE MAY COLLECT ABOUT YOUR HUSBAND/WIFE, RELATIVES AND RELATED PERSONS UP TO THE IVth GRADE INCLUSIVE AND OTHER AFFILIATED PERSONS

We may also process personal data of your husband/wife, relatives and related persons up to the IV th grade (e.g., children, spouse, other relatives) and other affiliated persons, including data as the surname, first name, address, telephone, email, functions held for legal purposes or to verify potential conflicts of interests.

For this purpose, you undertake the liability to inform your husband/wife, relatives and related persons up to the IV th grade inclusive and other affiliated persons on the processing of such types of data, in accordance with the information herein provided.

1. WHAT LEGAL BASIS DO WE HAVE FOR USING YOUR PERSONAL DATA

In the context of processing your Personal Data, we act as Data Controller.

Generally, we process your Personal Data on the basis that it is necessary to asset your candidature and to comply to the legal obligation that we have.

IV. WHY WE COLLECT YOUR PERSONAL DATA AND JUSTIFICATION OF USES

PURPOSE

JUSTIFICATION

For the selection and assessment process of your candidature to the position of member of the Board of Directors of the Bank.

To verify how you comply with the Ethics Code of the Bank and/or BRD Group, the internal procedures and the legal and prudential regulations, we may conduct verifications, monitoring, unannounced controls, investigations, audit missions, in which we may:

• access any other data which may be deemed necessary for the selection and assessment process of the candidate (statements of interest, professional assessments, references from the previous employers, statements of independence, other dates from public bases, provided by you in the selection and assessment process or by the shareholder who proposed you as candidate.

Meeting our general legal obligations, including the transparency obligations - such as providing informing the shareholders, the Nomination Committee, the Board of Directors, the authorities, the Official Gazette on the name, locality of domicile and professional qualification.

legal obligation stipulate by Emergency Ordinance No. 99 on Credit Institutions and Capital Adequacy, NBR Regulation no. 5 of 2013 on prudential requirements for credit institutions, NBR Regulation no. 12 of 2020 on the authorization of credit institutions and changes in their situation, Companies Law 31/1990, Law 24/2017 on issuers of financial instruments and market operations, Regulation no. 5/2018 on issuers of financial instruments and market operations (such us to enable us to verify you compliance with the legal provisions for the nomination as member of the board of Directors of a

credit institution, professional experience, honesty and integrity, the number of the mandates hold in the same time);

legitimate interest (to enable us to verify you compliance with the legal provisions and internal policy, e.g. to prevent and detect frauds and conflict of interest cases, to detect conflict of interest, to verify the transparency, honesty and integrity);

2

1. WHERE WE COLLECT YOUR PERSONAL DATA FROM

We obtain your Personal Data primarily from you. Additionally, we may obtain your Personal Data as follows:

1. public databases / Internet search engines (professional and social background data, e.g. in case of suspicions in respect of conflict of interests), (ii) BRD and Société Générale (background data, especially if you had previous employment with them), other subsidiaries of BRD Group / Société Générale (iii) public authorities / entities or private businesses (e.g., incidents, audit, information requests, former employer's recommendations, standard reputation letters comprising reference to your conduct and professional level, identification data and sanctions when such is expressly required by BNR/FSA for approving your position),

1. other employees/future employees/Executive Officers/Directors of the Bank/Group, if they declare to be related to you, in order to prevent conflict of interests.

VI. WHO DO WE PASS YOUR PERSONAL DATA TO AND JUSTIFICATION OF USES

RECIPIENT		ROLE
Shareholders, the	Nomination	legal obligation;
Committee,	the	Board	of
Directors,	Regulatory	and
supervisory	authorities,	the
Official Gazette, other relevant
authorities,

VII. WHEN DO WE SEND YOUR PERSONAL DATA ABROAD?

As a general rule, we process your personal data in Romania or in countries belonging to the European Economic Area (EEA).

VIII. FOR HOW LONG DO WE KEEP YOUR DATA?

We keep records of your data for no longer than is necessary for the purpose for which we obtained them and any other permitted linked purposes (so, if Personal Data is used for two purposes we will retain it until the purpose with the latest period expires; but we will stop using it for the purpose with a shorter period one that period expires).

IX. UPDATING YOUR PERSONAL DATA

We make reasonable efforts to ensure that your Personal Data are accurate. In order to assist us with this, please notify us any changes of your Personal Data that you have provided to us, by contacting investor@brd.ro.

1. YOUR RIGHTS ON PERSONAL DATA PROCESSING

According to the Law, you benefit from the following rights concerning the personal data processing that We perform:

1. Right to access your personal data: you may obtain from Us the confirmation that We process your
   personal data, as well as information regarding the specific nature of the processing, such as: tthe purpose of the processing, the categories of personal data processed, the data recipients, the period for which the data are kept, the existence of the right to rectification, erasure or restriction of processing. This right allows you to obtain a free copy of the processed personal data, as well as any other extra copies, for a fee.
2. Right to rectification: you may ask Us to have inaccurate Personal data rectified and incomplete Personal data completed.

3

1. Right to erasure: you may ask Us to erase your personal data when: (i) the data are no longer necessary for the purposes for which We have collected and processed them; (ii) you have withdrawn your consent and We can not process them on other legal ground; (iii) the personal data are unlawfully processed, respectively (iv) the personal data have to be erased for compliance with the relevant legislation.
2. Consent withdrawal: you may, at any time, withdraw your consent regarding the processing of your personal data, data processed on a consent basis.
3. Right to object: you may object, at any time, to the processing of personal data for marketing purposes, including profiling for the same purpose and you may also object to processing based on Bank's legitimate interest, for reasons related to your specific situation.
4. Right to restriction of processing: you may request to restrict the processing of your personal data
   if: (i) you contest the accuracy of the personal data, for a period enabling Us to verify the accuracy of the personal data; (ii) the processing is unlawful and you refuse the erasure of the personal data and request the restriction of their use instead; (iii) the data is no longer necessary for the purposes of processing, but you require them for exercise or defence of legal claims; respectively (iv) if you have objected to the processing, pending the verification whether the legitimate grounds of the Bank as data controller override those of the data subject.
5. Right to data portability: you may ask us to furnish you your personal data that you have provided us in a structured, commonly used and machine-readable format (e.g. CSV format). Should you expressly request us, We can send your personal data to another entity, if possible from a technical point of view.
6. Rights related to automated decisions that We adopt in our business: for details, please see Section "Automated Individual Decisions" above. The rights attached to automated decisions that We adopt in our activity: for details, please check, "Automated Individual Decisions" above.
7. Right to file a complaint with the Supervisory Authority: you have the right to file a complaint with the Supervisory Authority if you consider that your rights have been infringed.
   National Authority for Supervision of Personal Data Processing (ANSPDCP)
   B-dulG-ral. Gheorghe Magheru 28-30, Sector 1, cod postal 010336, Bucharest, Romania

www.dataprotection.ro

FOR THE EXERCISE OF THE ABOVE-MENTIONED RIGHTS, ITEMS 1 - 8, YOU MAY CONTACT US USING THE CONTACT DATA REFERRED TO IN SECTION CONTACT.

IX. CONTACT

If you have any queries regarding this Notice and/or you wish to exercise your rights in relation to the processing of the personal, please use the contact details set out below:

• Attn: BRD Data Protection Officer (PDPO)
• Contact Address: 1-7 Ion Mihalache Blvd., TURN BRD District 1, postal cod 011171, Bucharest, Romania
• E-mail:dataprotection@brd.ro

4