National Bank of Greece S A : DATA PRIVACY NOTICE ON THE PROCESSING OF PERSONAL DATA OF THE SHAREHOLDERS AND OTHER PARTICIPANTS TO THE REMOTE SHAREHOLDERS MEETING OF THE NATIONAL BANK OF GREECE

NATIONAL BANK OF GREECE S.A

ΑΝNUAL GENERAL MEETING OF SHAREHOLDERS

30 July 2021

DATA PRIVACY NOTICE ON THE PROCESSING OF PERSONAL DATA OF THE

SHAREHOLDERS AND OTHER PARTICIPANTS TO THE REMOTE SHAREHOLDERS MEETING OF THE NATIONAL BANK OF GREECE

The societe anonyme under the name "National Bank of Greece S.A." which has its registered head office in Athens (86 Aiolou Str.). VAT No.: 094014201, Tax Office : Athens Tax Office for Commercial Companies (FAE Αthinon), General Commercial Registry (GEMI) No.: 237901000 (hereinafter referred to as the "Bank"), in its capacity as the controller of personal data in the context and in compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter referred to as "General Data Protection Regulation" or "GDPR"), the Law 4624/2019 and in general according to currently applicable legislation in force with regard to the protection of personal data, shall hereby provide the following update on the processing necessary of the personal data of the natural persons who are or were registered shareholders of the Bank, of those who have the capacity of the shareholder of the Bank, of their representatives as well as of the pledged creditors of the shares, anyone who has voting right over the shares, and in general derives or/and exercises rights over the shares of the Bank, their representatives, of those who exercise the voting right by representing legal entities as well as of those who participate, under any capacity, to the Annual General Meeting of Shareholders that will take place remotely in real-time via teleconference on 30 July 2021, as well as any repeat meeting thereof (hereinafter, for the purposes of the present, all the above categories of natural persons will be jointly referred to as "Shareholders" and each of them as "Shareholder").

In addition, the Bank, through this supplementary information, informs, in the capacity of the controller, in accordance with the GDPR, the Law 4624/2019 and the other provisions on the protection of personal data, the natural persons other than the Shareholders, who will participate in teleconference (video conference) of the remote General Meeting, such as Members of the Board of Directors of the Bank, executives of the Bank, auditors and other third parties,that it processes the respective personal data, which are collected directly by the data subjects in

question, for the purposes of the legitimate interests pursued by the Bank for said processing.

It shall be noted that processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The Bank, as the issuer of the shares, legally processes the personal data of the Shareholders, under the aforementioned capacities, always for legitimate and fair purposes, following the principles of the fair and transparent processing, applying the appropriate technical and organizational measures, in compliance with the requirements of the GDPR as well as the current legal framework, always having as a guide and primary concern the safeguarding and protection of personal data and the fundamental rights of data subjects.

Following the above, the Bank, in compliance with the principle of transparency, is currently informing the Shareholders about the terms of processing of personal data concerning them.

(I) Which personal data the Bank collects and processes

The personal data of the Shareholders which are collected and processed by the Bank in the context of the operation and service of the shareholder capacity and in order to carry out the tasks required under the shareholder relationship are the most necessary, adequate,relevant and limited to what is necessary in relation to the purposes for which they are processed.

Indicatively the main categories of personal data concerning the Shareholders and which the Bank processes for legitimate purposes of processing, are the following:

1. Data and identity documents, such as name and surname, father's name, spouse' s name, date of birth, number and copy of identity card or passport or other equivalent document, tax identification number (A.F.M.), competent Tax Authority (D.O.Y.), country of tax residence, any special tax treatment, profession/activity, citizenship and other demographic data.
2. Contact information such as postal and e-mail address(email), fixed andmobile telephone number.
3. Bank account number.
4. Number and type of shares.
5. Investor Record Code Number in the Dematerialized Securities System (DSS), Securities Account with the Dematerialized Securities System (DSS), Number of
   Shareholder's Registry.
6. Correspondence and communication data.

1. Data relating to the capacity under which the Shareholder participates to the General Meeting of the Bank and the relevant supporting documentation, details of the shares and of any rights they hold on such shares, information regarding any trading activity of shares.
2. Data relating to the participation and the exercise of the voting right of the Shareholder in the General Meeting of the Bank, information regarding any requests addressed to the Bank, signature of the Shareholders and in general any information in the context of implementing the current rules on financial instruments markets.
3. Audio data (audio recording) in case the Shareholder takes the floor during the General Meeting.

The above personal data are collected either directly from the Shareholders for the performance of tasks concerning them - who shall take care for the update of their personal information, so that the Shareholders' Registry remains update up-to-date and accurate -either from third persons authorized by the Shareholders, either from the societe anonyme under the name "Hellenic Central Securities Depository S.A.", which, at its capacity as operator of the Dematerialized Securities System (DSS), keeps the details of identification of the Shareholders as well as other information related to the Bank's shareholder structure, any transactions on the shares and are provided to the Bank through electronic records, according to the provisions of the legislation in force and the Regulation of the Dematerialized Securities System (DSS).

The Bank, hereby notifies the Shareholders that, for reasons of participation to the remote Annual General Meeting of the Shareholders of the Bank, or any adjournment or repeat meeting thereof, will be collected and processed either by the Bank either by the societe anonyme under the name "Hellenic Central Securities Depository S.A.", processor on behalf of the Bank, to which the Bank has assigned the organization of any remote General Meeting, the codes of process of the Shareholders in the online platform https://axia.athexgroup.gr/, through which they will have the possibility to participate and vote remotely in the General Meeting (hereinafter referred to as the "Online Platform"). Furthermore, the Bank informs the Shareholders that, according to article 131 (way of voting in the General Meeting) par. 2 of Law 4548/2018, the remote voting is obvious and the exercise of the right to vote by the Shareholder and the content of his/her vote, if requested, may be communicated to the other participants in the General Meeting, Shareholders.

At the same time, the Bank, proceeds with the processing of the following data of the natural persons other than the Shareholders, who will participate in teleconference (video conference) of the remote General Meeting, such as Members of the Board of Directors of the Bank, executives of the Bank, auditors and other third parties, which are collected directly by the data subjects in question, for the purposes of the legitimate interests pursued by the Bank for that processing:

1. Identification data, such as name, surname, father's name, identity card, passport or other equivalent document.
2. Data relating to the capacity under which such persons are entitled to participate to the General Meeting.

1. E-mailaddress (email), mobile telephone number, in order for the natural person to participate to the teleconference.
2. Data image -sound (video) from the participation of the natural person to the General Meeting.

(II) Which are the purposes of processing of personal data

The Bank collects the personal data of the Shareholders and other natural persons that will participate in the General Meeting, as above mentioned, and in general processes them, for the fulfillment of legitimate purposes of processing and always according to valid legal basis which establish the lawfulness of the processing.

Specifically,the Bank processes the personal data of the natural persons in order:

1. To identify them.
2. To communicate with them.
3. To verify the possibility and legality of exercising Shareholders' rights, according to the relative legislation and moreover to facilitate the Shareholders to exercise their rights, according to the law (indicatively exercise of the right of participation and voting right and in general exercise of the rights of the Shareholders in the General
   Meetings, shareholder confirmation, drawing up a shareholders' list, keeping minutes of the General Meeting, participation to corporate actions, dividend distribution).
4. To facilitate the settlement of corporate actions (e.g. dividend distribution, share capital increase etc), to disclose transactions of liable individuals to the Athens Stock
   Exchange, to monitor transactions on the Bank's shares.
5. To perform the Bank's contractual obligations towards the Shareholders (i.e. dividend distribution) and in general to fulfill the Bank's obligations towards the
   Shareholders.
6. To comply with legal obligations.
7. To fulfill and support legal rights, to protect and service the legitimate interests of the Bank (such as in case of legal claims of the Bank), except where such interests are overridden by the interests or fundamental rights and freedoms of the data subjects which require protection of personal data.
8. To fulfill the obligations arising from provisions of tax legislation and other compulsory provisions.
9. To manage and maintain the Shareholder Register, in accordance with the applicable legal provisions.
10. To perform over the counter transfers of the shares.

1. To publish acts and information of the Bank in the General Commercial Registry (G.E.M.I.), the Athens Stock Exchange or on the website of the Bank, as required by law.
2. To respond to requests of the Shareholders, carry out requests of the Shareholders in connection with the services provided by the Bank (e.g. issuance of certificates), to provide replies and clarifications to specific inquiries or requests addressed to the Bank by the Shareholders.
3. To keep an archive of the Bank's shareholders.

(III) To whom may access to above personal data be awarded

Access to the personal data of the above natural persons shall be awarded only to the Bank' s employees,within the range of their responsibilities and in the exercise of the duties assigned to them and specifically those who are responsible for Shareholders' identification and for reviewing the lawful exercise of their rights.

The Bank shall not transmit or disclose the personal data except in case to:

1. Natural persons and legal entities, to which the Bank assigns the execution of certain tasks on its behalf, such as, inter alia, to providers of technical and support services, database management companies, file storage and recordkeeping companies, postal services providers, providers of services related to the development, maintenance and customization of IT applications, e-mail services providers, companies providing webhosting services (including cloud services), in general to providers of services, to lawyers, law firms, accountants, chartered accountants or audit firms, to external advisers and collaborators of the Bank.
2. The societe anonyme under the name "Hellenic Central Securities Depository
   S.A.", to which the Bank has assigned, as the processor on behalf of the Bank, the organization of the remote General Meeting as well as any sub-processors (further processors) the processing for the societe anonyme under the name "Hellenic Central Securities Depository A.E." (such as the company Cisco Hellas S.A., which provides the WEBEX tool / services team with which video conference is provided through cloud services) which is maintained within the European Economic Area (E.E.A.), as well as anyone else who performs the processing (processor) on behalf of the Bank, to which the Bank entrusts the organization of any remote General Meeting as well as any sub-processor (further processor) the processing for the above processors..
3. Supervisory, audit, tax, independent, judicial, police, public and/or other authorities and bodies within the scope of their statutory tasks, duties and powers (indicatively Bank of Greece, European Central Bank, Hellenic Capital Market Commission, Athens Stock Exchange, Hellenic Central Security Depository, Anti- Money Laundering Authority, Deposits and Loans Funds, General Commercial Registry).
4. Other Shareholders of the Bank, as appropriate, in accordance with the law.
5. Other companies which belong to the Group of the Bank.