NATIONAL BANK OF GREECE S.A.

EXTRAORDINARY GENERAL MEETING OF SHAREHOLDERS

21 April 2021

DATA PRIVACY NOTICE ON THE PROCESSING OF PERSONAL DATA OF THE SHAREHOLDERS AND OTHER PARTICIPANTS TO THE REMOTE SHAREHOLDERS MEETING OF THE NATIONAL BANK OF GREECE

The societe anonyme under the name "National Bank of Greece S.A.", which has its registered head office in Athens (86 Aiolou Str.), VAT No.: 094014201, Tax Office: Athens Tax Office for Commercial Companies (FAE Athinon), General Commercial Registry (GEMI) No.: 237901000 (hereinafter referred to as the "Bank"), in its capacity as the controller of personal data in the context of and in compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter referred to as "General Data Protection Regulation" or "GDPR"), the Law 4624/2019 and in general according to currently applicable legislation in force with regard to the protection of personal data, shall hereby provide the following update on the necessary processing of the personal data of the natural persons who are or were registered shareholders of the Bank, of those who have the capacity of the shareholder of the Bank, of their representatives as well as of the pledged creditors of the shares, anyone who has voting right over the shares, and in general derives or/and exercises rights over the shares of the Bank, their representatives, of those who exercise the voting right by representing legal entities as well as of those who participate, under any capacity, to the Extraordinary General Meeting of Shareholders that will take place remotely in real-time via teleconference on 21 April 2021, as well as any repeat meeting thereof (hereinafter, for the purposes of the present, all the above categories of natural persons will be jointly referred to as "Shareholders" and each of them as "Shareholder").

In addition, the Bank, through this supplementary information, informs, in the capacity of the controller, in accordance with the GDPR, the Law 4624/2019 and the other provisions on the protection of personal data, the natural persons other than the Shareholders, who will participate in teleconference (video conference) of the remote General Meeting, such as Members of the Board of Directors of the Bank, executives of the Bank, auditors and other third parties, that it processes the respective personal data, which are collected directly by the data subjects in question, for the purposes of the legitimate interests pursued by the Bank for said processing.

It shall be noted that processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The Bank, as the issuer of the shares, legally processes the personal data of the Shareholders, under the aforementioned capacities, always for legitimate and fair purposes, following the principles of the fair and transparent processing, applying the appropriate technical and organizational measures, in compliance with the requirements of the GDPR as well as the current legal framework, always having as a guide and primary concern the safeguarding and protection of personal data and the fundamental rights of data subjects.

Following the above, the Bank, in compliance with the principle of transparency, is currently informing the Shareholders about the terms of processing of personal data concerning them.

(I) Which personal data the Bank collects and processes

The personal data of the Shareholders which are collected and processed by the Bank in the context of the operation and service of the shareholder capacity and in order to carry out the tasks required under the shareholder relationship are the most necessary, adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Indicatively the main categories of personal data concerning the Shareholders and which the Bank processes for legitimate purposes of processing, are the following:

  1. Data and identity documents, such as name and surname, father's name, spouse's name, date of birth, number and copy of identity card or passport or other equivalent document, tax identification number (A.F.M.), competent Tax Authority (D.O.Y.), country of tax residence, any special tax treatment, profession/activity, citizenship and other demographic data.
  2. Contact information such as postal and e-mail address (email), fixed and mobile telephone number.
  3. Bank account number.
  4. Number and type of shares.
  5. Investor Record Code Number in the Dematerialized Securities System (DSS), Securities Account with the Dematerialized Securities System (DSS), Number of Shareholder's Registry.
  6. Correspondence and communication data.
  7. Data relating to the capacity under which the Shareholder participates to the General Meeting of the Bank and the relevant supporting documentation, details of the shares and of any rights they hold on such shares, information regarding any trading activity of shares.
  8. Data relating to the participation and the exercise of the voting right of the Shareholder in the General Meeting of the Bank, information regarding any requests addressed to the Bank, signature of the Shareholders and in general any information in the context of implementing the current rules on financial instruments markets.
  9. Audio data (audio recording) in case the Shareholder takes the floor during the General Meeting.

The above personal data are collected either directly from the Shareholders for the performance of tasks concerning them - who shall take care for the update of their personal information, so that the Shareholders' Registry remains up-to-date and accurate - or from third persons authorized by the Shareholders, or from the societe anonyme under the name "Hellenic Central Securities Depository S.A.", which, in its capacity as operator of the Dematerialized Securities System (DSS), keeps the details of identification of the Shareholders as well as other information related to the Bank's shareholder structure, any transactions on the shares and are provided to the Bank through electronic records, according to the provisions of the legislation in force and the Regulation of the Dematerialized Securities System (DSS).

The Bank hereby notifies the Shareholders that, for reasons of participation to the remote Extraordinary General Meeting of the Shareholders of the Bank, or any adjournment or repeat meeting thereof, will be collected and processed either by the Bank or by the societe anonyme under the name "Hellenic Central Securities Depository S.A.", processor on behalf of the Bank, to which the Bank has assigned the organization of any remote General Meeting, the codes of process of the Shareholders in the online platform https://axia.athexgroup.gr/, through which they will have the possibility to participate and vote remotely in the General Meeting (hereinafter referred to as the "Online Platform"). Furthermore, the Bank informs the Shareholders that, according to article 131 (way of voting in the General Meeting) par. 2 of Law 4548/2018, the remote voting is obvious and the exercise of the right to vote by the Shareholder and the content of his/her vote, if requested, may be communicated to the other participants in the General Meeting, Shareholders.

At the same time, the Bank proceeds with the processing of the following data of the natural persons other than the Shareholders, who will participate in teleconference (video conference) of the remote General Meeting, such as Members of the Board of Directors of the Bank, executives of the Bank, auditors and other third parties, which are collected directly by the data subjects in question, for the purposes of the legitimate interests pursued by the Bank for that processing:

  1. Identification data, such as name, surname, father's name, identity card, passport or other equivalent document.
  2. Data relating to the capacity under which such persons are entitled to participate to the General Meeting.
  3. E-mail address (email), mobile telephone number, in order for the natural person to participate to the teleconference.
  4. Image-sound data (video) from the participation of the natural person to the General Meeting.

(II) Which are the purposes of processing of personal data

The Bank collects the personal data of the Shareholders and other natural persons that will participate in the General Meeting, as above mentioned, and in general processes them, for the fulfillment of legitimate purposes of processing and always according to valid legal basis which establish the lawfulness of the processing.

Specifically, the Bank processes the personal data of the natural persons in order:

  1. To identify them.
  2. To communicate with them.
  3. To verify the possibility and legality of exercising Shareholders' rights, according to the relevant legislation and moreover to facilitate the Shareholders to exercise their rights, according to the law (indicatively exercise of the right of participation and voting right and in general exercise of the rights of the Shareholders in the General Meetings, shareholder confirmation, drawing up a shareholders' list, keeping minutes of the General Meeting, participation to corporate actions, dividend distribution).
  4. To facilitate the settlement of corporate actions (e.g. dividend distribution, share capital increase etc), to disclose transactions of liable individuals to the Athens Stock Exchange, to monitor transactions on the Bank's shares.
  5. To perform the Bank's contractual obligations towards the Shareholders (i.e. dividend distribution) and in general to fulfill the Bank's obligations towards the Shareholders.
  6. To comply with legal obligations.
  7. To fulfill and support legal rights, to protect and service the legitimate interests of the Bank (such as in case of legal claims of the Bank), except where such interests are overridden by the interests or fundamental rights and freedoms of the data subjects which require protection of personal data.
  8. To fulfill the obligations arising from provisions of tax legislation and other compulsory provisions.
  9. To manage and maintain the Shareholder Register, in accordance with the applicable legal provisions.
  10. To perform over the counter transfers of the shares.
  11. To publish acts and information of the Bank in the General Commercial Registry (G.E.M.I.), the Athens Stock Exchange or on the website of the Bank, as required by law.
  12. To respond to requests of the Shareholders, carry out requests of the Shareholders in connection with the services provided by the Bank (e.g. issuance of certificates), to provide replies and clarifications to specific inquiries or requests addressed to the Bank by the Shareholders.
  13. To keep an archive of the Bank's shareholders.

(III) To whom may access to above personal data be awarded

Access to the personal data of the above natural persons shall be awarded only to the Bank's employees, within the range of their responsibilities and in the exercise of the duties assigned to them and specifically those who are responsible for Shareholders' identification and for reviewing the lawful exercise of their rights.

The Bank shall not transmit or disclose the personal data except to:

  1. Natural persons and legal entities, to which the Bank assigns the execution of certain tasks on its behalf, such as, inter alia, to providers of technical and support services, database management companies, file storage and recordkeeping companies, postal services providers, providers of services related to the development, maintenance and customization of IT applications, e-mail services providers, companies providing webhosting services (including cloud services), in general to providers of services, to lawyers, law firms, accountants, chartered accountants or audit firms, to external advisers and collaborators of the Bank.
  2. The societe anonyme under the name "Hellenic Central Securities Depository S.A.", to which the Bank has assigned, as the processor on behalf of the Bank, the organization of the remote General Meeting as well as any sub-processors (further processors) the processing for the societe anonyme under the name "Hellenic Central Securities Depository A.E." (such as the company Cisco Hellas S.A., which provides the WEBEX tool / services team with which video conference is provided through cloud services) which is maintained within the European Economic Area (E.E.A.), as well as anyone else who performs the processing (processor) on behalf of the Bank, to which the Bank entrusts the organization of any remote General Meeting as well as any sub-processor (further processor) the processing for the above processors.
  3. Supervisory, audit, tax, independent, judicial, police, public and/or other authorities and bodies within the scope of their statutory tasks, duties and powers (indicatively Bank of Greece, European Central Bank, Hellenic Capital Market Commission, Athens Stock Exchange, Hellenic Central Security Depository, Anti-Money Laundering Authority, Deposits and Loans Funds, General Commercial Registry).
  4. Other Shareholders of the Bank, as appropriate, in accordance with the law.
  5. Other companies which belong to the Group of the Bank.

The Bank has lawfully ensured that any processors of personal data, acting on its behalf, according to the above mentioned, shall meet all requirements and provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that such processing will meet the requirements of the GDPR and in general of the applicable legislative and regulatory framework and ensure the protection of the rights of the data subjects.

In case that transfer of personal data to third countries (i.e. to countries outside the European Economic Area (EEA)) or international organizations is required, such transfer and in general processing shall be subject to compliance with the GDPR and in general the legislative framework with regard to the protection of personal data and only under the condition that requirements shall be met and the provisions of GDPR shall be applied, in order to ensure that the level of protection of natural persons guaranteed by GDPR is not undermined and that sufficient safeguards are provided for the protection of personal data.

(IV) Which is the data retention period

The personal data will be stored/kept by the Bank for the period of time determined by law and in general required by the legal and/or regulatory framework in force or is required for the purposes of legitimate interests of the Bank, for the exercise of claims and for the defense of the Bank in case of litigation, for the pursuit of claims of the Bank as well as for the performance of contractual obligations and in general in accordance with the respective legal basis and the purpose of their processing.

(V) Measures of protection and security of personal data

The Bank has incorporated into its systems, policies and internal procedures all the technical and organizational measures aimed at ensuring the lawfulness, objectivity of processing, transparency, limitation of purpose, minimization, accuracy, storage limitation, integrity and confidentiality and is in full compliance with all principles relating to the processing of personal data of Shareholders and other participants in the remote General Meeting, in accordance with the provisions of the GDPR and the applicable legal framework.

At the same time, the Bank implements the appropriate technical and organizational security measures in its systems and procedures, with the aim of protecting the confidentiality, integrity and availability of personal data as well as protecting personal data against unauthorized or unlawful processing, accidental loss, destruction or damage, alteration, prohibited dissemination or access and in general any other form of unfair processing.

It is further noted that in the context of the remote General Meetings of the Bank, the necessary teleconference is carried out and recorded by audiovisual means (in cases where it is applied in accordance with the above mentioned) by using platforms that support security services, ensuring that the link of the planned teleconference is adequately protected and in general careful study of the terms of use and terms of protection of personal data precedes the selection of the teleconference solution, in full compliance with the GDPR, the Law 4624/2019 and in general the current legislation on personal data protection.

(VI) Which are the rights of data subjects

The data subject has the following rights, according to GDPR, which may be exercised on a case-by-case basis:

  1. Right of access to the personal data concerning the Shareholder, and specifically to know which personal data concerning him/her, are kept and processed by the Bank, their source as well as the purposes of the processing, the categories of the personal data, the recipients or categories of recipients (article 15 of GDPR).
  2. Right to rectification of inaccurate personal data as well as supplementation of personal data, in order to be complete and accurate, by submitting any necessary document which shows the need for supplementation or rectification (article 16 of GDPR).
  3. Right to erasure (right to be forgotten) of the personal data, when inter alia, there is no longer valid purpose of processing, subject to the Bank's obligations and legal rights to retain them, pursuant to the current applicable laws and regulations (article 17 of GDPR).
  4. Right to restriction of processing, among others, when the accuracy of the personal data is contested or the processing is unlawful or the purpose of the processing was eliminated and provided that there is no legitimate reason to retain them (article 18 of GDPR).
  5. Right to data portability of the personal data, by virtue of which the data subject has the right to receive the personal data concerning him or her, which he or she has provided to the Bank, in a structured, commonly used and machine-readable format or has the right to ask to transmit those data to another controller, provided that the processing is based on consent and is carried out by automated means and subject to the Bank's legal rights and obligations to retain the personal data (article 20 of GDPR).
  6. Right to object the processing of personal data concerning him or her on grounds relating to the particular situation of the Shareholder in case the processing is carried out for the purposes of the legitimate interests pursued by the Bank or by any third party or in order to perform a task carried out for reasons of public interest or in the exercise of official authority vested in the Bank (article 21 of GDPR).
  7. Furthermore, the Shareholder, as data subject, has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless special reasons occur according to the legislation in force (article 22 of GDPR).

Furthermore, it shall be noted that the Bank has, in any case, the right to refuse the satisfaction of Shareholder's request if, indicatively, the personal data processing is necessary for the retention of the capacity as shareholder and/or the possession of his/her voting right, for the exercise of his/her rights as the Bank's Shareholder or as person having voting right, as well as in case they are necessary for the establishment, exercise or defense of the Bank's legal rights, the compliance of the Bank with its legal obligations or the fulfillment of the Bank's obligations towards the Shareholders.

The Bank reserves in any case the right to deny the deletion of Shareholder's personal data if such personal data is essential for the purposes of maintaining the archive of the Bank's Shareholders, as well as in any case the processing or retention is necessary for the establishment, the exercise and the defense of the Bank's legal rights or the fulfillment of the Bank's obligations.

For further convenience with regard to exercising the respective rights, the Bank ensures the development of external technical procedures so as to respond promptly and effectively to relevant requests of data subjects.

All requests of the Shareholders regarding personal data concerning them and processed by the Bank and the exercise of their rights shall be dispatched in writing to: "National Bank of Greece S.A., Data Protection Office (DPO Office)" and shall be sent either to the email address dpo@nbg.gr or delivered to any branch of the Bank.

A special form for the exercise of the right of access shall be available at all branches of the Bank.

In case that the data subject assumes that his/her rights are infringed in any way and that the processing infringes the current applicable legislation, he/she has the right to file a complaint with the Hellenic Data Protection Authority (www.dpa.gr), which is the competent supervisory authority for the protection of the fundamental rights and freedoms of natural persons.

(VII) Review - amendment of this update

Based on the respective applicable policy on data protection and in the context of the current legislative and regulatory framework, the Bank may review or amend this update, which shall always be up to date and available on https://www.nbg.gr/en/the-group/investor-relations/general-assemblies.

Disclaimer

National Bank of Greece SA published this content on 16 April 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 16 April 2021 15:31:04 UTC.