INFORMATION ON DATA PROCESSING RELATING TO OTP BANK PLC.'S ANNUAL GENERAL AND EXTRAORDINARY GENERAL MEETINGS

The data processing is carried out in accordance with the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.

By signing the Letter of Consent the person affected voluntarily agrees and authorizes the OTP Bank Plc. - relating to the annual and extraordinary General Meetings of the OTP Bank Plc. - to process his/her personal data determined in this Prospectus in the manner, for the purpose and for the duration specified herein, moreover acknowledges that the OTP Bank Plc. is fulfilling its statutory obligation and processes the personal data contained in the register of shareholders as it is detailed below.

The features of the data processing based on this Prospectus are summarized in the following chart:

Data processing no. 1: Attendance Sheet of the General Meeting

AIM OF THE DATA PROCESSING

Documenting attendance at the General Meeting / fulfilling a legal obligation

LEGAL BASIS OF THE DATA PROCESSING AND DATA FORWARDING

Pursuant to section 6 (1) (c), processing is necessary for compliance with a legal obligation to which the controller is subject

Act V of 2013, Section 3:274. (1), (2)

Section 3:274. (1) An attendance sheet shall be prepared about the shareholders appearing at the general meeting, indicating the name and residence or registered office of the shareholder, the number of its shares and the number of votes it holds as well as any changes to the identity of the persons who are present at the general meeting.

Data processor forwards the data to the Company Registry Court of the Budapest Metropolitan Court as follows:

Act V of 2013, Section 3:278. (4)

3:278. (4) The Board of Directors of the public limited company is obliged to submit the minutes of the general meeting and the attendance sheet to the court of registry within 30 days from the end of the general meeting.

SCOPE OF PROCESSED DATA

In case of shareholders (natural person or legal person, in case of individual entrepreneur): name, address / in case of individual entrepreneur registered office, identifier, personal identifier (only in case of natural persons), number of shares, number of votes, number of voting terminal, signature;

In case of a representative (proxy of a natural person shareholder / representative of a legal person shareholder): name, address, personal identifier, signature;

DURATION OF DATA PROCESSING

(For) As long as the Bank exists.

Act V of 2013, Section 3:278. (3)

3:278. (3) The Board of Directors of the company limited by shares is obliged to place and keep the minutes of the general meeting as well as the attendance sheet among its own documents.

Data processing no. 2: Production and transfer of shareholder register general meeting export files to Conet Kft. as data processor in order to conduct the General Meeting with a wireless voting system

AIM OF THE DATA PROCESSING

The data contained in the register of shareholders shall be used and transferred in the General Meeting of the OTP Bank Plc. in order to ensure the exercise of shareholders' rights and obligations.

LEGAL BASIS OF THE DATA PROCESSING AND DATA FORWARDING

Pursuant to section 6 (1) (c), processing is necessary for compliance with a legal obligation to which the controller is subject

Act V of 2013, Section 3:19.

Section 3:19. [Decision-making]

(1) The members or founders bring their decisions by voting on the meeting of the decision-making body.

Data controller forwards the data to Conet Kft. as data processor as follows:

SCOPE OF PROCESSED DATA

In the case of shareholders (natural person or legal person if it counts as individual entrepreneur): name, address / in the case of individual entrepreneurs registered office, identifier, personal identifier (only for natural persons), number of shares, number of votes

In the case of a representative: (proxy of a natural person shareholder / representative of a legal person shareholder): name, address, personal identifier

In case the share has more than one owner, the details of both the owners and the common representative, according to the above.

DURATION OF DATA PROCESSING

(For) As long as the Bank exists.

Act V of 2013, Section 3:245. [Definition of register of shareholders]

(1) Companies limited by shares shall keep a register of shareholders, including holders of interim shares, in which to record the name and the home address or registered office of shareholders, or their proxy in the case of jointly owned shares, the name and home address or registered office of the joint representative, the number of shares or interim shares, and the percentage of control of shareholders for each series of shares.

(2) In the event of any change in the particulars of an issued share, which is also contained in the register of shareholders, the management shall update the register of shareholders accordingly.

(3) The register of shareholders shall be maintained by the management board of the company limited by shares. The management board shall be entitled to subcontract the keeping of the register of shareholders; in the case of public limited companies, it shall be published along with the personal data of the subcontractor.

Data processing no. 3: Minutes of the General Meeting

AIM OF THE DATA PROCESSING

Documenting the General Meeting / fulfilling a legal obligation

LEGAL BASIS OF THE DATA PROCESSING AND DATA FORWARDING

Pursuant to section 6 (1) (c), processing is necessary for compliance with a legal obligation to which the controller is subject

Act V of 2013, Section 3:278. (1)c, (2)

Section 3:278.

(1) The events of general meetings shall be recorded in minutes, containing the following:

c) the names of the chairman of the general meeting, the keeper of the minutes, the person appointed to witness the minutes and the official vote counters.

(2) The minutes shall be signed by the keeper of the minutes and the chairman of the general meeting, and shall be witnessed by an elected shareholder present.

Data controller shall forward the data to the Court of Registry of Budapest Metropolitan Court as follows:

Act V of 2013., Section 3:278. (4)

Section 3:278.(4): The management board of a public limited company shall submit the minutes of the general meeting and the attendance list to the court of registry within a period of thirty days after the close of the general meeting.

SCOPE OF PROCESSED DATA

In case of the chairman of the General Meeting / keeper of the minutes, the elected shareholder witnessing the minutes / name and signature

in case of vote counters and speaking shareholders: name

DURATION OF DATA PROCESSING

(For) As long as the Bank exists

Act V of 2013., Section 3:278. (3)

Section 3:278. (3): The management board of the limited company shall archive and safeguard the minutes of the general meeting and the attendance list among its own documents.

Data processing no. 4: Video and audio recording on the General Meeting

AIM OF THE DATA PROCESSING

The audio and video recording shall be used for the purpose of documenting the General Meeting as official corporate event and for facilitating the keeping of the minutes as well as for projecting the live image of the General Meeting in the press room.

The data contained in the letter of consent shall exclusively be used for the purpose of enabling OTP Bank Plc. to verify the granting of the consent in connection with the above.

LEGAL BASIS OF THE DATA PROCESSING AND DATA FORWARDING

Consent (according to Article 6 (1) a) of General Data Protection Regulation)

Data forwarding shall not occur.

SCOPE OF PROCESSED DATA

Name, address provided in the consent letter, signature;

Audio and video recording

DURATION OF DATA PROCESSING

Until the withdrawal of consent, but for a maximum of 5 years.

Act V of 2013, Section 6:22. [Statute of limitations]

(1) Unless otherwise provided for in this Act, claims shall lapse after five years.

Data processing no. 5: Proxies for the General Meeting

AIM OF THE DATA PROCESSING

Compliance with legal provisions

LEGAL BASIS OF THE DATA PROCESSING AND DATA FORWARDING

Pursuant to section 6 (1) (c), processing is necessary for compliance with a legal obligation to which the controller is subject

Act V of 2013:

Section 3:110. [Participating in the supreme body's decision-making process]

(1) All members of the business association shall have the right to partake in the activities of the supreme body in person or by way of a representative. Unless this Act contains provisions to the contrary, a member may delegate one representative, however, a representative shall be allowed to represent more than one members. The power of attorney for representation shall be fixed in an authentic instrument or in a private document with full probative force.

(2) The voting right of a member in the supreme body of the company is consistent with the members' capital contribution.

Section 3:256. [Shareholder's representative]

A shareholder may appoint a proxy - after being registered in the register of shareholders - to exercise some or all rights of that shareholder before the limited company in his own name and for the benefit of the shareholder.

Section 6:15. [Power of Attorney]

(1) A power of attorney is a unilateral act granting the right of representation. The power of attorney shall be addressed to the agent, the competent authority or court, or any person to whom the agent is authorized to make a legal statement.

(2) A power of attorney shall be subject to formal requirements as prescribed by law for making legal statements on the basis of a power of attorney.

(3) The power of attorney shall remain valid until further notice.

(4) Any waiver of the right to limit or withdraw the power of attorney shall be null and void. Restriction or withdrawal of the power of attorney in terms of a third person shall be effective only if he was aware or should have been aware thereof.

(5) A power of attorney may be granted to a person of limited legal capacity or a person of partially limited legal capacity to represent a competent person.

Data forwarding shall not occur.

SCOPE OF PROCESSED DATA

In the case of natural persons included in the Power of attorney: (principal, proxy, witness): name, address, number of identity document, mother's name, tax identification number, signature

DURATION OF DATA PROCESSING

(For) As long as the Bank exists

Act V of 2013, Section 3:278. (3)

Section 3:278. (3): The management board of the company limited by shares shall archive and safeguard the minutes of the general meeting and the attendance list among its own documents.

1. Data controller, data of the data protection officer

Name of data controller: OTP Bank Plc. (registered seat: H-1051 Budapest, Nádor utca 16.; registry number: 01-10-041585; address: OTP Bank Plc., H-1876 Budapest; e-mail: informacio@otpbank.hu; telephone: (+36 1/20/30/70) 3 666 666; website: www.otpbank.hu)

Name of data protection officer: Gázmár Zoárd (address: H-1131 Budapest, Babér u. 9.; e-mail: adatvedelem@otpbank.hu)

2. Data processing and its purpose:

Data processing no. 1: The identifying data of the shareholder or of the private person acting on behalf of the shareholder shall be marked on the attendance sheet. The data content of the general meeting attendance sheet shall be defined by Ptk (Hungarian Civil Code, in the following Ptk). Applying an attendance sheet is defined in the Ptk. as a mandatory element in case of holding a general meeting.

Data processing no. 2: The preparation and transfer of the shareholder register data file to Conet as data processor. The above personal data shall be used and transferred for the purpose of conducting the General Meeting with a wireless voting system, to ensure the exercise of shareholders' rights and obligations at the General Meeting. The purpose of data processing is to ensure the shareholder rights of shareholders and shareholder representatives, basically their right to vote. On this basis it is ensured that the number and weighting of votes cast for each proposal for a resolution can be clearly established.

Data processing no. 3: The minutes of the General Meeting contain the resolutions passed, motions and the claims made on the General Meeting. The minutes of the General Meeting necessarily contain the names of the General Meeting officials and any shareholders / shareholders' representatives in the event of a question or motion.

Data processing no. 4: Audio and video recording on the session of the General Meeting. General Meeting officials and the shareholders, shareholders' representative making motions, suggestions, questions are going to be recorded, moreover the live image of the General Meeting is going to be projected in the press room.

Data processing no. 5: The registration of the powers of attorney of the General Meeting is necessary in order to determine the quorum of the General Meeting. Based on the shareholder's proxies it is going to be determined and followed how many shareholders and with what voting power are going to participate in the General Meeting either in person or by proxy.

3. Legal basis of data processing:

Data processing no. 1: The attendance list of the General Meeting is a mandatory item defined by the Hungarian Civil Code (in the following: "Ptk") Section 3:274 in the case of general meetings. According to the provisions of Ptk. the legal basis of data processing is to fulfill a legislative obligation determined in section 6 (1) (c) of GDPR, processing is necessary for compliance with a legal obligation to which the controller is subject.

Data processing no. 2: The data processing occurs in order to ensure compliance with the provisions of Ptk. Section 3:19 and Section 3:245. According to the provisions of Ptk. the legal basis of data processing is to fulfill a legislative obligation determined in section 6 (1) (c) of GDPR, processing is necessary for compliance with a legal obligation to which the controller is subject.

Data processing no. 3: The minutes of the General Meeting is a mandatory item defined by Ptk. Section 3:278 in case of general meetings. According to the provisions of Ptk. the legal basis of data processing is to fulfill a legislative obligation determined in section 6 (1) (c) of GDPR, processing is necessary for compliance with a legal obligation to which the controller is subject.

Data processing no. 4: The legal basis of data processing is the consent of the person affected (according to section 6 (1) (a) of GDPR and Section 2:48 of Hungarian Civil Code, Act V of 2013). The consent shall be given by the shareholders and the shareholders' representatives when completing the attendance sheet. In the case of officials, as officials are mandatory elements for a General Meeting session pursuant to Ptk., fulfillment of legislative obligation shall be the legal basis (determined in section 6 (1) (c) of GDPR, processing is necessary for compliance with a legal obligation to which the controller is subject).

Data processing no. 5: The data processing occurs in order to ensure compliance with the provisions of Ptk. Section 3:110 and Section 3:256 and Section 6:19. According to the provisions of Ptk. the legal basis of data processing is to fulfill a legislative obligation determined in section 6 (1) (c) of GDPR, processing is necessary for compliance with a legal obligation to which the controller is subject.

4. Data forwarding

Data processing no. 1: The general meeting attendance sheet shall be submitted in accordance with the provisions of point II.2. e) of Annex 1 of Act V of 2006 on Public Company Information, Company Registration and Winding-up Proceedings (in the following: "Ctv.") and of Section 3:278 (4) of Ptk. to the competent Metropolitan Court.

Data processing no. 2: The data is forwarded in order to fulfill a legislative obligation. Data controller transfers data to Conet Kft. as data processor.

Data processing no. 3: The general meeting attendance sheet shall be submitted in accordance with the provisions of point II.2. e) of Annex 1 of Ctv. and the provisions of Section 3:278 (4) of Ptk. to the competent Metropolitan Court.

Data processing no. 4: Data forwarding does not occur.

Data processing no. 5: Data forwarding does not occur.

5. Data processors

The following data processors will be used for producing facial likeness and recorded voice by the OTP Bank Plc.:

  • BRILL Audio Visual Kft. (repr. by: Mr. Zoltán Éder independently); registered seat: H-1141 Budapest, Komócsy u. 9.; registry number (company reg. number): 01-09-683103
  • KAUS MEDIA Bt. (represented by: Mr. Péter Sorok); registered seat: H-1022 Budapest, Endrődi Sándor u. 7. A. ép. fszt. 3.; registry number (company reg. number): 01-06-710613

The following data processors will be used for processing personal data contained in the registry of shareholders by the OTP Bank Plc.:

  • CONET Számítógép és Hálózatfejlesztő Kft.; registered seat: H-1147 Budapest, Fűrész utca 115.; registry number (company reg. number): 01-09-069422

6. Personal rights aspects of producing facial likeness and recorded voice

According to the Subsection 1 of Section 2:48 of Ptk., facial likeness and recorded voice shall be produced or used only with the consent of the person affected (data subject).

The Data Controller informs the data subject that facial likeness and recorded voice may be produced of him/her, with the consent of the contributor signing it.

In case the person affected does not intend to be captured (facial likeness) or recorded (voice), he/she is entitled to inform the producer of the facial likeness and recorded voice of this at the event.

Moreover, the data controller hereby notifies the person affected that, according to the Subsection 2 of Section 2:48 of Act V of 2013 on the Civil Code, the consent of the relevant person is not required for recording his/her likeness or voice, and for the use of such recording if made of a crowd (in which case the characters in the picture appear as a crowd).

7. Rights and remedies related to the data processing of the person affected (data subject)

The person affected - based on the Articles 12-21 of General Data Protection Regulation - has the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability.

In case of the infringement of the rights of the person affected determined in the General Data Protection Regulation, the person affected has the right to lodge a complaint with the data protection officer (his data is contained in Point 1 of this Prospectus).

As data subject you have the following rights:

Right of access

The Data Subject has the right to become aware of all personal data that OTP Bank Plc. processes concerning you. The Data Subject has the right to get the following information:

  • the purpose of processing;
  • the categories of the personal data processed;
  • the recipients or categories of recipients to whom OTP Bank Plc. disclosed or may disclose the Data Subject's personal data;
  • the envisaged period for which the personal data will be stored;
  • the administrative and judicial authorities, where the Data Subject may lodge a complaint;
  • in respect of personal data that has not been provided by the Data Subject, information on the source from which the personal data originate;
  • where OTP Bank Plc. will also process the Data Subject's personal data for the purposes of automated decision-making, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.

Upon the Data Subject's request, OTP Bank Plc. shall provide a free copy (once) of the personal data processed. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

Please note that OTP Bank Plc. may refuse to make a copy if it would violate the rights and freedoms of others.

Right to rectification

The Data Subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure

The Data Subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.

The Data Subject shall be entitled to initiate the erasure of personal data concerning him in the following cases:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed by OTP Bank Plc.;
  • the Data Subject withdraws the consent granted, and there is no other legal basis for processing by OTP Bank Plc.;
  • the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing other than processing for direct marketing purposes based on legitimate interest;
  • where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing;
  • OTP Bank Plc. has processed the Data Subject's personal data unlawfully;
  • OTP Bank Plc. is required to erase the personal data in order to comply with an obligation imposed on OTP Bank Plc. by law or by a binding legal act of the European Union; or
  • the personal data have been collected in relation to the offer of information society services to children.

OTP Bank Plc. shall be under no obligation to erase personal data in cases where processing is lawful. The data processing is required for the following purposes:

  • for exercising the right of freedom of expression and information;
  • for OTP Bank Plc.'s compliance with a personal data processing obligation imposed on OTP Bank Plc. by law or by a binding legal act of the European Union;
  • for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 (2) as well as Article 9 (3);
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing;
  • for the establishment, exercise or defence of legal claims.

Right to restriction of processing

The Data Subject shall have the right to obtain from OTP Bank Plc. restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the Data Subject, for a period enabling OTP Bank Plc. to verify the accuracy of the personal data;
  • the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • OTP Bank Plc. no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
  • the Data Subject has objected to processing pending the verification whether the legitimate grounds of OTP Bank Plc. override those of the Data Subject.

Right to data portability

You may at any time request that the Data Controller provide your personal data processed on a contractual basis, in a structured, widely used, machine-readable format.

If it is otherwise technically feasible, the Data Controller will transfer the personal data at your request directly to another data controller indicated in your request. The right to data portability under this point does not create an obligation for data controllers to implement or maintain technically compatible data management systems.

In the event that your right to data portability adversely affects the rights and freedoms of others, in particular the trade secrets and intellectual property of others, the Data Controller is entitled to refuse to comply with your request to the extent necessary.

Right to object

The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6 (1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. The personal data shall no longer be processed for such purposes.

The Data Subject may exercise his or her right to object by automated means using technical specifications. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant the Data Subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Enforcement of rights

Data subject may turn to the data controller if he/she feels that his/her personal data are violated by the controller.

Complaints may be addressed to the Hungarian National Authority for Data Protection and Freedom of Information (website: http://naih.hu/; address: 1055 Budapest, Falk Miksa u. 9-11.; postal address: 1363 Budapest, Pf.: 9; phone: +36-1-391-1400; Fax: +36-1-391-1410; email: ugyfelszolgalat@naih.hu). Data subject may turn to other supervisory authority as well corresponding to his/her residential address.

Procedures may be filed regarding the breach of the data processing regulations at the court against the data processor. Data subject may file his/her claim at the Budapest-Capital Regional Court or at the regional court corresponding to his/her residential address. Data subject may access the list of Hungarian regional courts on the following link: http://birosag.hu/torvenyszekek.

Disclaimer

OTP Bank Nyrt. published this content on 13 October 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 13 October 2021 10:41:01 UTC.