PERSONAL DATA PROTECTION POLICY AT SMN

Applicable to: SpareBank 1 SMN - all employees, all trade union representatives and all persons who have access to and/or process and manage personal data through SMN's ICT infrastructure, as well as group companies insofar as appropriate
Basis in law: Personal Data Act and GDPR Art. 5 and Art. 24
Responsible for compliance: CEO in the persons of group management directors
Responsible for updates/revision: Responsibility delegated to the Data Controller
Level of protection: Open
Version: 3.1
Established: 23.11.2017
Most recent update: 02.12.2021
Considered by board of directors: 04.12.2021, 04.02.2021, 05.03.2019, 18.12.2017

Revision history

Date | Version | Change | Approved by | Author
22.11.17 | 1.0 | Guidelines established for personal data protection | Board of directors | Nina Marie Grinde
23.01.19 | 2.0 | Aligned with new Personal Data Act, incl. GDPR, and 'Guidelines' replaced with 'Policy' | Board of directors | Åshild Margrethe Revhaug
27.01.2021 | 3.0 | Addition of formal roles in the SB1-alliansen collaboration | Board of directors | Åshild Margrethe Revhaug
15.11.2021 | 3.1 | The delegated data controller has responsibility for policy updates and revisions | Board of directors | Åshild Margrethe Revhaug

Contents

Introduction
  Background
  Purpose
  Policies, standards and procedures
  Relevant legislation in the data privacy sphere
Central requirements on the processing of personal data
Security objectives
Organisation and responsibility structure
  Board of directors
  Group CEO
  Delegated data controller
  All group management directors
  Data protection officer
  Legal Services
  Policy compliance
  Risk Management
  All employees
  Collaborative forums in Sparebank 1-alliansen
    'Felles bestiller'
    'Kunderåd Marked (KRM)'
    'Kunderåd IT' (KRIT)
Strategies to ensure policy compliance
  Record of processing activities
  Training
  Risk assessment
    5.3.1 Data protection impact assessment (DPIA)
  Good and timely attention to customers' rights
  Controls
  Systematic follow up of undesired events and discrepancies
  Data processors and outsourcing of activities
  Reporting
Available documentation
Annex 1 Policies
Procedures and guidelines

1. Introduction

1.1 Background

The Personal Data Act implements Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (hereafter abbreviated to GDPR). The Act and the Regulation entered into force on 20 July 2018. The Regulation is designed to protect the individual's data privacy against violation through the processing of personal data and to ensure protection of the individual's fundamental rights and freedoms.

SpareBank 1 SMN ('SMN' or 'the bank' in the following) processes personal data related to customers and employees. The same is true of group companies.

1.2 Purpose

This policy forms part of the governance element of the internal control system, identifies overall requirements and obligations on the processing of personal data, and describes the in-house organisation set-up and the responsibility and authority structure.

The bank is dependent on the trust and confidence of its customers, shareholders and investors, partners and supervisory authorities and other stakeholders in order to maintain and expand its own market position. The bank must therefore ensure that personal data are

handled in a confidence-inspiring and safe manner, in conformity with applicable rules.

Using a systematic and risk-based approach, the overall purpose of the work on data privacy at SMN is to:

- ensure the protection of data subjects' (customers and others) personal data
- support the management of the business by ensuring that the bank at all times has control over its processing of personal data
- protect SMN's reputation through correct handling of personal data
- ensure compliance with the Personal Data Act and the GDPR

1.3 Policies, standards and procedures

This policy should be viewed in conjunction with other policies, guidelines, standards and procedures of the bank and of SpareBank 1-alliansen in general. See Annex 2 to this policy.

1.4 Relevant legislation in the data privacy sphere

The processing of personal data at SMN is regulated by a number of acts and regulations. Among the most central ones are:

- The Personal Data Act of 15 June 2018 No. 38, to which is annexed the General Data Protection Regulation (GDPR) of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

  o Regulations on the use of electronic mailboxes and other electronically stored material
  o Regulations on camera surveillance in undertakings
  o Financial Supervision Act
  o Financial Institutions Act
  o Regulations on the use of information and communication technology (ICT regulations)
  o Financial Contracts Act
  o Regulations on risk management and internal control
  o Anti-Money Laundering Act with regulations
  o Marketing Act

2. Central requirements on the processing of personal data

In order to achieve its objectives, the bank must ensure that anyone who handles or processes personal data at or on behalf of SMN contributes to ensuring that personal data:

- are processed in a lawful, fair and transparent manner

- are only collected for specified, explicit and legitimate purposes and are not further processed in a manner that is incompatible with those purposes
- are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)
- are accurate and kept up to date
- are processed in such a way that it is not possible to identify the data subjects for longer than is necessary
- are processed in a manner that ensures information security and the security of personal data

SMN shall:

- maintain records of the data that are processed

- maintain an overview of the responsibility and authority structure in the bank as regards the processing of personal data
- maintain an overview and knowledge of regulatory requirements on the processing of personal data, including requirements on the legal basis for processing, fulfilment of quality requirements, compliance with the information requirement, and the right of access to and rectification or erasure of personal data
- have established appropriate and practical procedures that describe how the day-to-day handling of personal data should proceed and be secured in order to ensure the confidentiality, integrity and availability of the data
- have established control procedures that provide information on whether established measures and procedures are adhered to
- have in place processes that ensure regular assessment of any need for new measures or changes to existing measures and procedures
- at all times have in place a data protection officer as part of the bank's internal control function
- ensure that the data protection officer becomes involved in an appropriate and timely manner in all matters concerning the protection of personal data; SMN shall in such instances ensure that the data protection officer's advice and assessments are heard and taken into consideration
- support the data protection officer in the performance of his/her tasks by providing the resources and accesses necessary to perform those tasks

3. Security objectives

SMN's processing of personal information shall be in conformity with regulatory, in-house and contract law requirements regarding information security. Personal data and other information worthy of protection shall be assessed, classified, handled and secured in a satisfactory manner through physical, technical and organisational measures such that data privacy is not violated.

Confidentiality

Personal data and other information worthy of protection that is processed at SMN shall be protected against unauthorised access. Personal data shall be processed confidentially and may only be shared with other staff members to the extent necessary for the performance of their duties. Personal data relating to the bank's own employees may only be processed by a person who needs the data for the performance of his/her duties.