This Notification is aimed at advising clients, or potential clients, or other persons (hereinafter: “the
Client”) on collection and further processing of personal data by Banca Intesa a.d. Beograd, 11070
Novi Beograd, Milentija Popovića 7b, Reg. No.
07759231 (hereinafter: “the Bank”), in accordance with the Law on Personal Data Protection.
I. DATA PROCESSING BY THE BANK
1) Informing the Client on conditions of data collection and processing
Conditions of collection and further processing of personal data not presented in this Notification are given in relevant Data Processing Records, publicly available in the Central Data File Register maintained by the Commissioner for Information of Public
Importance and Personal Data Protection, and accessible at the address: http://registar.poverenik.rs
.
The Bank enables the Client to have insight into hardcopies of the said records, or delivers them to the
Client at his/her request.
2) Manner of data collection
The Bank regularly collects personal data from the data subject, and exceptionally data may be collected also from third parties if:

Envisaged by a contract concluded with a data subject;

Envisaged by a law or another regulation passed pursuant to a law;

Necessary concerning the nature of the task;

Related to excessive consumption of time and resources;

Necessary for the purpose of achieving or protecting vital interests of a client, in particular his/her life, health and physical integrity.
3) Particularly sensitive data
Data relating to the following are deemed as particularly sensitive: (a) political party affiliation, (b) trade union membership, (c) health status, (d) receipt of social support, (e) criminal record, (f) gender, (g) religion, (h) ethnicity, (i) race, (j) language, (k) victims of violence and (l) sexual life.
Data specified above shall be processed on the basis of informed consent of the Client, save for data relating to political party affiliation, health status, or receipt of social support, when the law allows the processing of such data without the subject's consent.
The specified data are labelled as “Particularly Sensitive
Personal Data ” and protected by special safeguards.
4) Data excluded from processing
The Bank does not process personal data in the following cases:

When the Client did not give or withdrew his/her consent to personal data processing, and the legal authority for processing data without such consent is missing;

If processing is done for the purposes other than those specified in the Bank’s internal regulations, or database content;

If the purpose of processing is vaguely defined, modified, inadmissible or already achieved;

If the purpose of such processing is achieved
(when the client is still identified or identifiable);

If the means of processing data meanwhile became inadmissible, i.e. if they are not based on a credible source anymore;

If the processed data is unnecessary or unsuitable for the purpose of processing;

If the number or type of data processed is disproportionate to the purpose of processing;

If the data are inaccurate and incomplete, i.e. if not based on a credible source or outdated.
II. Right to notification of data processing
At the request, the Bank informs the Client on the following:

Personal data processing, as follows:
- Whether the Bank processes data on the Client and, if so, which processing operations it performs;
Page 1 of 3

- Which data are being processed;
- Who the data was collected from, i.e. who was the source of data;
- The purposes for which the data is being processed;
- The legal grounds for data processing;
- Which data files contain the data;

Users of the data:
- Who are the users of the data;
- Data and /or types of data that are used;
- The purpose for which such data is used;
- The legal grounds for the use of data;

Transfer on personal data:
- To whom the data are transferred;
- Which data are transferred;
- The purposes for which the data are transferred;
- The legal grounds for data transfer.
III. LEGAL GROUND FOR DATA PROCESSING
1) Client's consent on conditions of collection and processing of data
After the Client is advised on conditions of collection and further processing of data, he/she may provide the Bank with valid consent to carry out processing of personal data:

In writing (as a separate statement or within other document, such as questionnaire, contract, etc.);

Verbally for the record.
Consent may be given through a proxy provided that such must be certified by the competent authority.
For persons incapable of giving their own consent, such consent may be given by their appointed representatives or guardians.
Consent for processing of data on deceased persons may be given by the spouse, children above 15 years of age, parents, siblings, legal heirs, or persons appointed for that purpose by the deceased.
Consent may be withdrawn in writing or verbally for the record.
By giving the consent on conditions of collection and further processing of personal data, the Client entitles the Bank:

To forward his/her personal data to the central database of the Intesa Sanpaolo Group, members of their bodies, shareholders, staff of the Bank, external auditors of the Bank, as well as other persons who must have access to such data because of the nature of their job, and to third parties with whom the Bank has concluded nondisclosure agreement;

To use his/her personal data for its regular business operations and performance of its legal obligations founded in any existing, completed, or future agreement with the Client, including preparation and delivery of offers for other products of the Bank, market researches, customer satisfaction analysis, risk assessment, recording, validation, and updating, as well as analysis and processing of statistical nature;

To process any personal data obtained in accordance w ith the law and the Bank’s internal acts, from the Client or third parties, including those obtained through the Credit Bureau maintained by the Association of Serbian Banks, in conformity with the relevant Data Processing Records within the Central Data File Register accessible at the address: http://registar.poverenik.rs
.
2) Processing of data without client`s consent
The Bank is allowed to process personal data without the Client`s consent only in the following cases:

To achieve or protect vital interests of the Client or a third party;

For the purpose of fulfilling its legal obligations prescribed:
- By a law or other regulation;
- By an enactment adopted pursuant to the law;
- By a contract concluded with the data subject, as well as for the purpose of contract preparation;

In other cases envisaged by Law on Personal
Data Protection, for the purpose of achieving a prevailing justifiable interest of the data subject, the Bank or a user.
Page 2 of 3

IV. CLIENT’S RIGHTS RELATING TO DATA
PROCESSING
1) Right of access data and right to a copy
At the request, the Bank enables the Client to access personal data relating to him/her, as follows:

To review and read the data;

To make notes.
At the request, the Bank obtains the copy of the said data to the Client.
Request for accessing and/or copying data shall be usually submitted in the Bank’s Branch Office, and detailed instructions may be required from the Bank’s
Call Centre: +381 11 310 88 88.
The Bank notifies the Client on time and location where the data may be accessed, in any case not later than 30 days of receipt of an orderly request from the Client.
2) Unacceptable request
If a request is unintelligible or incomplete, the Bank shall instruct the requester to rectify any shortcomings within the adequate deadline.
If the requester fails to rectify shortcomings within the period specified, and if the shortcomings are such that the request cannot be processed, the Bank shall dismiss such request as unacceptable by passing a relevant resolution.
3) Restrictions of Client’s Rights
The Bank may dismiss the Client’s request in the following cases:

If the Client requests information referred to the data already entered in a public register or otherwise made publicly available;

If the Client obviously abuses his/her right to notification, access and copy;

If the Bank has already notified to the Client the information he/she requires, and the data have not changed in the meantime;

If the information relates to anti-money laundering or combating financing of terrorism activities;

If the Bank would be prevented from performing its operations within its scope of activities;

If the provision of such information would significantly prejudice the crime prevention, detection, investigation and prosecution, or a major economic or financial interest of the state;

If the provision of such information would disclose data identified as confidential under any regulation, insofar as the disclosure of such data could seriously prejudice an interest protected by the law;

If the provision of such information would seriously prejudice privacy or a vital interest of the Client or a third party;

During the stay of processing if the processing was stayed on the Client’s request.
4) Client ’s rights upon obtaining access to data
Upon obtaining access to data, the Client has the right to file request to correct, modify, update or deletion of personal data. The request shall be usually submitted to the Bank’s Branch Office on the special form of the Bank, in person or by proxy
(provided that such proxy must be certified by the competent authority).
The Bank shall bring decision on request not later than 15 days of the date of filling orderly request. In case of rejection, the Client has the right to lodge an appeal with the Commissioner for Information of
Public Importance and Personal Data Protection, within 15 days of receipt of such ruling.
NOTE: The Client shall be informed on this
Notification within the Bank’s premises, and he/she may require keeping hardcopy of the Notification.
Page 3 of 3