Terms and Conditions of Personal Data Processing (Privacy Policy)

This Privacy Policy is intended to give a brief summary of scope, purposes and form of personal data processing by
Equa bank a.s. Id. No. 47116102 (hereinafter the “Bank”). Applicant for a bank product or client is informed about terms
and conditions of its personal data processing upon submitting contact form, application for a bank product, or upon
signing of a contract on provision of bank products and services. Terms and Conditions of Personal Data Processing are
published on Bank´s website at www.equabank.cz, and on its branches.

Purposes of Personal Data Processing

The Bank collects and processes personal data in the sense of Act No. 101/2000 Coll., on personal data protection, as
amended,

• for the purposes of negotiating and administration of a contractual relationship, identifying the applicant, and
assessing the applicant’s creditworthiness (in case of a loan product),
• for compliance with the obligations arising from relevant regulation (particularly Act no. 21/1992 Coll., on banks,
Act no. 253/82008 Coll., on selected measures against legitimisation of proceeds of crime and financing of
terrorism),
• for its internal needs (risk evaluation, protection of Bank´s rights, monitoring of quality of services).
Such processing of personal data is carried out within the performance of the statutory duties of the Bank as a personal
data controller. Provision of personal data for the abovementioned purposes is voluntary, but is unavoidable for
performance of a contractual relationship.

Further, personal data are processed for business purposes such as informing about new products and services of the
Bank and, as the case may be, of third party products, relevant in connection with bank services. Such personal data
processing is only allowed upon client’s approval.

Scope of Personal Data Processed by Bank

The Bank processes personal data in the scope of the information provided by the applicant or client, including any third-
party personal data provided in the documents for the approval of a bank product or service. In general, the Bank
processes the following personal data: name, surname, title, date of birth, birth number, permanent residence address,
ID card number, number of passport or other similar document contact address, mobile telephone number, e-mail
address, profile photograph and other similar information.

The Bank shall store the personal data for the period stipulated by law, i.e. 10 years after the termination of the
contractual relationship. If no contractual relationship is established, the Bank maintains personal data for the period
specified in a consent, or for the period specified in the Information Memorandum of the client Information Bank and
Non-Bank Registers and in the Advice on Registers of the SOLUS Association, or, if not expressly specified, for a period
appropriate for the respective purpose of processing.

Protection of Personal Data, Processing by Third Parties

Personal data are under continuous physical, electronic and procedural control of the Bank, protected by up-to-date
technological means against unauthorized access or transmission, loss or destruction. All persons who have access to
the personal data are bound by a non-disclosure obligation. Further, client information is classified as a bank secret.

The personal data shall be processed directly by the Bank or other specialised external entity both in the Czech Republic
and abroad (e.g. a person authorised by the Bank to perform its contractual obligations or statutory duties, including
enforcement of the rights under contractual relationships with clients, a person with whom the Bank negotiates the
assignment of receivables from the client or the assumption of the Bank’s obligations vis-à-vis the client, or a person with
whom the Bank negotiates in relation to the provision of bank products to clients) which also provides sufficient and
credible guarantees of the technical and organisational arrangement of personal data protection. The data shall be
processed in technically and physically secured electronic information systems.

The Bank shall publish a list of persons with whom the Bank negotiates in relation to the provision of bank products to
the clients, in each case with specification of the relevant purpose for the transfer and processing of the personal data,
as well as any change in the list, at its branches and on its website at www.equabank.cz. This shall in no way prejudice
the Bank’s responsibility to the clients in relation to the processing of personal data by third parties set out in this
document. Personal data of a natural person may be disclosed under certain conditions to governmental authorities
(courts, police, notaries, tax authorities, etc., within the performance of their statutory competence) or the Bank may
provide them directly to other banks within the scope stipulated by a special law or through third parties established with
a view to keeping client registers.

Clients Rights with Respect to Personal Data

The client has right to access (for a fee set out on the Bank’s website) its personal data collected by the Bank, as well as
other rights stipulated in Section 21 of Act No. 101/2000 Coll., on personal data protection, especially of its right to
request explanation and correction of inaccuracies.

Clients who require more information about data processing by the Bank, who have wish to update or correct their
personal data of who wish to revoke their previously given consent are invited to:

• visit any Bank branch,

• send an e-mail to the address: customer.service@equabank.cz,
• contact Customer Services Center: 222 010 222,
• send a letter to Equa bank a.s., Karolinská 661/4, Praha 8 – Karlín, PSČ 186 00.