DATA PRIVACY POLICY FOR PROCESSING BIOMETRICS IN THE CONTEXT OF REMOTE ELECTRONIC IDENTIFICATION OF NATURAL PERSONS WHEN ENTERING INTO A BUSINESS RELATIONSHIP WITH WORLDLINE GREECE

" WORLDLINE MERCHANT ACQUIRING GREECE S.A. » (hereinafter, " Worldline Greece" or the "Company") has as a main priority the protection of the personal data it processes. For this purpose, it constantly complies with the applicable legislation for the protection of personal data.

This Privacy Policy (hereinafter the "Policy") has the purpose of informing you as counterparties of the Company regarding the processing of your biometric data in the context of the process of remote electronic identification of natural persons when entering into a business relationship, as defined in the decision taken in the no. 172/29.5.2020 meeting of the Executive Committee of the Bank of Greece, as well as regarding your rights for this processing. It is noted that any data processing, which is carried out in the context of entering into a business relationship with Worldline Greece, but does not concern the remote electronic identification of natural persons, takes place in accordance with the relevant Personal Data Processing Policy which is available here: Worldline | Privacy Policy

1. Processing Manager

"WORLDLINE MERCHANT ACQUIRING GREECE S.A.", based in Neo Psychiko, Attica, at Messogeion Avenue 253-255 and Riga Feraiou Street 44-46, P.O. 15451, Athens, with VAT.: 800610001, DOU FAE Athens, as legally represented, is the Data Controller for the processing of your biometric data related to your remote electronic identification for the purpose of serving our transactional relationship in the context of the regulatory framework for the prevention of money laundering and terrorist financing.

2. Which of your personal data do we process, in what way and for what period of time

In this context, your information that is processed is the following: Name, identification documents ( civil identity card – Passport) , biometric data (when videoconferencing or taking a dynamic self- portrait ), E1 form details, proof of occupation and residential address, VAT number and mobile number. These details are provided directly by you or, if you choose, some of them are also provided through the eGov - KYC service (using TAXISnet codes ).

You can perform remote electronic identification with the following two (2) alternative methods:

First , by videoconference , which constitutes two-way visual and audio communication in real time between you and our assigned employee, while you are in different locations and which simultaneously supports the exchange of files and messages.

Secondly, with the automated process without the presence of an employee, which is based on certified software, biometric analysis and artificial intelligence algorithms, through taking dynamic- selfie ( dynamic-selfie ), which is based on your dynamic rather than static photo, to ensure the participating liveness in the process. In this case, an automated decision can be made, without the intervention of a natural person. Furthermore, through document authentication technologies, the validity of the documents you send to us can be checked, as well as data extraction from these documents.

The above personal data for the purpose of identification are kept as long as necessary to comply with the relevant legislation and the decision the decision taken at 172/29.5.2020  meeting of the Executive Committee of the Bank of Greece and then they are permanently deleted without the possibility of recovery , unless their storage is permitted if justified by another provision of law or regulatory decision for a longer period of time, which cannot exceed ten years,.

3. Processing purposes

The Company keeps your above information and proceeds with this process in order to remotely identify you electronically, so that it is in compliance with the provisions of the institutional framework for the prevention of money laundering and terrorist financing as applicable from time to time, and , specifically, in compliance with the decision taken at 172/29.5.2020 meeting of the Executive Committee of the Bank of Greece which, among other things, defines the terms and conditions for the remote electronic identification of natural persons, when entering into a business relationship with credit institutions and financial organizations supervised by the Bank Greece's.

4. Legal basis of processing

The Company processes personal data in the context of this process based on your express consent (Article 9 par. 2 (a) GDPR) in the context of processing your biometric data for the purpose of your indisputable identification, as well as its legal obligation as a responsible processing (article 6 par. 1 (c) GDPR). If consent is not given to the processing of biometric data, it will not be possible to complete the remote electronic identification and another way will have to be followed to fulfill your said request.

5. How and with whom we share your personal data

Worldline Greece entrusts the company with the name "INTELLI SOLUTIONS IT SERVICES S.A." (hereinafter " Intelli " ) the processing of personal data and in this context, Intelli acts as the processor. Intelli takes appropriate measures to protect the confidentiality and security of personal data, having entered into a relevant contract with corresponding commitments, as provided for in the applicable legislation.

6. Data Security

The Company takes all appropriate technical and organizational measures for the security of your personal data, to ensure the confidentiality of its processing and its protection from accidental or unlawful destruction/loss/alteration, prohibited dissemination or access and any other form of unlawful processing. In addition, it binds all persons who have access to or process personal data on its behalf with confidentiality clauses and the obligation to maintain confidentiality.

7. Your rights in relation to your personal data

In relation to your personal data that is processed as described above, you have the following rights:

Right of information & access: You have the right to be informed and have access to your data and to receive additional information about its processing.

Right to rectification: You have the right to request the correction, amendment, completion and updating of your data.

Right to erasure: You have the right to request the erasure of your held personal data if the subject's consent to profiling is revoked or where such right is not subject to restrictions under applicable law or any other restrictions.

Right to restriction of processing: You have the right to request the restriction of the processing of your personal data when: (a) the accuracy of the personal data is disputed and pending verification, (b) the processing is unlawful and you request the restriction of use of the personal data instead of deletion of your data, (c) the personal data are not needed for the purposes of processing, but are nevertheless necessary for the establishment, exercise, support of legal claims, and (d) you object to the processing and until it is verified that there are legitimate reasons that concern us and prevail of the reasons for which you object to the processing.

Right to object to the processing: You have the right to object at any time to the processing of your personal data under specific conditions provided by law.

Right to portability : You have the right to receive your personal data free of charge in a format that will allow you to access, use and process it, and to request that your data be transferred directly to another controller, where technically feasible. This right applies to data provided by you and processed by automated means based on your consent.

Right to non-automated individual decision-making, including profiling : You have the right to object when a decision concerning you is based solely on automated processing, including profiling, and that decision produces legal effects or significantly affects you and we are obliged to implement appropriate measures to protect your rights, such as ensuring human intervention in receiving the expression of opinion or challenging the decision from you.

Right to withdraw consent : You have the right to withdraw your consent at any time, without affecting the processing operations carried out before the withdrawal and your data will be deleted or anonymized, if there is no legitimate basis justifying the continuation of the processing (e.g. further storage of the data ).

To exercise any of your rights above you can contact the email address:

dl-dpo.gr@worldline.com

Right to file a complaint with the Data Protection Authority: You have the right to file a complaint with the Personal Data Protection Authority (www.dpa.gr). Call Center: +30 210 6475600, Fax : +30 210 6475628, Email: complaints@dpa.gr.

8. Data Protection Officer ( DPO )

For issues related to the processing of your personal data, you can contact the Company's Data Protection Officer (" DPO "), at the email address: dl-dpo.gr@worldline.com