personal data processing

GDPR NOTIFICATION

NOTICE OF PERSONAL DATA PROTECTION

This notice describes how the APS Group (the “Controller” or “APS”) handles personal information it obtains about you and/or your property in connection with your investments, debt collection activities, real estate sales or any other activity in which you come into contact with the APS Group. This notice complies with the General Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), according to which you have the right to be informed about the data that various processors hold and process about you and about your rights in relation to such data.

This notice does not apply to the processing of personal data of the controller's employees or to the processing of personal data in connection with APS CREDIT FUND SICAV.

1. PROCESSING OF PERSONAL DATA

The following categories of personal data are processed:

Identification data (e.g. name, surname);

Contact details (e-mail address, postal address, telephone number),

Information about your use of our products and services, including information in your requests for products and services;

Information from our personal, telephone and electronic communications with you;

Information from the web browser you use or mobile applications;

Financial situation and creditworthiness,

as well as any information processed by the Controller in connection with the performance of a contract or legal obligation and for the purposes of the Controller's legitimate interest.

(hereinafter referred to as "personal data").

2. SOURCES OF PERSONAL DATA

APS, including its predecessors, successors, and/or its affiliates and subsidiaries, are purchasers of pooled or individual loans (performing, recurring, and non-performing), including distressed consumer debt, specifically accounts of borrowers frequently subject to current bankruptcy, insolvency, restructuring, workout, or similar proceedings. APS purchases such accounts/loans from banks and other financial institutions.

APS respects the privacy of borrowers and confidentially protects any personal and private information relating to borrowers, customers, clients, investors, partners and employees.

APS collects the following categories of data from the following sources:

information we receive from the original lender of their account/loan and/or their account/loan vendor;

information obtained from third party service providers;

information we receive from participants in bankruptcy and insolvency processes;

information we obtain from publicly available sources. For example, information received from a website managed by the Insolvency Registry;

information we receive from other APS entities;

the information you provide.

APS may process copies of identity cards only in cases where it is required to do so by law (in particular Act No. 253/2008 Coll., on certain measures against the legalization of the proceeds of crime and the financing of terrorism), or in cases where the owner of the identity card consents to the acquisition and processing of a copy of the identity card.

Personal data is processed manually and automatically by means of computer technology.

3. PURPOSE OF PROCESSING

APS processes personal data for the following purposes:

investing in outstanding debt to acquire it,

due diligence, pricing (e.g. to establish a more accurate price for the claim);

creation, management and liquidation of debt;

supervising the submission of proof of claims in bankruptcy, insolvency or similar proceedings for purchased accounts;

debt collection and communication with bankruptcy trustees, insolvency practitioners, attorneys or persons holding similar positions and credit reporting agencies;

communication with debtors;

legal or regulatory requirements;

any other purpose that has been notified or agreed in writing;

auctions;

performance of the contract under which APS transfers ownership of the property;

marketing and business purposes (e.g. offering products and services, sending commercial communications, invitations to cultural events).

4. HOW IS PERSONAL DATA PROCESSED?

The processing of your personal data may be carried out manually or automatically. However, none of the personal data collected is used for automatic decision-making. Your personal data is processed mainly by the designated employees of the Controller, but also by external processors (accountants, lawyers) with whom the Controller has concluded a contract for the processing of personal data, which contains all the necessary guarantees regarding the processing of personal data.

5. WHAT ARE THE LEGAL GROUNDS FOR PROCESSING PERSONAL DATA?

The legal grounds for processing personal data are

The legitimate business interests of APS to conduct its business activities and manage its relationship with potential, existing and former contractual partners pursuant to Article 6(1)(f) of the GDPR;

For the performance of a contract with business partners (e.g. investors, suppliers, real estate buyers) or for the implementation of measures at the request of the data subject prior to the conclusion of a contract pursuant to Article 6(1)(b) GDPR;

Compliance with legal obligations imposed by legislation (e.g. Act No. 253/2008 Coll., on certain measures against the legalization of proceeds of crime and terrorist financing);

APS also processes the personal data of some of its clients for direct marketing purposes because of its legitimate interest in promoting its similar products and services. In the case of non-clients, we process personal data only on the basis of the consent granted.The client can object to the processing of personal data for direct marketing purposes via the above email address.

6. WILL WE TRANSFER PERSONAL DATA TO A THIRD COUNTRY OR INTERNATIONAL ORGANISATION?

In the case of international transfers originating in the European Economic Area (EEA), where the European Commission has recognised a country outside the EEA as having an adequate level of data protection, your personal data may be transferred on this basis.

For transfers to countries outside the EEA whose level of protection has not been recognised as sufficient by the European Commission, we will rely on the legislative restrictions applicable to the specific situation (e.g. where the transfer needs to be made to fulfil our contract with you, such as when making an international payment) or the implementation of one of the safeguards below to ensure the protection of your personal data:

7. STANDARD CONTRACTUAL CLAUSES APPROVED BY THE EUROPEAN COMMISSION. RIGHTS RELATING TO THE PROCESSING OF PERSONAL DATA

- standard contractual clauses approved by the European Commission. RIGHTS RELATING TO THE PROCESSING OF PERSONAL DATA

APS ensures that your personal data is processed in a secure and accurate manner. You may exercise all the rights described in this clause against the Controller.

The person whose data is processed is also referred to in the text as the "data subject".

How can you exercise your rights?

You can exercise each of your individual rights by sending an email to:

gdpr_group@aps-holding.com, Barbora Kubíková

or by sending a written request to the Controller.

APS will provide you with a statement or information about the measures taken as soon as possible, but no later than 1 month after receipt of the request. APS is entitled to extend this period by 2 months, taking into account the complexity of the matter and the number of applications submitted, and will inform you of any such extension.

The data subject shall have the right to object at any time to the processing of personal data.

If the personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data for such marketing, and the Controller shall terminate the processing of personal data for direct marketing purposes.

The data subject has the right to ask APS to confirm whether it processes personal data concerning him or her. If the company processes the personal data of the data subject, the data subject has the right to access such personal data and to information on the purpose of the processing, the categories of personal data concerned, the recipients of the personal data, the intended duration of the processing and his or her rights in relation to the processing of personal data.

The data subject has the right to have inaccurate personal data corrected and incomplete personal data completed.

The data subject also has the right to erasure of personal data, namely:

if they are no longer necessary for the purposes for which they were processed,

if he/she withdraws consent to the processing of personal data and there is no other legal basis for the processing,

if he/she objects to processing for which there are no overriding legal grounds for processing,

if the personal data have been unlawfully processed,

where erasure is necessary to comply with a legal obligation; or

where the personal data were collected in connection with the offer of information society services to a child under 13 years of age.

The data subject also has the right to limit the processing of personal data, namely:

if he/she denies the accuracy of the personal data, for the period necessary to verify the accuracy of the personal data,

if the processing is unlawful and the data subject refuses to erase the personal data and requests instead that the use of the data be restricted,

where the Controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims, or

if he/she has objected to the processing until it is verified that the legitimate grounds of the controller outweigh the legitimate grounds of the client.

The data subject also has the right to the portability of personal data processed on the basis of consent or for the performance of a contract, which means the right to obtain the personal data he/she has provided to the Controller in a structured, commonly used and machine-readable format and the right to transmit those data to another controller, or the right to have those data transmitted directly from one controller to another, if technically feasible.

If personal data are processed on the basis of consent, the data subject has the right to withdraw this consent at any time. However, the lawfulness of the processing of personal data before the withdrawal of consent is not affected.

The data subject has the right to lodge a complaint with the Office for Personal Data Protection at any time if he/she believes that a breach of the law has occurred.

If you wish to exercise the above rights, please send a letter or email to the above address.

In accordance with the applicable regulation, in addition to your rights mentioned above, you also have the right to file a complaint with the competent supervisory authority, which in the Czech Republic is the Office for Personal Data Protection, located at Pplk. Sochora 727/27, 170 00 Prague 7, Holešovice.

8. RECIPIENTS OF PERSONAL DATA

The Company may provide personal data to processors, namely companies that perform activities requiring the processing of personal data for the Company under contract, in particular:

Authorised APS staff;

Information technology providers or operators;

Providers of legal and accounting services;

Companies belonging to the APS Group (see list below).

If APS uses the services of processors to process your personal data, this is only provided that the personal data protection standards of the specific processor are contractually guaranteed at least at the same level as those of the Company and that such processor meets the conditions stipulated by law.

The Company may also provide personal data to supervisory authorities (e.g. the Czech National Bank), law enforcement authorities or other administrative authorities if necessary to comply with legal obligations.

9.PROCESSING PERIOD OF PERSONAL DATA

APS processes personal data for the period of time for which it is obliged to retain personal data according to legal regulations

For the duration of the claim/contractual relationship and for the following 5 years after its termination;

Accounting documents for 10 years;

Legal or administrative proceedings: processing of data lasts until the final decision (to the extent necessary with regard to the procedure and situation of APS, the claim in question or the personal data required by the legal dispute

Even if no contract is concluded between APS and the potential client, APS retains the potential client's personal data for the period of time for which it is obliged to do so under the law.

After this period or after your consent to the processing of your personal data has expired and become effective, your personal data will be deleted, anonymized or processed only to the extent and for purposes for which your consent is not required.

If APS processes personal data on the basis of consent to the processing of personal data, it processes them for the period for which consent was given or until the consent is withdrawn.

10. HOW CAN YOU CONTACT US?

If you have any questions regarding the processing of your personal data, you can contact our Data Protection Officers directly using the contact details provided in section 7, or you can also contact us in writing, by email or by telephone using the contact details provided below:

Address: Celetná 988/38, 110 00 Prague 1, Czech Republic

Group DPO:

E-mail: gdpr_group@aps-holding.com, Barbora Kubíková

11. GENERAL INFORMATION

The Controller is entitled to amend, supplement, cancel or replace this notice at any time if necessary, provided that the updated notice must be published at least 30 days before it becomes effective.

List of associated and cooperating persons/entities of the Controller:

Name of the entity: APS Holding S.A.

ID: B 201461

Registered Office: 1, rue Jean Piret, L- 2350 Luxembourg

Name of the entity: APS Investments S.à.r.l.

ID: B219890

Registered Office: 1 rue Jean Piret, 2350 Luxembourg

Name of the entity: APS Investment Funds S.à.r.l.

ID: B219886

Registered Office: 1 rue Jean Piret, 2350 Luxembourg

Name of the entity: APS Delta S.A.

ID: B204416

Registered Office: 1 rue Jean Piret, 2350 Luxembourg

Name of the entity: APS Recovery a.s.

ID: 03409422