Customer Information on Data Protection Who does this information on data protection apply to? This information on data protection (the “Information”) is directed at customers and partners (within the framework of this information jointly referred to as “customers”) of SIX Payment Services (“SPS”). This Information thus applies to recipients who are customers of one or several of the following legal entities: SIX Payment Services Ltd SIX Payment Services (Europe) S.A. SIX Payment Services (Germany) GmbH The legal entities above will be referred to in the following individually as “SPS Company” or jointly as “SPS Companies” unless certain statements apply solely to (a) specific legal entity/ies. In such cases, the SPS Company in question will be referred to by name. What is the aim of the Information? This Information is aimed to notify customers about: which personal data (“Data”) made available by customers is being processed by SPS Companies, for what purpose and on what basis SPS Companies are doing this, how and how long Data is processed, what data protection rights customers have vis-à-vis SPS Companies, and the unit responsible for the Data processing within a SPS Company and whom customers can contact in case of questions. What Data is processed by SPS Companies? SPS Companies process Data that is transferred or made available to them by the customer for the purpose of contract execution within the framework of business relationships. This applies to details about contact persons such as their names, e-mail addresses or business telephone numbers. By disclosing the above Data to the SPS Company, the customer confirms to have notified the natural persons in question (employees, agents, etc.) whose Data he/she is disclosing to the SPS Company about the transfer of Data to the SPS Company. If the customer uses online services of the SPS Companies, the Privacy Statement of SPS shall be consulted. Do SPS Companies process other Data? In the context of fulfilling their obligations to prevent money laundering and terrorist financing, SIX Payment Services (Europe) S.A. is obligated by applicable Money Laundering Act regulations to collect and keep specific documents and information of persons. For this reason, SIX Payment Services (Europe) S.A. shall, among other things, determine and check the identity of customers, beneficial owners of customers or any trustors of the customers, assess the purpose pursued by the customer and the nature of the business relationship to which the customer aspires, gather and check information on the origin of deployed resources, as well as continuously monitor the business relationship and transactions carried out within its framework. SIX Payment Services (Europe) S.A. must in particular keep copies of the documents and information received, which are required for fulfilling the described duty of care as well as transaction receipts and records required for the identification of transactions. For what purpose do SPS Companies process the Data? The Data is processed by SPS Companies exclusively for the purpose of executing contracts with customers. The specific use of the Data depends on the contract concluded between the customer and a SPS Company. The SPS Companies particularly require the Data for: generally maintaining the customer relationship; provide services that they are contractually obliged to provide; sending products and information that they are contractually obliged to provide; billing purposes; reimbursement purposes; processing objections or complaints made by the customer; providing the customer with information about changes and developments of products and services. dispatch of newsletters voice recording Under no circumstances do SPS Companies process the Data outside of their contractual relationships with customers. What justification does a SPS Company provide for its processing of the Data? A SPS Company processes the Data primarily in its own legitimate interests, particularly to ensure adherence to customer contracts and regulatory compliance. Is the Data also passed onto third parties? All SPS Companies are directly or indirectly wholly owned subsidiaries of Worldline. SPS Companies can outsource all or some of the processing of the Data and other services to Worldline or other subsidiaries (incl. SPS Companies) of Worldline and to external third parties in Switzerland and abroad. If Data is transmitted to Worldline, subsidiaries of Worldline or external third parties as part of such outsourcing, the outsourcing SPS Company obligates the recipient in advance to wholly guarantee compliance with the existing confidentiality and data protection obligations of the outsourcing SPS Company. Each SPS Company reserves the right to disclose personal Data to the authorities and/or third parties in Switzerland or abroad if the SPS Company is obliged to make such disclosure by the applicable legal provisions. Do SPS Companies also transfer Data to countries outside the EU, EEA or Switzerland? As part of the execution of their contracts with customers, SPS Companies may cooperate with third parties (e.g. suppliers) that provide some of their services or produce some of their products outside the EU, EEA or Switzerland. If such third parties could obtain access to Data as part of the execution of the contract, a respective SPS Company and the third party provider will enter into a written agreement ensuring data protection equivalent to the data protection level required by EU and Swiss data protection regulation. Upon request, customers may view contractual arrangements (excerpts) a SPS Company has implemented with third parties that actually process such customer’s Data. How long is the Data processed or stored by SPS Companies? Data is normally stored for ten years beyond the end of a contractual relationship with the customer. An exception to this is data which must to be deleted previously pursuant to local legislation. What rights do affected natural persons (“Data Subjects”) have whose Data are being processed by SPS Companies as part of their business relationship with customers? Data Subjects are entitled to the following rights concerning Data about the Data Subject: to receive information on whether and which Data a SPS Company may save or store (categories of Data, recipients or categories of recipients, storage duration, or criteria governing such duration); to obtain a copy of Data processed by SPS Companies; to request the rectification of Data if it is incorrect; to request the deletion of Data; to request restrictions on the processing of Data; to receive Data in a structured, accessible and machine-readable format; to submit an objection to processing of Data, especially for the purpose of direct advertising. The rights specified above may be denied or restricted if the interests, rights and freedoms of third parties prevail or if processing of Data is necessary to establish, exercise or defend any legal claims of SPS Companies. Do the SPS Companies have data protection officers? Yes. All questions concerning data protection and the rights of individuals affected can be directed to the data protection officers (DPOs) of SPS at the following contact addresses: SIX Payment Services Ltd Compliance Hardturmstrasse 201 8021 Zurich Switzerland For SIX Payment Services Ltd: dataprotection.switzerland@six-payment-services.com For SIX Payment Services (Europe) S.A.: dataprotection.europe@six-payment-services.com For SIX Payment Services (Germany) GmbH: dataprotection.germany@six-payment-services.com Who is responsible for the processing of Data at the respective SPS Companies? For individual SPS companies, the following entities and/or departments are responsible for handling queries related to data processing: SIX Payment Services Ltd Global Data Protection Support Hardturmstrasse 201 8021 Zurich Switzerland dataprotection.switzerland@six-payment-services.com SIX Payment Services (Europe) S.A. Global Data Protection Support 10, rue Gabriel Lippmann 5365 Munsbach Luxemburg dataprotection.europe@six-payment-services.com SIX Payment Services (Germany) GmbH Global Data Protection Support Langenhorner Chaussee 92-94 22415 Hamburg Germany dataprotection.germany@six-payment-services.com In the event of a discrepancy between the German version and a translation, the German version shall prevail. Current Privacy Statement of SIX