Common use of PLEASE ALSO NOTE Clause in Contracts

PLEASE ALSO NOTE. Deposits by private individuals and companies are normally covered by deposit guarantee schemes. Exceptions for certain types of deposits will be announced on the website of the relevant deposit guarantee scheme. You can also request information from your bank about which products are covered and which are not. If deposits are covered by a guarantee scheme, this will be stated on the relevant account statement. PRIVACY POLICY (DATA PROTECTION INFORMATION) card complete Service Bank AG 1011 Vienna, P.O. Box 147, Registered office in Vienna Court of Registration: Vienna FN.84.409g Responsibility Who is responsible for my personal data and whom can I contact if I have questions? card complete Service Bank XX, Xxxxxxxxxxxxxx 0, 0000 Xxxxxx, is responsible for the collection and control of your personal data. If you have any questions concerning the processing of the personal data we have collected or concerning your rights under the GDPR and the Austrian DPA, please contact the Data Protection Officer (DPO) of card complete Service Bank AG at the same address as above. Data types and sources What information do you collect about me and where do you obtain it? We collect the personal data necessary to provide services under our contract with you. We obtain it either from you directly, or from another trusted party to which you have provided it (e.g. your bank). It may include data that we are entitled to obtain from credit agencies, debtor lists, business information services (e.g. CRIF, KSV 1870 Holding, Bureau Van Dijk Electronic publishing, Dow Xxxxx News) and from publicly available sources (e.g. Commercial Register, Land Register, the media, blacklists). Purpose and legal basis Why do you need my data and what is your legal basis for processing it? We need your data to facilitate the business relationship that we have with you, and all our use of your data is in compliance with the GDPR and the DPA. We use your data in fulfilment of one or more of the following: • contractual obligations (e.g. providing banking services, handling customer inquiries, calculating commissions, updating customer databases, processing applicant data, crediting and correcting mileage balances in the Miles & More programme) • legal obligations (e.g. ensuring legal compliance, monitoring card transactions, reporting to the financial markets authority or the public prosecutor’s office, consulting credit agencies) • pursuit of legitimate interests (e.g. fraud prevention; internet and data security; handling inquiries from authorities, attorneys, collection agencies, customers, etc.; direct marketing) • other purposes in so far as you have given specific consent (e.g. advertising and marketing, customer satisfaction surveys) Data sharing Who else will receive my data? We share your data to a limited extent with some third-party processors (e.g. IT and back-office processors) as well as with our sales partners. If you are a participant in the Miles & More programme, we share your data with Austrian Airlines AG. All of these are legally and contractually obligated to treat your data as confidential, to ensure that it is kept safe and to process it only in performance of their contractual obligations. If there is a legal obligation, your personal data can also be accessed by public authorities (tax offices, financial market authorities) and by card complete’s owners. International data transfers Will my data be shared with third parties in other countries? Card transactions (whether at the point of sale or online) may give rise to certain queries from Acceptance Partners. In such cases, information is exchanged between the international card organisations (which may be outside the EU or the EEA), their licensees, and the Acceptance Partners. Depending on the product, processing a transaction may entail transmitting personal data to the respective countries of these parties. Data retention How long will you store and process my data? We keep your personal data for as long as we have a contract with you, but also for longer in so far as necessary to defend legal claims or as required under certain laws for specific periods: Anti-Money-Laundering Act – 5 years, Commercial Code and Federal Tax Code – 7 years, Equality of Treatment Act – 6 months, and the Austrian Civil Code – 3 to 30 years. Obligation to provide data Do I have to provide my personal data? You are required to provide the data necessary for us to carry out a business relationship with you, and we are required by law to collect it. If you are not willing to provide such data, we are generally forced to decline a contract with you or to refuse the service requested. Even if a contract already exists, we will be unable to fulfil it and must therefore terminate it. You can, however, object to data processing which is not essential or relevant for our performance under the contract. Data security How do you keep my data safe? card complete Service Bank AG has instituted extensive technical and organisational measures of the highest international standards to provide your data with optimal security. These measures are regularly monitored and updated to ensure that they remain appropriate and effective. Rights of the data subject What are my rights as a “data subject”? As a natural person protected by the GDPR and Austrian Data Protection Act (= “data subject”), you can exercise the following rights at any time: to access your data, to rectify inaccurate data, to erase data (“right to be forgotten”), to restrict the processing of your data, to transmit your data (“data portability”), and to object to the processing of your data. If you believe that your data is being processed in violation of the GDPR or the DPA, please contact us so that we can address your concerns. If you have a complaint, you can contact the Austrian Data Protection Authority (Österreichische Datenschutzbehörde).

PLEASE ALSO NOTE. Deposits by private individuals and companies are normally covered by deposit guarantee schemes. Exceptions for certain types of deposits will be announced on the website of the relevant deposit guarantee scheme. You can also request information from your bank about which products are covered and which are not. If deposits are covered by a guarantee scheme, this will be stated on the relevant account statement. Compensation will not be paid for deposits showing no related account transactions in the 24 months prior to the insolvency date and where the value of the deposits is not high enough to cover the guarantee scheme’s administrative costs of paying out. Deposits covered by the scheme are only eligible for compensation after the offsetting of any legally or contractually chargeable debts of the depositor towards the bank that were incurred prior to or on the insolvency date. Version: 08/2019-BD PRIVACY POLICY (DATA PROTECTION INFORMATION) card complete Service Bank AG 1011 Vienna, P.O. Box 147, Registered office in Vienna Court of Registration: Vienna FN.84.409g Responsibility Who is responsible for my personal data and whom can I contact if I have questions? card complete Service Bank XX, Xxxxxxxxxxxxxx 0, 0000 Xxxxxx, is responsible for the collection and control of your personal data. If you have any questions concerning the processing of the personal data we have collected or concerning your rights under the GDPR and the Austrian DPA, please contact the Data Protection Officer (DPO) of card complete Service Bank AG at the same address as above. Data types and sources What information do you collect about me and where do you obtain it? We collect the personal data necessary to provide services under our contract with you. We obtain it either from you directly, or in the course of processing payments (e.g. from Accepting Partners), or from another trusted party to which you have provided it (e.g. your bank). It may include data that we are entitled to obtain from credit agencies, debtor lists, business information services (e.g. CRIF, KSV 1870 Holding, Bureau Van Dijk Electronic publishing, Dow Xxxxx News) and from publicly available sources (e.g. Commercial Register, Land Register, the media, blacklists). Purpose and legal basis Why do you need my data and what is your legal basis for processing it? We need your data to facilitate the business relationship that we have with you, and all our use of your data is in compliance with the GDPR and the DPA. We use your data in fulfilment of one or more of the following: • contractual obligations (e.g. providing banking and payment services, handling customer inquiries, calculating commissions, updating customer databases, processing applicant data, crediting and correcting mileage balances in the Miles & More programme) • legal obligations (e.g. ensuring legal compliance, processing secure online transactions, monitoring card transactions, reporting to the financial markets authority or the public prosecutor’s office, consulting credit agencies) • pursuit of legitimate interests (e.g. fraud prevention; internet and data security; handling inquiries from authorities, attorneys, collection agencies, customers, etc.; direct marketing) • other purposes in so far as you have given specific consent (e.g. advertising and marketing, customer satisfaction surveys) Data sharing Who else will receive my data? We share your data to a limited extent with some third-party processors (e.g. IT and back-office processors) as well as ), with other parties in payment transactions, and with our sales partners. If you are a participant in the Miles & More programme, we share your data with Austrian Airlines AG. All of these are legally and contractually obligated to treat your data as confidential, to ensure that it is kept safe and to process it only in performance of their contractual obligations. If there is a legal obligation, your personal data can also be accessed by public authorities (tax offices, financial market authorities) and by card complete’s owners. International data transfers Will my data be shared with third parties in other countries? Card transactions (whether at the point of sale or online) may give rise to certain queries from Acceptance Partners. In such cases, information is exchanged between the international card organisations (which may be outside the EU or the EEA), their licensees, and the Acceptance Partners. Depending on the product, processing a transaction may entail transmitting personal data to the respective countries of these parties. Data retention How long will you store and process my data? We keep your personal data for as long as we have a contract with you, but also for longer in so far as necessary to defend legal claims or as required under certain laws for specific periods: Anti-Money-Laundering Act – 5 years, Commercial Code and Federal Tax Code – 7 years, Equality of Treatment Act – 6 months, and the Austrian Civil Code – 3 to 30 years. Obligation to provide data Do I have to provide my personal data? You are required to provide the data necessary for us to carry out a business relationship with you, and we are required by law to collect it. If you are not willing to provide such data, we are generally forced to decline a contract with you or to refuse the service requested. Even if a contract already exists, we will be unable to fulfil it and must therefore terminate it. You can, however, object to data processing which is not essential or relevant for our performance under the contract. Data security How do you keep my data safe? card complete Service Bank AG has instituted extensive technical and organisational measures of the highest international standards to provide your data with optimal security. These measures are regularly monitored and updated to ensure that they remain appropriate and effective. Rights of the data subject What are my rights as a “data subject”? As a natural person protected by the GDPR and Austrian Data Protection Act (= “data subject”), you can exercise the following rights at any time: to access your data, to rectify inaccurate data, to erase data (“right to be forgotten”), to restrict the processing of your data, to transmit your data (“data portability”), and to object to the processing of your data. If you believe that your data is being processed in violation of the GDPR or the DPA, please contact us so that we can address your concerns. If you have a complaint, you can contact the Austrian Data Protection Authority (Österreichische Datenschutzbehörde).. Further information Where can I find out more? You can find our complete privacy policy at xxx.xxxxxxxxxxxx.xxx/xxxxxxxxxxx

PLEASE ALSO NOTE. Deposits by private individuals and companies are normally covered by deposit guarantee schemes. Exceptions for certain types of deposits will be announced on the website of the relevant deposit guarantee scheme. You can also request information from your bank about which products are covered and which are not. If deposits are covered by a guarantee scheme, this will be stated on the relevant account statement. Compensation will not be paid for deposits showing no related account transactions in the 24 months prior to the insolvency date and where the value of the deposits is not high enough to cover the guarantee scheme’s administrative costs of paying out. Deposits covered by the scheme are only eligible for compensation after the offsetting of any legally or contractually chargeable debts of the depositor towards the bank that were incurred prior to or on the insolvency date. PRIVACY POLICY (DATA PROTECTION INFORMATION) card complete Service Bank AG 1011 Vienna, P.O. Box 147, Registered office in Vienna Court of Registration: Vienna FN.84.409g Responsibility Who is responsible for my personal data and whom can I contact if I have questions? card complete Service Bank XX, Xxxxxxxxxxxxxx 0, 0000 Xxxxxx, is responsible for the collection and control of your personal data. If you have any questions concerning the processing of the personal data we have collected or concerning your rights under the GDPR and the Austrian DPA, please contact the Data Protection Officer (DPO) of card complete Service Bank AG at the same address as above. Data types and sources What information do you collect about me and where do you obtain it? We collect the personal data necessary to provide services under our contract with you. We obtain it either from you directly, or in the course of processing payments (e.g. from Accepting Partners), or from another trusted party to which you have provided it (e.g. your bank). It may include data that we are entitled to obtain from credit agencies, debtor lists, business information services (e.g. CRIF, KSV 1870 Holding, Bureau Van Dijk Electronic publishing, Dow Xxxxx News) and from publicly available sources (e.g. Commercial Register, Land Register, the media, blacklists). Purpose and legal basis Why do you need my data and what is your legal basis for processing it? We need your data to facilitate the business relationship that we have with you, and all our use of your data is in compliance with the GDPR and the DPA. We use your data in fulfilment of one or more of the following: • contractual obligations (e.g. providing banking and payment services, handling customer inquiries, calculating commissions, updating customer databases, processing applicant data, crediting and correcting mileage balances in the Miles & More programme) • legal obligations (e.g. ensuring legal compliance, processing secure online transactions, monitoring card transactions, reporting to the financial markets authority or the public prosecutor’s office, consulting credit agencies) • pursuit of legitimate interests (e.g. fraud prevention; internet and data security; handling inquiries from authorities, attorneys, collection agencies, customers, etc.; direct marketing) • other purposes in so far as you have given specific consent (e.g. advertising and marketing, customer satisfaction surveys) Data sharing Who else will receive my data? We share your data to a limited extent with some third-party processors (e.g. IT and back-office processors) as well as ), with other parties in payment transactions, and with our sales partners. If you are a participant in the Miles & More programme, we share your data with Austrian Airlines AG. All of these are legally and contractually obligated to treat your data as confidential, to ensure that it is kept safe and to process it only in performance of their contractual obligations. If there is a legal obligation, your personal data can also be accessed by public authorities (tax offices, financial market authorities) and by card complete’s owners. International data transfers Will my data be shared with third parties in other countries? Card transactions (whether at the point of sale or online) may give rise to certain queries from Acceptance Partners. In such cases, information is exchanged between the international card organisations (which may be outside the EU or the EEA), their licensees, and the Acceptance Partners. Depending on the product, processing a transaction may entail transmitting personal data to the respective countries of these parties. Data retention How long will you store and process my data? We keep your personal data for as long as we have a contract with you, but also for longer in so far as necessary to defend legal claims or as required under certain laws for specific periods: Anti-Money-Laundering Act – 5 years, Commercial Code and Federal Tax Code – 7 years, Equality of Treatment Act – 6 months, and the Austrian Civil Code – 3 to 30 years. Obligation to provide data Do I have to provide my personal data? You are required to provide the data necessary for us to carry out a business relationship with you, and we are required by law to collect it. If you are not willing to provide such data, we are generally forced to decline a contract with you or to refuse the service requested. Even if a contract already exists, we will be unable to fulfil it and must therefore terminate it. You can, however, object to data processing which is not essential or relevant for our performance under the contract. Data security How do you keep my data safe? card complete Service Bank AG has instituted extensive technical and organisational measures of the highest international standards to provide your data with optimal security. These measures are regularly monitored and updated to ensure that they remain appropriate and effective. Rights of the data subject What are my rights as a “data subject”? As a natural person protected by the GDPR and Austrian Data Protection Act (= “data subject”), you can exercise the following rights at any time: to access your data, to rectify inaccurate data, to erase data (“right to be forgotten”), to restrict the processing of your data, to transmit your data (“data portability”), and to object to the processing of your data. If you believe that your data is being processed in violation of the GDPR or the DPA, please contact us so that we can address your concerns. If you have a complaint, you can contact the Austrian Data Protection Authority (Österreichische Datenschutzbehörde).

PLEASE ALSO NOTE. Deposits by private individuals and companies are normally covered by deposit guarantee schemes. Exceptions for certain types of deposits will be announced on the website of the relevant deposit guarantee scheme. You can also request information from your bank about which products are covered and which are not. If deposits are covered by a guarantee scheme, this will be stated on the relevant account statement. Compensation will not be paid for deposits showing no related account transactions in the 24 months prior to the insolvency date and where the value of the deposits is not high enough to cover the guarantee scheme’s administrative costs of paying out. Deposits covered by the scheme are only eligible for compensation after the offsetting of any legally or contractually chargeable debts of the depositor towards the bank that were incurred prior to or on the insolvency date. PRIVACY POLICY (DATA PROTECTION INFORMATION) card complete Service Bank AG 1011 Vienna, P.O. Box 147, Registered office in Vienna Court of Registration: Vienna FN.84.409g Responsibility Who is responsible for my personal data and whom can I contact if I have questions? card complete Service Bank XX, Xxxxxxxxxxxxxx 0, 0000 Xxxxxx, is responsible for the collection and control of your personal data. If you have any questions concerning the processing of the personal data we have collected or concerning your rights under the GDPR and the Austrian DPA, please contact the Data Protection Officer (DPO) of card complete Service Bank AG at the same address as above. Data types and sources What information do you collect about me and where do you obtain it? We collect the personal data necessary to provide services under our contract with you. We obtain it either from you directly, or from another trusted party to which you have provided it (e.g. your bank). It may include data that we are entitled to obtain from credit agencies, debtor lists, business information services (e.g. CRIF, KSV 1870 Holding, Bureau Van Dijk Electronic publishing, Dow Xxxxx News) and from publicly available sources (e.g. Commercial Register, Land Register, the media, blacklists). Purpose and legal basis Why do you need my data and what is your legal basis for processing it? We need your data to facilitate the business relationship that we have with you, and all our use of your data is in compliance with the GDPR and the DPA. We use your data in fulfilment of one or more of the following: • contractual obligations (e.g. providing banking services, handling customer inquiries, calculating commissions, updating customer databases, processing applicant data, crediting and correcting mileage balances in the Miles & More programme) • legal obligations (e.g. ensuring legal compliance, monitoring card transactions, reporting to the financial markets authority or the public prosecutor’s office, consulting credit agencies) • pursuit of legitimate interests (e.g. fraud prevention; internet and data security; handling inquiries from authorities, attorneys, collection agencies, customers, etc.; direct marketing) • other purposes in so far as you have given specific consent (e.g. advertising and marketing, customer satisfaction surveys) Data sharing Who else will receive my data? We share your data to a limited extent with some third-party processors (e.g. IT and back-office processors) as well as with our sales partners. If you are a participant in the Miles & More programme, we share your data with Austrian Airlines AG. All of these are legally and contractually obligated to treat your data as confidential, to ensure that it is kept safe and to process it only in performance of their contractual obligations. If there is a legal obligation, your personal data can also be accessed by public authorities (tax offices, financial market authorities) and by card complete’s owners. International data transfers Will my data be shared with third parties in other countries? Card transactions (whether at the point of sale or online) may give rise to certain queries from Acceptance Partners. In such cases, information is exchanged between the international card organisations (which may be outside the EU or the EEA), their licensees, and the Acceptance Partners. Depending on the product, processing a transaction may entail transmitting personal data to the respective countries of these parties. Data retention How long will you store and process my data? We keep your personal data for as long as we have a contract with you, but also for longer in so far as necessary to defend legal claims or as required under certain laws for specific periods: Anti-Money-Laundering Act – 5 years, Commercial Code and Federal Tax Code – 7 years, Equality of Treatment Act – 6 months, and the Austrian Civil Code – 3 to 30 years. Obligation to provide data Do I have to provide my personal data? You are required to provide the data necessary for us to carry out a business relationship with you, and we are required by law to collect it. If you are not willing to provide such data, we are generally forced to decline a contract with you or to refuse the service requested. Even if a contract already exists, we will be unable to fulfil it and must therefore terminate it. You can, however, object to data processing which is not essential or relevant for our performance under the contract. Data security How do you keep my data safe? card complete Service Bank AG has instituted extensive technical and organisational measures of the highest international standards to provide your data with optimal security. These measures are regularly monitored and updated to ensure that they remain appropriate and effective. Rights of the data subject What are my rights as a “data subject”? As a natural person protected by the GDPR and Austrian Data Protection Act (= “data subject”), you can exercise the following rights at any time: to access your data, to rectify inaccurate data, to erase data (“right to be forgotten”), to restrict the processing of your data, to transmit your data (“data portability”), and to object to the processing of your data. If you believe that your data is being processed in violation of the GDPR or the DPA, please contact us so that we can address your concerns. If you have a complaint, you can contact the Austrian Data Protection Authority (Österreichische Datenschutzbehörde).