General Notice on Personal Data Processing

This notice is effective as of 11 March 2026

1. Introductory provisions

This General Notice on Personal Data Processing (hereinafter: "Notice"), explains in more detail how AikGroup (CY) Limited, financial holding company incorporated and registered in the Republic of Cyprus, processes personal data related to natural persons (hereinafter: "Data subject") in accordance with General Data Protection Regulation (EU) 2016/679 (GDPR), Cypriot Law 125(I) of 2018 Law providing for the protection of natural persons with regard to the processing of personal data and for the free movement of such data, and other regulations governing the protection of personal data and accompanying by-laws, prescribed best practices and ethical standards.

AikGroup (CY) Limited and its subsidiaries are committed to protecting Data subject’s privacy and responsible processing of entrusted personal data. AikGroup (CY) Limited and every subsidiary have its own notice on personal data protection.

With this Notice, AikGroup (CY) Limited, as a data controller, provides information about categories of Data subjects and personal data processed, purposes for which it is processed and the legal basis for the processing, recipients, personal data processors, data transfers, data retention period, applied safeguards to protect personal data, as well as the rights of the Data subject and how to exercise them, with AikGroup (CY) Limited and Group Data Protection Officer (DPO) contact data. This document is available on AikGroup (CY) Limited web site and through a link in the Notice on Personal Data Processing on Intranet Portal (TeamLink).

2. Responsibility for the processing of personal data and the contact information

AikGroup (CY) Limited is financial holding company based in Limassol, Cyprus, The Oval Office: 502, Street: Krinou 3, 4103 Agios Athanasios, phone: +357 25 25 94 90, email: office@aik-group.com.

This is general Notice. To obtain information regarding the specific processing of personal data or to exercise their rights, Data subjects can contact DPO via e-mail at: dpo@aik-group.com and via mobile: +381 64 865 37 21.

In order to lodge a complaint with the Cyprus data protection authority, contact information of the Office of the Commissioner for Personal Data Protection is: Office address: Iasonos 1, 1082 Nicosia, Cyprus, Postal address: P.O.Box 23378, 1682 Nicosia, Cyprus, phone: +357 22 818 456, fax: +357 22 304 565, email: commissioner@dataprotection.gov.cy, complaints procedure information: https://cutt.ly/TLHRy84.

3. Categories of Data subjects

This Notice is related to:

• Visitors of AikGroup (CY) Limited website, professional and/or social network accounts or attendants of AikGroup (CY) Limited events;
• Persons registering for email notifications (news, press releases, job alerts, etc.);
• Applicants interested in job offers, volunteer or trainee arrangements (candidates) published by AikGroup (CY) Limited;
• Persons in leading operational activities of AikGroup (CY) Limited, persons engaged in executing operational activities in AikGroup (CY) Limited, employees and other Data subjects engaged by AikGroup (CY) Limited on a contractual basis (service provider representatives, commercial partner representatives, etc.);
• Members of AikGroup (CY) Limited management bodies, other stakeholders;
• AikGroup (CY) Limited subsidiaries’ clients when justified and necessary.

When disclosing personal data about other Data subjects to AikGroup (CY) Limited, make sure to inform them about that and share information contained in this Notice.

4. Categories of personal data collected and processed by AikGroup (CY) Limited

AikGroup (CY) Limited processes personal data that Data subjects provide mostly directly, by themselves. Personal data might be collected indirectly, obtained from other sources, including subsidiaries, for the processing within a group of undertakings, as a controlling undertaking, based on legitimate interest, or other entities for the execution of orders/ legal obligations, or for the fulfillment of contractual obligations, all to the extent of the specific purpose.

Categories of personal data that AikGroup (CY) Limited may process are:

• general personal data for identification (first name, middle name, last name, gender, age, signature, photograph, date and place of birth, citizenship (nationality), national identification/ID number, tax number, etc.);
• contact personal data to get in touch (postal/ home address, telephone number, email address, etc.);
• data originating from IT equipment Data subjects use when visiting and browsing web sites related to AikGroup (CY) Limited (IP address, MAC address, operating system, geolocation, browsing activities, preferences, log files, cookie consent data, etc.);
• education and previous employment data (educational profile, level and institution of education, employment history, previous employer name, personal and business skills relevant for job description, other relevant data contained in CV, etc.);
• data resulting from the performance of contractual obligation (employees, persons in leading operational activities of AikGroup/persons engaged in executing operational activities in AikGroup (CY) Limited performance evaluations, personal development plans, trainings, etc.);
• personal data collected from publicly available sources when processing is not prohibited by law (e.g. register of business entities, media, internet, real estate cadaster), for a specific allowed purpose and on an adequate legal basis.

Personal data relating to criminal convictions and offences and special categories data (e.g. trade union membership) are lawfully processed only when it is required.

5. Purpose and legal basis of personal data processing

Personal data may be processed on the following grounds and for the following purposes:

a. Performing contractual obligations and/or taking actions at the request of Data subject before the conclusion of the contract.

The processing of personal data is carried out for the preparation and/or execution of the contract between AikGroup (CY) Limited and the Data subject with a specific purpose/s.

The purpose of data processing depends on the subject of contract between AikGroup (CY) Limited and Data subject, which is the part of contractual documentation. In this situation, provision of personal data is contractual requirement, or a requirement necessary to enter a contract. To prepare or execute the contract Data subject is obliged to provide the Personal data, otherwise it will not be possible to establish a contractual relationship and execute the contract.

b. Legitimate interest of AikGroup (CY) Limited or a third party

AikGroup (CY) Limited may process personal data in cases where the processing is based on its legitimate interests or legitimate interest of a third party, if these interests are not overridden by the interests or fundamental rights and freedoms of the Data subjects:

• in order to advise and exchange data with the Group members where AikGroup (CY) Limited is controlling undertaking, for reporting, determination of risks, the approval of products, etc.;
• processing of personal data even after the expiry of the terms for data retention and storage in order to protect AikGroup (CY) Limited’s interests in disputes before various competent authorities (courts, inspections, supervisory authorities, etc.);
• for the purpose of advertising or market research, except for data for which Data subjects have lodged an objection (the right to object is described in a separate article of this Notice);
• processing of personal data related to fraudulent/illegal activities in order to protect AikGroup (CY) Limited from possible losses and consequences for reputation;
• obtaining a certificate of a person's criminal record during engagement in order to protect AikGroup (CY) Limited interests and reputation;
• data on family members and assets of certain Group member employees in order to prevent conflicts of interest;
• ensuring information security, internal and/or external audit procedures;
• video surveillance in order to protect staff, visitors, processes and property (video surveillance of the AikGroup (CY) Limited premises, as well as the area around the premises for security reasons, access management of certain facilities, etc.);
• specific AML/CTF goals, sanctions regimes imposed by the European Union, UN, UK and US as AikGroup (CY) Limited operates on the territory of the European Union and has an interest to process certain personal data in order to comply with relevant restrictions related to sanctions regimes.

c. Consent

The legality of personal data processing may be based on consent when another lawful basis is not available. Consent must be given freely and unconditionally by the Data subject, granulated for one or more specific purposes, and it must be unambiguous with information provided in plain language. Data subject can simply and easily withdraw consent at any time. Withdrawal of consent does not affect the legality of data processing, based on consent, which was carried out before the withdrawal.

Provision of personal data is a free will of Data subject, otherwise it will not be possible to perform processing and achieve the purpose.

d. Compliance with the AikGroup (CY) Limited legal obligations

In order to comply with legal obligations and regulatory requirements, AikGroup (CY) Limited, as a financial holding company, processes personal data to fulfill its obligations regarding various EU and local directives and regulations.

Provision of personal data is a statutory requirement and the Data subject is obliged to provide the personal data (e.g. in order to comply with requirements from AML/CTF regulation, reporting requirements from various EU and local laws).

e. Protection of vital interests of the Data subject or of another natural person

AikGroup (CY) Limited may process personal data to protect interests that are essential and vital for someone’s life, usually in an emergency situation.

6. Recipient categories and transfer of personal data

AikGroup (CY) Limited may disclose personal data to competent financial authorities, contractual parties and service providers that act on behalf of AikGroup (CY) Limited (data processors), as well as other AikGroup members, when obliged to do so or when necessary.

When entrusting processing activities, AikGroup (CY) Limited cooperates only with data processors who sufficiently guarantee to implement appropriate contractual, technical, and organizational measures so that the processing complies with the requirements of the GDPR and ensures the protection of the rights of Data subject.

AikGroup (CY) Limited pays special attention when transferring personal data to a third country or an international organization outside of EEA (European Economic Area - EU countries and Iceland, Liechtenstein, and Norway).

Except in EU, some AikGroup members operate in non-EU countries, outside of EEA. If personal data processing includes cross-border transfer to a country or international organization outside of EEA, that transfer may take place only:

• on the basis of an adequacy decision by the EU Commission, or, where applicable for non-EU countries, on the basis of an adequacy decision by the competent authority;
• after providing appropriate safeguards (standard contractual clauses adopted by the EU Commission; standard contractual clauses adopted by a supervisory authority, ad hoc contractual clauses which are subject to approval from the supervisory authority; binding corporate rules);
• if based on an international agreement;
• on the conditions prescribed as derogations of GDPR for specific situations.

More detailed information on transfers of personal data, as well as appropriate or suitable safeguards in case of transfer of personal data to third countries in line with GDPR requirements, can be requested by writing to: dpo@aik-group.com.

7. Security and protection of personal data

AikGroup (CY) Limited implements appropriate technical and organizational measures to secure and protect entrusted personal data, both at the time of the determination of the means for processing and at the time of processing itself (data protection by design and by default), which include:

• implementation of appropriate data protection policies,
• implementation of the state-of-the-art security standards in IT infrastructure, especially in the collection, storage, and disclosure of personal data,
• physical and logical access management and control to AikGroup (CY) Limited information systems and business premises where personal data is processed and stored, including the data in paper and digital format,
• in the case of entrusting processing tasks, data processors are contractually obliged to implement the same or higher level of technical and organizational measures to protect personal data.

8. Personal data storage period

AikGroup (CY) Limited will store and retain personal data for no longer that the period required to achieve the purpose - comply with applicable laws and regulations, for the performance of the contractual obligations and fulfilment of legitimate interests.

AikGroup (CY) Limited will regularly delete personal data if it does not have a specific reason for storing and processing personal data after the expiration of the contractual obligation, depending on the purpose, at the latest after the expiration of all legal deadlines for data storage.

9. Rights of Data subjects

AikGroup (CY) Limited will respond to Data subject’s request for exercising their rights by electronic means, where appropriate, without undue delay, and no later than within a month of receipt of the proper request. Proper request must include Data subject’s identity and related data so that it can be identified by AikGroup (CY) Limited.

The specified period may be extended by two further months where necessary, considering the complexity and number of the requests. In the case of a large number or complexity of inquiries, it is possible that AikGroup (CY) Limited may need additional time to respond, in which case AikGroup (CY) Limited shall inform the Data subjects about two months extension within a month of receipt of request, together with the reasons for the delay. In that case, AikGroup (CY) Limited will respond to request no later than within three months of receipt of the Request.

A copy of the personal data undergoing processing by AikGroup (CY) Limited shall be provided for free. If Data subject requests further copies, AikGroup (CY) Limited might charge a reasonable fee based on administrative costs.

If AikGroup (CY) Limited decides not to act on the request of the Data subject, it shall inform the Data subject without delay and at the latest within one month of receipt of the request of the reasons for not acting and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Data subjects have the following rights:

a. Right of access by the Data subject

Data subject has the right to request confirmation as to whether AikGroup (CY) Limited processes his/ her personal data, as well as to request access to personal data being processed. Data subject can exercise these rights by filling out the proposed “Request form for Data Subject”, which can be downloaded from the AikGroup (CY) Limited website and sending it to AikGroup (CY) Limited DPO by email. The exercise of Data subject’s rights does not depend on the use of the proposed form.

b. Right to rectification

Data subject has the right to request updating or supplementing inaccurate personal data processed by AikGroup (CY) Limited, or to have incomplete personal data completed, including by means of providing a supplementary statement.

c. Right to erasure (Right to be forgotten)

The Data subject has the right to demand erasure of personal data without undue delay where one of the following grounds apply:

• a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• b) the Data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
• c) the Data subject objects to the profiling, direct marketing or other processing based on legitimate interest and there are no overriding legitimate grounds for the processing;
• d) the personal data have been unlawfully processed;
• e) the personal data have to be erased for compliance with a legal obligation in EU or member state law to which AikGroup (CY) Limited is subject.

AikGroup (CY) Limited shall not erase the data if that processing is necessary for compliance with a legal obligation which requires processing by EU or member state law, or for the establishment, exercise, or defense of legal claims.

d. Right to restriction of processing

The Data subject has the right to request restriction of processing when one of the following applies:

• a) the accuracy of the personal data is contested by the Data subject, for a period enabling the AikGroup (CY) Limited to verify the accuracy of the personal data;
• b) the processing is unlawful and the Data subject opposes the erasure of the personal data and requests the restriction of their use instead;
• c) the AikGroup (CY) Limited no longer needs the personal data for the purposes of the processing, but they are required by the Data subject for the establishment, exercise or defence of legal claims;
• d) the Data subject has objected to processing based on AikGroup (CY) Limited legitimate interest pending the verification whether the AikGroup (CY) Limited legitimate grounds override those of the Data subject.

Where processing has been restricted, related personal data shall, except for storage, only be processed with the Data subject's consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the EU or of a member state. AikGroup (CY) Limited will inform the Data subject who has obtained restriction of processing before the restriction of processing is lifted.

e. Notification obligation of AikGroup (CY) Limited

Where AikGroup (CY) Limited has disclosed personal data to other recipients and is obliged to rectify, erase, or restrict processing of personal data, reasonable steps, including technical measures are taken by AikGroup (CY) Limited to inform recipients (other data controllers or data processors) which are processing the data about the rectification, erasure, or restriction of processing.

f. Right to portability

Where the processing is based on consent or on a contract and it is carried out by automated means, the Data subject has the right to receive related personal data from AikGroup (CY) Limited in a structured, commonly used, and machine-readable format and has the right to transmit those data to another data controller.

This right shall not adversely affect the rights and freedoms of others and the Data subject may request to have his/her personal data transmitted directly from AikGroup (CY) Limited to another controller, where technically feasible.

g. Right to object

If AikGroup (CY) Limited processes personal data for direct marketing purposes, the Data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where the Data subject objects to processing for direct marketing purposes, AikGroup (CY) Limited will no longer process the personal data for such purposes.

10. Automated individual decision-making, including profiling

The Data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

The abovementioned does not apply if that decision:

• a) is necessary for entering into, or performance of, a contract between AikGroup (CY) Limited and the Data subject;
• b) is authorized by EU or member state law to which AikGroup (CY) Limited is subject and which also lays down suitable measures to safeguard the Data subject's rights and freedoms and legitimate interests; or
• c) is based on the Data subject's explicit consent.

In the cases referred to in points a) and c), AikGroup (CY) Limited implements suitable measures to safeguard the Data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the AikGroup (CY) Limited part, to express his or her point of view and to contest the decision.

11. Restriction of rights

According to the provisions of GDPR and the Cypriot Law 125(I) of 2018, AikGroup (CY) Limited may implement measures to restrict Data subject’s rights (e.g. realization of claims in civil court disputes). Where the restrictions of the rights relate to a processing operation carried out by a data processor, the measures are implemented in accordance with the section 6. of the Notice and relevant regulation provisions related to the data processor, which previously require carrying out a data protection impact assessment and prior consultation with the Cypriot data protection authority.

12. Right to complain and right to an effective judicial remedy

To lodge a complaint with the Cyprus data protection authority, contact information of the Office of the Commissioner for Personal Data Protection is provided in the section 2. of the Notice, with useful link related to the complaint’s procedure information.

Data subject has the right to an effective judicial remedy where he or she considers that his or her rights under GDPR have been infringed because of the processing of his or her personal data in non-compliance with this Regulation.

13. Communication of a personal data breach to the Data subject

When personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, AikGroup (CY) Limited shall communicate the personal data breach to the Data subject without undue delay.

The communication to the Data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain information and measures about the following: the name and contact details of the DPO or other contact point where more information can be obtained, description of the likely consequences of the personal data breach and description of the measures taken or proposed to be taken by AikGroup (CY) Limited to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

According to the GDPR, communication to the Data subject referred to in paragraph 2 of this Article is not required if AikGroup (CY) Limited:

• a) has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
• b) AikGroup (CY) Limited has taken subsequent measures which ensure that the high risk to the rights and freedoms of Data subjects is no longer likely to materialize;
• c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the Data subjects are informed in an equally effective manner.

Request Form for Data Subject

Individuals may exercise their data protection rights by completing the Request Form or by submitting a written request to AikGroup (CY) Limited

Request Form for Data Subject