This notice concerns the processing of your personal data carried out by "HELLENIC EXCHANGES – ATHENS STOCK EXCHANGE S.A.” (“ATHEX”), in your capacity as a legal representative or authorised user of the "H.E.R.ME.S.” electronic system of connectivity and communication owned by ATHEX and operating as a mechanism for the central storage of regulated information (hereinafter referred to as the "H.E.R.ME.S. System"). Please read this notice in order to be informed in detail about the terms of processing your data:This notice concerns the processing of your personal data carried out by "HELLENIC EXCHANGES – ATHENS STOCK EXCHANGE S.A.” (“ATHEX”), in your capacity as a legal representative or authorised user of the "H.E.R.ME.S.” electronic system of connectivity and communication owned by ATHEX and operating as a mechanism for the central storage of regulated information (hereinafter referred to as the "H.E.R.ME.S. System"). Please read this notice in order to be informed in detail about the terms of processing your data:

ATHEX acts as data controller, pursuant to General Data Protection Regulation (EE) 2016/679 (“GDPR”), for the processing of your personal data, which is carried out when you use the H.E.R.ME.S. System The registered seat of ATHEX is in Athens, at 110 Athinon Ave., postal code 104 42, contact telephone number: +30 210 33 66 800, e-mail: protocol@athexgroup.gr, info@athexgroup.gr.

The personal data processed by ATHEX are collected directly from your employer, or from you during your use of the H.E.R.ME.S. System. These personal data are strictly necessary for the achievement of the intended processing purposes and include:

• Basic data of the natural person (full name).
• Contact details (email address, mobile phone number).
• Usage data of the application (e.g. personalised security credentials, strong identification code, logs of accesses to the H.E.R.ME.S. System, IP address)

The personal data collected by ATHEX are processed exclusively for the purpose of: a) confirming your details as the legal representative of your company, b) gaining access and enabling you to use the H.E.R.ME.S. System, in your capacity as an authorized user and c) the security of ATHEX's information systems that support the H.E.R.ME.S. System.

Within the context of the use of the H.E.R.ME.S. System, ATHEX processes your personal data according to the following legal bases:

• Public Interest (Article 6 par. 1e GDPR)

Given that the above processing for the purposes of a) and b) is carried out in the context of the use of the H.E.R.ME.S. System, the provision and operation of which is inextricably linked to the institutional role of ATΗEX in the Greek capital market, the legal basis for the processing of your data is the fact that the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller under Law 3556/2007 (Article 21, paragraph 4) and the ATHEX Exchange Rulebook (Article 4.1.3).

• Legitimate Interest (article 6 par. 1f GDPR)

In addition, in pursuit of the above purpose c), ATHEX processes personal data in the context of its legitimate interest, which is to protect the security of the network, systems and information of ATHEX.

ATHEX ensures that your personal data are processed solely by its necessary personnel, which has been adequately informed regarding the secure processing of your personal data.
Additionally, recipients of your personal data also include natural and legal persons, to which ATHEX assigns the performance of specific tasks on its behalf, such as, inter alia, providers of maintenance and technical support for systems. These persons, acting as processors of the personal data, are informed and contractually bound to ensure confidentiality of personal data, as well as to follow our instructions regarding the processing of personal data and take all appropriate measures for their protection. Finally, recipients as independent Data Controllers may be your employer and the competent supervisory authorities.

Your personal data are not transferred to third countries (to countries outside the European Economic Area).

Your personal data are only retained for the period of time which is necessary due to the nature of the processing and only for as long as this is required for the fulfilment of each processing purpose, unless there is a contrary legal obligation to comply with them further.

In accordance with the provisions of Regulation (EU) 2016/679 (GDPR), as a data subject, you have the following rights, which may be exercised as appropriate:

• Right to access your personal data.
• Right to correct and/or update your data.
• Right to deletion / right to be forgotten.
• Right to restrict processing.
• Right to object to the processing of your personal data.
• Right to data portability.

If you wish to receive further information about the processing of your personal data or exercise any of your rights, you can contact ATHEX either in writing at: HELLENIC EXCHANGES – ATHENS STOCK EXCHANGE S.A., 110 Athinon Ave., 104 42 Athens, for the attention of: Data Protection Officer (DPO), or by e-mail addressed to the Data Protection Officer (DPO) of the ATHEX Group at: dataprotectionofficer@athexgroup.gr.

ATHEX implements an information security management system to ensure the confidentiality, security of data processing and protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, as well as any other form of unlawful processing. It is noted that ATHEX’s authorised personnel has received appropriate training and guidance.

If you believe that any request submitted by you has not been adequately and legally satisfied, or your right to personal data protection is being breached by any processing that is carried out by ATHEX, you have the right to lodge a complaint through the dedicated online portal of the Hellenic Data Protection Authority (postal address: 1-3 Kifissias Ave., 115 23, Athens, https://www.dpa.gr/, tel. 210 6475600, e-mail: contact@dpa.gr).