This privacy statement sets out how CIS Management B.V. (“CIS Management”) processes personal data and the rights of the data subjects. It applies to all processing of personal data by CIS Management.

THE PERSONAL DATA CIS MANAGEMENT PROCESSES

CIS Management processes personal data which has been provided to CIS Management by data subjects, (potential) clients of CIS Management or the agents, intermediaries or other service providers of (potential) clients of CIS Management or which CIS Management has obtained from publicly available sources (like the Chamber of Commerce). Examples of personal data CIS Management processes are: name, private address, cv, background, passport number, social security number and whether a person can be qualified as a Prominent Political Person.

OBJECTS OF AND LEGAL GROUNDS FOR PROCESSING OF PERSONAL DATA

CIS Management processes personal data with the following objects and on the following legal grounds:

- in the context of entering into a contract with a potential client;

- for the performance of a contract;

- to comply with legal obligations

• pursuant to laws and regulations, like the Dutch Act on the Supervision of Trust Offices (Wet toezicht trustkantoren), the Regulation on Sound Operational Management Relating to the Dutch Act on the Supervision of Trust Offices (Regeling integere bedrijfsvoering Wtt), the Dutch Money Laundering and Terrorist Financing (Prevention) Act (Wet ter voorkoming van witwassen en financieren van terrorisme) and the Implementing Rules Money Laundering and Terrorist Financing (Prevention) Act (Uitvoeringsregeling Wet ter voorkoming van witwassen en financieren van terrorisme), CIS Management is obliged to process certain personal data.

- for direct marketing activities, like sending newsletters or invitations for webinars

• for the processing of personal data for this object, CIS Management has obtained the consent of the data subjects, which consent may be withdrawn at any moment by using the unsubscribe button/link at the footer of each newsletter or by contacting CIS Management. The personal data which CIS Management process based on consent, will not be shared with other commercial organizations, save in case CIS Management organizes an event (like a webinar) in cooperation with another organization.

- Legitimate interest:

• CIS Management processes personal data based on a legitimate interest in the following cases: the management of CIS Management, (possible) claims and legal proceedings, when it retains services from professional service providers.

RIGHTS OF THE DATA SUBJECTS

The rights of the data subjects the personal data of which CIS Management processes include:

- a right to receive information on and access to the personal data;

- a right to have the personal data rectified and erased;

- a right to restrict the processing;

- a right to data portability;

- a right to object the processing;

- a right to withdraw consent.

STORAGE AND PROTECTION OF PERSONAL DATA

CIS Management stores personal data on its privately owned server. Apart from CIS Management, only the external supporting IT service provider of CIS Management has access to the server. CIS Management and its external supporting IT service provider have entered into a processing agreement to safeguard the protection of personal data.

CIS Management has tasked its external supporting IT service provider with implementing and keeping up-to-date the technical protection of the server of CIS Management (against leakage of personal data).

TRANSFER OF PERSONAL DATA (OUTSIDE THE EU/EEA)

CIS Management may share personal data (with state authorities) when it has a statutory or regulatory obligation to do so or pursuant to a court order or verdict. Personal data may be shared with the external (compliance) auditors and other professional service providers of CIS Management.

CIS Management will only transfer personal data outside the EU/EEA when:

- the country to which the personal data is sent is recognized by the European Commission as providing adequate protection

• for a list of countries providing adequate protection, please, see: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en;

- CIS Management and the (legal) person to which the personal data is sent have entered into a model contract for the transfer or personal data to third countries as established by the European Commission

• for the model contracts, please, see: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en; or

- the data subject has given its consent.

HOW LONG DOES CIS MANAGEMENT KEEP PERSONAL DATA

Personal data which CIS Management processes pursuant to a statutory or regulatory obligation, will be kept for period until five years after the termination of the contractual relationship with the client or as long as prescribed by any applicable law or regulation.

Personal data which CIS Management processes pursuant to consent given by the data subject for direct marketing activities, will be kept as long as CIS Management performs direct marketing activities and until the data subject has withdrawn his/her consent.

In case of (possible) claims or court proceedings, CIS Management may decide to keep personal data for as long as required in this context.

DETAILS OF CIS MANAGEMENT

The details of CIS Management are:

CIS Management B.V.

Strawinskylaan 613

1077 XX Amsterdam

Registered with the Business Register of the Netherlands Chamber of Commerce under file number: 21016442

For any questions, requests or complaints, please, contact CIS Management at [email protected] or +31 (0)20 333 1691.

For more information on data protection, please, see the website of the Dutch Data Protection Authority the Autoriteit Persoongsgegevens: https://autoriteitpersoonsgegevens.nl. Data subjects may file a complaint at the Autoriteit Persoonsgegevens.

This privacy statement is effective from 01 Jan 2023