Protection of Personal Data

Lion Capital S.A. (the new corporate name starting March 24, 2023, of Societatea de Investiții Financiare Banat-Crișana) safeguards the confidentiality of the information brought to its knowledge. Under this obligation, Lion Capital undertakes to protect and make appropriate use of the personal data made available by the data subjects or a third party.
Lion Capital lawfully processes the personal data (“Personal Data” or “Data”) to which it has access (e.g. on the basis of a consent of the natural person, a contract, legal obligations, legitimate interests of the Company) , in order to ensure the access to the Company’s website and the submission of Company’s replies to the requests of the visitors of the Company’s website, in compliance with the provisions of Regulation (EU) no. (EEC) no. 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “Regulation no. 2016/679”.
The company will ensure compliance with all the principles laid down in Regulation no. 2016/679 on the processing of Personal Data to which it has access.
The processing of Personal Data is performed by automated and manual means, in compliance with the legal requirements and under conditions that ensure the security, confidentiality and respect of the rights of the data subjects.

In this document:
“Data subject” or “User” means any natural person identified or identifiable as a result of the processing of personal data by Lion Capital as a result of accessing, reading and using the website.

“Website” means the Internet address of the Company, respectively www.lion-capital.ro.

By its website, Lion Capital may collect personal data either as a regulated / authorized / supervised entity by ASF, or as an issuer of securities listed on the regulated market, either as a contractual partner or in other particular cases, which may occur exceptionally in Company’s activity.

Unless the processing of personal data is performed for the fulfilment of a legal obligation, for the conclusion or performance of a contract, for the protection of a legitimate interest, public interest or vital interest, the Company requires the express consent of the data subject, which must be explicit. This acceptance must be given expression in a statement or an unequivocal action. An inaction or the silence cannot be a considered an agreement.

The Company will process various data from Users depending on the activity of the Users on the website, respectively the Data processed as a result of a simple visit on the website will be different from the Data processed as a result of using the Contact Form.

4.1 Visiting the website
The user may visit the website without disclosing any information about his or her Personal Data. However, some Personal Data may be automatically transmitted to the Company by the User’s browser. These Data refer to:
a) Internet Protocol (IP) address;
b) the type of browser used, its version and the language used;
c) the access times of the website and the reference addresses of the websites from where the User visits the website;
d) the type of device used and the operating system;
e) the date and time of accessing the website,
but these Data cannot be attributed to any person, i.e. they cannot determine the person’s identity.

4.2 Using the Contact Form
To complete the Contact Form by the users in order to contact the Company, they must disclose the following information about themselves:
a) name, surname;
b) e-mail address;
c) telephone number;
d) the matters for which they contact the Company.
The failure to provide the above data determines Company’s failure to respond to the User’s requests.

In addition, the Company will collect and store all the correspondence sent by Users as a result of using the Contact Form.

The processing of personal data of website Users is grounded on the users’ expressly given consent, the fulfillment of legal or regulatory requirements, and the pursuit of the legitimate interests of the Company.

Personal data are collected for the purpose of managing the relationship with website Users. It is possible that, if a website User does not provide the requested Personal Data, the Company may not provide an adequate response to the issues identified by the website User.

User Data will be used by the Company as follows:
• to ensure access to the website;
• to provide the requested information and to respond to the correspondence received from Users as a result of their use of the Contact Form;
• to contact the Users when needed.

Also, Personal Data processed by Lion Capital may be disclosed to the following recipients:
– central and local public authorities;
– the courts, the public ministry, the police, the bailiffs, etc. if these Data are required to conduct judicial trials or inquiries;
– Depozitarul Central SA, the Financial Supervisory Authority, the National Agency for Fiscal Administration;
– the contractual partners the company has concluded contracts with for the payment of dividends (banking companies – payment agents) or for the performance of other services in the interest of the shareholders.

Data may be transferred to other European Union countries without the prior consent and prior notification of the Data subjects concerned. If the Company intends to transfer the Data to countries outside the European Union, the Data subject will be previously informed.

Personal data will be retained for the length of time required to meet the purposes for which the data were collected, depending on the legal basis on which these data were obtained and / or for what period the applicable legal provisions dictate the Company to retain such data.

With respect to Personal Data processed by the Company, the data subjects mainly have the following rights:
• the right of access to personal data;
• the right of rectification of personal data;
• the right to erase the personal data that exceeds the required data to be provided for the purposes mentioned above;
• the right to restriction of the processing of Personal Data;
• the right to portability of personal data;
• the right to object to the processing of Personal Data that exceeds the mandatory data to be provided for the purposes mentioned above;
• the right to address to the competent authorities if they consider that the processing of Personal Data violates the legal provisions, respectively the National Supervisory Authority for Personal Data Processing in Romania.

9.1 Right of access to data
The data subject has the right to obtain from the Company a confirmation that his or her data is processed or not, as well as access to those Data in the case of Processing.
The Company will provide the data subject the following information upon request:
a) if the Data are not processed – a notice specifying that the Company does not process his/her Data;
b) if the Data are processed – a copy of such Data.
The copy of the Data will be transmitted by the Company without a fee from the Company, unless the data subject requests other copies, in which case the Company may charge a reasonable fee based on the administrative costs incurred with this request.
The Company’s response will be submitted electronically if (i) the data subject submits the application in electronic form or (ii) the data subject does not request another format.

9.2 Right to Rectification of Data, including their completion by means of a supplementary statement
The data subject shall have the right to obtain from the Company, at request and free of charge, as the case may be, the rectification, update, blocking or erasure of whose processing is not compliant to the provisions of Regulation no. 679/2016, especially the incomplete or inaccurate personal data, their pseudonymization, and the Company to notify the third parties to third parties to whom it have been disclosed the data of any operation performed as above.

9.3 Right to erasure (“right to be forgotten”)
The data subject shall have the right to obtain from the Company the erasure of personal data where one of the following grounds applies:
• Personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• The data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
• The data subject objects to the processing and there are no overriding legitimate grounds for the processing or the data subject objects the processing for direct marketing purposes;
• The personal data have been unlawfully processed;
• the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Company is subject;
• the personal data have been collected in relation to the offer of information society services directly to a child.
Where the Data have been made public, and the Data subject requests their erasure, the Company is obliged to erase the personal data, taking account of available technology and the cost of implementation.
The Company is not obliged to erase the Data, to the extent that processing is necessary:
• for exercising the right of freedom of expression and information;
• for compliance with a legal obligation which requires processing by Union or Member State law to which the Company is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company;
• for reasons of public interest in the area of public health;
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right of freedom of expression and information is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
• for the establishment, exercise or defense of legal claims.

The Company is obliged to communicate to any person to whom personal data has been disclosed any rectification or erasure of personal data or restriction of data processing, unless this proves impossible or involves disproportionate efforts. The Company informs the Data subject about the recipients, if so requested.

9.4 Right to restriction of processing
The data subject shall have the right to obtain from the Company restriction of processing where one of the following applies:
• the accuracy of the personal data is contested by the data subject, for a period enabling the Company to verify the accuracy of the personal data;
• the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
• the Company no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
• the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed by the Company (i) with the data subject’s consent or (ii) for the establishment, exercise or defense of legal claims or (iii) for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Before the restriction of processing is lifted, a data subject who has obtained restriction of processing shall be informed by the Company.

9.5 Right to data portability
Based on the written request of the Data subjects, the Company will transmit their Data to them in a structured format, currently used and machine-readable, the data subjects having the right to:
• transmit those data to another controller where:
(i) the processing is based on consent and
(ii) the processing is carried out by automated means.
• have the personal data transmitted directly from the Company to another controller, where technically feasible.

9.6 Right to object to data processing
At any given time, the data subject shall have the right to object, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her. In such cases, the Company shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

Where the data subject objects to processing the personal data, those shall no longer be processed for such purposes.

9.7. Right to address to the National Supervisory Authority for Personal Data Processing
The data subject has the right to appeal to the competent authorities if he/she considers that the processing of personal data violates the legal provisions, respectively the National Supervisory Authority for Personal Data Processing in Romania, as well as the competent courts.

The data subject has the following obligations:
• to provide true, accurate, and complete Data about himself/herself, to meet the purposes for which the Company processes those Data. If the Data of the data subjects are not true, accurate and complete, the data subjects have the obligation to notify the Company as soon as possible in order to remedy this situation.
• to maintain and update the Data to be true, accurate, and complete when the situation so requires.

Lion Capital has implemented reasonable technical and organizational measures meant to ensure the security of personal data in case of accidental loss and unauthorized access, use, modification or disclosure.
Our Privacy Program is based on an information security standard and follows a risk-based approach that includes people, processes and technologies.
Concerning the processing of personal data, the Company undertakes to:
• process personal data according to the specific legislation in force;
• process personal data only by secure means;
• confirm to the data subjects the processing or not of personal data following a dated and signed application submitted in writing to the Company;
• rectify, update, block, erase or pseudonymization free of charge, the personal data whose processing does not comply with legal provisions;
• cease, free of charge, the processing of personal data that are not lawfully processed;
• take all necessary security measures to protect personal data against unauthorized access to such data;
• facilitate the exercise of the data subject’s rights with respect to personal data;
• notify the competent authorities in cases of breaches of personal data security;
• Inform the data subjects of the breach of personal data security if the violation is likely to generate a high risk for their rights.
Lion Capital will periodically update the Personal data protection policy according to subsequent legislative changes. We invite you to periodically review this section to make sure you are aware of our security policies.

If a data subject wishes to exercise the above rights or wishes to ask questions / complaints about the Company’s privacy and personal data processing policies, he/she is requested to address the Company in writing by means of a dated and signed application sent to:
Postal address: Lion Capital, 35A Calea Victoriei, postal code 310158, Arad, Arad county, Romania;
Email address: gdpr@lion-capital.ro

Any changes to Personal Data in the Shareholders’ Registry (concerning identification data, address, share transfers and the like) are made only by Depozitarul Central S.A. (with the registered office in Bucharest, 34-36 Carol I Boulevard, 3rd floor) in accordance with the legal provisions and procedures of Depozitarul Central S.A.