Privacy Statement

The protection of your privacy is extremely important. This Privacy Statement contains detailed information about how we handle your personal data.

We may modify this Privacy Statement to comply with any changes in the law and/or to reflect the way the bank processes personal data. This version was created on 26/02/2021 and will be effective 01/04/2021. The most recent version can be found on the website www.delen.lu. We will inform you of any significant changes through the usual channels..

1. We handle your personal data with due care

Delen Private Bank Luxembourg SA ("Delen Private Bank", "the Bank" or "we"), whose registered office is located at 287 Route d'Arlon, 1150 Luxembourg, is a credit institution specialised in discretionary asset management.

Cadelux SA ( « Cadelux », or «we») is a management company whose registered office is located at 287 Route d'Arlon, 1150 Luxembourg, and is a subsidiary of Delen Private Bank Luxembourg SA.

In this capacity, the Bank and Cadelux are responsible for processing personal data relating to clients, to persons linked to the accounts of clients, and to potential clients. We always handle personal data with due care.

2. Scope

This Privacy Statement applies to the following persons:

• past, present or potential clients and agents
• the representative/ beneficial owner of legal entities that have a past, present or potential relationship with the bank or Cadelux
• any past, present or potential registered investor of a fund administrated by the Bank and/or managed by its subsidiary Cadelux SA
• person involved in any transaction with the bank, whether in his/her own name or in the capacity of a legal entity (e.g. legal representative, effective beneficial owner, )

We obtain your personal data inter alia as follows:

• when you become a client of the bank or when you share data with us during our business relationship;
• when you take on another role on an account (e.g. as a proxy)
• when you accept an invitation of an event organized by the bank
• when you contact the bank or Cadelux through one of our communication channels
• on the basis of public data and data that we obtain from third parties (e.g. beneficiary registers, financial databases, databases consulted for the purpose of fighting money laundering and terrorist financing, online or via traditional media)

3. Which personal data do we process?

The term "Personal Data" refers to any data relating to you, which can identify you or which can be linked to you as a physical person.

If you are a client or potential client of the bank, the bank processes data such as:

• your identification data, such as first name and surname, date and place of birth, identity card number, address, nationality, specimen of your signature, tax number/UK registry number, IP address and the type of mobile device or computer you use for our online applications
• your contact details, such as your address, email address, telephone number, personal and professional number
• your financial data, including account numbers, transaction data, credit records and overall asset situation

• your family situation, g. marital status, family situation and relationships
• your patrimonial data, g. a marriage contract or donation documents.
• the KYC identification data - 'Know Your Customer'
• data collected within the framework of Delen Family Services
• public data and data we obtain from third parties, including data from the Central Individual Credit Register or data from external companies that we use to complete our files
• your areas of interest that you have communicated to us, such as hobbies
• data collected through the use of the bank's digital applications
• the images from our surveillance cameras: for security reasons our offices can be fully or partially placed under camera surveillance
• the recordings of telephone and video calls, as the bank may record conversations by telephone or video with its clients in order to use them in the context of disputes or for audits

Sensitive data

The term 'Sensitive Data' refers in particular to data relating to health, ethnic origin, religious or political beliefs, genetic or biometric data, or criminal data.

We might collect sensitive data in the context of our KYC obligation and in the context of our specific services (e.g. estate planning).

KYC, which stands for 'Know Your Client', refers to all the procedures by which a bank has to identify a client or potential client. As part of our duty of care to our clients, we must comply with regulations on combating money laundering, preventing terrorist financing and tax fraud.

We apply a range of measures in this regard. These include the collection of personal data necessary to prevent and detect fraudulent behaviour and behaviour that violates national and international regulations. We collect this information about the client in the course of our contractual relationship with him.

In this context, we will also check certain data we have collected against public or external databases and we must also check, identify and record any data relating to sources of information that contain judicial or criminal data about the client.

We also need to check whether the client is a Politically Exposed Person (PEP).

Third party data

In certain cases, the bank holds data on persons connected to you (e.g. when you share information or documents with us that relate to connected persons).

When you provide us with such information, we ask you to inform these persons about it and to notify them that we process the Personal Data concerned for the same purposes and under the same conditions as set out in this Privacy Statement.

Data on minors

We process data on minors when you open an account for them with the bank or when you provide data on them in the context of our business relationship, including in the context of Estate Planning or Delen Family Services.

4. Why and for how long do we process personal data?

The bank and Cadelux process your personal data in order to provide you with an adequate service.

By 'processing' we mean all manual or automated operations that are performed on the data in question, such as the collection, recording, storage, consultation, adjustment, organization, use, transfer or deletion.

More specifically, the bank and Cadelux process your data on the basis of the following legal grounds:

• in order to conclude and correctly execute our contracts

Important exam pies in this context are: managing your accounts, executing transactions, estate planning and credit monitoring.

• to fulfil our legal obligations

When we open an account for you, we are required by law to collect personal data to confirm your identity and to determine whether we can enter into a business relationship.

Other important regulations are: obligations under anti-money laundering and counter-terrorism legislation, obligations under MiFID II regulations, obligations under SRD II regulations, obligations under financial planner regulations, financial reporting obligations (e.g. to the Central Contact Point).

• to serve the legitimate interests of the bank and/or Cadelux or of the person concerned

This includes actions that (i) improve our services, (ii) relate to the preparation of internal reports, (iii) prevent, detect and monitor abuse and fraud, (iv) serve to compile statistics and perform tests, (v) are intended for direct marketing.

• with your consent for commercial

How long personal data is kept depends on the type of data. The bank and Cadelux use data when it has a purpose to do so (for example, in the context of exercising a contract or on the basis of legal obligations on the part of the bank). For the exercise of your or our rights, this can be longer than the statutory retention periods. This also allows us to offer you, as a client, the best possible service, especially in the context of our KYC obligation and tax and Estate Planning services.

5. Can data be shared with third parties?

In order to fulfil some of our obligations, we transfer certain data to third parties, both internal (within the group) and external recipients (i.e. outside the group). As part of our banking activities, the bank and Cadelux may need to transfer personal data to countries located outside the European Economic Area (EEA).

Governmental, legal and supervisory authorities

In order to comply with our legal obligations, we must disclose certain data to governmental, judicial and regulatory authorities:

• public authorities and regulatory authorities and supervisors such as the CSSF
• the tax authorities may require certain reports from us, g. in the context of FATCA/CRS
• the judicial/ investigative services (police, prosecutor, courts and arbitration/ mediation authorities) upon legal request
• the notaries, g. within the framework of a notarial deed or when processing inheritance files

Delen Group entities

We host your data in centralized storage systems within the parent company Delen Private Bank N.V. (Belgium) for harmonization, efficiency and security ( for example the cloud environment), apps and all internal data. We would like to point out that in order to preserve the confidentiality of this data, it is strictly separated from other information processed by our parent company.

The IT helpdesk support of our parent company Delen Private Bank N.V. is also available to all of our clients for first line support regarding the Delen app and Delen online.

Financial institutions

When you make a transfer to an account at another bank, the transaction always involves an institution other than the bank or a specialized financial company. For the settlement of securities and payment transactions, both nationally and internationally, we as the principal are required to provide the other bank with data relating to you, such as your name, your address and the account number in our books.

In the context of money transfers or transactions in financial instruments, the data required to carry out the transactions is processed by third parties involved in the transaction (e.g. correspondent banks, stock exchanges, financial messaging service providers, etc.), which may be located outside the EEA.

Other Service Providers and third parties

Within the framework of our services, the bank and Cadelux can - with your (tacit) approval - also share information with third parties indicated by you or with third parties proposed to you by the bank and Cadelux, such as notaries, external lawyers, lawyers, accountants or auditors.

Furthermore, in the event that certain tasks are outsourced, the bank and Cadelux may pass on data to carefully selected third parties who process certain data on the bank's/Cadelux's instructions. For this purpose, the bank and Cadelux use third party processors who, in the opinion of the bank or Cadelux, offer adequate guarantees for the protection of this data. These third parties undertake to preserve the confidentiality of the data.

The following are non-exhaustive examples of activities in which the bank and Cadelux may share certain data with external service providers:

• when managing correspondence with our clients (e.g. when communicating by post)
• when organizing direct marketing campaigns
• when organizing events
• in the context of external archive management
• within the framework of managing disputes (e.g. engaging a law firm)

6. Your rights and excercising them

You also have a number of rights concerning the personal data that the bank processes. You will find an overview below:

• you can view your data

You can inspect the personal data that we process for you and/or request a copy.

• you can have your data corrected

In so far as the personal data that we maintain are incorrect or incomplete, you have the right to request that these data are corrected. If we have passed them on to a third party, we will inform this party of your request for correction.

• you can object to a certain use of your data

You have the right to object to a certain use of your personal data. We will comply with this request unless the processing is necessary for legal purposes or to fulfil our contractual obligations.

For example, you can object to commercial messages being sent. When you become a client with the bank, we may ask you if you want to receive invitations to our events. If you change your mind at a later date, you can stop the sending of these, in particular by contacting your relationship manager.

When we process personal data on the basis of your consent in the case of active canvassing, you always have the option of withdrawing your consent.

• you can ask for your data to be transferred to a third party

You have the right to request the personal data you have provided us with to be transferred to a third party. If it is technically possible, we will ensure the transfer of your personal data.

• you can have your data deleted

If you suspectthat we are unlawfully processing certain data, you can requestthat we delete it. We will comply with this request unless the processing is necessary for legal purposes or to fulfil our contractual obligations.

Exercising your rights

You can exercise your rights by sending a letterto Delen Private Bank S.A., Route d'Arlon 287, 1150 Luxembourg or to Cadelux, Route d'Arlon 287, 1150 Luxembourg, for the attention of the 'Data Protection Officer' or by sending an e-mail to privacy@delen.lu or privacy@cadelux.lu.

In order to ensure the confidentiality and protection of your data, we can ask you for a copy of your proof of identity or additiona 1 information to verify your identity.

Any request for the exercise of a right that you make to the bank or to Cadelux will be dealt with and answered within the statutory time limit.

In some cases, we may refuse to comply with your request, or we may charge you a fee for processing your request, if it is deemed to be improper, repetitive, or if it results in excessive costs.

Should the Data Protection Officer decide that no action can be taken on a request, he or she will inform you no later than one month after receiving the request. In this case, the reason of the action will be provided to you.

Your right to lodge a complaint

If you do not agree with the bank's position or Cadelux's position, you have the right to lodge a complaint. You can send this to the Data Protection Officer of Delen Private Bank S.A. via privacy@delen.lu or to Cadelux via privacy@cadelux.lu. You are also free to contact the Luxembourgian Data Protection Authority via the details given below, or the data protection authority of your own country:

• by postal mail: to the attention of Commission Nationale pour la Protection des Donnees (CNPD), Klachtendienst, Boulevard du Jazz 15, L-4370 Belvaux
• via the website: https://cn pu blic.lu/fr/particu liers/faire-valoir/formulaire-plainte.htm1

7. How do we protect your personal data and what can you do to help us?

We take appropriate technical and organisational measures (policies and procedures, IT security, etc.) to ensure the confidentiality and integrity of your personal data and processing. To ensure the security of your personal data, we apply a number of internally developed policies and standards to all our activities. These are regularly updated to take into account the latest regulations and developments in this area.

For example, bank and Cadelux employees are subject to confidentiality obligations and must not disclose your personal data in an unlawfuI manner or when it is not necessary for the perform anee of their duties. To help us protect your personal data permanently, you should always contact the bank and/or Cadelux if you suspect that your personal data has been misused.

We use all our human, technicaI and IT resources to protect your data. You can equally contribute to the protection of your data as follows:

• install anti-virus software, anti-spyware software, a firewall and keep this software up-to-date
• do not leave your equipment and mobile devices unattended
• report the loss of your digipass to the bank immediately to block its use
• log out of online banking tools when you are not using them
• keep your passwords strictly confidential and use strong passwords (avoid combinations of letters and numbers that are easy to guess)
• stay alert on the internet and learn to recognise suspicious activities, such as website address changes or phishing emails asking for personal information