04/2018 Deutsche Bank Luxembourg S.A. Privacy Notice 1/3
April 2018
The following information provides an overview of how we process your personal
data and your rights under data protection law. Which specific data are
processed and how they are used depends largely on the services requested or
agreed in each case.
Please also forward this information to the current and future authorized
representatives and beneficial owners as well as any co-obligors under a loan.
These include, e. g., beneficiaries in the event of death, commercial attorneys-
in-fact or guarantors.
1. Who is responsible for the data processing and who can I contact in this
regard?
Controller:
Deutsche Bank Luxembourg S.A.
2 Boulevard Konrad Adenauer, 1115 Luxemburg
Tel.: (+352) 4 21 221
Fax: (+352) 4 21 224 49
E-Mail: WMLux@db.com
Our internal data protection officer may be contacted at
Deutsche Bank Luxembourg S.A.
Data Protection Officer
2 Boulevard Konrad Adenauer, 1115 Luxemburg
Tel.: (+352) 4 21 221
E-Mail: GDPR.lu@db.com
2. What sources and data do we use?
We process personal data which we receive from our clients in the context of
our business relationship. To the extent necessary in order to provide our
services, we also process personal data which we lawfully (e. g., for executing
orders, performing contracts or on the basis of your consent) receive from other
entities within the Deutsche Bank Group or other third parties (e. g., third party
financial institutions). We also process personal data from publicly available
sources (e. g., debtor directories, land registers, commercial registers and
registers of associations, press, media, Internet) which we lawfully obtain and
are permitted to process.
Relevant personal data collected in dealing with prospective clients, master data
set-up, in the context of authorization (account authorization and / or credit card
holder) or as a co-obligor under a loan (e. g., guarantor) may be:
Name, address / other contact information (telephone, e-mail address), date /
place of birth, gender, nationality, marital status, legal capacity, occupational
group code / partner type (employed / self-employed), residential status (rental
/ ownership), identification data (e. g., identification document data),
authentication data (e. g., specimen signature), tax-ID, FATCA status, EU basic
payment account identification.
When products / services from the product categories listed below are
purchased and used, additional personal data may be collected, processed and
stored in addition to the aforementioned data. These primarily include:
Account and payment transactions (incl. online banking)
Order data (e. g., payment orders), data related to the performance of our
contractual obligations (e. g., payment transaction data).
Deposits
Data stemming from the performance of our contractual obligations (e. g.,
transactions), tax information (e. g., information on the obligation to pay church
tax), information on any third-party beneficiaries, direct debit data,
documentation data (e. g., consultation records).
Securities business
Information on knowledge of and / or experience with securities (MiFID status),
investment behavior / strategy (scope, frequency, risk appetite), occupation,
financial situation (assets, liabilities, income from (self-)employment / trade,
expenses), foreseeable changes in financial circumstances (e. g., age of
retirement), specific objectives / major concerns in the future (e. g., planned
acquisitions, redemption of liabilities), tax information (e. g., information on the
obligation to pay church tax), documentation data (e. g., suitability statement).
Life insurance
Policy number, product data (e. g., rate, benefit, premium), documentation data
(e. g., consultation records). Where the premiums are invested in securities, the
personal data listed under no. 2.3 Securities business will be used.
Structured financing (consumers and self-employed persons)
Credit records (salary statements, cash flow accounts and balance sheets, tax
documentation, information / proof of assets and liabilities, guarantees
assumed, third-party account statements, expenses), employer, nature and
term of the employment relationship, nature and term of self-employment,
number of dependent children, marital property, residence / work permit in the
case of non-EU nationals, scoring / rating data, information / proof of intended
purpose, own and external collateral:
property documentation (e. g., land register extracts, property appraisals),
documentation data (e. g., consultation records).
In the case of personal guarantees by third parties (external collateral), the bank
may impose comparable requirements on the respective guarantors to disclose
the economic and financial circumstances.
Interest rate, currency and liquidity management
Information on knowledge of and / or experience with interest rate / currency
products / financial investment (MiFID status), investment behavior / strategy
(scope, frequency, risk appetite), occupation, financial situation (assets,
liabilities, income from (self-)employment / trade, expenses), foreseeable
changes in financial circumstances (e. g., age of retirement), specific objectives
/ major concerns in the future (e. g., planned acquisitions, redemption of
liabilities), tax information (e. g., information on the obligation to pay church tax),
documentation data (e. g., consultation records).
Client contact information
In the business origination and development phase and over the course of the
business relationship, particularly as a result of personal, telephone or written
contact initiated by you or the bank, additional personal data is created, e. g.,
information about the contact channel, date, occasion and result, (electronic)
copies of correspondence and information on participation in direct marketing
activities.
Digital services
With respect to data processed when using digital service products, please refer
to further information on data protection in connection with the respective digital
service (for instance, processing transaction data from integrated third-party
bank accounts in the context of multi-bank aggregation).
3. Why do we process your data (purpose of the processing) and on what legal
basis?
We process the aforementioned personal data in compliance with the
provisions of the EU General Data Protection Regulation (GDPR) and the
applicable Luxembourgish Data Protection Act:
a. for the performance of contractual obligations (article 6 (1) b) GDPR)
The processing of personal data is carried out in order to perform banking
transactions and financial services pursuant to contracts with our clients or to
take steps at your request prior to entering into a contract.
The purposes of the data processing are primarily dependent on the specific
product (see no. 2) and may include, among other things, requirements analyses,
advice, asset management and transactional services. For further details on the
purpose of the data processing, please refer to the respective contractual
documentation and terms and conditions.
Data protection information under the EU General Data Protection
Regulation for “natural persons”
b. for the purposes of safeguarding legitimate interests (article 6 (1) f)
GDPR)
Where necessary, we process your data above and beyond the actual
performance of our contractual obligations in order to safeguard the legitimate
interests pursued by us or by a third party. Examples:
Evaluating and optimizing procedures for demand analysis and for
approaching clients directly; incl. client segmentation and calculating the
likelihood of closure.
Advertising or market and opinion research, to the extent that you have not
objected to having your data used
Asserting legal claims and mounting a defense in the event of litigation
Ensuring the bank’s IT security and IT operations
Preventing crime
Video surveillance to safeguard against trespassers, to gather evidence in
the event of robbery or fraud or to document disposals and deposits, e. g., at
ATMs
Measures for building and systems security (e. g., admittance control)
Measures to ensure against trespassing
Measures to manage business and further develop services and products
Group risk management
c. on the basis of your consent (article 6 (1) a) GDPR)
Insofar as you have granted us consent to the processing of personal data for
specific purposes (e. g., transfer of data within the association / Group), the
lawfulness of such processing is based on your consent. Any consent granted
may be revoked at any time. This also applies to the revocation of declarations of
consent that are granted to us prior to the entry into force of the EU General
Data Protection Regulation, i. e., prior to 25 May 2018. Please be advised that the
revocation shall only have effect for the future. Any processing that was carried
out prior to the revocation shall not be affected thereby. You can request a status
overview of the consents you have granted from us at any time.
d. for compliance with a legal obligation (article 6 (1) c) GDPR) or in the
public interest (article 6 (1) e) GDPR)
As a bank, we are also subject to various legal obligations, i. e., statutory
requirements (e. g., the Law of 17 June 1992 relating to the accounts of credit
institutions, the EU Directive 2015/849 on the prevention of the use of the
financial system for the purposes of money laundering or terrorist financing, the
Law of 5 April 1993 on the financial sector, tax laws) as well as banking
supervisory requirements (e.g. Deutsche Bundesbank, Bafin, the European
Central Bank, the European Banking Supervisory Authority, the Luxembourgish
Central Bank and the Luxembourgish Financial Supervisory Authority
(Commission de surveillance du secteur financier – CSSF)). Other purposes of
processing include credit checks, identity and age verification, anti-fraud and
anti-money laundering measures, the satisfaction of tax law control and
reporting obligations as well as the assessment and management of risks in the
bank and the Group.
4. Who receives my data?
Within the bank, those offices are given access to your data which require them
in order to perform our contractual and statutory obligations. Service providers
and vicarious agents employed by us may also receive data for these purposes
if they observe banking secrecy and our written instructions under data
protection law. These are mainly companies from the categories listed below.
With regard to the transfer of data to recipients outside the bank, it must first of
all be noted that as a bank we are under a duty to maintain secrecy about any
customer-related facts and evaluations of which we may have knowledge
(Banking secrecy under no. 2 of our General Business Conditions). We may only
disclose information about you if we are legally required to do so, if you have
given your consent, if we are authorized to provide bank information and / or if
processors commissioned by us guarantee compliance with banking secrecy
and the provisions of the GDPR.
Under these conditions, recipients of personal data may be, for example:
Public authorities and institutions (e.g., Deutsche Bundesbank, Bafin,
CSSF, the European Banking Authority, the European Central Bank, tax
offices) insofar as a statutory or official obligation exists.
Other credit and financial services institutions, comparable institutions and
processors to whom we transfer personal data in order to perform the
business relationship with you:
Specifically: processing of bank references,
support / maintenance of EDP/ IT applications, archiving, document
processing, call centre services, compliance services, controlling, data
screening for anti-money laundering purposes, data destruction, purchasing
/ procurement, space management, real estate appraisals, loan processing
service, collateral management, collection, payment card processing (debit
card / credit cards), customer management, lettershops, marketing, media
technology, reporting, research, risk controlling, expense accounting,
telephony, video identification, website management, investment services,
share register, fund management, auditing services, payment transactions.
Other recipients of data may be those offices to which you have given your
consent to the transfer of data or with respect to which you have exempted us
from banking secrecy by agreement or consent.
5. Is data transferred to a third country or to an international organisation?
Data will only be transferred to countries outside the EU or the EEA (so-called
third countries) if this is required for the execution of your orders (e. g. payment
and securities orders), prescribed by law (e. g., reporting obligations under tax
law), if you have given us your consent or in the context of commissioned data
processing. If service providers in a third country are used, they are obligated to
comply with the data protection level in Europe in addition to written instructions
by agreement of the EU standard contractual clauses.
6. How long will my data be stored?
We process and store your personal data as long as it is necessary for the
performance of our contractual and statutory obligations. In this regard, it should
be noted that our business relationship is a continuing obligation designed to
last for several years.
If the data are no longer required for the performance of our contractual and
statutory obligations, they are regularly deleted, unless their further processing
(for a limited time) is necessary for the following purposes:
Compliance with records retention periods under commercial and tax law,
such as the Luxembourgish Commercial Code (Le Code de commerce); the
Law of 17 June 1992 relating to the accounts of credit institutions; the EU
Directive 2015/849 on the prevention of the use of the financial system for
the purposes of money laundering or terrorist financing; and the Law of 5 April 1993
on the financial sector. The records retention periods prescribed therein
range from 5 to 10 years.
Preservation of evidence within the scope of statutes of limitations. Under
art. 2262 of the Luxembourgish Civil Code (Code civil), these limitation
periods may be up to 30 years.
7. What data protection rights do I have?
Every data subject has a right of access (article 15 GDPR), a right to rectification
(article 16 GDPR), a right to erasure (article 17 GDPR), a right to restriction of
processing (article 18 GDPR), a right to object (article 21 GDPR) and a right to
data portability (article 20 GDPR). The right of access is subject to restrictions
(article 29 of the modified law of 2002 in conjunction with article 23 GDPR). Data
subjects also have a right to lodge a complaint with a supervisory authority
(article 77 GDPR).
You may revoke your consent to the processing of personal data at any time.
This also applies to the revocation of declarations of consent that are granted
prior to the entry into force of the EU General Data Protection Regulation, i. e.,
prior to 25 May 2018. Please be advised that the revocation will only take effect
in the future. Any processing that was carried out prior to the revocation shall
not be affected thereby.
Our cooperation partner, Banque de Luxembourg, is responsible for creating
your credit cards. Please contact the Data Protection Officer of the
aforementioned organization directly regarding your data protection rights.
8. Am I under any obligation to provide data?
Within the scope of our business relationship, you must provide personal data
which is necessary for the initiation and execution of a business relationship and
the performance of the associated contractual obligations or which we are
legally obligated to collect. As a rule, we would not be able to enter into any
contract or execute the order without these data or we may no longer be able to
carry out an existing contract and would have to terminate it.
In particular, provisions of money laundering law require that we verify your
identity before entering into the business relationship, for example, by means of
your identity card and that we record your name, place of birth, date of birth,
nationality and your residential address. In order for us to be able to comply with
this statutory obligation, you must provide us with the necessary information and
documents in accordance with the EU Directive 2015/849 on the prevention of
the use of the financial system for the purposes of money laundering or terrorist financing
and notify us without undue delay of any changes that may arise during the
course of the business relationship. If you do not provide us with the necessary
information and documents, we will not be allowed to enter into or continue your
requested business relationship.
9. To what extent is automated decision-making (including profiling) carried out?
As a rule, we do not make decisions based solely on automated processing as
defined in article 22 GDPR to establish and implement the business relationship.
If we use these procedures in individual cases, we will inform you of this
separately, provided that this is prescribed by law.
10. Is “profiling” used?
In some cases, we process your data automatically with the aim of evaluating
certain personal aspects (profiling). For instance, we use profiling in the
following cases:
We are required by law to take anti-money laundering and anti-fraud
measures. Data evaluations are also carried out (in payment transactions,
among other things) in this context. These measures also serve to protect
you.
In order to provide you with targeted information and advice on products,
we use evaluation tools. These enable demand-oriented communication
and advertising, including market and opinion research.
We use scoring to assess your creditworthiness. We calculate the likelihood
that a given client will meet their contractual payment obligations. The
calculation may include, for example, income levels, expenses, existing
liabilities, occupation, length of employment, experiences from the previous
business relationship, repayment of prior loans in accordance with the
contract, and information from credit agencies. Scoring is based on a
mathematically and statistically recognized and proven procedure. The
calculated score values assist us in our decision-making and are
incorporated into ongoing risk management.
Information on your right to object under article 21 of the EU General
Data Protection Regulation (GDPR)
1. Ad hoc right to object
You have the right to object, on grounds relating to your particular situation,
at any time to processing of personal data concerning you which is based
on article 6 (1) e) GDPR (processing in the public interest) and article 6 (1)
f) GDPR (processing for the purposes of safeguarding legitimate interests);
this includes any profiling based on those provisions within the meaning of
article 4 (4) GDPR.
If you lodge an objection, we will no longer process your personal data
unless we can demonstrate compelling legitimate grounds for the
processing which override your interests, rights and freedoms or unless the
processing is for the establishment, exercise or defense of legal claims.
2. Right to object to the processing of data for marketing purposes
In certain cases, we process your personal data for direct marketing
purposes. You have the right to object at any time to processing of personal
data concerning yourself for such marketing, which includes profiling to the
extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, we will no longer
process your personal data for such purposes.
There are no formal requirements for lodging an objection; where possible
it should be made by telephone to: +352 421 221.