We, Bank of China (Central and Eastern Europe) Limited Vienna Branch (the "Bank", "us" or "we"), strive to ensure customer data privacy is protected.

We process the personal data provided by our customers in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Data Protection Act 2000, as amended (DSG). We have implemented appropriate technical and organizational measures to ensure that no unauthorized access to (or unlawful processing of) the personal data provided to us is made possible. The technical and organizational measures include, in particular, an access authorization concept, a data backup concept, and physical and digital protection measures for our information technology (IT) infrastructure. The security measures are continuously revised and audited in accordance with technological developments. Our employees are bound by contract and/or professional secrecy (pursuant to section 38 of the Austrian Banking Act [Bankwesengesetz - BWG]) to maintain confidentiality and data secrecy in accordance with section 6 DSG.

The processing of personal data is carried out exclusively on the basis of the justification principle outlined in article 6 paragraph 1 GDPR, primarily for the purpose of providing the contractually guaranteed services (article 6 paragraph 1 letter b GDPR) as well as for the purpose of fulfilling various legal obligations (article 6 paragraph 1 letter c GDPR), and in individual cases on the basis of our legitimate interests (article 6 paragraph 1 letter f GDPR), e.g. data sharing with credit agencies. The data are also processed on the basis of individual storage and documentation obligations, which arise in particular from the Austrian Commercial Code (Unternehmensgesetzbuch - UGB), the BWG, the Financial Markets Anti-Money Laundering Act (Finanzmarkt-Geldw?schegesetz - FM-GwG) and other statutory regulations in Austria. Within the Bank, only authorized employees have access to the personal data on a need-to-know basis. We process and store the personal data provided to us only as long as it is necessary for the fulfilment of the aforementioned purposes or if we have other legitimate interests like statutory storage requirements. Personal data will be deleted after the purpose for which it was collected has been achieved and if we have no further legitimate interests. In practice this means, that we process and store your personal data, as far as necessary, for the entire duration of the business relationship (beginning with negotiation and signing of a contract, during execution of the contract and ending with its termination) as well as in accordance with the mandatory storage and documentation obligations as required by the applicable Hungarian and Austrian laws, in particular pursuant to the following legal provisions: the Austrian Companies Code (Unternehmensgesetzbuch, UGB), the Austrian Banking Act (Bankwesengesetz BWG), the Austrian AML Act (Finanzmarkt-Geldw?schegesetz, FM-GwG), all relevant and applicable tax and accounting laws. Moreover, the data storage is also subject to the statutory limitation periods, e.g. under the Austrian General Civil Code (Allgemeines Bürgerliches Gesetzbuch, ABGB) and may - in certain cases - last up to 30 years. Generally, the most relevant limitation periods according to the several laws are ranging usually between 3 and 10 years.

As far as it is necessary to fulfil the contract or justified within the scope of our legitimate interests, we may forward personal data to other companies within the Bank of China Group, in particular to Bank of China (Central and Eastern Europe) Limited, Budapest, Hungary (parent bank) and to the head office of Bank of China Limited, seated in Fuxingmen Nei Dajie, Beijing, China. Furthermore, personal data may also be transferred to processors (service providers) used by us but only if they comply with the written data protection requirements specified by us and if they are bound to secrecy. For this purpose, a contract is signed with the service provider. While China is considered a "third country" that does not ensure an adequate level of data protection within the meaning of article 45 GDPR, the head office of Bank of China guarantees to strictly uphold the data protection requirements of the European Union (in accordance with article 46 GDPR). This guarantee ("Standard Contractual Clauses") is provided to any affected customer on the homepage of our Bank under the following link: http://pic.bankofchina.com/bocappd/austria/201805/P020180528641968808213.pdf

Typically, we process the following data:

• General customer data (including the data of any representatives, authorized signatories, beneficial owners, netbank users, contact persons), e.g. name, address, date of birth, telephone number, e-mail address, ID document etc.;
• Product data, e.g. types of products, transactions, usage of net banking, etc.;
• Data required to assess a customer's creditworthiness;
• Data required to fulfill legal and regulatory obligations;
• In addition, other types of data may be processed depending on the products chosen by the customer.
• Most data collected and processed by us will result out of information provided by the customer himself, respectively by the related data subject itself or it is created by us in the course of the fulfillment of a contract. In addition, we may use the following sources for further information:
• Credit agencies, e.g. KSV1870 Holding AG, CRIF GmbH, etc.;
• Public registers, e.g. companies register; land register, insolvency database, etc.;
• Media and publicly available sources

The provision of personal data is strictly voluntary. However, if a customer does not provide us with the required personal data then we may not be able to provide our services to such customer, e.g. without receiving the information to perform mandatory checks to combat money laundering and the financing of terrorism, we are not allowed to provide any banking services to a customer.

We do not use fully automated decision-making technologies within the meaning of Article 22 GDPR in order to establish and/or to conduct a business relationship.

While using our website (the "Site"), we collect the personal information of our Site's visitors (the "Users") in an effort to provide them with the greatest degree of personalized experience. With a better knowledge of our Users, we can provide information and services more tailored to our Users specific needs. However, under no circumstances will advertisers be able to obtain the personal data of our Users, unless the release of such data is expressly authorized by the respective User. We will not use the personal information or browsing information of Users, nor will we share it with others.

Our system will automatically collect the information of Users browsing the Site to use the services, but it will not record the internet protocol (IP) addresses of Users. We will not share the User's information with third parties, but our system will summarize the browsing information of Users to know how Users as a whole are using our services so that such services can be improved. We will also share browsing information of Users with related companies within the Bank of China Group. We do not track the User's internet browsing information. Once a User leaves our Site, his/her browsing information will no longer be collected.

Insofar as we are controller of personal data within the meaning of the GDPR, a customer has the following rights towards us, as long as these rights do not violate legal regulations or secrecy obligations towards third parties:

• right to be informed, whether, and if so which, personal data are processed as well as to receive a copy of such data (please see article 15 GDPR);
• right to have your personal data corrected (please see article 16 GDPR);
• right to have your personal data erased (please see article 17 GDPR);
• right to object to the processing of personal data (under certain conditions, please see article 18 GDPR);
• right to data portability (please see article 20 GDPR);
• right to withdraw the consent given at any time (without affecting the legality of the processing until the consent is revoked);
• right to lodge a complaint with a supervisory authority (e.g. Austrian Data Protection Authority); and
• right to get information about the identity of third parties to whom the personal data are transmitted.

Contact of the Data Protection Officer:

For any questions about our Privacy Policy, please feel free to contact us at any time using the contact details given in our General Information and Contact page. We will get back to you as soon as possible.