Present document is to provide information on types of personal data obtained by the JSC Pasha Bank Georgia (I/N 404433671, hereinafter – the “Bank”) from you and the underlaying purposes. Also, the document will introduce the scope of personal data processing, your rights regarding the processing of personal data, terms of confidentiality of information received by the Bank and information security standards, established by the Bank.

Terms envisaged by the present document apply to any information, which is collected by the Bank from you, including but not limited to, by using present web-page and remote services.

When using web-page and/or sharing your personal information (personal data) in any form you automatically agree to the terms set forth in the present document.

Types of personal data obtained by the bank For the purposes to establish business relations with you, when using present web-page and/or Bank’s remote services, the Bank may obtain and process your personal information (name, family name, personal number, contact information etc.) as well as special category data.

1.1 Information obtained when using Bank’s web page

While visiting bank’s web-page, the system automatically records details regarding your visit, including you IP address, information on web-page from which you visited Bank’s web-page itself, types of used devices and browsers, also information on your visit duration and etc.

In addition, Bank collects all yuor personal data (name, family name, personal number, contact information and etc.) which you provide for receiving services and/or subscribing for news – by filling the registration forms posted at the web-page.

While using the web-page, your information is collected using technologies such as ready records (cookies) or tags. Cookies and tags help the Bank to manage and improve web-page efficiency.

Prior to using web page, make sure that in your device you have activated coockies in a way that you have not selected that type of ready records, which you do not want to allow the Bank to use. At any time, you can also reject using up mentioned technologies, however, you may not be able to use the web-page fully and promptly at its best.

1.2 Remote Identification (Distance On-Boarding) and processing of special categories of data (Biometrics)

For the purposes of receiving distance services, consistent with the effective legislation, you have to undergo proper identification and verification procedures, under which, by using special technological solution the bank obtains and processes your personal data, among them special categories of data – your biometrics (photo, so called Selfie).

For your identification/verification the bank uses technical solution developed by JSC Identity and Trust Solutions (ID 405365215) and/or “Raizomat LLC (ID 402102005) which:

From your identification document reads your personal information for the purposes to compare it with the data stored at LEPL Services Development Agency, and Compares your “selfie” to the photo on your ID. If you successfully pass the identification/verification process and if it is ensured that the request is received personally from you - you are authorized to use distance services.

Also, please consider that the system does not generate the templates of your image or biometric data, does not store it and it is impossible to regenerate biometric data from final information.

Servers of the Web-services that are used in the remote identification/verification process are located on the territory of EU and in states which have relevant guarantees on personal data protection.

1.3 Personal data obtained through other channels

Your personal data is also collected and received when visiting our branches and contacting our call center as well. Similarly, purpose of collecting your personal data in such cases is to identify and verify you and provide proper services.

Purpose of data processing, consent, and transfer of data to third parties The Bank shall collect and process your personal data solely as per your consent unless such consent is not needed under effective legislation.

The Bank may process your personal data for the following purposes:

For providing any type of banking services to you (among them for providing distance services service); For providing general information on any banking services or for suggesting such services to you (direct marketing); For analyzing your solvency and/or monitoring your current obligations; For analyzing and/or monitoring the individuals financially related to you; For renewing data and for ensuring compliance of the Bank’s processes/procedures with effective legislation; For performing/providing various types of research and/or services; For reporting to founders of the Bank; For engaging you in various encouraging competitions (such as Visa, MasterCard and other bank service related activities); For protecting your and Bank’s interests; For fulfillment of other obligations under effective legislation; Your personal data is only transferred to third parties if your consent is properly received and/or such transfer is allowed under effective legislation.

If the consent is received as per effective legislation, your personal data may be transferred to Pasha Holding (part of which is the Bank) and/or legal entities related to it. Also, the Bank may share your personal data with its contracting parties if the confidentiallity of such data is guaranteed.

While sharing your personal data to third parties – your best interests are considered by the Bank as well as all type of consents are received/obtained in advance as per effective legislation. Scope of information sharing is limited by the purposes of the goals to be reached, to be protected your and the Bank’s interests and the services to be provided promptly.

Personal data security

For securing data, the Bank has introduced all technical solutions envisaged by the international standards in accordance with the effective legislation.

Informational/technical resources of the bank, in line with the effective legislation, secures information from accidental or unlawful deletion, amendment, disclosure, appropriation, any other unlawful utilization or accidental or unlawful loss.

Your Rights as the subject of the personal data

In accordance with an effective law of Georgia on “Personal Data Protection”, you are authorized to:

Request and receive information on which type of your personal data is processed; Request and receive information on purpose(s) of data processing; Check for the legislative grounds for data processing; Request and verify information how and in which way your data was collected; Request and receive information to whom, to what extent and depending on which grounds was your personal data transferred; In addition, if you request, in line with the timeframes and the terms established under the effective legislation, we are obliged to correct, update, add, block, delete, or destroy data if the data are incomplete, inaccurate, not updated, or were illegally collected and processed..

Also, you are authorized to request termination of processing your personal data for direct marketing purposes.

Term on storing of personal data

Your personal data is stored at the Bank for the period that is needed to achieve the goals for which the data was collected and/or for the term determined by the legislation, among them by the NBG.

Recommendations for storing personal data

When disclosing your personal data, it is necessary to observe all relevant terms and therefore, to prevent disclosure of your personal data, accordingly, the Bank recommends:

To enter your personal data only at the official web-page of the bank rebank.ge and application.rebank.ge/www.pashabank.ge and/or at internet banking web-page -www.rebanking.ge/www.pashaonline.ge. Furthermore, be sure that you access web-page through secure network (not using public network) and the Bank’s web page address starts with “https//”; Not to disclose your personal data/confidential information to third parties; Not to store your personal data at devices, which are not protected with relevant password and access to which can be gained easily by third parties; Only to use your personal devices while receiving banking services and not to save the your username and password on your device; Only to use your personal information as a contact information (use your personal telephone number, email etc. by which your additional verification can be made); To ensure that you are using secure browser and your device is equipped with all necessary security program (antivirus etc.) while using distance/online services or setting distance/online operations;

For obtaining detailed information on personal data processing and/or in case you wish to exercise your rights under effective legislatio, please contact us.

Thank you for using our services!

JSC Pasha Bank Georgia (I/N 404433671)

Legal/actual address: Tbilisi, Chavchavadze ave N 37M, 0179, Georgia.

[email protected]

(+995 32) 222 25 25; (+995 32) 2265 000

*2525