Kruk S.A. — AGM Information 2023

May 24, 2023

Key information about the processing of your personal data by KRUK S.A., provided under Article 13(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR").

Data Controller	KRUK S.A.
	ul. Wołowska 8, 51-116 Wrocław
	email: info@kruksa.pl
	phone: (+48) 71 790 28 00
Data Protection Officer	email: dpo@kruksa.pl
	mailing address: ul. Wołowska 8, 51-116 Wrocław
	phone: (+48) 71 790 28 00
Where we obtained your data	We obtained your data from the Central Securities Depository of Poland, which is a statutory requirement. We may also obtain your data directly from you if you have signed the KRUK S.A. General Meeting attendance list or provided your data in a General Meeting voting form and application to participate in the General Meeting by means of remote communication, or in the form of an audio and video recording made at the KRUK S.A. General Meeting. If you are acting as a proxy for a KRUK S.A. shareholder, we may also obtain your data from that shareholder.
Purpose and basis of data processing	Your personal data is processed as part of activities necessary for the performance of legal obligations imposed on the data controller, that is for the purpose of holding, documenting and archiving the proceedings of the KRUK S.A. General Meeting, in accordance with the Commercial Companies Code and Article 6(1)(c) of the GDPR.
Data recipients	Your data may be made available to entities supporting our business, such as providers of legal and accounting services, telecommunication operators, providers of postal and courier services, entities supporting our IT infrastructure, our consultants, and, where we are required to do so by law, governmental agencies and other authorities.
Period of personal data retention	Your data will be processed for such period as is required under Regulation (EU) No. 596/2014 of the European Parliament and of the Council of April 16th 2014 on market abuse (market abuse regulation) and repealing Directive 2003/6/EC of the European Parliament and of the Council and Commission Directives 2003/124/EC, 2003/125/EC and 2004/72/EC (OJ EU L 2014, 173, p. 1), the Commercial Companies Code of September 15th 2000 (consolidated text: Dz.U. of 2019, item 505, as amended), and the Act on Public Offering, Conditions Governing the Introduction of Financial Instruments to Organised Trading, and Public Companies of July 29th 2005 (consolidated text: Dz.U. of 2019, item 623, as amended), and Art. 6.1(c) of the GDPR.
Rights of data subjects	You have the right to: obtain information regarding our processing of your data and a copy of your data (Article 15 of the GDPR); obtain the rectification of your personal data if it is inaccurate, e.g., outdated or incomplete (Article 16 of the GDPR);

	obtain the erasure of your personal data ("the right to be forgotten") in situations described in Article 17 of the GDPR; obtain the restriction of processing of your personal data (Article 18 of the GDPR); lodge a complaint with a regulatory authority in charge of personal data protection, i.e., the President of the Office for Personal Data Protection (Article 77 of the GDPR).
How to make a request	by sending an email to info@kruksa.pl; by sending a letter by regular mail or in person at the following address: KRUK S.A., ul. Wołowska 8, 51-116 Wrocław
Profiling and automated decision-making	Your personal data will not be subject to automated decision-making, including profiling.
Transferring data outside the European Economic Area (EEA)	We use the services of suppliers and partners outside the EEA and therefore it is possible that personal data may be transferred to countries outside the EEA. Such transfer of personal data may be based on a decision finding an adequate level of protection or subject to appropriate safeguards (Articles 45 and 46 of the GDPR).