Unicredit — AGM Information 2024

Mar 1, 2024

List no. 1 submitted by the Board of Directors of UniCredit S.p.A.

Ordinary Shareholders' Meeting - 12 April 2024

List no. 1 submitted by the Board of Directors of UniCredit S.p.A.

Publication of the documents concerning the list

With reference to point 6 on the Agenda of the Ordinary Shareholders' Meeting of UniCredit S.p.A., convened on April 12, 2024, to complete the documentation concerning its own list of candidates, marked as List no. 1, and that has been already made public to the market on February 16, 2024

		Name
Section no. 1	1	Pietro Carlo PADOAN
Candidates to the office of Director, other than member of the		Designated as Chair
Audit Committee	2	Andrea ORCEL
		Designated as Chief Executive
		Officer
	3	Paola BERGAMASCHI
	4	Elena CARLETTI
	5	Marcus Johannes CHROMIK
	6	António DOMINGUES
	7	Jeffrey Alan HEDBERG
	8	Beatriz Ángela LARA
		BARTOLOMÉ
	9	Maria PIERDICCHI
Section no.2	1	Paola CAMAGNI
Candidates to the office of Director and member of the Audit	2	Gabriele VILLA
Committee	3	Julie B. GALBO

for each candidate the following documentation is published:

• declaration of candidacy acceptance and meeting of the necessary requirements;
• curriculum vitae and the list of the directorships in other companies.

Milan, March 1, 2024

The Board of Directors of UniCredit S.p.A.

STATEMENT OF CANDIDACY AND DECLARATION ATTESTING THE INEXISTENCE OF REASONS FOR INELIGIBILITY, FORFEITURE OR INCOMPATIBILITY, AS WELL AS REGARDING THE MEETING OF THE REQUIREMENTS PROVIDED FOR BY CURRENT PROVISIONS AND OF ACCEPTANCE OF APPOINTMENT

I, the undersigned Pietro Carlo PADOAN born in Rome (Italy) on 19 January 1950, tax code PDNPRC50A19H501D, resident in Rome (Italy), Italian nationality, in relation to the office of Director/Chair of the Board of Directors in UniCredit S.p.A. ("UniCredit" or the "Bank") in light of the Agenda of the Shareholders' Meeting convened for 12 April 2024, under my own responsibility,

taking into account, among others, the provisions of Section 91 of the Directive 2013/36/EU dated June 26, 2013, as subsequently amended ("CRD"), Articles 2382 and 2387 of the Italian Civil Code, Section 26 of Legislative Decree no. 385 dated September 1, 1993 ("TUB"), Articles 147-ter and 147-quinquies of Legislative Decree no. 58 dated February 24, 1998 ("TUF"), the Ministry of Economy and Finance no. 169 dated November 23, 2020 (the "Decree"), the Ministry of Justice Decree no. 162 dated March 30, 2000, Clause 20 of the UniCredit Articles of Association and Article 2, recommendation 7, of the Corporate Governance Code (the "Corporate Governance Code")

STATE THAT

there are no reasons for my ineligibility, forfeiture or incompatibility and that I meet the requirements provided for by currently applicable provisions, as well as by the Articles of Association of UniCredit for the appointment as Director/Chair of the Board of Directors; with specific reference to the experience and independence requirements:

DECLARE THAT

Experience

I possess the knowledge, skills and experience required by the CRD, TUB and the Decree, and, in particular, that I have accrued the appropriate overall experience of at least 10 years through the exercise of 1:

• activity of Director and Chair in UniCredit respectively from October 2020 and April 2021 to today;
• activity of Professor in Economics carried out at La Sapienza University of Rome from 1974 to 2007:
• activity of Executive Director carried out at the International Monetary Fund from 2001 to 2005;
• activity of General Vice-Secretariat, from 2007 to 2014, and Chief Economist G20 Finance Deputy, from 2009 to 2014, carried out at the Organizzazione per la Cooperazione e lo Sviluppo Internazionale;
• Ministry of Economics and Finance of the Italian Government from 2014 to 2018,

¹ Please indicate (i) for Directors with executive roles: management or control activities or managerial positions held in the credit, financial, securities or insurance sectors; and/or management or control activities or managerial positions held in listed companies or companies whose size and complexity are greater than, or equal to those of Uniciedit (in terms of revenues, nature and complexity of the organization or activities performed), and (II) for Directors with non-executive roles, in addition to the abovementioned ones: professional activities practiced in credit, finance related fields or anyhow instrumental for the activities of UniCredit – activities shall be sufficiently complex and performed in a continuous and significant manner; and/or university teaching (first or second level) of legal or economics subjects functional to the credit, financial, securities or insurance sectors; and/or managerial/executive functions or public administration offices relating to the credit, financial, securities or insurance sectors provided that the officer performed such activities has a size and complexity similar to those of UniCredit.

In addition to the above, the chief executive officer shall possess a specific experience in the fields of credit, financial, securities or insurance, gained through management or control activities or managerial positions held for at least 5 years in the credit, financial, securities and insurance sectors, or in companies whose size and complexity are greater than, or egual to, those of UniCredit (in terms of revenues, nature and complexity of the organization or activities performed). Moreover, the chair of the Board of Directors shall possess at least 5 years of experience in the activities indicated under para (1) or (1) above.

as they result from both the attached curriculum vitae (see Annex 1) and the list of offices of administration and control currently held in other companies (see Annex 2).

INDEPENDENCE

I meet the independence criteria pursuant to the following provisions:

1)	Article 148 TUF, para. 3 and Article 2399, para. 1 (as recalled by Article 区 Yes		O No
	2409-septiesdecies) Italian Civil Code
2)	Article 13 of the Decree	X Yes	No
	3) Italian Corporate Governance Code	× Yes	No

l, the undersigned, also:

• state to be a candidate as member to the Board of Directors of UniCredit, and, if appointed, to irrevocably accept my appointment as from today;
• state that I am not in any of the situations provided for by (i) Article 2390 Italian Civil Code, nor (ii) 36 of Law Decree no. 201 dated December 6, 2011, converted into Law no. 214 dated December 22, 2011 (i.e., interlocking);
• state that I do not exceed the limits upon the maximum number of offices to be held pursuant to applicable rules and that I am able to commit the necessary time to effectively carry out the office;
• undertake to promptly inform UniCredit of any changes in the above-mentioned circumstances and, on request by the Company, to produce any documentation suitable to confirm the truthfulness of the facts declared;
• having read the information notice on the processing of personal data reported in attachments, acknowledge the disclosure of the information above and the information indicated in the Annexes.

Annexes:

• 1) CV
• 2) List of offices of administration and control currently held in other companies
• 3) Privacy statement

Signature

ANNEX 1 - CV

Pietro Carlo Padoan

Born in Rome on January 19th, 1950

Main posts held:

• Chairman of the Board of Directors
• · Member of the Internal Controls & Risks Committee
• · Member of the Board of Directors of ABI Italian Banking Association
• · Member of the Executive Committe of ABI Italian Banking Association
• · Member of the Institut International d'Etudes Bancaires
• · Chairperson of the High Level Group on Financing Sustainability Transition
• · Vice Chairmain and member of the European Financial Roundtable (EFR)
• · Member of the European Banking Group (EBG)
• · Member of the Executive Committee of FeBAF (Italian Banking, Insurance and Finance Federation)
• · Member of the Executive Committee of Assonime
• Chairman of Committee of Market Operators and Investors (COMI)
• · Member of the Governing Council of the School for Economic and Social Politics (AISES)
• · Member of "Comitato Scientifico Osservatorio Banca Impresa 2030"
• · Member of the Board of "Istituto Luigi Einaudi per gli Studi bancari, finanziari e assicurativi"
• Member of Corporate Governance Committee of Borsa Italiana .
• · Member of the Board of the Institute of International Finance (IIF)
• · Member of the FEPs High-Level Group on the New Global Deal
• · Member of the Consiglio Generale of AIFI (Associazione Italiana del Private Equity, Venture Capital e Private Debt
• · Vice President of IAI Istituto Affari Internazionali
• · Member of the Scientific Council of LUISS Institute for European Analysis and Policy (LEAP)
• · Senior Scientific Advisor of Master Luiss Energy And Sustainability
• · Honorary Board Member of Scope Foundation

· Distinguished Fellow of the Centre for International Governance Innovation (CIGI)

Previously held posts:

• · Minister of Economy and Finance of the Italian government in two successive governments
• · Member of the Chamber of Deputies of the Italian Republic and member of the Budget Commission
• · Deputy Secretary General and Chief Economist, Organization for Economic Co-operation and Development
• · Executive Director of International Monetary Fund
• · Economic advisor to the Prime Minister, responsible for coordinating the Italian position in the negotiations of the Agenda 2000 for the EU budget, the Lisbon Agenda, the European Council, bilateral meetings and the G8 meetings.
• · Senior Fellow and member of the Scientific Council of SEP School of European Political Economy, LUISS University
• · Member of the Board of Directors International Monetary Conference
• · Member of Committee of Market Operators and Investors (COMI)

Academic career:

Professor of Economics, University La Sapienza of Rome (retired) He has held various academic positions in Italian and foreign universities, including at the University of Rome, College of Europe (Bruges and Warsaw), Université Libre de Bruxelles, University of Urbino, Universidad de la Plata, University of Tokyo Degree in Economics, University of Rome

12/02 Date and place, Signed _

List of offices of administration and control currently held in other companies

None

Date, place 12/02/24 MUAN రామ 1100 Signature

INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA BY UNICREDIT

The following information notice aims at providing you with an overview on the use of your personal data by UniCredit S.p.A. and of your rights pursuant to the General Data Protection - Regulation (EU) 2016/679 (hereinafter also GDPR).

1. DATA CONTROLLER AND DATA PROTECTION OFFICER

The Data Controller is UniCredit S.p.A., with registered office in Milan, Piazza Gae Aulenti n. 3, Tower A, 20154 Milan (UniCredit).

The Data Protection Officer (DPO) can be contacted at:

UniCredit S.p.A. Data Protection Office, Piazza Gae Aulenti n. 1, Tower B, 20154 Millano, E-mail: Group.DPO@unicredit.eu, PEC: Group.DPO@pec.unicredit.eu,

2. PURPOSE AND LEGAL BASIS OF PROCESSING

UniCredit processes the personal data in its possession, that is collected directly from you, or from the relevant local administrations to verify, among others, their accuracy for the following purposes:

A. Need to fulfill legal obligations deriving from your candidacy as a Member of the UniCredit's Board of Directors.

These obligations imply, among others, verifying - both during the selection procedures and on an ongoing basis - the compliance: // with the eligibility requirements for taking on and maintaining the role of Director as well as of specific positions (such as integrity requirements, criteria of correctness, professional experience requirements and competence, independence, time commitment, maximum number of offices covered, respect of the prohibition of interlocking) as required by applicable law, by UniCredit's Articles of Association and by the Corporate Governance Code (i.e. Codice di Corporate Governance) as well as with social security and fiscal obligations linked to the remuneration provided.

To comply with the above-mentioned obligations, in some cases, UniCredit is required to carry out analyses that concern also your relatives?. For this reason, we kindly ask you to let them aware of this Information Notice.

These needs represented above are the legal basis legitimizing the related data processing. Data provided by you is necessary to comply with the obligations arising from your role of UniCredit's Board of Directors; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

B. Fulfilment of legal obligations and requests from Public and Supervisory Authorities, concerning the process, communication and/or disclosure - also during the selection procedures - on the website www.unicreditgroup.eu and/ or on specific corporate documents (e.g. Prospectus / Corporate Governance Report, Financial Statements) of your data (such as data contained in your curriculum vitae and in the list of the tasks carried out by you in other banks and commercial companies, as required by the applicable law, and according to the Articles of Association and the Corporate Governance Code).

The needs represented above are the legal basis legitimizing the related data processing. Data provided by you is necessary to comply with the legal obligations, the requests from the Authorities, as well as to take on the role of member of the Board of Directors of UniCredit; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

CATEGORIES OF PERSONAL DATA PROCESSED

UniCredit processes personal data collected directly from you, or from third parties (e.g. relevant local administrations), which include, but are not limited to, personal data (e.g. name, sumame, address, date and place of birth), banking data, information on the financial situation (e.g. patrimonial status, information on credit requests/relationships), positions held and related income, employment relationships, commercial/professional relationships.

² The relatives scope is identified on the basis of the specific applicable regulations.

This information may concern existing or past relationships with Group Legal Entities or third parties.

3.1 JUDICIAL DATA

UniCredit may process judicial data (i.e. personal data relating to criminal convictions and offences or related security measures, including information on pendings) refering to you, in order to verify the subjective and integrity requirements and/or conditions that prevent from being appointed as member of the Board of Directors of UniCredit.

In such cases, the processing is necessary to fulfill legal obligations as well as to comply with requests coming from Public or Supervisory Authorities (e.g. filling the questionnaire requested by the ECB). This need represents the legal basis that legitimizes the related data processing. Data provided by you is necessary to comply with the legal obligations; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

4. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA

Your data may be communicated to the natural and legal persons that are acting as "Data Processors", listed in the Unicredit premises and on the website www.unicredit.it, as well as -- in the quality of persons authorized to process personal data in relation to the data necessary for the performance of the duties they are assigned to - the natural persons belonging to the following categories: employees of the Bank, seconded personnel, temporary workers, interns, consultants and the employees of the external companies appointed as Data Processors.

Your data may be communicated:

• · to those subjects to whom this communication must be carried out in compliance with an obligation established by law (e.g. Bank of Italy and ECB), by a regulation or by EU legislation. Further information can be found on the website www.unicredit.it in the "Privacy" section;
• · to legal Entities belonging to the Unicredit Group (also foreign Legal Entities), subsidiaries or associates under the terms of article 2359 of the Italian Civil Code, when such communication is permitted on the basis of a Garante per la Protezione dei Dati Personali's measure or by a law provision.

The detailed list of subjects to whom the data can be communicated is available on the website www.unicredit.it, in the "Privacy" section.

DATA TRANSFER TO THIRD COUNTRIES 5.

Unicredit informs you that your personal data may also be transferred to the European Union or the European Economic Area (so called "Third Countries") if the EU Commission states that the Third Country ensures an adequate level of protection of personal data or in case of other appropriate safeguards, namely when the supplier of Unicredit located in the Third Country contractually ensures an appropriate level of personal data protection (e.g. through the standard contractual clauses provided by the European Commission), including enforceable and effective data subject rights. Further information can be requested by writing to Group.DPO@unicredit.eu.

DATA PROCESSING MODALITIES 6.

The processing of personal data involves the usage of manual and IT instruments with modalities closely connected with the purposes defined above and, in any case, in such a way to guarantee the security and confidentiality of the data.

DATA SUBJECT' RIGHTS 7.

GDPR grants and assures specific rights, including the right to know what data concerning you are held by UniCredit, as well as how they are used, and the right to obtain, under certain conditions, the copy, the erasure, the rectification or, if interested, the integration of your data, as well as the right to data portability.

7.1 DATA RETENTION PERIOD AND RIGHT TO ERASURE

UniCredit processes and stores your personal data for all the time you keep the role of Director, to execute the related and connected obligations, to comply with the applicable legal, contractual and regulatory obligations, as well as for its own defensive purposes or third parties until the expiration of the longest mandatory retention

period provided by the applicable law (i.e. 11 years) starting from the date of termination of the relationship with you. UniCredit processes and stores your personal data even after the expiry of the employment relationship when this is necessary for archiving purposes for historical research purposes, according, to the methods set out in the "Ethical rules of processing for archiving purposes in the public interest or historical research"3.

At the end of the applicable mandatory retention period, your personal data will be erased or kept in a form which does not permit your identification (e.g. irreversible anonymization), unless the further processing is necessary for one or more of the following purposes: i) for resolution of pre-litigation, started before the expiration of the mandatory retention period; if) to follow up with investigations/inspections/y internal control functions and/or external authorities, started before the mandatory retention period; iii) to follow up with requests from the Italian and/or foreign Public Authorities, received/notified to UniCredit before the expiration of the mandatory retention period.

8. PROCEDURE TO EXERCISE THE RIGHTS

The e-mail address which you can refer to for the exercise of your rights described in the paragraph 7 is the following one: corporate.law@pec.unicredit.eu.

The deadline for the reply is one (1) month, that may be extended for two (2) further months in cases of particular complexity; in these cases, UniCredit informs you about such extension within one (1) month from the receipt of the request.

The exercise of rights is, in principle, free of charge.

9. COMPLAINT OR REPORTING TO THE "GARANTE PER LA PROTEZIONE DEI DATI PERSONALI"

UniCredit informs you that you have the right to lodge a complaint with, or to report to the Garante per la Protezione dei Dati Personali, or else to appeal to the Judicial Authority. The Garante per la Protezione dei Dati Personali can be consulted on the website http://www.garanteprivacy.it.

Date and place,

³ Record of the provisions 19 December 2018, n. 513

STATEMENT OF CANDIDACY AND DECLARATION ATTESTING THE INEXISTENCE OF REASONS FOR INELIGIBILITY, FORFEITURE OR INCOMPATIBILITY, AS WELL AS REGARDING THE MEETING OF THE REQUIREMENTS PROVIDED FOR BY CURRENT PROVISIONS AND OF ACCEPTANCE OF APPOINTMENT

I, the undersigned Andrea ORCEL, born in Rome (Italy) on 14 May 1963, tax code RCLNDR63E14H501E, resident in Milan (Italy), Italian nationality, in relation to the office of Director/Chief Executive Officer in UniCredit S.p.A. ("UniCredit" or the "Bank") in light of the Agenda of the Shareholders' Meeting convened for 12 April 2024, under my own responsibility,

taking into account, among others, the provisions of Section 91 of the Directive 2013/36/EU dated June 26, 2013, as subsequently amended ("CRD"), Articles 2382 and 2387 of the Italian Civil Code, Section 26 of Legislative Decree no. 385 dated September 1, 1993 ("TUB"), Articles 147-ter and 147-quinquies of Legislative Decree no. 58 dated February 24, 1998 ("TUF"), the Ministry of Economy and Finance no. 169 dated November 23, 2020 (the "Decree"), the Ministry of Justice Decree no. 162 dated March 30, 2000, Clause 20 of the UniCredit Articles of Association and Article 2, recommendation 7, of the Corporate Governance Code (the "Corporate Governance Code")

STATE THAT

there are no reasons for my ineligibility, forfeiture or incompatibility and that I meet the requirements provided for by currently applicable provisions, as well as by the Articles of Association of UniCredit for the appointment as Director/Chief Executive Officer; with specific reference to the experience and independence requirements:

DECLARE THAT

EXPERIENCE

I possess the knowledge, skills and experience required by the CRD, TUB and the Decree, and, in particular, that I have accrued the appropriate overall experience of at least 10 years through the exercise of 1:

• activity of Chief Executive Officer in UniCredit from April 2021 to today;
• activity of Co-Head of Financial Institutions Group for Europe, Middle East & Africa carried out at Merrill Lynch then Bank of America from 1999 to 2003;
• activity of Head di Global Financial Institutions Group carried out at Merrill Lynch then Bank of America from 2003 to 2007;
• activity of Head of Origination and Co-President of Global Markets and Investment Banking for . Europe, Middle East & Africa carried out at Merrill Lynch then Bank of America from 2004 to 2007;

¹ Please indicate (1) for Directors with executive roles; management or control activities or managerial positions held in the credit, financial, securities or insurance sectors; and/or management or control activities or managerial positions held in listed companies or companies whose size and complexity are greater than, or equal to those of UniCredit (in terms of revenues, nature and complexity of the organization or activities performed), and (ii) for Directors with non-executive roles, in addition the abovementioned ones: professional activities practiced in credit, financial, securities, insurance related fields or anyhow instrumental for the activities of UniCredit – activities shall be sufficiently complex and performed in a continuous and significant manner; and/or university teaching (first or second level) of legal or economics subjects functional to the credit, financial, securities or insurance sectors; and/or managerial/executive functions or public administration offices relating to the credit, financial, securities or insurance sectors provided that the officer performed such activities has a size and complexity similar to those of UniCredit.

In addition to the above, the chief executive officer shall possess a specific experience in the fields of credit, financial, securities or insurance, gained through management or control activities or managerial positions held for at least 5 years in the credit, financial, securities and insurance sectors, or in listed companies whose size and complexity are greater than, or equal to, those of UniCredit (in terms of revenues, nature and complexity of the organization or activities performed). Moreover, the chair of the Board of Directors shall possess at least 5 years of experience in the activities indicated under para (i) or (ii) above.

• activity of Head of Global Origination, President of EMEA Global Markets & Investment Banking and member of Merrill Lynch Management Committee caried out at Merrill Lynch then Bank of America from 2007 to 2009;
• activity of President of International Global Banking, Securities & Wealth Management; Head of International Corporate and Investment Banking carried out at Merrill Lynch then Bank of America in 2009;
• activity of Executive Chair of the Investment Bank and President of Emerging Markets ex Asia carried out at Merrill Lynch then Bank of America from 2009 to 2012;
• activity of Member of Group Executive Board carried out at UBS from 2012 to 2018;
• activity of President, Investment Bank presso UBS from 2012 to 2018;
• activity of CEO, UBS Limited and UBS AG London Branch (UK SMF1) carried out at UBS from 2014 to 2018;
• activity of Member of the Board of UBS Americas carried out at UBS from 2016 to 2018;
• activity of Senior Officer Outside of Australia (SOOA) from 2016 to 2018,

as they result from both the attached curriculum vitae (see Annex 1) and the list of administration and control currently held in other companies (see Annex 2).

INDEPENDENCE

I meet the independence criteria pursuant to the following provisions:

1)	Article 148 TUF, para. 3 and Article 2399, para. 1 (as recalled by Article □ Yes
	2409-septiesdecies) Italian Civil Code
2)	Article 13 of the Decree	Yes	XI No
	3) Italian Corporate Governance Code	Yes	X No I

I, the undersigned, also:

• state to be a candidate as member to the Board of Directors of UniCredit, and, if appointed, to irrevocably accept my appointment as from today;
• state that I am not in any of the situations provided for by (i) Article 2390 Italian Civil Code, nor (ii) 36 of Law Decree no. 201 dated December 6, 2011, converted into Law no. 214 dated December 22, 2011 (i.e., interlocking);
• state that I do not exceed the limits upon the maximum number of offices to be held pursuant to applicable rules and that I am able to commit the necessary time to effectively carry out the office;
• undertake to promptly inform UniCredit of any changes in the above-mentioned circumstances and, on request by the Company, to produce any documentation suitable to confirm the truthfulness of the facts declared;
• having read the information notice on the processing of personal data reported in attachments, . acknowledge the disclosure of the information above and the information indicated in the Annexes.

ANNEXES:

1)

2) List of offices of administration and control currently held in other companies

3) Privacy statement

pictor (19 2 Date, place _ 10) Signature 116

larna Date, place Signature

[CV]

EDUCATION

MBA, INSEAD (1990) B.A. Economics and Commerce, University of Rome (1986)

Andrea Orcel

unicredit Group ceo and head of ITaly, chairman unicredit foundation

Andrea Orcel began his career in 1987 at Midland Montagu in Fixed Income. In 1988 he moved to Goldman Sachs and in 1990 he joined The Boston Consulting Group.

From 1992 to 2012, Andrea worked for Merrill Lynch (then Bank of America), with a number of senior positions: Executive Chairman of the Investment Bank and President of Emerging Markets ex Asia (2009), President of International Global Banking, Securities & Wealth Management; Head of International Corporate and Investment Banking (2009), Head of Global Origination, President of EMEA Global Markets & Investment Banking and member of Merrill Lynch Management Committee (2007), Head of Origination and Co-President of Global Markets and Investment Banking for Europe, Middle East & Africa (2004), Head of Global Financial Institutions Group (2003), Co-Head of Financial Institutions Group for Europe, Middle East & Africa (1999).

In 2012, Andrea joined UBS as a Member of the Group Executive Board and then President, Investment Bank; then CEO, UBS Limited and UBS AG London Branch (2014); Member of the Board of UBS Americas Holding LLC, senior contact for US industry regulators and Senior Officer Outside of Australia and enior contact for Australia industry regulators (2016). He was also a Member of the Board of UBS Optimus Foundation, Senior Sponsor and Leader for Diversity and Talent Development in the Investment Bank and the UK.

On 15th April 2021, Andrea Orcel was appointed Group Chief Executive Officer of UniCredit. On 6th July 2022, Andrea Orcel was appointed Head of Italy in addition to his role as Group Chief Executive Officer, while on 7th July he was nominated Chairman of the UniCredit Four dation by its board.

ANNEX 2

LIST OF OFFICES OF ADMINISTRATION AND CONTROL CURRENTLY HELD IN OTHER COMPANIES

Non-executive Director at EIS, California (USA) Chair of the Supervisory Board at UniCredit Bank GmbH

AND Date, place Signature |

INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA BY UNICREDIT

The following information notice aims at providing you with an overview on the use of your personal data by UniCredit S.p.A. and of your rights pursuant to the General Data Protection Regulation - Regulation (EU) 2016/679 (hereinafter also GDPR).

1. DATA CONTROLLER AND DATA PROTECTION OFFICER

The Data Controller is UniCredit S.p.A., with registered office in Milan, Piazza Gae Aulenti n. 3, Tower A, 20154 Milan (UniCredit).

The Data Protection Officer (DPO) can be contacted at:

UniCredit S.p.A. Data Protection Office, Piazza Gae Aulenti n. 1, Tower B, 20154 Milano, E-mail: Group.DPO@unicredit.eu, PEC: Group.DPO@pec.unicredit.eu.

2. PURPOSE AND LEGAL BASIS OF PROCESSING

UniCredit processes the personal data in its possession, that is collected directly from you, or from the relevant local administrations to verify, among others, their accuracy for the following purposes:

A. Need to fulfill legal obligations deriving from your candidacy as a Member of the UniCredit's Board of Directors.

These obligations imply, among others, verifying - both during the selection procedures and on an ongoing basis - the compliance: i) with the eligibility requirements for taking on and maintaining the role of Director as well as of specific positions (such as integrity requirements, criteria of correctness, professional experience reguirements and competence, independence, time commitment, maximum number of offices covered, respect of the prohibition of interlocking) as required by applicable law, by UniCredit's Articles of Association and by the Corporate Governance Code (i.e. Codice di Corporate Governance) as with social security and fiscal obligations linked to the remuneration provided.

To comply with the above-mentioned obligations, in some cases, UniCredit is required to carry out analyses that concern also your relatives ?. For this reason, we kindly ask you to let them aware of this Information Notice.

These needs represented above are the legal basis legitimizing the related data processing. Data provided by you is necessary to comply with the obligations arising from your role of UniCredit's Board of Directors; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

B. Fulfilment of legal obligations and requests from Public and Supervisory Authorities, concerning the process, communication and/or disclosure - also during the selection procedures - on the website www.unicreditgroup.eu and/ or on specific corporate documents (e.g. Prospectus / Corporate Governance Report, Financial Statements) of your data (such as data contained in your curriculum vitae and in the list of the tasks carried out by you in other banks and commercial companies, as required by the applicable law, and according to the Articles of Association and the Corporate Governance Code).

The needs represented above are the legal basis legitimizing the related data processing. Data provided by you is necessary to comply with the legal obligations, the requests from the Authorities, as well as to take on the role of member of the Board of Directors of UniCredit; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

3. CATEGORIES OF PERSONAL DATA PROCESSED

UniCredit processes personal data collectly from you, or from third parties (e.g. relevant local administrations), which include, but are not limited to, personal data (e.g. name, surname, address, date and place of birth), banking data, information on the financial situation (e.g. patrimonial status, information on credit requests/relationships), positions held and related income, employment relationships, commercial/professional relationships.

² The relatives scope is identified on the basis of the specific applicable regulations.

This information may concern existing or past relationships with UniCredit as well as with Group Legal Entities or third parties.

3.1 JUDICIAL DATA

UniCredit may process judicial data (i.e. personal data relating to criminal convictions and offences or related security measures, including information on pending proceedings) refering to you, in order to verify the subjective and integrity requirements and/or conditions that prevent from being appointed as member of the Board of Directors of UniCredit.

In such cases, the processing is necessary to fulfill legal obligations as well as to comply with requests coming from Public or Supervisory Authorities (e.g. filling the questionnaire requested by the ECB). This need represents the legal basis that legitimizes the related data processing. Data provided by you is necessary to comply with the legal obligations; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA বা

Your data may be communicated to the natural and legal persons that are acting as "Data Processors", listed in the UniCredit premises and on the website www.unicredit.it, as well as - in the quality of persons authorized to process personal data in relation to the data necessary for the performance of the duties they are assigned to - the natural persons belonging to the following categories: employees of the Bank, seconded personnel, temporary workers, interns, consultants and the employees of the external companies appointed as Data Processors.

Your data may be communicated:

• to those subjects to whom this communication must be carried out in compliance with an obligation established by law (e.g. Bank of Italy and ECB), by a regulation or by EU legislation. Further information can be found on the website www.unicredit.it in the "Privacy" section;
• · to Legal Entities belonging to the UniCredit Group (also foreign Legal Entities), subsidiaries or associates under the terms of article 2359 of the Italian Civil Code, when such communication is permitted on the basis of a Garante per la Protezione dei Dati Personali's measure or by a law provision.

The detailed list of subjects to whom the data can be communicated is available on the website www.unicredit.it, in the "Privacy" section.

5. DATA TRANSFER TO THIRD COUNTRIES

UniCredit informs you that your personal data may also be transferred to the European Union or the European Economic Area (so called "Third Countries") if the EU Commission states that the Third Country ensures an adequate level of protection of personal data or in case of other appropriate safeguards, namely when the supplier of UniCredit located in the Third Country contractually ensures an appropriate level of personal data protection (e.g. through the standard contractual clauses provided by the European Commission), including enforceable and effective data subject rights. Further information can be requested by writing to Group.DPO@unicredit.eu.

DATA PROCESSING MODALITIES 6.

The processing of personal data involves the usage of manual and IT instruments with modalties closely connected with the purposes defined above and, in any case, in such a way to guarantee the security and confidentiality of the data.

7. DATA SUBJECT' RIGHTS

GDPR grants and assures specific rights, including the right to know what data concerning you are held by UniCredit, as well as how they are used, and the right to obtain, under certain conditions, the copy, the erasure, the rectification or, if interested, the integration of your data, as well as the right to data portability.

7.1 DATA RETENTION PERIOD AND RIGHT TO ERASURE

Unicredit processes and stores your personal data for all the time you keep the role of Director, to execute the related and connected obligations, to comply with the applicable legal, contractual and regulatory obligations, as well as for its own defensive purposes or third parties until the expiration of the longest mandatory retention

period provided by the applicable law (i.e. 11 years) starting from the date of termination of the relationship with you. UniCredit processes and stores your personal data even after the expiry of the employment relationship when this is necessary for archiving purposes for historical research purposes, according, to the methods set out in the "Ethical rules of processing for archiving purposes in the public interest or historical research"3.

At the end of the applicable mandatory retention period, your personal data will be erased or kept in a form which does not permit your identification (e.g. irreversible anonymization), unless the further processing is necessary for one or more of the following purposes: i) for resolution and/or litigation and/or litigation, started before the expiration of the mandatory retention period; ii) to follow up with investigations/inspections by internal control functions and/or external authorities, started before the expiration of the mandatory retention period; iii) to follow up with requests from the Italian and/or foreign Public Authorities, received/notified to UniCredit before the expiration of the mandatory retention period.

8. PROCEDURE TO EXERCISE THE RIGHTS

The e-mail address which you can refer to for the exercise of your rights described in the paragraph 7 is the following one: corporate.law@pec.unicredit.eu.

The deadline for the reply is one (1) month, that may be extended for two (2) further months in cases of particular complexity; in these cases, UniCredit informs you about such extension within one (1) month from the receipt of the request.

The exercise of rights is, in principle, free of charge.

9. COMPLAINT OR REPORTING TO THE "GARANTE PER LA PROTEZIONE DEI DATI PERSONALI"

UniCredit informs you that you have the right to lodge a complaint with, or to report to the Garante per la Protezione dei Dati Personali, or else to appeal to the Judicial Authority. The Garante per la Protezione dei Dati Personali can be consulted on the website http://www.garanteprivacy.it.

Date and place Signature

³ Record of the provisions 19 December 2018, n. 513

STATEMENT OF CANDIDACY AND DECLARATION ATTESTING THE INEXISTENCE OF REASONS FOR INELIGIBILITY, FORFEITURE OR INCOMPATIBILITY, AS WELL AS REGARDING THE MEETING OF THE REQUIREMENTS PROVIDED FOR BY CURRENT PROVISIONS AND OF ACCEPTANCE OF APPOINTMENT

I, the undersigned PAOLA BERGAMASCHI, born in Milano (MI) on JUNE 5™ 1961, tax code BRGPLA61H45F205U, resident in London, of dual italian and english nationality, in relation to the office of Director in UniCredit S.p.A. ("UniCredit" or the "Bank") in light of the Agenda of the Shareholders' Meeting convened for 12 April 2024, under my own responsibility,

taking into account, among others, the provisions of Section 91 of the Directive 2013/36/EU dated June 26, 2013, as subsequently amended ("CRD"), Articles 2382 and 2387 of the Italian Civil Code, Section 26 of Legislative Decree no. 385 dated September 1, 1993 ("TUB"), Articles 147-ter and 147-quinquies of Legislative Decree no. 58 dated February 24, 1998 ("TUF"), the Ministry of Economy and Finance no. 169 dated November 23, 2020 (the "Decree"), the Ministry of Justice Decree no. 162 dated March 30, 2000, Clause 20 of the UniCredit Articles of Association and Article 2, recommendation 7, of the Corporate Governance Code (the "Corporate Governance Code")

STATE THAT

there are no reasons for my ineligibility, forfeiture or incompatibility and that I meet the requirements provided for by currently applicable provisions, as well as by the Articles of Association of UniCredit for the appointment as Director; with specific reference to the experience and independence requirements:

DECLARE THAT

EXPERIENCE

I possess the knowledge, skills and experience required by the CRD, TUB and the Decree, and, in particular, that I have accrued the appropriate overall experience of at least 3 years through the exercise of 1:

• Member of the Board, Risk and Audit Committees at AlG Inc from December 2022 to present;
• Member of the Board, Chair of Risk Committee and member of the Audit and Nomination Committees at BNY Mellon International from March 2017 to present;
• Member of the Board and Chair of Risk and Control Committee, member of Remuneration Committee at ARCA Fondi SGR from September 2015 to present;
• Member of the Board and Nomination and Risk Committees, Chair of Remuneration Committee at Wells Fargo Securities International from April 2017 to January 2022;
• Member of the Board, Chair of Risk Committee and member of the Audit Committee at Arrow Global Plc from July 2020 to October 2021 (company taken over and delisted in October 2021);

¹ Please indicate (I) for Directors with executive roles: management or control activities or managerial positions held in the credit, financial, securities or insurance sectors; and/or managerial positions or managerial positions held in listed companies or companies whose size and complexity are greater than, or equal to those of UniCredit (in terms of revenues, nature and complexity of the organization or activities performed), and (ii) for Directors with non-executive roles, in addition to the abovementioned ones: professional activities practiced in credit, finance related fields or anyhow instrumental for the activities of UniCredit - activities shall be sufficiently complex and significant manner; and/or university teaching (first or second level) of legal or economics subjects functional to the credit, financial, securities or insurance sectors; and/or managerial/executive in public organizations or public administration offices relating to the credit, financial, securities or insurance sectors provided that the officer performed such activities has a size and complexity similar to those of UniCredit.

In addition to the above, the chief executive officer shall possess a specific experience in the fields of credit, financial, securities or insurance, gained through management or control activities or managerial positions held for at least 5 years in the credit, financial, securities and insurance sectors, or in companies whose size and complexity are greater than, or equal to, those of UniCredit (in terms of revenues, nature and complexity of the organization or activities performed). Moreover, the chair of the Board of Directors shall possess at least 5 years of experience in the activities indicated under para (i) or (i) above.

• Head of Sales/Distribution for different businesses at State Street Corp from May 2003 to August 2014:
• Director Equity sales at Credit Suisse First Boston from 1998 to 2003;
• Industry Director at the Institute of Finance and Technology UCL London from September 2018 to September 2023,

as they result from both the attached curriculum vitae (see Annex 1) and the list of offices of administration and control currently held in other companies (see Annex 2).

INDEPENDENCE

I meet the independence criteria pursuant to the following provisions:

1)	Article 148 TUF, para. 3 and Article 2399, para. 1 (as recalled by Article 区 Yes		O No
	2409-septiesdecies) Italian Civil Code
2)	Article 13 of the Decree	× Yes	No
	3) Italian Corporate Governance Code	× Yes	ONO

I, the undersigned, also:

• state to be a candidate to the Board of Directors of UniCredit member, and, if appointed, to irrevocably accept my appointment as from today;
• state that I am not in any of the situations provided for by (i) Article 2390 Italian Civil Code, nor (ii) 36 of Law Decree no. 201 dated December 6, 2011, converted into Law no. 214 dated December 22, 2011 (i.e., interlocking);
• state that I do not exceed the limits upon the maximum number of offices to be held pursuant to applicable rules and that I am able to commit the necessary time to effectively carry out the office;
• undertake to promptly inform UniCredit of any changes in the above-mentioned circumstances and, on request by the Company, to produce any documentation suitable to confirm the truthfulness of the facts declared;
• having read the information notice on the processing of personal data reported in attachments, acknowledge the disclosure of the information above and the information indicated in the Annexes.

ANNEXES:

• 1) CV
• 2) List of offices of administration and control currently held in other companies
• 3) Privacy statement

12th of February 2024, London

Signature

Paola Bergamaschi

PERSONAL PROFILE AND CORE ABILITIES

I have been a portfolio INED since 2014, leveraging on my long term experience in the City both in capital markets and investment services. I bring to the Board table strategic thinking, international business experience, regulatory and risk knowledge. These attributes have been developed over a 25+ years as senior executive mainly at global banking groups (Goldman Sachs, Credit Suisse First Boston, State Street Corp) where I held senior managerial positions, with P&L responsibility across geographies and products, running complex organisations, working collaboratively with clients and colleagues to deliver results. I am an Advisor to Quantexa (technology sector) and I hold seminars at UCL in London where I have been the Industry Director at the Institute of Finance and Technology for years.

CAREER SUMMARY

Current non-executive roles:

As of the 1st of December 2022 I joined the Board of AIG Group Inc (NY) as Independent nonexecutive director and member of the Risk and Audit Committees.

Independent non-executive director at BNY Mellon International, member of the Audit and Nomination Committees. Chair of the Risk Committee (SMF 10). I also Chaired the Advisory Board of the Depositary and Trust business of BNY Mellon International. BNYMIL is headquartered in London and it provides asset servicing solutions (March 2017-present)

Independent non-executive director, Chair of the Risk and Control Committee and member of the Remuneration Committee at ARCA Fondi SGR in Milan - ARCA Fondi SGR is an independent asset manager with 35+bn euros of AUM. (September 2015-present)

Member of the Advisory Board Quantexa Ltd (August 2020-present). Quantexa is a software company

Previous main non exec roles:

Independent non-executive director at Well Fargo Securities International and member of the Nomination and Risk Committees, Chair of the Remuneration Committee. WFSIL is headquartered in London and it delivers a comprehensive set of capital markets products and services (April 2017-January 2022)

Independent non-executive director at Arrow Global Plc (FTSE 250). Also member of the Audit Committee and Chair of the Risk Committee (SMF10) (July 2020-October 2021). Arrow Global is active in the UK and European NPL space as an integrated player (both direct investment and asset servicing) and has been taken private in October 2021 by private equity

Independent non -executive director at Millenium and Copthorne (FTSE 250) active in the hotels and REIT business. Also member of Audit and Remuneration Committee. (May 2019-delisted in October 2019 following a tender offer)

Member of the Board of Big Society Capital (2018-june 2020) also member of the Risk Committee. BSC is an independent financial institution with a social mission, set up to help grow social investment in the UK. I left the BSC Board to be able to join Arrow Global Plc in 2020 but I stayed as external advisor on their Risk Committee until June 2022.

Other Previous activities/collaborations/unregulated entities:

Industry Director at the UCL Institute of Finance and Technology (2018-2023);

Treasurer of SAMTI (A Dutch Foundation- Stichting Administratiekantoor Mobile Telecoms Investor) (March 2016-March 2022);

Trustee of FareShare- FareShare is a UK charity that operates at the national level for the redistribution of in-date food for human consumption from retail chains to thousands of charities (September2014-September 2020)

Advisor of EthicalFin (2014-2016) -impact investing

Advisor of the Lord Young Foundation and Plusvalue -impact investing

Angel investor in impact companies

Previous Executive Positions:

State Street Corp, London:

Head of Asset Owners Solutions, Senior Managing Director, EMEA

Responsible for the sales of multi product solutions to Pension Funds, Corporates, Endowment and Foundations and Banks across State Street divisions in EMEA.

Global Head of Client Relationship Management, Global Markets. Senior Man Dir

· Took global responsibility for overall CRM program for State Street Global Markets Division reporting directly to the Global Head of GM. A member of the Senior Management group

Global Head of Equity Distribution. Senior Managing Director

Headhunted for the opening and roll out of the Equity Sales and Sales Trading business in Europe and later globally

Credit Suisse First Boston, London

Director Equity Sales, London (1998 - 2003)

· Headhunted for the opening and roll out of the European Equity Team when DLJ expanded from New York to London . Moved from DLJ to CSFB following the take-over by the latter in 2000, dealing with complex clients and gaining a reputation for "trouble shooting" client issues across the globe.

IMI San Paolo, London

Deputy Head of Equities

· Brought in to turn around and reposition a divided research team and very fragmented research product, achieving recognition by Institutional Investor, top tier ranking in 1997.

Goldman Sachs, London

Executive Director - Equity Research

· One of the first hired into the International Research Department when Goldman opened the London operation, with responsibility for setting up the Italian Strategy and Equity Research product

Montedison Group, Milan

Head of Investor Relations

· Head of Investor Relations for one of the largest Italian listed conglomerates (Petrochemicals, Advanced Materials, Plastics, Pharma, Retailing main assets). As part of this role I was also responsible for the Proxy Fight project as well as the ADR listing

PERSONAL PARTICULARS

Education and Accreditations

FCA Senior Manager Regime: SMF10

Economics Degree (summa cum laude); Universita' Bocconi, Milan: 1985 Exchange Programme (Econ/International Monetary Policy); New York University: 1983

2003-2014

1998-2003

1989-1995

1995-1998

1985-1989

2

Languages: Bilingual Italian and English (dual nationality), colloquial level French

DATE AND SIGNATURE

London, 12 February 2024

LIST OF OTHER ROLE IN OTHER COMPANIES

London, February the 12th 2024

I the undersigned Paola Bergamaschi declare the following other current roles:

• 1) AIG inc. (NY) Member of the Board of Directors, member of the Risk Committee and Audit Committee
• 2) BNY Mellon International Ltd (London), Member of the Board of Directors, Chair of the Risk Committee, member of the Audit Committee and Nomination Committee
• 3) ARCA Fondi SGR (Milan), Member of the Board of Directors, Chair of the Risk and Control Committee, member of the Remuneration Committee (*)

(*) I commit to resign from the office in Arca Fondi as effective from 12 April 2024, subject to my appointment in UniCredit S.p.A.

Signature

Information notice on the processing of personal data by UniCredit

The following information notice aims at providing you with an overview on the use of your personal data by UniCredit S.p.A. and of your rights pursuant to the General Data Protection - Regulation (EU) 2016/679 (hereinafter also GDPR).

1. DATA CONTROLLER AND DATA PROTECTION OFFICER

The Data Controller is UniCredit S.p.A., with registered office in Milan, Piazza Gae Aulenti n. 3, Tower A, 20154 Milan (UniCredit).

The Data Protection Officer (DPO) can be contacted at:

UniCredit S.p.A. Data Protection Office. Piazza Gae Aulenti n. 1, Tower B, 20154 Milano, E-mail: Group.DPO@unicredit.eu, PEC: Group.DPO@pec.unicredit.eu,

2. PURPOSE AND LEGAL BASIS OF PROCESSING

UniCredit processes the personal data in its possession, that is collected directly from you, or from the relevant local administrations to verify, among others, their accuracy for the following purposes:

A. Need to fulfill legal obligations deriving from your candidacy as a Member of the UniCredit's Board of Directors.

These obligations imply, among others, verifying - both during the selection procedures and on an ongoing basis - the compliance: i) with the eligibility requirements for taking on and maintaining the role of Director as well as of specific positions (such as integrity requirements, criteria of correctness, professional experience requirements and competence, independence, time commitment, maximum number of offices covered, respect of the prohibition of interlocking) as required by applicable law, by UniCredit's Articles of Association and by the Corporate Governance Code (i.e. Codice di Corporate Governance) as with social security and fiscal obligations linked to the remuneration provided.

To comply with the above-mentioned obligations, in some cases, UniCredit is required to carry out analyses that concern also your relatives? For this reason, we kindly ask you to let them aware of this Information Notice.

These needs represented above are the legal basis legitimizing the related data processing. Data provided by you is necessary to comply with the obligations arising from your of UniCredit's Board of Directors; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

B. Fulfilment of legal obligations and requests from Public and Supervisory Authorities, concerning the process, communication and/or disclosure - also during the selection procedures - on the website www.unicreditgroup.eu and/ or on specific corporate documents (e.g. Prospectus / Corporate Governance Report, Financial Statements) of your data (such as data contained in your curriculum vitae and in the list of the tasks carried out by you in other banks and commercial companies, as required by the applicable law, and according to the Articles of Association and the Corporate Governance Code).

The needs represented above are the legal basis legitimizing the related data processing. Data provided by you is necessary to comply with the legal obligations, the requests from the Authorities, as well as to take on the role of member of the Board of Directors of UniCredit; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

3. CATEGORIES OF PERSONAL DATA PROCESSED

UniCredit processes personal data collectly from you, or from third parties (e.g. relevant local administrations), which include, but are not limited to, personal data (e.g. name, address, date and place of birth), banking data, information on the financial situation (e.g. patrimonial status, information on credit

² The relatives scope is identified on the basis of the specific applicable requlations.

requests/relationships), positions held and related income, employment relationships, commercial/professional relationships.

This information may concern existing or past relationships with Group Legal Entities or third parties.

3.1 JUDICIAL DATA

UniCredit may process judicial data (i.e. personal data relating to criminal convictions and offences or related security measures, including information on pending proceedings) referring to you, in order to verify the subjective and integrity requirements and/or conditions that prevent from being appointed as member of the Board of Directors of UniCredit.

In such cases, the processing is necessary to fulfill legal obligations as well as to comply with requests coming from Public or Supervisory Authorities (e.g. filling the questionnaire requested by the ECB). This need represents the legal basis that legitimizes the related data processing. Data provided by you is necessary to comply with the legal obligations; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

4. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA

Your data may be communicated to the natural and legal persons that are acting as "Data Processors", listed in the Unicredit premises and on the website www.unicredit.it, as well as - in the quality of persons authorized to process personal data in relation to the data necessary for the performance of the duties they are assigned to - the natural persons belonging to the following categories: employees of the Bank, seconded personnel, temporary workers, interns, consultants and the employees of the external companies appointed as Data Processors.

Your data may be communicated:

• to those subjects to whom this communication must be carried out in compliance with an obligation established by law (e.g. Bank of Italy and ECB), by a regulation or by EU legislation. Further information can be found on the website www.unicredit.it in the "Privacy" section;
• · to Legal Entities belonging to the UniCredit Group (also foreign Legal Entities), subsidiaries or associates under the terms of article 2359 of the Italian Civil Code, when such communication is permitted on the basis of a Garante per la Protezione dei Dati Personali's measure or by a law provision.

The detailed list of subjects to whom the data can be communicated is available on the website www.unicredit.it, in the "Privacy" section.

5. DATA TRANSFER TO THIRD COUNTRIES

UniCredit informs you that your personal data may also be transferred to the European Union or the European Economic Area (so called "Third Countries") if the EU Commission states that the Third Country ensures an adequate level of protection of personal data or in case of other appropriate safeguards, namely when the supplier of UniCredit located in the Third Country contractually ensures an appropriate level of personal data protection (e.g. through the standard contractual clauses provided by the European Commission), including enforceable and effective data subject rights. Further information can be requested by writing to Group.DPO@unicredit.eu.

DATA PROCESSING MODALITIES 6.

The processing of personal data involves the usage of manual and IT instruments with modalities closely connected with the purposes defined above and, in any case, in such a way to guarantee the security and confidentiality of the data.

DATA SUBJECT' RIGHTS 7.

GDPR grants and assures specific rights, including the right to know what data concerning you are held by UniCredit, as well as how they are used, and the right to obtain, under certain conditions, the copy, the erasure, the rectification or, if interested, the integration of your data, as well as the right to data portability.

7.1 DATA RETENTION PERIOD AND RIGHT TO ERASURE

UniCredit processes and stores your personal data for all the time you keep the role of Director, to execute the related and connected obligations, to comply with the applicable legal, contractual and regulatory obligations, as well as for its own defensive purposes or third parties until the expiration of the longest mandatory retention period provided by the applicable law (i.e. 11 years) starting from the relationship with you. UniCredit processes and stores your personal data even after the expiry of the employment relationship when this is necessary for archiving purposes for historical research purposes, according, to the methods set out in the "Ethical rules of processing for archiving purposes in the public interest or historical research"3.

At the end of the applicable mandatory retention period, your personal data will be erased or kept in a form which does not permit your identification (e.g. irreversible anonymization), unless the further processing is necessary for one or more of the following purposes: i) for resolution of pre-litigation, started before the expiration of the mandatory retention period; ii) to follow up with investigations by internal control functions and/or external authorities, started before the expiration of the mandatory retention period; iii) to follow up with requests from the Italian and/or foreign Public Authorities, received/notified to UniCredit before the expiration of the mandatory retention period.

8. PROCEDURE TO EXERCISE THE RIGHTS

The e-mail address which you can refer to for the exercise of your rights described in the paragraph 7 is the following one: corporate.law@pec.unicredit.eu.

The deadline for the reply is one (1) month, that may be extended for two (2) further months in cases of particular complexity; in these cases, UniCredit informs you about such extension within one (1) month from the receipt of the request.

The exercise of rights is, in principle, free of charge.

9. COMPLAINT OR REPORTING TO THE "GARANTE PER LA PROTEZIONE DEI DATI PERSONALI"

UniCredit informs you that you have the right to lodge a complaint with, or to report to the Garante per la Protezione dei Dati Personali, or else to appeal to the Judicial Authority. The Garante per la Protezione dei Dati Personali can be consulted on the website http://www.garanteprivacy.it.

12th of February 2024, London

Signature

³ Record of the provisions 19 December 2018, n. 513

STATEMENT OF CANDIDACY AND DECLARATION ATTESTING THE INEXISTENCE OF REASONS FOR INELIGIBILITY, FORFEITURE OR INCOMPATIBILITY, AS WELL AS REGARDING THE MEETING OF THE REQUIREMENTS PROVIDED FOR BY CURRENT PROVISIONS AND OF ACCEPTANCE OF APPOINTMENT

I, the undersigned Elena CARLETTI, born in La Spezia (Italy) on 8 September 1969, tax code CRLLNE69P48E463H resident in Milan (Italy), Italian nationality, in relation to the office of Director in UniCredit S.p.A. ("UniCredit" or the "Bank") in light of the Shareholders' Meeting convened for 12 April 2024, under my own responsibility,

taking into account, among others, the provisions of Section 91 of the Directive 2013/36/EU dated June 26, 2013, as subsequently amended ("CRD"), Articles 2382 and 2387 of the Italian Civil Code, Section 26 of Legislative Decree no. 385 dated September 1, 1993 ("TUB"), Articles 147-ter and 147-quinquies of Legislative Decree no. 58 dated February 24, 1998 ("TUF"), the Ministry of Economy and Finance no. 169 dated November 23, 2020 (the "Decree"), the Ministry of Justice Decree no. 162 dated March 30, 2000, Clause 20 of the UniCredit Articles of Association and Article 2, recommendation 7, of the Corporate Governance Code (the "Corporate Governance Code")

STATE THAT

there are no reasons for my ineligibility, forfeiture or incompatibility and that I meet the requirements provided for by currently applicable provisions, as well as by the Articles of Association of UniCredit for the appointment as Director; with specific reference to the experience and independence requirements:

DECLARE THAT

EXPERIENCE

I possess the knowledge, skills and experience required by the CRD, TUB and the Decree, and, in particular, that I have accrued the appropriate overall experience of at least 3 years through the exercise of 4:

• activity of non-executive Director in UniCredit from February 2019 to today;
• activity of Full professor of Finance carried out at the Bocconi University from 2013 to today;
• activity of Dean for Research carried out at Bocconi University from 2022 to today;
• activity as Member of the Advisory Scientific Committee (ASC) at the European Systemic Risk Board (ESRB), from 2015 to 2023;
• activity of Founding Director and scientific advisor carried out at the European University Institute, Florence School of Banking and Finance (FBF) from 2016 to today;
• activity of Member of the Expert Panel on the banking supervision carried out at the European Parliament from 2016 to today;

¹ Please indicate (I) for Directors with executive roles: management or control activities or managerial positions held in the credit, financial, securities or insurance sectors; and/or management or control activities or managerial positions held in listed companies or companies whose size and complexity are greater than, or equal to those of UniCredit (in terms of revenues, nature and complexity of the organization or activities performed), and (il) for Directors with non-executive roles, in addition to the abovementioned ones: professional activities practiced in credit, insurance related fields or anyhow instrumental for the activities of UniCredit - activities shall be sufficiently complex and significant manner; and/or university teaching (first or second level) of legal or economics subjects functional to the credit, financial, securities or insurance sectors; and/or managerial/executive functions or public administration offices relating to the credit, financial, securities or insurance sectors provided that the officer performed such activities has a size and complexity similar to those of UniCredit.

In addition to the above, the chief executive officer shall possess a specific experience in the fields of credit, financial, securities or insurance, gained through management or control activities or managerial positions held for at least 5 years in the credit, financial, securities and insurance sectors, or in companies whose size and complexity are greater than, or equal to, those of UniCredit (in terms of revenues, nature and complexity of the organization or activities performed). Moreover, the chair of the Board of Directors shall possess at least 5 years of experience in the activities indicated under para (i) or (i) above.

• activity of Director carried out at the Fondazione Cassa di Risparmio di La Spezia from April 2016 to February 2019,

as they result from both the attached curriculum vitae (see Annex 1) and the list of administration and control currently held in other companies (see Annex 2).

INDEPENDENCE

I meet the independence criteria pursuant to the following provisions:

1)	Article 148 TUF, para. 3 and Article 2399, para. 1 (as recalled by Article 図 Yes		ONo
	2409-septiesdecies) Italian Civil Code
	2) Article 13 of the Decree	× Yes	I No
	i 3) Italian Corporate Governance Code	× Yes	ONo I

I, the undersigned, also:

• state to be a candidate as member to the Board of Directors of UniCredit, and, if appointed, to irrevocably accept my appointment as from today;
• state that I am not in any of the situations provided for by (i) Article 2390 Italian Civil Code, nor (ii) 36 of Law Decree no. 201 dated December 6, 2011, converted into Law no. 214 dated December 22, 2011 (i.e., interlocking);
• state that I do not exceed the limits upon the maximum number of offices to be held pursuant : to applicable rules and that I am able to commit the necessary time to effectively carry out the office;
• undertake to promptly inform UniCredit of any changes in the above-mentioned circumstances and, on request by the Company, to produce any documentation suitable to confirm the truthfulness of the facts declared;
• having read the information notice on the processing of personal data reported in attachments, acknowledge the disclosure of the information above and the information indicated in the Annexes.

ANNEXES:

• 1) CV
• 2) List of offices of administration and control currently held in other companies
• 3) Privacy statement

Date, place __ Milano, 08 February 2024________

Elens Corren Signature

ELENA CARLETTI February 2024

Bocconi University - Department of Finance 20136 Milano, Italy

PERSONAL INFORMATION

• · Italian citizenship, female, married, one child
• · Mother tongue Italian, Fluent in English and German

ACADEMIC POSITIONS

• Bocconi University, .
  • o Full Professor of Finance, Bocconi University, Department of Finance, since October 2013
  • o Dean for Research, Bocconi University, since 2022
  • o Baffi Center for Applied Research, Director of Unit "Banking, Finance and Regulation", since 2015
• · Center for European Policy Research (CEPR), Director, Banking and Corporate Finance Program, and Director, Research Policy Network (RPN) on European Financial Architecture, since 2022
• · European Finance Association, Past-president, since 2023
• · Full Professor of Economics, European University Institute, Joint Chair Economics Department and Robert Schuman Centre for Advanced Studies, 2008-2013
• · Associate Professor, Goethe University of Frankfurt, Department of Finance, 2008-2013 (on leave part of the period)
• Senior Researcher, Center for Financial Studies, University of Frankfurt, 2004-2008 .
• · Assistant Professor of Economics, University of Mannheim, 2000-2004
• Tutorial Fellow in Finance, London School of Economics, 1999-2000

EDUCATION

• · Habilitation in Economics, University of Mannheim, 2007
• · Ph.D. in Economics, London School of Economics, 2000
• · Doctorate in Economics, University of Bologna, 1998
• Master in Economics (with distinction and best student award), Bocconi University, 1994
• · Laurea in Economics (110/110 and Summa cum laude), Bocconi University, 1993

CURRENT PROFESSIONAL ACTIVITIES

• · Unicredit, Member of the Board of Directors, since February 2019
  • Chair of the Internal Controls and Risk Committee, since 2021
  • o Member of the Related Parties Committee, since 2021
• · Bruegel, President of the Scientific Committee, since 2023
• · European University Institute, Florence School of Banking and Finance (FBF), Scientific Advisor and since 2020
• Deutsche Bundesbank, Research Professor, since 2017 0
• · European Parliament, Member of Expert Panel on banking supervision, since 2016

PREVIOUS PROFESSIONAL ACTIVITIES

• · Norges Bank, Member of Review Panel, Research department, 2022
• · European University Institute, Florence School of Banking and Finance (FBF), Founding Director, 2016-2020
• · European Systemic Risk Board (ESRB) European System of Financial Supervision, Member of the Advisory Scientific Committee (ASC), 2015 - 2023
• · Bank of Italy, Scientific Committee "Paolo Baffi Lecture", 2015-2021
• · Fondazione Cassa di Risparmio di La Spezia, Board Member, 2016-2019
• · Confindustria, Scientific Committee Member, 2014-2016
• · Riksbank (Swedish Central Bank), Review Panel Member, 2014
• · Central Bank of Ireland, Review Panel Member, 2011
• · Bangor University, Research Professor, 2013-2015
• · Financial Intermediation Research Society (FIRS), Board Director, 2010-2013
• · Vinnova Review Panel Financial Market Research Centres, Member, Stockholm, 2010
• · Consultant, OECD, 2009, 2010, 2017
• Consultant, World Bank, 2008 .
• · Economist, Italian Antitrust Authority, Rome, 1997-1998

ACADEMIC AFFILIATIONS

• · Finance Theory Group, United States, member, since 2014
• Wharton Financial Institutions Center, Philadelphia, Fellow, since 2006
• · Centre for Economic European Research (CEPR), London, Research Fellow in Financial Economics, since 2011
• IGIER, Bocconi University, Fellow, since 2013 .
• · CESifo, Munich, Fellow, since 2011
• · Center for Financial Studies (CFS), Frankfurt, Fellow, since 2008
• · Tilburg Law and Economic Center (TILEC), Tilburg, Extramural Fellow, since 2008
• · Federal Deposit Insurance Corporation (FDIC), Washington DC, Center for Financial Research (CFR), Fellow, 2004
• European Central Bank-Center for Financial Studies Research Network Contributor, 2003-2007 .

AREAS OF INTEREST

· Central Banking and Monetary Policy, Banking and Financial Crises, Regulation and Supervision, Resolution, Financial Markets, Corporate Governance, Climate Finance

TEACHING EXPERIENCE

• · I teach various courses in Bocconi and SDA Bocconi at Bachelor, Master and Ph.D. Level., on topics related to International Banking, International Financial Systems and Financial Crises
• · I have taught courses before at the European University Institute, Goethe University Frankfurt, Tor Vergata University and University of Mannheim
• · I have also taught in various institutions such as the Banca of Italy, European Commission, European Central Bank, and Bundesbank

Milan, 08 February 2024

Elena Carletti Elens Carres

ANNEX 2

LIST OF OFFICES OF ADMINISTRATION AND CONTROL CURRENTLY HELD IN OTHER COMPANIES

None

Date, place __Milano, 08 February 2024______

Elens Corren Signature

INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA BY UNICREDIT

The following information notice aims at providing you with an overview on the use of your personal data by UniCredit S.p.A. and of your rights pursuant to the General Data Protection - Regulation (EU) 2016/679 (hereinafter also GDPR).

1. DATA CONTROLLER AND DATA PROTECTION OFFICER

The Data Controller is UniCredit S.p.A., with registered office in Milan, Piazza Gae Aulenti n. 3, Tower A, 20154 Milan (UniCredit).

The Data Protection Officer (DPO) can be contacted at:

UniCredit S.p.A. Data Protection Office, Piazza Gae Aulenti n. 1, Tower B, 20154 Milano, E-mail: Group.DPO@unicredit.eu, PEC: Group.DPO@pec.unicredit.eu.

2. PURPOSE AND LEGAL BASIS OF PROCESSING

UniCredit processes the personal data in its possession, that is collected directly from you, or from the relevant local administrations to verify, among others, their accuracy for the following purposes:

A. Need to fulfill legal obligations deriving from your candidacy as a Member of the UniCredit's Board of Directors.

These obligations imply, among others, verifying - both during the selection procedures and on an ongoing basis - the compliance: i) with the eligibility requirements for taking on and maintaining the role of Director as well as of specific positions (such as integrity requirements, criteria of correctness, professional experience requirements and competence, independence, time commitment, maximum number of offices covered, respect of the prohibition of interlocking) as required by applicable law, by UniCredit's Articles of Association and by the Corporate Governance Code (i.e. Codice di Corporate Governance) as with social security and fiscal obligations linked to the remuneration provided.

To comply with the above-mentioned obligations, in some cases, UniCredit is required to carry out analyses that concern also your relatives?. For this reason, we kindly ask you to let them aware of this Information Notice.

These needs represented above are the legitimizing the related data processing. Data provided by you is necessary to comply with the obligations arising from your role of UniCredit's Board of Directors; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

B. Fulfilment of legal obligations and requests from Public and Supervisory Authorities, concerning the process, communication and/or disclosure - also during the selection procedures - on the website www.unicreditgroup.eu and/ or on specific corporate documents (e.g. Prospectus / Corporate Governance Report, Financial Statements) of your data (such as data contained in your curriculum vitae and in the list of the tasks carried out by you in other banks and commercial companies, as required by the applicable law, and according to the Articles of Association and the Corporate Governance Code).

The needs represented above are the legal basis legitimizing the related data processing. Data provided by you is necessary to comply with the legal obligations, the requests from the Authorities, as well as to take on the role of member of the Board of Directors of UniCredit; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

3. CATEGORIES OF PERSONAL DATA PROCESSED

UniCredit processes personal data collectly from you, or from third parties (e.g. relevant local administrations), which include, but are not limited to, personal data (e.g. name, surname, address, date and place of birth), banking data, information on the financial situation (e.g. patrimonial status, information on credit requests/relationships), positions held and related income, employment relationships, commercial/professional relationships.

² The relatives scope is identified on the basis of the specific applicable regulations.

This information may concern existing or past relationships with Group Legal Entities or third parties.

3.1 JUDICIAL DATA

UniCredit may process judicial data (i.e. personal data relating to criminal convictions and offences or related security measures, including information on pending proceedings) refering to you, in order to verify the subjective and integrity requirements and/or conditions that prevent from being appointed as member of the Board of Directors of UniCredit.

In such cases, the processing is necessary to fulfill legal obligations as well as to comply with requests coming from Public or Supervisory Authorities (e.g. filling the questionnaire requested by the ECB). This need represents the legal basis that legitimizes the related data processing. Data provided by you is necessary to comply with the legal obligations; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

4. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA

Your data may be communicated to the natural and legal persons that are acting as "Data Processors", listed in the Unicredit premises and on the website www.unicredit.it, as well as - in the quality of persons authorized to process personal data in relation to the data necessary for the performance of the duties they are assigned to - the natural persons belonging to the following categories: employees of the Bank, seconded personnel, temporary workers, interns, consultants and the employees of the external companies appointed as Data Processors.

Your data may be communicated:

• to those subjects to whom this communication must be carried out in compliance with an obligation established by law (e.g. Bank of Italy and ECB), by a regulation or by EU legislation. Further information can be found on the website www.unicredit.it in the "Privacy" section;
• · to Legal Entities belonging to the UniCredit Group (also foreign Legal Entities), subsidiaries or associates under the terms of article 2359 of the Italian Civil Code, when such communication is permitted on the basis of a Garante per la Protezione dei Dati Personali's measure or by a law provision.

The detailed list of subjects to whom the data can be communicated is available on the website www.unicredit.it, in the "Privacy" section.

5. DATA TRANSFER TO THIRD COUNTRIES

UniCredit informs you that your personal data may also be transferred to the European Union or the European Economic Area (so called "Third Countries") if the EU Commission states that the Third Country ensures an adequate level of protection of personal data or in case of other appropriate safeguards, namely when the supplier of UniCredit located in the Third Country contractually ensures an appropriate level of personal data protection (e.g. through the standard contractual clauses provided by the European Commission), including enforceable and effective data subject rights. Further information can be requested by writing to Group.DPO@unicredit.eu.

DATA PROCESSING MODALITIES 6.

The processing of personal data involves the usage of manual and IT instruments with modalities closely connected with the purposes defined above and, in any case, in such a way to guarantee the security and confidentiality of the data.

7. DATA SUBJECT' RIGHTS

GDPR grants and assures specific rights, including the right to know what data concerning you are held by UniCredit, as well as how they are used, and the right to obtain, under certain conditions, the copy, the erasure, the rectification or, if interested, the integration of your data, as well as the right to data portability.

7.1 DATA RETENTION PERIOD AND RIGHT TO ERASURE

Unicredit processes and stores your personal data for all the time you keep the role of Director, to execute the related and connected obligations, to comply with the applicable legal, contractual and regulatory obligations, as well as for its own defensive purposes or third parties until the expiration of the longest mandatory retention

period provided by the applicable law (i.e. 11 years) starting from the date of termination of the relationship with you. UniCredit processes and stores your personal data even after the employment relationship when this is necessary for archiving purposes for historical research purposes, according, to the methods set out in the "Ethical rules of processing for archiving purposes in the public interest or historical research"3.

At the end of the applicable mandatory retention period, your personal data will be erased or kept in a form which does not permit your identification (e.g. irreversible anonymization), unless the further processing is necessary for one or more of the following purposes: i) for resolution of pre-litigation, started before the expiration of the mandatory retention period; ii) to follow up with investigations/inspections by internal control functions and/or external authorities, started before the expiration of the mandatory retention period; ili) to follow up with requests from the Italian and/or foreign Public Authorities, received/notified to UniCredit before the expiration of the mandatory retention period.

8. PROCEDURE TO EXERCISE THE RIGHTS

The e-mail address which you can refer to for the exercise of your rights described in the paragraph 7 is the following one: corporate.law@pec.unicredit.eu.

The deadline for the reply is one (1) month, that may be extended for two (2) further months in cases of particular complexity; in these cases, UniCredit informs you about such extension within one (1) month from the receipt of the request.

The exercise of rights is, in principle, free of charge.

9. COMPLAINT OR REPORTING TO THE "GARANTE PER LA PROTEZIONE DEI DATI PERSONALI"

UniCredit informs you that you have the right to lodge a complaint with, or to report to the Garante per la Protezione dei Dati Personali, or else to appeal to the Judicial Authority. The contacts of the Garante per la Protezione dei Dati Personali can be consulted on the website http://www.garanteprivacy.it.

Date, place __ Milano, 08 February 2024______

Correin Signature

³ Record of the provisions 19 December 2018, n. 513

STATEMENT OF CANDIDACY AND DECLARATION ATTESTING THE INEXISTENCE OF REASONS FOR INELIGIBILITY, FORFEITURE OR INCOMPATIBILITY, AS WELL AS REGARDING THE MEETING OF THE REQUIREMENTS PROVIDED FOR BY CURRENT PROVISIONS AND OF ACCEPTANCE OF APPOINTMENT

I, the undersigned MARCUS JOHANNES CHROMIK, born in Kiel (Germany) on 13 May 1972, tax code 42 293 685 707, resident in Frankfurt am Main (German nationality, in relation to the office of Director in UniCredit S.p.A. ("UniCredit" or the "Bank") in light of the Agenda of the Shareholders' Meeting convened for 12 April 2024, under my own responsibility,

taking into account, among others, the provisions of Section 91 of the Directive 2013/36/EU dated June 26, 2013, as subsequently amended ("CRD"), Articles 2382 and 2387 of the Italian Civil Code, Section 26 of Legislative Decree no. 385 dated September 1, 1993 ("TUB"), Articles 147-ter and 147-quinquies of Legislative Decree no. 58 dated February 24, 1998 ("TUF"), the Ministry of Economy and Finance no. 169 dated November 23, 2020 (the "Decree"), the Ministry of Justice Decree no. 162 dated March 30, 2000, Clause 20 of the Unicredit Articles of Association and Article 2, recommendation 7, of the Corporate Governance Code (the "Corporate Governance Code")

STATE THAT

there are no reasons for my ineligibility, forfeiture or incompatibility and that I meet the requirements provided for by currently applicable provisions, as well as by the Articles of Association of UniCredit for the appointment as Director; with specific reference to the experience and independence requirements:

DECLARE THAT

FXPFRIFNCF

I possess the knowledge, skills and experience required by the CRD, TUB and the Decree, and, in particular, that I have accrued the appropriate overall experience of at least 10 years through the exercise of 4:

• Chief Risk Officer, member of Management board at Commerzbank AG from 01/2016 to 12/2023;
• Chief Credit Risk Officer, divisional board member at Commerzbank AG from 11/2012 to 12/2015;
• Chief Market Risk Officer, divisional board member at Commerzbank AG from 07/2009 to 12/2012;
• Member of Supervisory board and chairman of the risk committee at mBank S.A. from 01/2016 to 12/2023:
• Member of Supervisory board at Commerzreal AG from 01/2021 to 12/2023;
• Member of the Advisory Board of WM Gruppe from 2021 to 04/2023;
• Member of the Supervisory board at Valovis Bank AG from 10/2012 to 12/2015;
• -Member of the Supervisory board at Düsseldorfer Hypotheken Bank AG from 04/2015 to 12/2015;

¹ Please indicate (I) for Directors with executive roles: management or control activities or managerial positions held in the credit. financial, securities or insurance sectors; and/or management or control activities or managerial positions held in listed companies or companies whose size and complexity are greater than, or equal to those of UniCredit (in terms of revenues, nature and complexity of the organization or activities performed), and (ii) for Directors with non-executive roles, in addition to the abovementioned ones: professional activities practiced in credit, insurance related fields or anyhow instrumental for the activities of Unicedit - activities shall be sufficiently complex and significant manner, and/or university teaching (first or second level) of legal or economics subjects functional to the credit, financial, securities or insurance sectors; and/or managerial/executive functions or public administration offices relating to the credit, financial, securities or insurance sectors provided that the officer performed such activities has a size and complexity similar to those of UniCredit.

In addition to the above, the chief executive officer shall possess a specific experience in the fields of credit, financial, securities or insurance, gained through managerial positions or managerial positions held for at least 5 years in the credit, financial, securities and insurance sectors, or in companies whose size and complexity are greater than, or equal to, those of UniCredit (in terms of revenues, nature and complexity of the organization or activities performed). Moreover, the chair of the Board of Directors shall possess at least 5 years of experience in the activities indicated under para (i) or (ii) above.

• Member of the Verwaltungsrat at Argor Heraeus S.A. from 01/2013 to 12/2015.
• INDEPENDENCE

I meet the independence criteria pursuant to the following provisions:

1)	Article 148 TUF, para. 3 and Article 2399, para. 1 (as recalled by Article 図 Yes		ONo
	2409-septiesdecies) Italian Civil Code
2)	Article 13 of the Decree	× Yes	LINO I
	3) Italian Corporate Governance Code	× Yes	ONO I

I, the undersigned, also:

• state to be a candidate to the Board of Directors of UniCredit member, and, if appointed, to ı irrevocably accept my appointment as from today;
• state that I am not in any of the situations provided for by (i) Article 2390 Italian Civil Code, nor (ii) 36 of Law Decree no. 201 dated December 6, 2011, converted into Law no. 214 dated December 22, 2011 (i.e., interlocking);
• to applicable rules and that I am able to commit the necessary time to effectively carry out the office;
• undertake to promptly inform UniCredit of any changes in the above-mentioned circumstances and, on request by the Company, to produce any documentation suitable to confirm the truthfulness of the facts declared;
• having read the information notice on the processing of personal data reported in attachments, acknowledge the disclosure of the information above and the information indicated in the Annexes.

ANNEXES:

• 1) CV
• 2) List of offices of administration and control currently held in other companies
• 3) Privacy statement

13.2.27

Annex 1 Curriculum Vitae

Dr. Marcus Johannes Chromik

PERSONAL DATA Born May 13th 1972 in Kiel, Germany

PROFESSIONAL EXPERIENCE

Commerzbank AG, Frankfurt, Germany

January 2016 - December 2023

• Member of the board, CRO, responsible for Risk Management and Compliance .
• Responsibilities
  • Group Credit Risk Management
  • Group Risk Control, including market risk and liquidity risk u
  • Group Cyber Risk & Information Security .
  • Big Data and Advanced Analytics
  • Group Compliance since 2020
• · Supervisory board mandates
  • mBank S. A., Warsaw, member of the supervisory Board since 2016
  • mBank S. A., Warsaw, chairman of the risk committee since 2016 ..
  • Commerzreal AG, member of the supervisory board, since 2021
  • · WM Gruppe (Börsenzeitung, WM Datenservice) member of advisory board since 2021
• Member
  • German Eastern Business Association, member Steering Committee since 2016 .
  • International Chamber of Commerce Germany, member of board since 2016
  • " German Banking Association, chairman of committee of SSM1 banks

November 2012 - December 2015

• Divisional board member, Chief Credit Risk Officer core bank .
• · Principal work: Group wide underwriting of credit risk for all core segments of Commerzbank AG. Responsibility for credit policies and processes and credit decisions. Since 2015 additional responsible for country risk steering
• Committees 0
  • " Credit risk committee (voting member, deputy chair with veto power)

• Strategic risk committee (voting member)
• Risk management board (management board of the risk function)
• . Portfolio

0

• New underwriting and management of existing portfolio of the core bank (retail, corporates, FI, sovereigns)
• 트 EAD approx. 355bn €1
• 트 LAD approx. 105bn €
• I RWA approx. 170bn €
• . Economic capital (credit risk) approx. 8 bn €
• Decision authority
  • · Credit authority in the credit risk committee with veto power up all-in of 1 bn €2
  • · Credit authority for 4-eye approval up to all-in of 400m €
• Headcount ~1200

July 2009 - October 2012

• Divisional board member, Chief Market Risk Officer
• · Principal work: Group wide controlling of market, liquidity and counterparty risk. Responsibility for methods, modelling, IT implementation, reporting and management (trade approval, limit setting). Responsible for market risk integration after the merger, Basle II.5 and Basle III implementation. Overall risk function for portfolio restructuring unit (PRU)
• Committees .
  • Group market risk committee (co-chair, chair)
  • " Segment market risk committee (for corporates and markets and treasury, chair)
  • · Asset Allocation Committee (ALCO)
  • · Credit risk committee (voting member)
  • · PRU board (voting member)
  • " Corporates and Markets Executive Committee (EXCO)
  • " Risk Management Board (management board of the risk function)
• Portfolio .
  • · Complete market risk portfolio of the group (credit, IR, FX, EQ and commodity), especially generated by the units of Corporates and Markets, treasury and public finance
• · Decision authority
  • Credit authority in the credit risk committee, see above
  • " Group authority in PRU board for exit decisions with losses up to 20m € per transaction
  • · Group authority in the market risk committees for risk mitigating measures with loss budget up to 100m €
  • " Several trades based approval authorities regarding special market risk deals with structural features or longer maturities
• Headcount ~300 .

May 2010 - October 2012

• · General manager London branch (in parallel to role as chief market risk officer)
• · Principal work: Oversight over risk function in London and PRU

Deutsche Postbank AG, Bonn, Germany

September 2008 - June 2009

• · Head of liquidity management and credit treasury
• · Principal work: Liquidity management via short term funding and repo-business (book 20-30 bn €), medium and long term funding for the Postbank group (10 bn € p.a.), optimization of group liquidity, securitization of assets (3 bn € p.a.), management of structured credit (book 5 bn €), optimizing the mix of regulatory capital as well as collateral management and optimization, representing Postbank group in the money and capital markets
• General commercial power of representation (Prokura) jointly with second qualified member .
• Headcount 39

October 2007 - August 2008

¹ Figures as of 12/2014, except mentioned otherwise

² Based on investment grade credit, rating based scale down

• Head of primary capital markets
• · Principal work: medium and long term funding for the Postbank group (10 bn € p.a.), securitization of assets (3 bn € p.a.), management of structured credit (book 5 bn €), optimizing the mix of regulatory capital as well as collateral management and optimization, representing Postbank group in the capital markets
• General commercial power of representation (Prokura) jointly with second qualified member
• Headcount 18

January 2006 - October 2007

• Head of risk controlling .
• · Principal work: group wide risk controlling responsibility for methods and reports for all risk classes, implementation of Basle II processes in the group, controlling of regulatory and economic equity
• · General commercial power of representation (Prokura) jointly with second qualified member
• Headcount 36

March 2004 - December 2005

• Head of credit risk
• · Principal work: development and monitoring of all scoring and rating models of Postbank group, measurement of "Credit Value at Risk", credit risk controlling and reporting
• Commercial power of representation (registered manager, Handlungsbevollmächtigter) jointly . with second qualified member
• Headcount 11 0

McKinsey & Company, Inc., Hamburg, Germany

June 2001 - January 2004

• Senior associate
• Principal work: Serving clients in the financial services industry in risk management projects Work included:
  • Development and implementation of risk measurement and management systems
  • Leading and coordinating large project teams
  • Presentations/speeches at various hierarchy levels
  • Coaching and development of training programs for clients
  • Facilitating trainings for other McKinsey consultants

OTHER MANDATES

• · Valovis Bank AG (Small German retail bank), member of the supervisory board 2012-2015
• Düsseldorfer Hypothekenbank AG, member of the supervisory board 2015-2015
• Argor Heraeus S.A. (Swiss refinery, precious metals), member of the supervisory board (Verwaltungsrat) 2013-2015
• . Allianz Global Investors Europe GmbH, member of investment advisory committee for three fonds belonging to Commerzbank's pension scheme from 2011-2012

COMMITTEES IN BANKING ORGANISATIONS

• · Working committee for the "risk policy committee" of the association of German banks (BdB) from 2006-2007
• Working committee for the "credit policy committee" of the association of German banks (BdB) . from 2006-2007
• Expert committee "Pfandbrief and capital markets" of the association of German Pfandbrief . banks 2008-2009
• IIF Special Committee on "Financial crisis prevention and resolution", 2009-2012 0

EDUCATION

Ph.D. (Nuclear Physics) - Ludwig-Maximilians-Universität Munich (LMU), Germany

· Thesis Title: Investigation of the double proton decay in 17Ne

• Advisor: Professor Dr. Dieter Habs .
• Date: Awarded June 2001 .
• Remark: Experiments for thesis performed at the National Superconducting . Cyclotron Laboratory, East Lansing, Michigan

Diploma (Physics) - Ludwig-Maximilians-Universität Munich (LMU), Germany

• Thesis Title: Excitation and decay of the first excited state in 17Ne .
• Advisor: Professor Dr. Dieter Habs .
• Major: Experimental Nuclear Physics .
• . Minors: Physical Chemistry and Accelerator Physics
• Date: Awarded June 1998 0
• Remark : Classes taken also at the University of Kiel and Michigan State University

Pre-Diploma (Physics) - Georgia Augusta, University of Göttingen, Germany

• Minor: Chemistry
• Date: Awarded Fall 1994

Abitur - Kieler Gelehrtenschule (Secondary school, Humanistisches Gymnasium), Germany

• Physics, Mathematics Majors:
• Date: Awarded Spring 1991

INTERNSHIPS / ACADEMIC ASSISTANTSHIPS

Ludwig-Maximilians-Universität Munich, Germany

• August 1998 May 2001 .
• Research assistant
• Principal work: spokesperson of an international collaboration, proposing, preparing . and analysing a basic research experiment, reporting the results, teaching lab classes

Boston Consulting Group, Munich Germany

• August 1999 November 1999 .
• Visiting associate .
• · Principal work: market analysis, quantification of market potential, management of the personnel transfer processes and discussion with clients

Accelerator Laboratory Garching, Germany

• November 1996 November 1997 .
• Operator
• Principal work: controlling and operating the accelerator, troubleshooting .

National Superconducting Cyclotron Laboratory, Michigan, USA

• August 1995 October 1996 .
• Research assistant
• Principal work: performing and analysing two experiments and reporting the results

PROFESSIONAL AFFILIATIONS

German physics association (Deutsche Physikalische Gesellschaft)

ANNEX 2

LIST OF OFFICES OF ADMINISTRATION AND CONTROL CURRENTLY HELD IN OTHER COMPANIES

none

Fount furt, 13.2.24

INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA BY UNICREDIT

The following information notice aims at providing you with an overview on the use of your personal data by UniCredit S.p.A. and of your rights pursuant to the General Data Protection - Regulation (EU) 2016/679 (hereinafter also GDPR).

1. DATA CONTROLLER AND DATA PROTECTION OFFICER

The Data Controller is UniCredit S.p.A., with registered office in Milan, Piazza Gae Aulenti n. 3, Tower A, 20154 Milan (UniCredit).

The Data Protection Officer (DPO) can be contacted at:

UniCredit S.p.A. Data Protection Office, Piazza Gae Aulenti n. 1, Tower B, 20154 Milano, E-mail: Group.DPO@unicredit.eu, PEC: Group.DPO@pec.unicredit.eu.

2. PURPOSE AND LEGAL BASIS OF PROCESSING

UniCredit processes the personal data in its possession, that is collected directly from you, or from the relevant local administrations to verify, among others, their accuracy for the following purposes:

A. Need to fulfill legal obligations deriving from your candidacy as a Member of the UniCredit's Board of Directors.

These obligations imply, among others, verifying - both during the selection procedures and on an ongoing basis - the compliance: i) with the eligibility requirements for taking on and maintaining the role of Director as well as of specific positions (such as integrity requirements, criteria of correctness, professional experience requirements and competence, independence, time commitment, maximum number of offices covered, respect of the prohibition of interlocking) as required by applicable law, by UniCredit's Articles of Association and by the Corporate Governance Code (i.e. Codice di Corporate Governance) as well as with social security and fiscal obligations linked to the remuneration provided.

To comply with the above-mentioned obligations, in some cases, UniCredit is required to carry out analyses that concern also your relatives ?. For this reason, we kindly ask you to let them aware of this Information Notice.

These needs represented above are the legal basis legitimizing the related data processing. Data provided by you is necessary to comply with the obligations arising from your role of UniCredit's Board of Directors; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

B. Fulfilment of legal obligations and requests from Public and Supervisory Authorities, concerning the process, communication and/or disclosure - also during the selection procedures - on the website www.unicreditgroup.eu and/ or on specific corporate documents (e.g. Prospectus / Corporate Governance Report, Financial Statements) of your data (such as data contained in your curriculum vitae and in the list of the tasks carried out by you in other banks and commercial companies, as required by the applicable law, and according to the Articles of Association and the Corporate Governance Code).

The needs represented above are the legal basis legitimizing the related data processing. Data provided by you is necessary to comply with the legal obligations, the requests from the Authorities, as well as to take on the role of member of the Board of Directors of UniCredit; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

3. CATEGORIES OF PERSONAL DATA PROCESSED

UniCredit processes personal data collectly from you, or from third parties (e.g. relevant local administrations), which include, but are not limited to, personal data (e.g. name, surname, address, date and place of birth), banking data, information on the financial situation (e.g. patrimonial status, information on credit requests/relationships), positions held and related income, employment relationships, commercial/professional relationships.

² The relatives scope is identified on the basis of the specific applicable regulations.

This information may concern existing or past relationships with UniCredit as well as with Group Legal Entities or third parties.

3.1 JUDICIAL DATA

UniCredit may process judicial data (i.e. personal data relating to criminal convictions and offences or related security measures, including information on pending proceedings) refering to you, in order to verify the subjective and integrity requirements and/or conditions that prevent from being appointed as member of the Board of Directors of UniCredit.

In such cases, the processing is necessary to fulfill legal obligations as well as to comply with requests coming from Public or Supervisory Authorities (e.g. filling the questionnaire requested by the ECB). This need represents the legal basis that legitimizes the related data processing. Data provided by you is necessary to comply with the legal obligations; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

4. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA

Your data may be communicated to the natural and legal persons that are acting as "Data Processors", listed in the UniCredit premises and on the website www.unicredit.it, as well as – in the quality of persons authorized to process personal data in relation to the data necessary for the performance of the duties they are assigned to – the natural persons belonging to the following categories: employees of the Bank, seconded personnel, temporary workers, interns, consultants and the employees of the external companies appointed as Data Processors.

Your data may be communicated:

• to those subjects to whom this communication must be carried out in compliance with an obligation established by law (e.g. Bank of Italy and ECB), by a regulation or by EU legislation. Further information can be found on the website www.unicredit.it in the "Privacy" section;
• · to Legal Entities belonging to the UniCredit Group (also foreign Legal Entities), subsidiaries or associates under the terms of article 2359 of the Italian Civil Code, when such communication is permitted on the basis of a Garante per la Protezione dei Dati Personali's measure or by a law provision.

The detailed list of subjects to whom the data can be communicated is available on the website www.unicredit.it, in the "Privacy" section.

5. DATA TRANSFER TO THIRD COUNTRIES

UniCredit informs you that your personal data may also be transferred to the European Union or the European Economic Area (so called "Third Countries") if the EU Commission states that the Third Country ensures an adequate level of protection of personal data or in case of other appropriate safeguards, namely when the supplier of UniCredit located in the Third Country contractually ensures an appropriate level of personal data protection (e.g. through the standard contractual clauses provided by the European Commission), including enforceable and effective data subject rights. Further information can be requested by writing to Group.DPO@unicredit.eu.

DATA PROCESSING MODALITIES 6.

The processing of personal data involves the usage of manual and IT instruments with modalities closely connected with the purposes defined above and, in any case, in such a way to guarantee the security and confidentiality of the data.

DATA SUBJECT' RIGHTS 7.

GDPR grants and assures specific rights, including the right to know what data concerning you are held by UniCredit, as well as how they are used, and the right to obtain, under certain conditions, the copy, the erasure, the rectification or, if interested, the integration of your data, as well as the right to data portability.

7.1 DATA RETENTION PERIOD AND RIGHT TO ERASURE

Unicredit processes and stores your personal data for all the time you keep the role of Director, to execute the related and connected obligations, to comply with the applicable legal, contractual and regulatory obligations, as well as for its own defensive purposes or those of third parties until the expiration of the longest mandatory retention

period provided by the applicable law (i.e. 11 years) starting from the date of termination of the relationship with you. UniCredit processes and stores your personal data even after the employment relationship when this is necessary for archiving purposes for historical research purposes, according, to the methods set out in the "Ethical rules of processing for archiving purposes in the public interest or historical research"3.

At the end of the applicable mandatory retention period, your personal data will be erased or kept in a form which does not permit your identification (e.g. irreversible anonymization), unless the further processing is necessary for one or more of the following purposes: i) for resolution of pre-litigation, started before the expiration of the mandatory retention period; il) to follow up with investigations/inspections by internal control functions and/or external authorities, started before the expiration period; iii) to follow up with requests from the Italian and/or foreign Public Authorities, received/notified to UniCredit before the expiration of the mandatory retention period.

8. PROCEDURE TO EXERCISE THE RIGHTS

The e-mail address which you can refer to for the exercise of your rights described in the paragraph 7 is the following one: corporate.law@pec.unicredit.eu.

The deadline for the reply is one (1) month, that may be extended for two (2) further months in cases of particular complexity; in these cases, UniCredit informs you about such extension within one (1) month from the receipt of the request.

The exercise of rights is, in principle, free of charge.

9. COMPLAINT OR REPORTING TO THE "GARANTE PER LA PROTEZIONE DEI DATI PERSONALI"

UniCredit informs you that you have the right to lodge a complaint with, or to report to the Garante per la Protezione dei Dati Personali, or else to appeal to the Judicial Authority. The Garante per la Protezione dei Dati Personali can be consulted on the website http://www.garanteprivacy.it.

³ Record of the provisions 19 December 2018, n. 513

STATEMENT OF CANDIDACY AND DECLARATION ATTESTING THE INEXISTENCE OF REASONS FOR INELIGIBILITY, FORFEITURE OR INCOMPATIBILITY, AS WELL AS REGARDING THE MEETING OF THE REQUIREMENTS PROVIDED FOR BY CURRENT PROVISIONS AND OF ACCEPTANCE OF APPOINTMENT

I, the undersigned ANTÓNIO DOMINGUES, born in Arcos de Valdevez on 30 December 1956, tax code 149941722, resident in Portugal, of Portuguese nationality, in relation to the office of Director in UniCredit S.p.A. ("UniCredit" or the "Bank") in light of the Agenda of the Shareholders' Meeting convened for 12 April 2024, under my own responsibility,

taking into account, among others, the provisions of Section 91 of the Directive 2013/36/EU dated June 26, 2013, as subsequently amended ("CRD"), Articles 2382 and 2387 of the Italian Civil Code, Section 26 of Legislative Decree no. 385 dated September 1, 1993 ("TUB"), Articles 147-ter and 147-quinquies of Legislative Decree no. 58 dated February 24, 1998 ("TUF"), the Ministry of Economy and Finance no. 169 dated November 23, 2020 (the "Decree"), the Ministry of Justice Decree no. 162 dated March 30, 2000, Clause 20 of the UniCredit Articles of Association and Article 2, recommendation 7, of the Corporate Governance Code (the "Corporate Governance Code")

STATE THAT

there are no reasons for my ineligibility, forfeiture or incompatibility and that I meet the requirements provided for by currently applicable provisions, as well as by the Articles of Association of UniCredit for the appointment as Director; with specific reference to the experience and independence requirements:

DECLARE THAT

EXPERIENCE

l possess the knowledge, skills and experience required by the CRD, TUB and the Decree, and, in particular, that I have accrued the appropriate overall experience of at least 3 years through the exercise of ';

• Non-executive Director of Banco CTT (2022-present);
• Non-executive Director, Chair of Audit Committee, Chair of Governance Committee, member of Risk committee and member of Remuneration Committee of Haitong Investment Bank S.A. (Private) (2018-present);
• Chief Executive Officer of Caixa Geral de Depositos (2016-2016);
• Deputy CEO and Chief Financial Officer of Banco BPI Group (2003-2016);
• Non-executive Director, Chair of Audit & Risk Committee and member of Governance Committee . of NOS S.A. (2004-2022);
• Non-executive Director of Allianz (Portugal) (2003-2016);

¹ Please indicate (i) for Directors with executive roles: management or control activities or managerial positions held in the credit, financial, securities or insurance sectors; and/or management or control activities or managerial positions held in listed companies or companies whose size and complexity are greater than, or equal to those of UniCredit (in terms of revenues nature and complexity of the organization or activities performed), and (ii) for Directors with non-executive roles, in addition the abonmentioned ones: professional activities practiced in credit, financial, securities, insurance related fields or anyhow instrumental for the activities of UniCredit – activities shall be sufficiently complex and significan matron; and on university teaching (first or second level) of legal or economics subjects functional to the creatit, firancial, securities or insurance sectors; and/or managerial/executive functions or public administration offices relating to the credit, financial, securities or insurance sectors provided that the office performed such activities has a size and complexity similar to those of UniCredit.

In addition to the above, the chief executive officer shall possess a specific experience in the fields of credit, financial, securities or insurance, gained through management or control activities or managerial positions held for at least 5 years in the credit, financial, securities and insurance sectors, or in listed companies whose size and companies whose size and an the br equal to, those of Unicredit (in terms of revenues, nature and complexity of the organization or activities performed). Moreoner, the chair of the Board of Directors shall possess at least 5 years of experience in the activities indicated under para (i) or (ii) above.

• Vice Chair of BFA- Banco de Fomento de Angola (2002-2020);
• Non-executive Director of BCI (Moçambique) (2002-2012);
• Non-executive Director of SIBS (1999-2012);
• Non-executive Director of Unicre (1999-2008).

as they result from both the attached curriculum vitae (see Annex 1) and the list of offices of administration and control currently held in other companies (see Annex 2).

INDEPENDENCE

I meet the independence criteria pursuant to the following provisions:

	Article 148 TUF, para. 3 and Article 2399, para. 1 (as recalled by Article 区 Yes		LINO
	2409-septiesdecies) Italian Civil Code
2)	Article 13 of the Decree	× Yes	I No
	3)	× Yes	No I

I, the undersigned, also:

• state to be a candidate to the Board of Directors of UniCredit member, and, if appointed, to irrevocably accept my appointment as from today;
• state that I am not in any of the situations provided for by (i) Article 2390 Italian Civil Code, nor (ii) 36 of Law Decree no. 201 dated December 6, 2011, converted into Law no. 214 dated December 22, 2011 (i.e., interlocking);
• state that I do not exceed the limits upon the maximum number of offices to be held pursuant to applicable rules and that I am able to commit the necessary time to effectively cary out the office;
• undertake to promptly inform UniCredit of any changes in the above-mentioned circumstances and, on request by the Company, to produce any documentation suitable to confirm the truthfulness of the facts declared;
• having read the information notice on the processing of personal data reported in attachments, . acknowledge the disclosure of the information above and the information indicated in the Annexes.

ANNEXES:

• 1) CV
• 2) List of offices of administration and control currently held in other companies
• 3) Privacy statement

15 February 2024, Milan

Signaturg

António Domingues

Current Board Affiliations

• · Non-executive Director of Banco CTT (2022-present)
• · Non-executive Director, Chair of Audit and Governance Committees, member of Risk and Remuneration Committees of Haitong Investment Bank S.A. (Private) (2018-present)

Former Board Affiliations

• Non-executive Director, Chair of Audit & Risk Committee and member of Governance Committee of NOS S.A. (2004-2022)
• · Non-executive Director of Allianz (Portugal) (2003-2016)
• · Vice Chair of BFA- Banco de Fomento de Angola (2022-2020)
• · Non-executive Director of BCI (Moçambique) (2002-2012)
• Non-executive Director of SIBS (1999-2012) .
• · Non-executive Director of Unicre (1999-2008)
• · Vice Chair of BPI Investment Bank (1995-2016)
• · Non-executive Director of Banco de Fomento & Exterior (1996-1999)
• · Non-executive Director of Banco Borges & Irmão (1996-1999)

Professional experience

CULLO-ZULLO	Caixa Geral de Depositos Chief Executive Officer
1989-2016 2003-2016 1995-2003 1989-1995	Banco BPI Group Deputy CEO and Chief Financial Officer Chief Financial Officer Treasures
1989-1989	Banco Portugues do Investmento (BPA) Deputy General Manager of France branch network
1985-1988	Banco de Portugal Foreign Department, Fx Reserves Management
1982-1985	Monetary Authority of Macao Research & Statistic Department, Treasury Division
1980 -1982	Ministério de Industria e Energia Portugal Research and Planning Department

Education

ISEG - Universidade Técnica de Lisboa, Degree in Economics, 1979 Languages: Portuguese, native language; English, French and Spanish fluent

15 February 2024, Milan

Signature

LIST OF OFFICES OF ADMINISTRATION AND CONTROL CURRENTLY HELD IN OTHER COMPANIES

I the undersigned António Domingues declare the following other current roles:

• 1) Non-executive Director of Banco CTT
• 2) Non-executive Director, Chair of Audit Committee, Chair of Governance Committee, member of Risk committee and member of Remuneration Committee of Haitong Investment Bank S.A. (Private)

Milan, 15 February 2024

Signature

INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA BY UNICREDIT

The following information notice aims at providing you with an overview on the use of your personal data by UniCredit S.p.A. and of your rights pursuant to the General Data Protection Regulation (EU) 2016/679 (hereinafter also GDPR).

1. DATA CONTROLLER AND DATA PROTECTION OFFICER

The Data Controller is UniCredit S.p.A., with registered office in Milan, Piazza Gae Aulenti n. 3, Tower A, 20154 Milan (UniCredit).

The Data Protection Officer (DPO) can be contacted at:

UniCredit S.p.A. Data Protection Office, Piazza Gae Aulenti n. 1, Tower B, 20154 Milano, E-mail: Group.DPO@unicredit.eu, PEC: Group.DPO@pec.unicredit.eu.

2. PURPOSE AND LEGAL BASIS OF PROCESSING

UniCredit processes the personal data in its possession, that is collected directly from you, or from the relevant local administrations to verify, among others, their accuracy for the following purposes:

A. Need to fulfill legal obligations deriving from your candidacy as a Member of the UniCredit's Board of Directors.

These obligations imply, among others, verifying - both during the selection procedures and on an ongoing basis - the compliance: i) with the eligibility requirements for taking on and maintaining the role of Director as well as of specific positions (such as integrity requirements, criteria of correctness, professional experience requirements and competence, independence, time commitment, maximum number of offices covered, respect of the prohibition of interlocking) as required by applicable law, by UniCredit's Articles of Association and by the Corporate Governance Code (i.e. Codice di Corporate Governance) as well as with social security and fiscal obligations linked to the remuneration provided.

To comply with the above-mentioned obligations, in some cases, UniCredit is required to carry out analyses that concern also your relatives?. For this reason, we kindly ask you to let them aware of this Information Notice.

These needs represented above are the legal basis legitimizing the related data processing. Data provided by you is necessary to comply with the obligations arising from your role of member of UniCredit's Board of Directors; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

B. Fulfilment of legal obligations and requests from Public and Supervisory Authorities, concerning the process, communication and/or disclosure - also during the selection procedures - on the website www.unicreditqroup.eu and/ or on specific corporate documents (e.g. Prospectus / Corporate Governance Report, Financial Statements) of your data (such as data contained in your curriculum vitae and in the list of the tasks carried out by you in other banks and commercial companies, as required by the applicable law, and according to the Articles of Association and the Corporate Governance Code).

The needs represented above are the legal basis legitimizing the related data processing. Data provided by you is necessary to comply with the legal obligations, the requests from the Authorities, as well as to take on the role of member of the Board of Directors of UniCredit; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

3. CATEGORIES OF PERSONAL DATA PROCESSED

UniCredit processes personal data collectly from you, or from third parties (e.g. relevant local administrations), which include, but are not limited to, personal data (e.g. name, surname, address, date and place of birth), banking data, information on the financial situation (e.g. patrimonial status, information on credit

² The relatives scope is identified on the basis of the specific applicable regulations.

requests/relationships), positions held and related income, employment relationships, commercial/professional relationships.

This information may concern existing or past relationships with UniCredit as with Group Legal Entities or third parties.

3.1 JUDICIAL DATA

UniCredit may process judicial data (i.e. personal data relating to criminal convictions and offences or related security measures, including information on pending proceedings) referring to you, in order to verify the subjective and integrity requirements and/or conditions that prevent from being appointed as member of the Board of Directors of UniCredit.

In such cases, the processing is necessary to fulfill legal obligations as well as to comply with requests coming from Public or Supervisory Authorities (e.g. filling the questionnaire requested by the ECB). This need represents the legal basis that legitimizes the related data processing. Data provided by you is necessary to comoly with the legal obligations; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA 4.

Your data may be communicated to the natural and legal persons that are acting as "Data Processors", listed in the Unicredit premises and on the website www.unicredit.it, as well as – in the quality of persons authorized to process personal data in relation to the data necessary for the performance of the duties they are assigned to – the natural persons belonging to the following categories: employees of the Bank, seconded personnel, temporary workers, interns, consultants and the employees of the external companies appointed as Data Perocessors.

Your data may be communicated:

• to those subjects to whom this communication must be carried out in compliance with an obligation established by law (e.g. Bank of Italy and ECB), by a regulation or by EU legislation. Further information can be found on the website www.unicredit.it in the "Privacy" section;
• to Legal Entities belonging to the UniCredit Group (also foreign Legal Entities), subsidiaries or associates under the terms of article 2359 of the Italian Civil Code, when such communication is permitted on the basis of a Garante per la Protezione dei Dati Personali's measure or by a law provision.

The detailed list of subjects to whom the data can be communicated is available on the website www.unicredit.it, in the "Privacy" section.

DATA TRANSFER TO THIRD COUNTRIES

UniCredit informs you that your personal data may also be transferred to the Countries outside the European Union or the European Economic Area (so called "Third Countries") if the EU Commission states that the Third Country ensures an adequate level of protection of personal data or in case of other appropriate safeguards, namely when the supplier of UniCredit located in the Third Country contractually ensures an appropriate level of personal data protection (e.g. through the signing of the standard contractual clauses provided by the European Commission), including enforceable and effective data subject rights. Further information can be requested by withing to Group.DPO@unicredit.eu.

6. DATA PROCESSING MODALITIES

The processing of personal data involves the usage of manual and IT instruments with modalities closely connected with the purposes defined above and, in any case, in such a way to guarantee the security and confidently of the data.

7. DATA SUBJECT' RIGHTS

GDPR grants and assures specific rights, including the right to know what data concerning you are held by UniCredit, as well as how they are used, and the right to obtain, under certain conditions, the copy, the erasure, the update, the rectification or, if interested, the integration of your data, as well as the right to data portability.

7.1 DATA RETENTION PERIOD AND RIGHT TO ERASURE

Unicredit processes and stores your personal data for all the time you keep the role of Director, to execute the related and connected obligations, to comply with the applicable legal, contractual and regulatory obligations, as well

as for its own defensive purposes or those of third parties until the expiration of the longest mandatory retention period provided by the applicable throp starting from the expiration of the information retention
vou. Unifredit processes and stores voys occessal data are of termination of you. UniCredit processes and stores years) form the oate of the mail on the endinonip with this is necessary for archiving purposes for historical research por the emblogment mationship when
"Ethical rules of processing historical research purposes, according, to t "Ethical rules of processing for archiving purposes in the public interest or historical research"3

At the end of the applicable mandatory retention period, your personal data will be erased or kept in a form which does not permit your identification (e.g. irreversible anonymization), unless the firther processing in a form which
one or more of the following nurocess: it for reso one or more of the following purposes: i) for resolution of pre-litigation and/or litigation, started before the expiration of the mandatory retention in pre-fitigation andror utigation, started before the
functions and/or external authorities started by outh investigations/inspections functions and/or external authorities, it per the expiration of the mandatory retention period, iii) to follow up with requests from the Italian andor starees octor of the mandatory receition period, with follow up
of the mandatory retention poriod of the mandatory retention period.

8. PROCEDURE TO EXERCISE THE RIGHTS

The e-mail address which you can refer to for the exercise of your rights described in the paragraph 7 is the following
one: cornorate law@nec upicredit ou one: corporate.law@pec.unicredit.eu.

The deadline for the reply is one (1) month, that may be extended for two (2) further months in cases of particular complexity; in these cases, UniCredit interns you about such extension within one (1) month from the receipt of the request.

The exercise of rights is, in principle, free of charge.

9. COMPLAINT OR REPORTING TO THE "GARANTE PER LA PROTEZIONE DEI DATI PERSONALI"

UniCredit informs you that you have the right to lodge a complaint with, or to report to the Garante per la Protezione dei Dati Personali, or else to appeal to the Judicial Authority. The Garante per la Protezione
Personali can be consulted on the Judicial Authority. The contacts of the Garan Personali can be consulted on the website http://www.garanteprivacy.it.

15 February 2024, Milan

Signature

³ Record of the provisions 19 December 2018, n. 513

STATEMENT OF CANDIDACY AND DECLARATION ATTESTING THE INEXISTENCE OF REASONS FOR INELIGIBILITY, FORFEITURE OR INCOMPATIBILITY, AS WELL AS REGARDING THE MEETING OF THE REQUIREMENTS PROVIDED FOR BY CURRENT PROVISIONS AND OF ACCEPTANCE OF APPOINTMENT

I, the undersigned Jeffrey Alan HEDBERG, born in Philadelphia – Pennsylvania (USA) on 29 October 1961, tax code HDBJFR61R29Z404T, resident in Laglio (CO, Italy), US nationality, in relation to the office of Director in UniCredit S.p.A. ("UniCredit" or the "Bank") in light of the Agenda of the Shareholders' Meeting convened for 12 April 2024, under my own responsibility,

taking into account, among others, the provisions of Section 91 of the Directive 2013/36/EU dated June 26, 2013, as subsequently amended ("CRD"), Articles 2382 and 2387 of the Italian Civil Code, Section 26 of Legislative Decree no. 385 dated September 1, 1993 ("TUB"), Articles 147-ter and 147-quinquies of Legislative Decree no. 58 dated February 24, 1998 ("TUF"), the Ministry of Economy and Finance no. 169 dated November 23, 2020 (the "Decree"), the Ministry of Justice Decree no. 162 dated March 30, 2000, Clause 20 of the UniCredit Articles of Association and Article 2, recommendation 7, of the Corporate Governance Code (the "Corporate Governance Code")

STATE THAT

there are no reasons for my ineligibility, forfeiture or incompatibility and that I meet the requirements provided for by currently applicable provisions, as well as by the Articles of Association of UniCredit for the appointment as Director; with specific reference to the experience and independence requirements:

DECLARE THAT

EXPERIENCE

I possess the knowledge, skills and experience required by the CRD, TUB and the Decree, and, in particular, that I have accrued the appropriate overall experience of at least 3 years through the exercise of ':

• activity of non-executive Director in UniCredit from April 2021 to today;
• activity of CEO carried out at Wind Tre S.p.A. from June 2017 to April 2023;
• activity of Chair and CEO carried out at Mobilink Pakistan from 2014 to 2016,

as they result from both the attached curriculum vitae (see Annex 1) and the list of offices of administration and control currently held in other companies (see Annex 2).

I Please indicate (i) for Directors with executive roles: management or control activities or managerial positions held in the credit, financial, securities of insurance sectors; and/or management or control activities or managerial positions held in listed companies or companies whose size and complexity are greater than, or equal to those of UniCredit (in Lerms of revenues nature and complexity of the organization or activities performed), and (i) feder of online of in relins on relevises, in addition to the abovementioned ones: professional activities practiced in credit, financial, securities, insurance related fields or anyboxunstal on the activities of UniCredit – activities shall be sufficiently complex and performed in a continuous and significant manner, and o university teaching (first or second level) of legal or economics subjects functional to the credit, finalial, securities or insurance sectors; and/or managerial/executive functions in public administrations or public administration offices, relating to the credit, financial, securities or insurance sectors provided that the officer performed such onlines and has a size and complexity similar to those of UniCredit.

In addition to the above, the chief executive officer shall possess a specific experience in the fields of credit, financial, securities or insurance, gained through management or control activities or managerial positions held for at least 5 years in the credit, financial, securities and insurance sectors, or in listed companies whose size and compensive are greater than or equal to, those of Unicedit (in terms of revenues, nature and complexity of the organization or activities performed), Moreo, the chair of the Board of Directors shall possess at least 5 years of experience in the activities indicated unincor, (i) or (ii) above

INDEPENDENCE

I meet the independence criteria pursuant to the following provisions:

	Article 148 TUF, para. 3 and Article 2399, para. 1 (as recalled by Article 区 Yes 2409-septiesdecies) Italian Civil Code		LINO
2)	Article 13 of the Decree	× Yes	LI No
3)	Italian Corporate Governance Code	× Yes	LINO

l, the undersigned, also:

• state to be a candidate as member to the Board of Directors of UniCredit, and, if appointed, to irrevocably accept my appointment as from today;
• state that I am not in any of the situations provided for by (i) Article 2390 Italian Civil Code, nor (ii) 36 of Law Decree no. 201 dated December 6, 2011, converted into Law no. 214 dated December 22, 2011 (i.e., interlocking);
• state that I do not exceed the limits upon the maximum number of offices to be held pursuant to applicable rules and that I am able to commit the necessary time to effectively carry out the office;
• undertake to promptly inform UniCredit of any changes in the above-mentioned circumstances and, on request by the Company, to produce any documentation suitable to confirm the truthfulness of the facts declared;
• having read the information notice on the processing of personal data reported in attachments, acknowledge the disclosure of the information above and the information indicated in the Annexes.

ANNEXES:

• 1) CV
• 2) List of offices of administration and control currently held in other companies
• 3) Privacy statement

Date, place_ m ] LARO _ 12. 2. 2 y Signature

EMARKET SDIR certified

Jeffrey Alan Hedberg

Main posts held in UniCredit

• Member of the Board of Directors
• Chairman of the Remuneration Committee
• Member of the ESG Committee .

Born in Philadelphia (Pennsylvania - USA) on October 29th 1961

EDUCATION

University of Denver, MA in International Management with a focus on International Policy and International Law Northeastern University, BS in Business Administration

Posts previously held

CEO - Wind Tre S.p.A.

Board Member - Wind Tre S.p.A.

Board Member - Wind Tre Italia S.p.A.

Board Member - 3lettronica Industriale S.p.A.

Chairman and CEO - Wind Tre Retail S.r.l.

Advisory Board Member - SDA Bocconi

Vice President - ASSTEL

President & CEO - Mobilink, Pakistan

Advisory role to the Managing Director of the Technology, Media and Telecommunications - Boston Consulting Group, South Africa

Acting CEO - Telkom, South Africa

CEO - Multi-links Telkom, Nigeria

CEO - Cell C, South Africa

Chairman and CEO - Deutsche Telekom USA

Executive Vice President and Member of the Board of Management - Deutsche Telekom AG

Executive Vice President and Member of the Board of Management - Swisscom, Bern

Senior Associate Telecommunication Industries - Coopers & Lybrand, London

Corporate Strategy and Strategic Marketing Manager International - US-West, Inc.

Venture Capital Analyst - TVM Techno Venture Management, Boston

Venture Capital and Corporate Finance Analyst - TVM / Matuschka Group, Munich

mlusto, 12.2.2.201 Date and place, _ Signed _____

ANNEX 2

LIST OF OFFICES OF ADMINISTRATION AND CONTROL CURRENTLY HELD IN OTHER COMPANIES

None

Date, place _ hourses / 2, 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. 2. Signature ____________________________________________________________________________________________________________________________________________________________________

INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA BY UNICREDIT

The following information notice aims at providing you with an overview on the use of your personal data by Unicredit S.p.A. and of your rights pursuant to the General Data Protection - Regulation (EU) 2016/679 (hereinafter also GDPR).

1. DATA CONTROLLER AND DATA PROTECTION OFFICER

The Data Controller is UniCredit S.p.A., with registered office in Milan, Piazza Gae Aulenti n. 3, Tower A, 20154 Milan (UniCredit).

The Data Protection Officer (DPO) can be contacted at:

UniCredit S.p.A. Data Protection Office, Piazza Gae Aulenti n. 1, Tower B, 20154 Milano, E-mail: Group.DPO@unicredit.eu, PEC: Group.DPO@pec.unicredit.eu.

2. PURPOSE AND LEGAL BASIS OF PROCESSING

UniCredit processes the personal data in its possession, that is collected directly from you, or from the relevant local administrations to verify, among others, their accuracy for the following purposes:

A. Need to fulfill legal obligations deriving from your candidacy as a Member of the UniCredit's Board of Directors.

These obligations imply, among others, verifying - both during the selection procedures and on an ongoing basis - the compliance: i) with the eligibility requirements for taking on and maintaining the role of Director as well as of specific positions (such as integrity requirements, criteria of correctness, professional experience requirements and competence, independence, time commitment, maximum number of offices covered, respect of the prohibition of interlocking) as required by applicable law, by UniCredit's Articles of Association and by the Corporate Governance Code (i.e. Codice di Corporate Governance) as well as with social security and fiscal obligations linked to the remuneration provided.

To comply with the above-mentioned obligations, in some cases, UniCredit is required to carry out analyses that concern also your relatives? For this reason, we kindly ask you to let them aware of this Information Notice.

These needs represented above are the legal basis legitimizing the related data processing. Data provided by you is necessary to comply with the obligations arising from your role of UniCredit's Board of Directors; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

B. Fulfilment of legal obligations and requests from Public and Supervisory Authorities, concerning the process, communication and/or disclosure - also during the selection procedures - on the website www.unicreditgroup.eu and/ or on specific corporate documents (e.g. Prospectus / Corporate Governance Report, Financial Statements) of your data (such as data contained in your curriculum vitae and in the list of the tasks carried out by you in other banks and commercial companies, as required by the applicable law, and according to the Articles of Association and the Corporate Governance Code).

The needs represented above are the legal basis legitimizing the related data processing. Data provided by you is necessary to comply with the legal obligations, the requests from the Authorities, as well as to take on the role of member of the Board of Directors of UniCredit; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

3. CATEGORIES OF PERSONAL DATA PROCESSED

Unicredit processes personal data collectly from you, or from third parties (e.g. relevant local administrations), which include, but are not limited to, personal data (e.g. name, surname, address, date and place of birth), banking data, information on the financial situation (e.g. patrimonial status, information on credit requests/relationships), positions held and related income, employment relationships, commercial/professional relationships.

² The relatives scope is identified on the basis of the specific applicable regulations.

This information may concern existing or past relationships with UniCredit as well as with Group Legal Entities or third parties.

3.1 JUDICIAL DATA

UniCredit may process judicial data (i.e. personal data relating to criminal convictions and offences or related security measures, including information on pending proceedings) refering to you, in order to verify the subjective and integrity requirements and/or conditions that prevent from being appointed as member of the Board of Directors of UniCredit.

In such cases, the processing is necessary to fulfill legal obligations as well as to comply with requests coming from Public or Supervisory Authorities (e.g. filling the questionnaire requested by the ECB). This need represents the legal basis that legitimizes the related data processing. Data provided by you is necessary to comply with the legal obligations; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA 4.

Your data may be communicated to the natural and legal persons that are acting as "Data Processors", listed in the UniCredit premises and on the website www.unicredit.it, as well as - in the quality of persons authorized to process personal data in relation to the data necessary for the performance of the duties they are assigned to - the natural persons belonging to the following categories: employees of the Bank, seconded personnel, temporary workers, interns, consultants and the employees of the external companies appointed as Data Processors.

Your data may be communicated:

• to those subjects to whom this communication must be carried out in compliance with an obligation established by law (e.g. Bank of Italy and ECB), by a regulation or by EU legislation. Further information can be found on the website www.unicredit.it in the "Privacy" section;
• · to Legal Entities belonging to the UniCredit Group (also foreign Legal Entities), subsidiaries or associates under the terms of article 2359 of the Italian Civil Code, when such communication is permitted on the basis of a Garante per la Protezione dei Dati Personali's measure or by a law provision.

The detailed list of subjects to whom the data can be communicated is available on the website www.unicredit.it, in the "Privacy" section.

5. DATA TRANSFER TO THIRD COUNTRIES

UniCredit informs you that your personal data may also be transferred to the European Union or the European Economic Area (so called "Third Countries") if the EU Commission states that the Third Country ensures an adequate level of protection of personal data or in case of other appropriate safeguards, namely when the supplier of UniCredit located in the Third Country contractually ensures an appropriate level of personal data protection (e.g. through the standard contractual clauses provided by the European Commission), including enforceable and effective data subject rights. Further information can be requested by writing to Group.DPO@unicredit.eu.

DATA PROCESSING MODALITIES 6.

The processing of personal data involves the usage of manual and IT instruments with modalities closely connected with the purposes defined above and, in any case, in such a way to guarantee the security and confidentiality of the data.

DATA SUBJECT' RIGHTS 7.

GDPR grants and assures specific rights, including the right to know what data concerning you are held by UniCredit, as well as how they are used, and the right to obtain, under certain conditions, the copy, the erasure, the rectification or, if interested, the integration of your data, as well as the right to data portability.

7.1 DATA RETENTION PERIOD AND RIGHT TO ERASURE

UniCredit processes and stores your personal data for all the time you keep the role of Director, to execute the related and connected obligations, to comply with the applicable legal, contractual and regulatory obligations, as well as for its own defensive purposes or third parties until the expiration of the longest mandatory retention

period provided by the applicable law (i.e. 11 years) starting from the date of termination of the relationship with you. UniCredit processes and stores your personal data even after the expiry of the emaloyment relationship when this is necessary for archiving purposes for historical research purposes, according, to the methods ser our in the "Ethical rules of processing for archiving purposes in the public interest or historical research"3.

At the end of the applicable mandatory retention period, your personal data will be erased or kept in a form which does not permit your identification (e.g. irreversible anonymization), whiese the further processing is normanial one or more of the following purposes: i) for resolution of pre-litigation and/or litigation, started before the expiration of the mandatory retention period; ii) to follow up with investigations/inspections/inspections/increal control functions and/or external authorities, started before the expiration of the mandatory reteptions of internation on with requests from the Italian and/or foreign Public Authorities, received/notified to Unicipality of the exirition of the mandatory retention period.

PROCEDURE TO EXERCISE THE RIGHTS 8.

The e-mail address which you can refer to for the exercise of your rights described in the paragraph 7 is the following one: corporate law@pec.unicredit.eu.

The deadline for the reply is one (1) month, that may be extended for two (2) further months in cases of particular complexity; in these cases, UniCredit informs you about such extension within one (1) month from the receipt of the request.

The exercise of rights is, in principle, free of charge.

9. COMPLAINT OR REPORTING TO THE "GARANTE PER LA PROTEZIONE DEI DATI PERSONALI"

UniCredit informs you that you have the right to lodge a complaint with, or to report to the Garante per la Protezione dei Dati Personali, or else to appeal to the Judicial Authority. The contacts of the Garante per la Protezione dei Dati Personali can be consulted on the website http://www.garanteprivacy.it.

	Date and place, _ mill And 12. 2. 24
--	--------------------------------------	--	--	--

Signature _

³ Record of the provisions 19 December 2018, n. 513

STATEMENT OF CANDIDACY AND DECLARATION ATTESTING THE INEXISTENCE OF REASONS FOR INELIGIBILITY, FORFEITURE OR INCOMPATIBILITY, AS WELL AS REGARDING THE MEETING OF THE REQUIREMENTS PROVIDED FOR BY CURRENT PROVISIONS AND OF ACCEPTANCE OF APPOINTMENT

I, the undersigned Beatriz Angela LARA BARTOLOMÉ, born in Buenos Aires (Argentina) on 30 November 1962, tax code LBRBRZ62S70Z600D, resident in Madrid (Spain), Spanish nationality, concerning the office of Director in UniCredit S.p.A. ("UniCredit" or the "Bank") in light of the Agenda of the Shareholders' Meeting convened for 12 April 2024, under my own responsibility,

taking into account, among others, the provisions of Section 91 of the Directive 2013/36/EU dated June 26, 2013, as subsequently amended ("CRD"), Articles 2382 and 2387 of the Italian Civil Code, Section 26 of Legislative Decree no. 385 dated September 1, 1993 ("TUB"), Articles 147-ter and 147-guinquies of Legislative Decree no. 58 dated February 24, 1998 ("TUF"), the Ministry of Economy and Finance no. 169 dated November 23, 2020 (the "Decree"), the Ministry of Justice Decree no. 162 dated March 30, 2000, Clause 20 of the UniCredit Articles of Association and Article 2, recommendation 7, of the Corporate Governance Code (the "Corporate Governance Code")

STATE THAT

there are no reasons for my ineligibility, forfeiture or incompatibility, and I meet the requirements provided for by currently applicable provisions, as well as by the Articles of Association of UniCredit for the appointment as Director; with specific reference to the experience and independence requirements:

DECLARE THAT

Experience

I possess the knowledge, skills and experience required by the CRD, TUB and the Decree, and, in particular, I have accrued the appropriate overall experience of at least 3 years through the exercise of 1:

• activity of non-executive Director in UniCredit from February 2020 to today;
• activity of non-executive Director in FINCOMUN from April 2023 to today:
• Chair of Chapter Zero Spain (non-profit) from October 2023 to today;

¹ Please indicate (i) for Directors with executive roles: management or control activities or managerial positions held in the credit, financial, securities or insurance sectors; and/or management or control activities or managerial positions held in listed companies or companies whose size and complexity are greater than, or equal to those of UniCredit (in terms of revenues, nature and complexity of the organization or activities performed), and (ii) for Directors with non-executive roles, in addition to the above-mentioned ones: professional activities practiced in credit, financial, securities, insurance related fields or anyhow instrumental for the activities shall be sufficiently complex and performed in a continuous and significant manner; and/or university teaching (first or second level) of legal or economics subjects, or other subjects functional to the credit, finance sectors; and/or managerial/executive functions in public organizations or public administration offices relating to the credit, financial, securities or insurance sectors provided that the entity where the officer performed such activities has a size and complexity similar to those of UniCredit.

In addition to the above, the chief executive officer shall possess specific experience in the fields of credit, financial, securities or insurance, gained through management or control activities or managerial positions held for at least 5 years in the credit, financial, securities and insurance sectors, or in listed companies whose size and complexity are greater than, or equal to, those of UniCredit (in terms of revenues, nature and complexity of the organisation or activities performed). Moreover, the Board of Directors shall possess at least 5 years of experience in the activities indicated under para (i) or (ii) above.

• the activity of the Founder and Sole Director carried out at AHAOW Moment S.L. from November 2015 to today;
• the activity of the Director & CEO carried out at IMERSIVO from March 2015 to April 2019;
• BBVA from June 2006 to July 2015 (please see details in the CV);
• ALCATEL from June 2003 to June 2006 (please see details in the CV);
• ERICSSON from June 1997 to May 2003 (please see details in the CV);
• AT&T Network Systems (now Nokia) from 1990 to 1997 (please see details in the CV).

as they result from both the attached curriculum vitae (see Annex 1) and the list of offices of administration and control currently held in other companies (see Annex 2).

INDEPENDENCE

I meet the independence criteria according to the following provisions:

	Article 148 TUF, para. 3 and Article 2399, para. 1 (as recalled ☑ Yes		O No
	by Article 2409-septiesdecies) Italian Civil Code
2)	Article 13 of the Decree	网 Yes	O No
3)	Italian Corporate Governance Code	� Yes	O No

I, the undersigned, also:

• state to be a candidate as a member to the Board of Directors of UniCredit, and, if appointed, to irrevocably accept my appointment as from today;
• state that I am not in any of the situations provided for by (i) Article 2390 Italian Civil Code, nor (ii) 36 of Law Decree no. 201 dated December 6, 2011, converted into Law no. 214 dated December 22, 2011 (i.e., interlocking);
• state that I do not exceed the limits upon the maximum number of offices to be held pursuant to applicable rules and that I am able to commit the necessary time to effectively carry out the office;
• undertake to promptly inform UniCredit of any changes in the above-mentioned circumstances and, on request by the Company, to produce any documentation suitable to confirm the truthfulness of the facts declared;
• having read the information notice on the processing of personal data reported in attachments, acknowledge the disclosure of the information above and the information indicated in the Annexes.

ANNEXES:

• 1) CV
• 2) List of offices of administration and control currently held in other companies
• 3) Privacy Statement

This Document is digitally signed in Madrid on 12/02/2024 by 201033** BEATRIZ/ANGELA LARA (R: Signature

In Madrid, Spain, on February 12th, 2024.

2024_02_12 Statement of Candidacy BL

ANNEX 1

[CV BEATRIZ A. LARA BARTOLOMÉ]

Currently a Non-Executive Director in both listed and non-listed banks. An Angel Investor in DeepTech ventures. Chair of a non-profit organisation. Mentor at business schools. Led a successful executive career, spearheading international and large-scale innovation, digitisation, and sustainability programs in highly regulated industries like banking and telecommunications and competitive sectors like consulting, retail, and manufacturing. Proven track record of high performance during periods of hypergrowth and crisis.

BOARD COMPETENCIES

• O Multisectoral international experience
• O Strategic planning and future foresight
• O Banking business
• O Sustainability and climate change
• O Digital and emerging technologies
• o Non-financial risks
• O Telecommunication and retail business O
• Innovation fostering
• Strategic change and cultural transformation o
• o 30 years of professional reputation and experience

OFFICES HELD IN FINANCIAL SERVICES (Present)

UNICREDIT S. p. A. / Milan, Italy. / Listed Pan-European Commercial Bank.

• · Member of the ESG Committee since its creation in April 2021.
• · Member of the Board of Directors coopted in February 2020.

FINCOMUN S.A. / Mexico City, Mexico. / A microfinance entity for financial inclusion (Sofipo).

• · Member of the Board of Directors since April 2023.
• · Member of the Digital Transformation Advisory Board since January 2021.

HOLDING OF OTHER ADVISOR POSITIONS (Present)

CHAPTER ZERO SPAIN / Universidad de Navarra, Madrid, Spain. / World Economic Forum Climate Governance Initiative. / Non-Profit. / Chair of the Board of Directors since October 2023.

BOUND4BLUE / Barcelona, Spain. / Suction sails for vessels to drive decarbonisation. / Strategy Advisor & Investor since May 2021.

ZELEROS HYPERLOOP / Valencia, Spain. / Magnetic levitation at 1,000 km/h within a low-pressure tube. / Strategy Advisor & Seed Investor since September 2017.

OPINNO / Founded in Silicon Valley, CA, USA. / Global innovation consultancy and venture builder firm. / Senior Advisor & Investor since May 2014.

NON-EXECUTIVE ROLES EXPERIENCE

October 2019 - Dic 2021: Innovation Advisory Board / PROSEGUR / Madrid, Spain. / Strategic Security Provider of physical and cyber solutions in 31 countries.

February 2016 - March 2020: Banking Industry Advisor in EMEA / GLOBANT / Buenos Aires, Argentina. / Digitally native company delivering profound transformations in 30 countries.

March 2015 - April 2019: Board Member & Investor / IMERSIVO / Madrid, Spain. / Digitization solutions for physical shops and stores.

March 2013 - Sep 2014: Customer Advisory Board / GOOGLE ENTERPRISE INC. / Palo Alto, CA. / Google Workspace, ChromeBook, Nexus, and G+ Social network for large enterprises.

July 2009 - November 2012: Elective Trustee & Designed Representative / MASSACHUSETTS INSTITUTE OF TECHNOLOGY / Cambridge, MA, USA. / Contracts signed and led: ILP, Media Labs, CSAIL, CSIR, Senseable Cities Labs and other Open Innovation Think Tanks.

November 2008 - March 2011: Elective Trustee & Designed Representative / IMDEA NETWORKS INSTITUTE / Madrid, Spain. / Research organisation on data networks & edge computing.

March 2007 - February 2015: Nominee Director / BBVA NEXT TECHNOLOGIES / Madrid, Spain. / Digital solutions to accelerate the BBVA digital transformation.

EXECUTIVE CAREER

IMERSIVO / Madrid, Spain. / New shopping experience through customer recognition in context.

• · November 2015 July 2017: Chief Executive Officer.
• Achievements:
  • Close the company without debts and legal penalties. Imersivo was a sales channel intent on connecting the physical shop with the e-commerce of a brand, but Al technologies needed to be more mature in those days.

BBVA / Madrid, Spain. / Listed global financial services group, present in more than 25 countries.

• October 2012 July 2015: Global Director of Corporate Transformation
• · March 2010 October 2012: Chief Innovation Officer
• June 2006 March 2010: Director of Strategy & Innovation, IT & Operations

Achievements:

• · Led the creation of the BBVA Open Innovation Network and the first BBVA Innovation Centres in Spain, Colombia, and the USA.
• Spearheaded the early adoption of new digital technologies and methodologies into the banking business in all BBVA geographies:
  • o Implemented Big Data in treasury desks.
  • Re-designed the customer experience and piloted design principles in several branches in different countries.
  • Pioneered the use of Artificial Intelligence in the first-ever banking virtual agent. Today, it is Kasisto.com.
  • Designed and executed a new working experience at physical, technological, and cultural levels ("brick, bytes, and behaviour") deployed in all BBVA HQs worldwide.

• o Migration to the Google Cloud lays the foundation for collaborative teleworking and creates an operational shift in the industry's perception of cloud computing and its value to banks.
• · Hold four international patents in banking (number D603124, D603125, D678651, and D624127). Received numerous awards and industry recognitions, like the Museum of Modern Art of New York exhibition of one of patented designs ("Talk to Me", 2012).

ALCATEL / Paris, France. / Today, NOKIA - Alcatel was a French telecom infrastructure manufacturer. Lucent Technologies (former AT&T Network Systems) acquired it. NOKIA acquired Alcatel-Lucent and the former Bell Labs after the telecom sector consolidation.

· June 2003 - June 2006: Director of Mobile Markets and Applications.

Achievements:

• · Successfully expanded Alcatel's market reach, driving sales of their entire portfolio (from satellites to mobile phones) to Mobile Operators in Spain and LatAm. Managed a large team of engineers and partners across 24 countries.
• · Transformed Alcatel's Global Competence Center for Mobile Applications based on the Intelligent Network platform.

ERICSSON / Stockholm, Sweden. / Multinational networking and telecommunications company founded in 1876 and inventor of Bluetooth technology, among other 57,000 granted patents.

• · 2002 2003: Business Development Director of Global Services.
• · 2000 2002: Director of Strategic Marketing Division.
• · 1999 2000: Executive Director of New Market Operators Unit.
• o 1997 - 1999: Business Development Manager for Spain's third GSM mobile license.

Achievements:

• · Deployment of the critical infrastructures of today's Digital Society as part of a European group of forerunners in "mobile telephony" and "mobile internet".
• · Secured multi-million euro supply contracts annually with major mobile operators, enabling the deployment of 3G networks across Spain and EU Countries.
• · Established Ericsson COMCENTER, the first Demo Center outside Sweden.

AT&T NETWORK SYSTEMS / Madrid, Spain. / (Now, NOKIA)

• · 1995 1997: Account Director for Mobile and New Private Operators
• · 1994 1995: GSM Business Development Manager (Technical sales support)
• 0 1992 - 1993: Network Development Manager at AT&T Wireless Business Unit
• 1990 1992: Computer Integrated Manufacturing Manager 0

MANUFACTURING AND RESEARCH:

• · 1989 1990: EIIT / Spain / Technical Sales Support / industrial and military projects.
• · 1987 1989: IT&T-NOKIA Supervisor of product development & quality assurance.
• · Summer of 1986 / KFKI Research Center / Budapest, Hungary. /CERN's Project.
• · 1985 1986: Universidad Complutense / Madrid, Spain/ Meteorology Research Project.

OTHER COLLABORATIONS

• · January 2023 present: Mentor at EXSIM (Executive Simulation Lab), International MBA, IESE Business School. Madrid, Spain.
• · May 2019 to present: Mentor at Startup Lab, IMBA, IE Business School. Madrid, Spain.
• · November 2019: Lecturer and mentor of Digital Transformation, IPADE in SFO, CA, USA.
• · September 2014 November 2016: Master Lecturer at Istituto Europeo di Design, IED.
• · December 2013: Lecturer at MIT CSIR Executive Forum. Melbourne, Australia.

EDUCATION

Universidad Complutense de Madrid. Madrid, Spain.

• Master's Degree, Physics Science (September 1981 - June 1986).

Universidad de Navarra. IESE Business School. Madrid & Barcelona Campus, Spain.

• MBA for senior executives, "PDG, Programa de Dirección General" (2002 - 2003).

MIT Sloan School of Management.

• Executive Master Programme "Driving Strategic Innovation" (2010).

TRAINING PROGRAMS FOR NEDs

Oxford University, Said Business School. Oxford, United Kingdon.

• "Developing purposeful and effective bank board leader" (July 2022).

European University Institute, Robert Schuman Centre for Advanced Studies.

• Florence School of Banking and Finance. Florence, Italy.
  • o "Navigating bank boards: competencies, skills, and tools" (Sep 2023).
  • · "Sitting on banks' boards: Suitability and better governance" (June 2022)
  • "Sitting on Boards: Better Check and Control of Risks" (June July 2021)
• Florence School of Regulation. Florence, Italy.
  • o Online course "The EU Green Deal" (April July 2023).

Universidad de Navarra. IESE Business School. Madrid & Barcelona Campus, Spain.

• Non-Executive Directors School:
  • ം

Spanish Association of Board Directors, IC-A. Madrid, Spain.

· "Functions of the Non-Executive Director and the Board" (October 2007).

Signature

In Madrid, Spain, on February 12th, 2024.

Page 4 of 4.

2024_02_12 ANNEX 1 - CV - Statement of Candidacy BL

LIST OF OFFICES OF ADMINISTRATION AND CONTROL CURRENTLY HELD IN OTHER COMPANIES

• · Sole Director of AHAOW MOMENT S.L. in Spain.
• · Member of the Board of Directors of FINCOMÚN SERVICIOS FINANCIEROS COMUNITARIOS, S.A. de E C.V., S.F.P. in Mexico.

In Madrid, Spain, on February 12th, 2024.

Signature

2024_02_12 ANNEX 2 - OFFICES HELD - Statement of Candidacy BL

INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA BY UNICREDIT

The following information notice aims at providing you with an overview on the use of your personal data by UniCredit S.p.A. and of your rights pursuant to the General Data Protection Regulation (EU) 2016/679 (hereinafter also GDPR).

1. DATA CONTROLLER AND DATA PROTECTION OFFICER

The Data Controller is UniCredit S.p.A., with registered office in Milan, Piazza Gae Aulenti n. 3, Tower A, 20154 Milan (UniCredit).

The Data Protection Officer (DPO) can be contacted at:

UniCredit S.p.A. Data Protection Office, Piazza Gae Aulenti n. 1, Tower B, 20154 Milano, E-mail: Group.DPO@unicredit.eu, PEC: Group.DPO@pec.unicredit.eu.

2. PURPOSE AND LEGAL BASIS OF PROCESSING

UniCredit processes the personal data in its possession that is collected directly from you or the relevant local administrations to verify, among others, their accuracy for the following purposes:

A. Need to fulfil legal obligations deriving from your candidacy as a Member of the UniCredit's Board of Directors.

These obligations imply, among others, verifying - both during the selection procedures and on an ongoing basis - the compliance: i) with the eligibility requirements for taking on and maintaining the role of Director as well as of specific positions (such as integrity requirements, criteria of correctness, professional experience requirements and competence, time commitment, maximum number of offices covered, respect of the prohibition of interlocking) as required by applicable law, by UniCredit's Articles of Association and by the Corporate Governance Code (i.e. Codice di Corporate Governance) as well as with social security and fiscal obligations linked to the remuneration provided.

To comply with the above-mentioned obligations, in some cases, UniCredit is required to carry out analyses that also concern your relatives2. For this reason, we kindly ask you to let them aware of this Information Notice.

These needs represented above are the legal basis legitimising the related data processing. Data provided by you is necessary to comply with the obligations arising from your role as a member of UniCredit's Board of Directors; without your personal data, UniCredit would not be able to establish a relationship with you or comply with the law obligations.

B. Fulfilment of legal obligations and requests from Public and Supervisory Authorities concerning the process, communication and/or disclosure - also during the selection procedures - on the website www.unicreditgroup.eu and/ or on specific corporate documents (e.g. Prospectus / Corporate Governance Report, Financial Statements) of your data contained in your curriculum vitae and in the list of the tasks carried out by you in other banks and commercial companies, as required by the applicable law, and according to the Articles of Association and the Corporate Governance Code).

The needs represented above are the legal basis legitimising the related data processing. Data provided by you is necessary to comply with the legal obligations the requests from the Authorities, as well as to take on the role of a member of the Board of Directors of UniCredit; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

² The relatives scope is identified on the basis of the specific applicable regulations.

²⁰²⁴_02_12 ANNEX 3 - PRIVACY STATEMENT - Statement of Candidacy BL

3. CATEGORIES OF PERSONAL DATA PROCESSED

UniCredit processes personal data collected directly from you or third parties (e.g. relevant local administrations), which include, but are not limited to, personal data (e.g. name, surname, address, date and place of birth), banking data, information on the financial situation (e.g. patrimonial status, information on credit requests/relationships), positions held and related income, employment relationships, commercial/professional relationships.

This information may concern existing or past relationships with UniCredit as with Group Legal Entities or third parties.

3.1 JUDICIAL DATA

UniCredit may process judicial data (i.e. personal data relating to criminal convictions and offences or related security measures, including information on pending proceedings) referring to you to verify the subjective and integrity requirements and/or conditions that prevent from being appointed as a member of the Board of Directors of UniCredit.

In such cases, the processing is necessary to fulfil legal obligations and comply with requests from Public or Supervisory Authorities (e.g., filling out the questionnaire requested by the ECB). This need represents the legal basis that legitimises the related data processing. Data provided by you is necessary to comply with the legal obligations; without your personal data, UniCredit would not be able to establish a relationship with you or comply with the law obligations.

4. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA

Your data may be communicated to the natural and legal persons that are acting as "Data Processors" listed on the UniCredit premises and on the website www.unicredit.it, as well as - in the quality of persons authorised to process personal data in relation to the data necessary for the performance of the duties they are assigned to - the natural persons belonging to the following categories: employees of the Bank, seconded personnel, temporary workers, interns, consultants and the external companies appointed as Data Processors.

Your data may be communicated:

• to those subjects to whom this communication must be carried out in compliance with an obligation established by law (e.g. Bank of Italy and ECB), by a regulation or by EU legislation. Further information can be found on the website www.unicredit.it in the "Privacy" section;
• · to Legal Entities belonging to the UniCredit Group (also foreign Legal Entities), subsidiaries or associates under the terms of article 2359 of the Italian Civil Code, when such communication is permitted on the basis of a Garante per la Protezione dei Dati Personali's measure or by a law provision.

The detailed list of subjects to whom the data can be communicated is available on the website www.unicredit.it, in the "Privacy" section.

5. DATA TRANSFER TO THIRD COUNTRIES

UniCredit informs you that your personal data may also be transferred to the Cuntries outside the European Union or the European Economic Area (so-called "Third Countries") if the EU Commission states that the Third Country ensures an adequate level of protection of personal data or in case of other appropriate safeguards, namely when the supplier of UniCredit located in the Third Country contractually ensures an appropriate level of personal data protection (e.g. through the standard contractual clauses provided by the European Commission), including enforceable and effective data subject rights. Further information can be requested by writing to Group.DPO@unicredit.eu.

DATA PROCESSING MODALITIES 6.

The processing of personal data involves the usage of manual and IT instruments with modalities closely connected with the purposes defined above and, in any case, in such a way to guarantee the security and confidentiality of the data.

7. DATA SUBJECT' RIGHTS

GDPR grants and assures specific rights, including the right to know what data concerning you are held by UniCredit, as well as how they are used, and the right to obtain, under certain conditions, the copy, the erasure, the update, the rectification or, if interested, the integration of your data, as well as the right to data portability.

7.1 DATA RETENTION PERIOD AND RIGHT TO ERASURE

UniCredit processes and stores your personal data for all the time you keep the role of Director, to execute the related and connected obligations, to comply with the applicable legal, contractual and regulatory obligations, as well as for its own defensive purposes or those of third parties until the expiration of the longest mandatory retention period provided by the applicable law (i.e. 11 years) starting from the date of termination of the relationship with you. UniCredit processes and stores your personal data even after the expiry of the employment relationship when this is necessary for archiving purposes for historical research purposes, according to the methods set out in the "Ethical rules of processing for archiving purposes in the public interest or historical research"8.

At the end of the applicable mandatory retention period, your personal data will be erased or kept in a form which does not permit your identification (e.g. irreversible anonymization), unless further processing is necessary for one or more of the following purposes: i) for resolution of pre-litigation and/or litigation, started before the expiration of the mandatory retention period; ii) to follow up with investigations linspections by internal control functions and/or external authorities, started before the expiration of the mandatory retention period; iii) to follow up with requests from the Italian and/or foreign Public Authorities, received/notified to UniCredit before the expiration of the mandatory retention period.

8. PROCEDURE TO EXERCISE THE RIGHTS

The e-mail address which you can refer to for the exercise of your rights described in paragraph 7 is the following one: corporate.law@pec.unicredit.eu.

The deadline for the reply is one (1) month, which may be extended for two (2) further months in cases of particular complexity; in these cases, UniCredit informs you about such extension within one (1) month from the receipt of the request.

The exercise of rights is, in principle, free of charge.

9. COMPLAINT OR REPORTING TO THE "GARANTE PER LA PROTEZIONE DEI DATI PERSONALI"

UniCredit informs you that you have the right to lodge a complaint with or to report to the Garante per la Protezione dei Dati Personali, or else to appeal to the Judicial Authority. The contacts of the Garante per la Protezione dei Dati Personali can be consulted on the website http://www.garanteprivacy.it.

In Madrid, Spain, on February 12th, 2024.

Signature

2024_02_12 ANNEX 3 - PRIVACY STATEMENT - Statement of Candidacy BL

³ Record of the provisions 19 December 2018, n. 513

STATEMENT OF CANDIDACY AND DECLARATION ATTESTING THE INEXISTENCE OF REASONS FOR INELIGIBILITY, FORFEITURE OR INCOMPATIBILITY, AS WELL AS REGARDING THE MEETING OF THE REQUIREMENTS PROVIDED FOR BY CURRENT PROVISIONS AND OF ACCEPTANCE OF APPOINTMENT

I, the undersigned Maria PIERDICCHI, born in Schio (Italy) on il 18 September 1957, tax code PRDMRA57P58I531O, resident in Milan (Italy), Italian nationality, in relation to the office of Director in UniCredit S.p.A. ("UniCredit" or the "Bank") in light of the Agenda of the Shareholders' Meeting convened for 12 April 2024, under my own responsibility,

taking into account, among others, the provisions of Section 91 of the Directive 2013/36/EU dated June 26, 2013, as subsequently amended ("CRD"), Articles 2382 and 2387 of the Italian Civil Code, Section 26 of Legislative Decree no. 385 dated September 1, 1993 ("TUB"), Articles 147-fer and 147-quinquies of Legislative Decree no. 58 dated February 24, 1998 ("TUF"), the Ministry of Economy and Finance no. 169 dated November 23, 2020 (the "Decree"), the Ministry of Justice Decree no. 162 dated March 30, 2000, Clause 20 of the UniCredit Articles of Association and Article 2, recommendation 7, of the Corporate Governance Code (the "Corporate Governance Code")

STATE THAT

there are no reasons for my ineligibility, forfeiture or incompatibility and that I meet the requirements provided for by currently applicable provisions, as well as by the Articles of Association of UniCredit for the appointment as Director; with specific reference to the experience and independence requirements:

DECLARE THAT

EXPERIENCE

I possess the knowledge, skills and experience required by the CRD, TUB and the Decree, and, in particular, that I have accrued the appropriate overall experience of at least 3 years through the exercise of :

• activity of non-executive Director in UniCredit from April 2018 to today;
• activity of independent Director carried out at Nuove Banche Marche, Etruria e lazio, Cassa di Risparmio di Chieti and Cassa di Risparmio di Ferrara from 2015 to 2017;

Please indicate () for Directors with executive roles; management or control activities or managerial positions held in the credit, financial, securities or insurance sectors; and/or management or control activities or managerial positions held in listed companies whose size and complexity are greater than, or equal to those of UniCredit (in terms of revenues, nature and complexity of the organization or activities performed), and (ii) for Directors with non-executive roles, in addition to the above-mentioned ones; professional activities practiced in credit, financial, securities, insurance related fields or anyhow instrumental for the activities of UniCredit activities shall be sufficiently complex and performed in a continuous and significant manner, and/or university teaching (first or second level) of legal or economics subjects functional to the credit, financial, securities or insurance sectors; and/or managerial/executive functions in public organizations or public administration offices relating to the credit, financial, securities or insurance sectors provided that the entity where the officer performed such activities has a size and complexity similar to those of UniCredit.

In addition to the above, the chief executive officer shall possess a specific experience in the fields of credit, financial, securities or insurance, gained through management or control activities or managerial positions held for at least 5 years in the credit, financial, securities and insurance sectors, or in listed companies or in companies whose size and complexity are greater than, or equal to, those of UniCredit (in terms of revenues, nalure and complexity of the organization or activities performed). Moreover, the chair of the Board of Directors shall possoss at least 5 years of experience in the activities indicated under para (i) or (ii) above.

activity of CEO/Head of Southern Europe carried out at Standard & Poor's Credit Market Services from 2003 to 2015,

as they result from both the attached curriculum vitae (see Annex 1) and the list of offices of administration and control currently held in other companies (see Annex 2).

INDEPENDENCE

I meet the independence criteria pursuant to the following provisions:

1)	Article 148 TUF, para. 3 and Article 2399, para. 1 (as recalled 1 Yes by Article 2409-septiesdecies) Italian Civil Code	No
2)	Article 13 of the Decree	× Yes No
3)	Italian Corporate Governance Code	o Yes No

I, the undersigned, also:

• state to be a candidate as member to the Board of Directors of UniCredit, and, if appointed, to irrevocably accept my appointment as from today;
• state that I am not in any of the situations provided for by (i) Article 2390 Italian Civil Code. nor (ii) 36 of Law Decree no. 201 dated December 6, 2011, converted into Law no. 214 dated December 22, 2011 (i.e., interlocking);
• state that I do not exceed the limits upon the maximum number of offices to be held pursuant to applicable rules and that I am able to commit the necessary time to effectively carry out the office;
• undertake to promptly inform UniCredit of any changes in the above-mentioned circumstances and, on request by the Company, to produce any documentation suitable to confirm the truthfulness of the facts declared;
• having read the information notice on the processing of personal data reported in attachments, acknowledge the disclosure of the information above and the information indicated in the Annexes,

ANNEXES:

1) CV

• 2) List of offices of administration and control currently held in other companies
• 3) Privacy statement

Date, plac Signature

MARIA PIERDICCHI

EDUCATION

New York University, Stern Graduate School of Business Administration, New York . M.B.A. in Finance, With Honors, 1988. Visiting Scholar, PhD Program in Finance, 1986.

Università Commerciale Luigi Bocconi, Milano

BA Economics (Laurea in Economia Politica), Summa cum Laude, 1982. Awarded 2 graduate assistantships in Economics of financial intermediaries

In the Boardroom, Professional Program for NED offered by Linklaters and Egon Zehnder in collaboration with Valore D, 2015.

Several Professional programs in financial markets and leadership (Citibank, INSEAD, Columbia University, S&P)

PRESENT APPOINTMENTS

UNICREDIT Group, Non Executive Director, member of the Internal Controls and Risk Committee (2018/2023) and the Governance and Nomination Committee, (since 2023) ... Chair of Related Parties Commitee, since 2018

AIDEXA Holding, Holding controlling Banca Aidexa, Non executive director, since 2020

HUBLAB , Non executive director, since 2021

NEDCOMMUNITY , Italian association of non executive directors and statutory auditors Board member, since 2017 and President (2019-2022)

Board Member of EcoDa , European Federation of Directors Institutes, since 2022

PRIOR APPOINTMENTS

AUTOGRILL SPA , Global leader in food and beverage for travelers . Non Executive Director, Chair of Human Resources Committee, Lead Independent Director, 2017-2023

LUXOTTICA GROUP , Global leader in eyewear, since 2019 part of the group ESSILOR LUXOTTICA . Non Executive Director, 2015-2020., member of Risk Committee

S&P CMSI Italy (Italian legal entity S&P Global Ratings), Non Executive Director, April 2015-April 2018 . Consultant 2018- 2019.

Nuova Banca delle Marche, Nuova Banca Popolare dell'Etruria e del Lazio, Nuova Cassa di Risparmio della Provincia di Chieti, Nuova Cassa di Risparmio di Ferrara, Non Executive Director , 2015-2017. Appointed by the Resolution Unit of Bank of Italy as the sole Independent board member , to implement the first Italian resolution and sale plant of the four regional banks , as per Decree 180 November 16, 2015 and in line with the BRRD EU Directive. The role regional bank maintained within the UBI Group for three of the four banks following UBI's acquisition until the final merger into the group in 2017.

NB AURORA Sicaf , private equity listed company, non executive director , 2018-2020

PROFESSIONAL EXPERIENCE

STANDARD & POOR'S, McGraw Hill Financial Group, Rating Services. Managing Director and Country Head Italy and Head of Southern Europe, 2003 -2015

Responsible for managing and developing S&P activities and franchise in Italy and Iberia.

• · Managed the rating activity in the region , achieving significant growth and building leadership positions among rating agencies. Coordinated two offices with and bulling ceatership.
  based in Milan and Modrid, www.comment.com with approximately 70 professionals based in Milan and Madrid, supporting the expansion of the rating services in all practices and implementing all new policies and regulations . Responsible for strategic plans for the region in coordination with all the business units and their execution through team work combining regional capabilities with product expertise and local client knowledge.
• · Responsible for the overall regional franchise, establishing senior relationships with market participants and leading communication plans and outreach programs with investors, regulators, policy makers and key stakeholders, domestically and at European level. Key spoke person for the region.

BORSA ITALIANA SPA (Italian Stock Exchange) , Senior Director Head of New Market, 1998-2003

Designed, launched and developed the equity market for high growth companies in coordination with other major European exchanges. Nuovo Mercato became in few months the second high growth European market for capitalization and market volumes , with 45 listings companies in two years and a strong domestic and international recognition among issuers, investors and internediaries. Designed and managed research effort and marketing campaigns to identify candidates for listings and to promote the market to institutional investors. Managed investors outreach programs in USA, Israel, UK also in association with Italian diplomatic delegations and Jocal associations. Managed communications activities on the market and other SMEs related projects for Borsa Italiana. Participations initiatives to improve with stakeholders to develop new platforms and common initiatives to improve primary and secondary markets.

PREMAFIN SPA (Italian listed conglomerate), Milano 1991-1998

Director of strategic planning and control . Managed investments in listed industrial companies controlled by the holding in the area of construction, motorways and insurance. Monitored financial performance and implemented plans for recommendations to shareholders. Mombred internet of the Board of Autostrade Torino Milano. Conducted restructuring , M&A , debt renegotiations and other activities

to streamline the business and assure execution of strategic plans of the subs. Set up and managed the Investor relation function for the Group .

CITIBANK N.A., Milano, 1988-1991

Resident Vice President, Senior Financial Analyst.

Conducted M&A activity and financial strategic analysis for the corporate clients of the bank, including origination and execution in corporate finance products and services. Developed strategic and for Citibank in Italy and related segmentation of products and services. Developed

THE WORLD BANK, Washington D.C., 1985-1986

Consultant on debt rescheduling packages for Latin America countries .

UNIVERSITA' COMMERCIALE L. BOCCONI, Milano 1981-1985

Research Assistant in banking and international financial institutions. Assistant Professor of international banking for the University and SDA Business School.

AWARDS & RECOGNITIONS

Marisa Bellisario Award for Women in Finance , 2001 International Leadership Award by The McGraw Hill Companies /Standard &Poor's, 2004 Career Award. Sponsored by Italian Minister for Equal Opportunities, 2001. International Corporate Finance Award for best global transactions, Citibank, New York, 1991

OTHER

• · Member of the Board and Vice Chairman of the Italian American Chamber of Commerce, 2009-11-2015 2015
• · Founding member and member of of the Executive Board of Valore D, association for the promotion of women leadership in Italian corporations comprising 150 major corporations , 150 major corporations 2009-2015
• · Member of the Board of Collegio San Carlo, 2011-2017
• · Member of the Scientific Committee of Collegio Internazionale Ca' Foscari in Venice , 2014-2017
• · Member of the Advisory Board of Bocconi Alumni Association, 2011-2015
• · Member of the Advisory Board, Accenture Foundation , 2007-2012

Published several articles on financial topics in Italian and English. Co author of DIRECTORS,a manual of Corporate Governance for NED, Egea 2022.

Teaching activity conducted for several Italian universities and associations.

Born 09/18/1957 , Italian citizen. Fluent in English, working knowledge of French and Spanish.

ANNEX 2

list of offices of administration and control currently held in other companies

Board Member of Aidexa Holding (Previous PBI S.p.A.) Board Member of HUBLAB Eccellenze d'impresa S.r.l.

Date, place _ House 2/2/24 P Signature

Annex 3 INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA BY UNICREDIT

The following information notice aims at providing you with an overview on the use of your personal data by UniCredit S.p.A. and of your rights pursuant to the General Data Protection Regulation -Regulation (EU) 2016/679 (hereinafter also GDPR).

1. DATA CONTROLLER AND DATA PROTECTION OFFICER

The Data Controller is UniCredit S.p.A., with registered office in Milan, Plazza Gae Aulenti n. 3, Tower A, 20154 Milan (UniCredit).

The Data Protection Officer (DPO) can be contacted at:

UniCredit S.p.A. Data Protection Office, Piazza Gae Aulenti n. 1, Tower B, 20154 Milano, E-mail: Group.DPO@unicredit.eu, PEC: Group.DPO@pec.unicredit.eu.

2. PURPOSE AND LEGAL BASIS OF PROCESSING

UniCredit processes the personal data in its possession, that is collected directly from you, or from the relevant local administrations to verify, among others, their accuracy for the following purposes:

A. Need to fulfill legal obligations deriving from your candidacy as a Member of the UniCredit's Board of Directors.

These obligations imply, among others, verifying - both during the selection procedures and on an ongoing basis - the compliance: i) with the eligibility requirements for taking on and maintaining the role of Director as well as of specific positions (such as integrity requirements, criteria of correctness, professional experience requirements and competence, independence, time commitment, maximum number of offices covered, respect of the prohibition of interlocking) as required by applicable law, by UniCredit's Articles of Association and by the Corporate Governance Code (i.e. Codice di Corporate Governance) as well as with social security and fiscal obligations linked to the remuneration provided.

To comply with the above-mentioned obligations, in some cases, UniCredit is required to carry out analyses that concern also your relatives". For this reason, we kindly ask you to let them aware of this Information Notice.

These needs represented above are the legal basis legitimizing the related data processing Data provided by you is necessary to comply with the obligations arising from your role of member of UniCredit's Board of Directors, without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

B. Fulfilment of legal obligations and requests from Public and Supervisory Authorities, concerning the process, communication and/or disclosure - also during the selection procedures on the website www.unicreditgroup.eu and/ or on specific corporate documents (e.g. Prospectus / Corporate Governance Report, Financial Statements) of your data (such as data contained in your curriculum vitae and in the list of the tasks carried out by you in other banks and commercial companies, as required by the applicable law, and according to the Articles of Association and the Corporate Governance Code).

The needs represented above are the legal basis legitimizing the related data processing The recoss reprosemed absessary to comply with the legal obligations, the requests from they Authorities, as well as to take on the role of member of the Board of Directors of UniCredit, without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations

^' The relatives scope is identified on the basis of the specific applicable regulations

3. CATEGORIES OF PERSONAL DATA PROCESSED

UniCredit processes personal data collected directly from you, or from third parties (e.g. relevant local Uniciedit processes personal data collection (on your views (e.g. name, surgame, address,
administrations), which include, but also information, on the financial situation (e administrations), which include, but all information on the financial situation (e.g. palmonial.
date and place of birth), banking data, linchine hell and celed income, emplo date and place of birth), banking data, information on the minution on tolation (olga personalism
status, information on credit requests(relationships), positions held and re Status, Imonnetcial/professional relationships.

This information may concern existing or past relationships with UniCredit as well as with Group Legal Entities or third parties.

JUDICIAL DATA 3.1

UniCredit may process judicial data (i.e. personal data relating to criminal convictions and offences on UniCredit may process judical data (i.s. pending procedings) refering to you, in order to
related security measures, including information on pendings, trefring to your in or related security measures, including in pending proceedings, conning to provent from being appointed as
verify the subjective and integrity requirements and/or conditions tha member of the Board of Directors of UniCredit.

member of the Board of Directors of Unicifornial of the Rolling as well as to comply with In such cases, the processing is necessary to filling the questions as wor to to consisted requests coming from Public or Supervisory Authorities the related data processing.
by the ECB). This need represents the legitimizes the related ata, processing. by the ECB). This need represents the legal batis that regal obligations; without your personal data.
Data provided by you is necessary to comply with you or to comply with t Data provided by you is necessary to comply win the legal bolgalons, with you or to comply with the law obligations.

4. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA

Your data may be communicated to the natural and legal persons that are acting as "Data Your data may be communication premises and on the website www.unicedit.it, as well as – in the Processors", listed in the Unicrealt premises and on the veating to the data necessary for the following quality of persons authorized to process persons and moneys of the following performance of the dutes they are assiglied to - necessories as leters, consultants and categones: employees of the Bank, soconded personalism as Dala Processors.

Your data may be communicated:

• to those subjects to whom this communication must be carried out in compliance with an to those subjects to whom this commitation indise on by a regulation or by EU legislation.
  obligation established by law (e.g. Bank of the year unicealit it it the "Privacy" obligation established by law (e.g. Ballk on the website wow unice articles) " section;
  Further information can be found on the website wow unicedit. I lead Entities), subsid
• Further information of the UniCredit Group (also foreign Legal Ergil Engli Entities), subsidianes on
  to Legal Entities belonging to the UniCredit Group (also foreign such com to Legal Entities belonging to the Unicipality of the Italian Civil Code, when such communication
  associates under the Caracele not le Retazione dei Dati Code, when such comm associates under the terms of article 2359 of the tallan OM OBE, when back of a law provision.

The detailed list of subjects to whom the data can be communicated is available on the website www.unicredit.it, in the "Privacy" section.

5. DATA TRANSFER TO THIRD COUNTRIES

UniCredit informs you that your personal data may also be transferred to the Countries outside the Unicredit informs you that your personal data may also alled "This commission
European Union or the European Economic Area (so called "This Countries in the Clouding of in ca European Union or the European Economic Area (so called Trine States of in case of
states that the Third Country ensures an adequate for Unicedit (orgent) in the Third County slates that the Third Country ensures an adequale of UniCreatit Uncated in the Third Country
other appropriate safeguards, namely when the supplier of Unicoln the signing of other appropriate safegurds, namely when the supplier of through the signing of the contractually ensures an appropriate level of personal commission), including enforceable of and standard contractual clauses provided by the European Commission, misitantial controlled by writing to Group.DPO@unicredit.eu.

6. DATA PROCESSING MODALITIES

The processing of personal data involves the usage of manual and IT instruments with modalities closely connected with the purposes defined above and, in any case, in such a way to guarantee the security and confidentiality of the data.

7. DATA SUBJECT' RIGHTS

GDPR grants and assures specific rights, including the right to know what data concerning you are held by UniCredit, as well as how they are used, and the right to obtain, under certain conditions, the nord by Entorue, the update, the rectification or, if interested, the integration of your data, as well as the right to data portability.

7.1 DATA RETENTION PERIOD AND RIGHT TO ERASURE

UniCredit processes and stores your personal data for all the time you keep the role of Director, to execute the related and connected obligations, to comply with the applicable legal, contractual and regulatory obligations, as well as for its own defensive purposes or those of third parties until the regulation of the longest mandatory retention period provided by the applicable law (i.e. 11 years) starting from the date of termination of the relationship with you. UniCredit in is annonens slores your personal data even after the expiry of the employment relationship when this is necessary for archiving purposes for historical research purposes, according, to the methods set out in the "Ethical rules of processing for archiving purposes in the public interest or historical research"?

At the end of the applicable mandatory retention period, your personal data will be erased or kept in a form which does not permit your identification (e.g. irreversible anonymization), unless the further processing is necessary for one or more of the following purposes: I) for resolution of prelitigation and/or litigation, started before the expiration of the mandatory retention period; ii) to follow up with Investigations/inspections by internal control functions and/or external autorities, started before the expiration of the mandalory retention period; fill) to follow up with requests from the Italian and/or foreign Public Authorities, received/notified to UniCredit before the expiration of the mandatory retention period.

8. PROCEDURE TO EXERCISE THE RIGHTS

The e-mail address which you can refer to for the exercise of your rights described in the paragraph 7 is the following one: corporate. law@pec.unicredit.eu.

The deadline for the reply is one (1) month, that may be extended for two (2) further months in cases es I ficalicular complexity; in these cases, UniCredit informs you about such extension within one (1) month from the receipt of the request.

The exercise of rights is, in principle, free of charge.

COMPLAINT OR REPORTING TO THE "GARANTE PER LA PROTEZIONE DEI DATI 9. PERSONALI

UniCredit informs you that you have the right to lodge a complaint with, or to report to the Garante per Uniciedit mornis you that you have the ng to appeal to the Judicial Authority. The contacts of the Ia Protezione dei Dati Personali can be consulted on the website http://www.garanteprivacy.it

	Date and place, Hilling 8/2/2/21
Signature	House Vierdul

³ Record of the provisions 19 December 2018, n. 513

STATEMENT OF CANDIDACY AND DECLARATION ATTESTING THE INEXISTENCE OF REASONS FOR INELIGIBILITY, FORFEITURE OR INCOMPATIBILITY, AS WELL AS REGARDING THE MEETING OF THE REQUIREMENTS PROVIDED FOR BY CURRENT PROVISIONS AND OF ACCEPTANCE OF APPOINTMENT

I, the undersigned PAOLA CAMAGNI, born in Milan (Italy) on December 22, 1970, tax code CMGPLA70T62F205M, resident in Milan, of Italian nationality, in relation to the office of member of the Board of Directors as well as member of the Audit Committee in UniCredit S.p.A. ("UniCredit" or the "Bank") in light of the Agenda of the Shareholders' Meeting convened for 12 April 2024, under my own responsibility,

taking into account, among others, the provisions of Section 91 of the Directive 2013/36/EU dated June 26, 2013, as subsequently amended ("CRD"), Articles 2382 and 2387 of the Italian Civil Code, Section 26 of Legislative Decree no. 385 dated September 1, 1993 ("TUB"), Articles 147-quinquies as well as Article 148 of Legislative Decree no. 58 dated February 24, 1998 ("TUF"), the Ministry of Economy and Finance no. 169 dated November 23, 2020 (the "Decree"), the Ministry of Justice Decree no. 162 dated March 30, 2000, Clause 20 of the Unicredit Articles of Association and Article 2, recommendation 7 and 9, of the Corporate Governance Code (the "Corporate Governance Code")

STATE THAT

there are no reasons for my ineligibility, forfeiture or incompatibility and that I meet the requirements provided for by currently applicable provisions, as well as by the Articles of Association of UniCredit for the appointment as member of the Board of Directors as well as member of the Audit Committee; with specific reference to the experience and independence requirements:

DECLARE THAT

EXPERIENCE

I possess the knowledge, skills and experience required by CRD, TUB and the Decree, as well as by the Decree no. 162 dated March 30, 2000 and, in particular:

• and have exercised the legal auditing of accounts for at least 3 years from May 1999 to May 2003;

• 区 that I have accrued the appropriate experience of at least 5 years through the exercise of one or more of the following activities1:

¹ With reard to UniCredit business activity exercised among the following specifying the month and year: a) activity of legal auditing of activity of administration or control or executive tasks in the credit, financial, securities or insurance sector; c) administration or executive tasks at listed companies or companies whose size and complexity is greater than, or comparable to, that of UniCredit (in terms of turnover, nature and complexity of the organisation or activity carried out); d) professional activities as a business accountant or lawyer, undertaken primarily in the credit, financial, securities or insurance sector, e) teaching, as university professor of first or second level, subjects concerning - in the field of law - banking, commercial and/or fiscal law, as well as the running of financial markets and - in the field of business/finance - banking operations, business economics, accountancy, the running of the securities markets, the running of the financial and international markets and corporate finance, as well as other subjects in any way connected with the activities of the credit, financial, securities or insurance sector; f) performing management duties, however called, within public organisations or offices of the Public Administration, relating to the credit, finance secor, or to the investment services sector or to the collective investment sector as defined in TUF, whose size and complexity are comparable with that of Unicedit. Please note that the chair of the Audit Committee must: (i) be enrolled with the Register of Auditors and have exercised the legal auditing of a period of no less than five years, or (i) have exercised, also alternatively, for a period of no less than five years, the activity of accounts or the other activities as mentioned above.

• Statutory auditor at ENI S.p.A. from May 2014 to May 2020;
• Statutory auditor at CNP UniCredit Vita S.p.A. from June 2011 to date;
• Statutory auditor at CNP Vita Assicura S.p.A. from December 2021 to date,

as they result from both the attached curriculum vitae (see Annex 1) and the list of offices of administration and control currently held in other companies (see Annex 2).

INDEPENDENCE

I meet the independence criteria pursuant to the following provisions:

1)	Article 148 TUF, para. 3 and Article 2399, para. 1 (as recalled by Article 図 Yes
	2409-septiesdecies) Italian Civil Code
2)	Article 14 of the Decree	× Yes	INO I
	3) Italian Corporate Governance Code	× Yes	ONO I

l, the undersigned, also:

• state to be a candidate to the Board of Directors of UniCredit as member, as well as a candidate to the Audit Committee as member, and, if appointed, to irrevocably accept my appointment as from today or as from the substitution of an appointed member of the Audit Committee;
• state that I am not in any of the situations provided for by (i) Article 2390 Italian Civil Code, nor (ii) 36 of Law Decree no. 201 dated December 6, 2011, converted into Law no. 214 dated December 22, 2011 (i.e., interlocking);
• state that I do not exceed the limits upon the maximum number of offices to be held pursuant to applicable rules and that I am able to commit the necessary time to effectively carry out the office;
• undertake to promptly inform UniCredit of any changes in the above-mentioned circumstances and, on request by the Company, to produce any documentation suitable to confirm the truthfulness of the facts declared;
• having read the information notice on the processing of personal data reported in attachments, acknowledge the disclosure of the information above and the information indicated in the Annexes.

ANNEXES:

• 1) CV
• 2) List of offices of administration and control currently held in other companies
• 3) Privacy statement

February 14, 2024 - Milan

Signature

ANNEX 1

PAOLA CAMAGNI CV

Born in Milan (Italy) on 22 December 1970 Resident in Milan - Italy

Education:	1989: Scientific high school diploma - Milan
	1994: Degree with honours in Economics and Business (dissertation on "International Tax Law") - Bocconi University - Milan
	1994/1995: Master in "International Tax Law" - Bocconi University - Milan
Professional Profile:	1996: Enrolled in the Chartered Accountant - Milan Association - and Accounting Auditors Register n. 91220
	At the beginning of 2016 she was appointed as member of the "Committee of Experts on Tax and Economic Policy" by the Presidency of the Italian Counsel of Ministers (DPCM May 5, 2016)
Current posts:	Founder and Managing Partner of "CAMAGNI e ASSOCIATI" tax firm
	Independent Member of the Board of Directors, member of ESG Committee and Remuneration and Nomination Committee of Telecom Italia (TIM) S.p.A. and independent member of the Board of Directors of FSI Sgr S.p.A.
	Statutory auditor/Chair of the Board of Statutory Auditors of the following companies: ENI Group: Mozambigue Rovuma Venture S.p.A. (Chair of the Statutory Board); Azule Energy Angola S.p.A. (Statutory Auditor); A.G.I. Agenzia Giornalistica Italia S.p.A. (Chair of the Statutory Board); - CNP Group: CNP UniCredit Vita S.p.A. and CNP Vita Assicura S.p.A She is also member of the relevant Watch structure ("OdV").
Professional experience:	Founder and Managing Partner of "Camagni e Asssociati" Tax firm 2013 - today: In December 2013 she established the tax firm "Camagni e Associati". With thirty years of experience as Tax advisor (Dottore Commercialista), she has been providing tax advice, issuing opinions on investment, restructuring and international tax issues to large groups as well as foreign real estate funds and companies listed on stock exchanges in Milan, New York, Amsterdam, London and Sydney. She assists clients during tax audits, in the pre-litigation and tax litigation phases and supports lawyers, as technical consultant, in case of tax assessments bearing criminal implications.
	Partner (Head of RE tax team) of Studio Tributario e Societario -

DELOITTE Milan network 2003 – November 2013

	As a partner of Deloitte Studio Tributario e Societario, she provided assistance and tax advice to leading Italian and multinational companies. Her activity was particularly focused on tax advices to RE Group, analysis of domestic and international tax issues (mainly opinions), tax structuring and assistance for M&A.
	Tax Senior Manager at Andersenlegal (than merged into Deloitte) 2000 - 2003
	Tax Senior Consultant at Studio Tributario DEIURE in Milan 1996 - 2000
	Tax Consultant at Studio Legale e Tributario - ERNST&YOUNG 1994-1996
	Main posts previously held: Statutory auditor of ENI S.p.A. (from 2014 to 2020)
	Member of the Board of Directors, Chairman of the Related Parties Committee; member of the Risk Committee; member of the Remuneration & Nomination Committee of CellularLine S.p.A (2018 - 2020)
	Chairman of the Board of the Statutory auditors of OVS S.p.A. (2017 - 2018)
	Statutory auditor of Eni Rewind (2015-2023), Oracle Italia, Zara Italia and KPNQWest Italia S.p.A.
	Board Member of Cantieri di Sarnico S.p.A. (1998 -2000)
Other activities and commissions:	Author for "Il Sole 24ore" - tax section - of different articles on tax matters
	Professor of the Master in "International tax law" at Bocconi University from 2013/2014 to 2017/2018 years
	"Expert" - at the Department of Tax Law and Comparative Tax Law of L. Bocconi University from 1996 to 2014
	Lecturer of the "Real Estate Master", held at SDA Bocconi in Milan editions 2011/12 and 2012/2013
Foreign languages:	- English: fluent; - French: basic.

February 14, 2024 - Milan

Signature

ANNEX 2

List of offices of administration and control currently held in other companies

• Member of the Board of Directors at Telecom Italia (TIM) S.p.A., as well as member of the relevant ESG . . . . . . Committee and Nomination and Remuneration Committee;
• Member of the Board of Directors of FSI Sgr S.p.A. .
• Statutory auditor of the following companies:

ENI Group: Mozambique Rovuma Venture S.p.A. (Chairman of the Statutory Board) (T); Azule Energy Angola ENI Group: Mozamonqoe Rovoma Ventore Spari: (Chairman of the Statutory Board);
S.p.A. (Statutory Auditor); A.G.I. Agenzia Giornalistica Italia S.p.A. (Chairman of the Statut

CNP Group: CNP UniCredit Vita S.p.A. (**) and CNP Vita Assicura S.p.A. (*).

(*) The term of mandate is April 2024.

(*) | The tenn of manout 15 Kpm 2001 - 12:40 pm
(**) I committed to resign from the office subject to my appointment as member of the Board of Directive starships ( subject to my appointment as member of the Board of Directors of UniCredit.

February 14, 2024 - Milan

Signature

INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA BY UNICREDIT

The following information notice aims at providing you with an overview on the use of your personal data by UniCredit S.p.A. and of your rights pursuant to the General Data Protection - Regulation (EU) 2016/679 (hereinafter also GDPR).

1. DATA CONTROLLER AND DATA PROTECTION OFFICERS

The Data Controller is UniCredit S.p.A., with registered office in Milan, Piazza Gae Aulenti n. 3, Tower A, 20154 Milan (UniCredit).

The Data Protection Officer (DPO) can be contacted at:

UniCredit S.p.A. Data Protection Office, Piazza Gae Aulenti n. 1, Tower B, 20154 Milano, E-mail: Group.DPO@unicredit.eu, PEC: Group.DPO@pec.unicredit.eu.

2. PURPOSE AND LEGAL BASIS OF PROCESSING

UniCredit processes the personal data in its possession, that is collected directly from you, or from the relevant local administrations to verify, among others, their accuracy for the following purposes:

A. Need to fulfill legal obligations deriving from your candidacy as a Member of the UniCredit's Board of Directors.

These obligations imply, among others, verifying - both during the selection procedures and on an ongoing basis - the compliance: i) with the eligibility requirements for taking on and maintaining the role of Director as well as of specific positions (such as integrity requirements, criteria of correctness, professional experience requirements and competence, independence, time commitment, maximum number of offices covered, respect of the prohibition of interlocking) as required by applicable law, by UniCredit's Articles of Association and by the Corporate Governance Code (i.e. Codice di Corporate Governance) as well as with social security and fiscal obligations linked to the remuneration provided.

To comply with the above-mentioned obligations, in some cases, UniCredit is required to carry out analyses that concern also your relatives? For this reason, we kindly ask you to let them aware of this Information Notice.

These needs represented above are the legal basis legitimizing the related data processing. Data provided by you is necessary to comply with the obligations arising from your role of member of UniCredit's Board of Directors; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

B. Fulfilment of legal obligations and requests from Public and Supervisory Authorities, concerning the process, communication and/or disclosure - also during the selection procedures - on the website www.unicreditgroup.eu and/ or on specific corporate documents (e.g. Prospectus / Corporate Governance Report, Financial Statements) of your data (such as data contained in your curriculum vitae and in the tasks carried out by you n other banks and commercial companies, as required by the applicable law, and according to the Articles of Association and the Corporate Governance Code).

The needs represented above are the legal basis legitimizing the related data processing. Data provided by you is necessary to comply with the legal obligations, the requests from the Authorities, as well as to take on the role of member of the Board of Directors of UniCredit; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

3. CATEGORIES OF PERSONAL DATA PROCESSED

UniCredit processes personal data collected directly from you, or from third parties (e.g. relevant local administrations), which include, but are not limited to, personal data (e.g. name, surname, address, date and place of birth), banking data, information on the financial situation (e.g. patrimonial status, information on credit requests/relationships), positions held and related income, employment relationships, commercial/professional relationships.

² The relatives scope is identified on the basis of the specific applicable regulations.

This information may concern existing or past relationships with Group Legal Entities or third parties.

3.1 JUDICIAL DATA

UniCredit may process judicial data (i.e. personal data relating to criminal convictions and offences or related security measures, including information on pending proceedings) referring to you, in order to verify the subjective and integrity requirements and/or conditions that prevent from being appointed as member of the Board of Directors of UniCredit.

In such cases, the processing is necessary to fulfill legal obligations as well as to comply with requests coming from Public or Supervisory Authorities (e.g. filling the questionnaire requested by the ECB). This need represents the legal basis that legitimizes the related data processing. Data provided by you is necessary to comply with the legal obligations; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

4. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA

Your data may be communicated to the natural and legal persons that are acting as "Data Processors", listed in the UniCredit premises and on the website www.unicredit.it, as well as – in the quality of persons authorized to process personal data in relation to the data necessary for the performance of the duties they are assigned to – the natural persons belonging to the following categories: employees of the Bank, seconded personnel, temporary workers, interns, consultants and the employees of the external companies appointed as Data Processors.

Your data may be communicated:

• to those subjects to whom this communication must be carried out in compliance with an obligation established by law (e.g. Bank of Italy and ECB), by a regulation or by EU legislation. Further information can be found on the website www.unicredit.it in the "Privacy" section;
• to Legal Entities belonging to the UniCredit Group (also foreign Legal Entities), subsidiaries or associates under the terms of article 2359 of the Italian Civil Code, when such communication is permitted on the basis of a Garante per la Protezione dei Dati Personali's measure or by a law provision.

The detailed list of subjects to whom the data can be communicated is available on the website www.unicredit.it, in the "Privacy" section.

5. DATA TRANSFER TO THIRD COUNTRIES

UniCredit informs you that your personal data may also be transferred to the European Union or the European Economic Area (so called "Third Countries") if the EU Commission states that the Third Country ensures an adequate level of protection of personal data or in case of other appropriate safeguards, namely when the supplier of UniCredit located in the Third Country contractually ensures an appropriate level of personal data protection (e.g. through the standard contractual clauses provided by the European Commission), including enforceable and effective data subject rights. Further information can be requested by writing to Group.DPO@unicredit.eu.

DATA PROCESSING MODALITIES 6.

The processing of personal data involves the usage of manual and IT instruments with modalities closely connected with the purposes defined above and, in any case, in such a way to guarantee the security and confidentiality of the data.

7. DATA SUBJECT' RIGHTS

GDPR grants and assures specific rights, including the right to know what data concerning you are held by UniCredit, as well as how they are used, and the right to obtain, under certain conditions, the copy, the erasure, the rectification or, if interested, the integration of your data, as well as the right to data portability.

7.1 DATA RETENTION PERIOD AND RIGHT TO ERASURE

UniCredit processes and stores your personal data for all the time you keep the role of Director, to execute the related and connected obligations, to comply with the applicable legal, contractual and regulatory obligations, as well as for its own defensive purposes or those of third parties until the expiration of the longest mandatory retention

period provided by the applicable law (i.e. 11 years) starting from the date of termination of the relationship with you. UniCredit processes and stores your personal data even after the expiry of the employment relationship when this is necessary for archiving purposes for historical research purposes, according, to the methods set out in the "Ethical rules of processing for archiving purposes in the public interest or historical research"9.

At the end of the applicable mandatory retention period, your personal data will be erased or kept in a form which does not permit your identification (e.g. irreversible anonymization), unless the further processing is necessary for one or more of the following purposes: i) for resolution of pre-litigation, started before the expiration of the mandatory retention period; ii) to follow up with investigations by internal control functions and/or external authorities, started before the expiration period; iii) to follow up with requests from the Italian and/or foreign Public Authorities, received/notified to UniCredit before the expiration of the mandatory retention period.

8. PROCEDURE TO EXERCISE THE RIGHTS

The e-mail address which you can refer to for the exercise of your rights described in the paragraph 7 is the following one: corporate.law@pec.unicredit.eu.

The deadline for the reply is one (1) month, that may be extended for two (2) further months in cases of particular complexity; in these cases, UniCredit informs you about such extension within one (1) month from the receipt of the request.

The exercise of rights is, in principle, free of charge.

9. COMPLAINT OR REPORTING TO THE "GARANTE PER LA PROTEZIONE DEI DATI PERSONALI"

UniCredit informs you that you have the right to lodge a complaint with, or to report to the Garante per la Protezione dei Dati Personali, or else to appeal to the Judicial Authority. The Garante per la Protezione dei Dati Personali can be consulted on the website http://www.garanteprivacy.it.

February 14, 2024 - Milan

Signature

³ Record of the provisions 19 December 2018, n. 513

STATEMENT OF CANDIDACY AND DECLARATION ATTESTING THE INEXISTENCE OF REASONS FOR INELIGIBILITY, FORFEITURE OR INCOMPATIBILITY, AS WELL AS REGARDING THE MEETING OF THE REQUIREMENTS PROVIDED FOR BY CURRENT PROVISIONS AND OF ACCEPTANCE OF APPOINTMENT

I, the undersigned VILLA GABRIELE, born in Milan (MI) on 18 June 1964 tax code VLLGRL64H18F205Z, resident in Milan, of Italian nationality, in relation to the office of Member of the Board of Directors as well as Member of the Audit Committee in UniCredit" or the "Bank") in light of the Agenda of the Shareholders' Meeting convened for 12 April 2024, under my own responsibility,

taking into account, among others, the provisions of Section 91 of the Directive 2013/36/EU dated June 26, 2013, as subsequently amended ("CRD"), Articles 2382 and 2387 of the Italian Civil Code, Section 26 of Legislative Decree no. 385 dated September 1, 1993 ("TUB"), Articles 147-ter and 147-quinquies as well as Article 148 of Legislative Decree no. 58 dated February 24, 1998 ("TUF"), the Ministry of Economy and Finance no. 169 dated November 23, 2020 (the "Decree"), the Ministry of Justice Decree no. 162 dated March 30, 2000, Clause 20 of the UniCredit Articles of Association and Article 2, recommendation 7 and 9, of the Corporate Governance Code (the "Corporate Governance Code")

STATE THAT

there are no reasons for my ineligibility, forfeiture or incompatibility and that I meet the requirements provided for by currently applicable provisions, as well as by the Articles of Association of UniCredit for the appointment as Member of the Board of Directors as well as Member of the Audit Committee; with specific reference to the experience and independence requirements:

DECLARE THAT

EXPERIENCE

I possess the knowledge, skills and experience required by CRD, TUB and the Decree, as well as by the Decree no. 162 dated March 30, 2000 and, in particular:

• legal auditing of accounts for at least five years, from April 2004 to May 2010, to date;
• 区 that I have accrued the appropriate experience of at least five years through the exercise of one or more of the following activities1:
  • Edison S.p.A.: Statutory Auditor from March 2017 to present;

¹ With regard to UniCredit business activitys, please indicate the activity exercised among the following, specifying the month and year:

a) activity of legal auditing of accounts;

b) activity of administration or control or executive tasks in the credit, financial, securities or insurance sector;

c) administration or control activities or executive tasks at listed companies whose size and complexity is greater than, or comparable to, that of UniCredit (in terms of turnover, nature and complexity of the organisation or activity carried out); d) professional activities as a business accountant or lawyer, undertaken primarily in the credit, financial, securities or insurance sector:

e) teaching, as university professor of first or second level, subjects concerning – in the field of law – banking, commercial and/or fiscal law, as well as the running of financial markets and - in the field of business/finance - banking operations, business economics, accountancy, the running of the securities markets, the financial and international markets and corporate finance, as well as other subjects in any way connected with the activities of the credit, financial, securities or insurance sector;

f) performing managerial, executive or top management duties, however called, within public organisations or offices of the Public Administration, relating to the credit, financial, securities or insurance sector, or to the investment services sector or to the collective investment sector as defined in TUF, whose size and complexity are comparable with that of UniCredit. Please note that the chair must: (i) be register of Auditors and have exercised the legal auditing of accounts for a period of not less than five years, or (ii) have exercised, also alternatively, for a period of not less than five years, the activity of legal auditing of accounts or the other activities as mentioned above.

• TdE Transalpina di Energia S.p.A.: Statutory Auditor from March 2017 to present;
• Mediobanca S.p.A.: Board Member and Executive Committee Member from October 2017 to October 2023;
• Associate Professor in the Faculty of Banking, Financial and Insurance Studies, Milan, Catholic University; courses taught: Financial Reporting and International Reporting Standard; Courses taught jointly: Corporate Finance - Valuation (advanced course) from 2002 to present,

as they result from both the attached curriculum vitae (see Annex 1) and the list of offices of administration and control currently held in other companies (see Annex 2).

INDEPENDENCE

I meet the independence criteria pursuant to the following provisions:

1)	Article 148 TUF, para. 3 and Article 2399, para. 1 (as recalled by Article 図 Yes 2409-septiesdecies) Italian Civil Code		O No
2)	Article 14 of the Decree	× Yes	No I
	1 3) Italian Corporate Governance Code	& Yes	No I

l, the undersigned, also:

• state to be a candidate to the Board of Directors of UniCredit as member, as well as a candidate to the Audit Committee as member, and, if appointed, to irrevocably accept my appointment as from today or as from the substitution of an appointed member of the Audit Committee;
• state that I am not in any of the situations provided for by (i) Article 2390 Italian Civil Code, nor , (ii) 36 of Law Decree no. 201 dated December 6, 2011, converted into Law no. 214 dated December 22, 2011 (i.e., interlocking);
• . state that I do not exceed the limits upon the maximum number of offices to be held pursuant to applicable rules and that I am able to commit the necessary time to effectively carry out the office;
• undertake to promptly inform UniCredit of any changes in the above-mentioned circumstances and, on request by the Company, to produce any documentation suitable to confirm the truthfulness of the facts declared;
• having read the information notice on the processing of personal data reported in attachments, acknowledge the disclosure of the information above and the information indicated in the Annexes.

ANNEXES:

• 1) CV
• 2) List of offices of administration and control currently held in other companies
• 3) Privacy statement

Milano, 12 February 2024

Gabriele Villa

ANNEX 1

Curriculum Vitae

Place and date of birth

Milan, 18 June 1964

Academic Position

Associate Professor in the Faculty of Banking, Financial and Insurance Studies, Milan, Catholic University Courses taught: Financial Reporting and International Reporting Standards Courses taught jointly: Corporate Finance - Valuation (advanced course).

Professional experience

Chartered accountant, registered in the Milan chartered accountant's register; Qualified auditor, registered in the register of legal auditors instituted by the Italian ministry for the economy and finance. Partner, Studio Corbella Villa Crostarosa-Guicciardi, Milan, Italy.

Areas of expertise

Significant expertise in the following areas: company valuations and M&A transactions; assistance in court cases in legal proceedings before courts and/or arbitral tribunal; technical advisory services in matters pertaining to civil and criminal law; company financial reporting.

In the banking, financial and insurance sector: specific experience acquired as Director or Statutory Auditor of the following companies: Xelion Banca (Gruppo Unicredit); Credito Artigiano; CreditRas Assicurazioni; or the rotoming companis Spafid; Mediobanca. Last experience in Mediobanca Group: Mediobanca Con Vitar Piness Lancer (2007-2008); Mediobanca Statutory Auditor (2008-2017); Mediobanca Board of Directors Member and Executive Committee Member (2017-2023); Spafid – President of the Board of Directors (June 2019- 9 February 2024). Chair of the Fondazione Accademia Arti e Mestieri del Teatro alla Scala.

Milan, 12 February 2024

Gabriele Villa

ANNEX 2

LIST OF OFFICES OF ADMINISTRATION AND CONTROL CURRENTLY HELD IN OTHER COMPANIES

Edison S.p.A. Italmobiliare S.p.A. TdE - Transalpina di Energia S.p.A.

Statutory Auditor Statutory Auditor Statutory Auditor

Milan, 12 February 2024

Gabriele Villa

Cee

INFORMATION NOTICE ON THE PROCESSING OF PERSONAL DATA BY UNICREDIT

The following information notice aims at providing you with an overview on the use of your personal data by UniCredit S.p.A. and of your rights pursuant to the General Data Protection Regulation (EU) 2016/679 (hereinafter also GDPR).

1. DATA CONTROLLER AND DATA PROTECTION OFFICER

The Data Controller is UniCredit S.p.A., with registered office in Milan, Piazza Gae Aulenti n. 3, Tower A, 20154 Milan (UniCredit).

The Data Protection Officer (DPO) can be contacted at:

UniCredit S.p.A. Data Protection Office, Piazza Gae Aulenti n. 1, Tower B, 20154 Milano, E-mail: Group.DPO@unicredit.eu, PEC: Group.DPO@pec.unicredit.eu.

2. PURPOSE AND LEGAL BASIS OF PROCESSING

UniCredit processes the personal data in its possession, that is collected directly from you, or from the relevant local administrations to verify, among others, their accuracy for the following purposes:

A. Need to fulfill legal obligations deriving from your candidacy as a Member of the UniCredit's Board of Directors.

These obligations imply, among others, verifying - both during the selection procedures and on an ongoing basis - the compliance: i) with the eligibility requirements for taking on and maintaining the role of Director as well as of specific positions (such as integrity requirements, criteria of correctness, professional experience requirements and competence, independence, time commitment, maximum number of offices covered, respect of the prohibition of interlocking) as required by applicable law, by UniCredit's Articles of Association and by the Corporate Governance Code (i.e. Codice di Corporate Governance) as well as with social security and fiscal obligations linked to the remuneration provided.

To comply with the above-mentioned obligations, in some cases, UniCredit is required to carry out analyses that concern also your relatives?. For this reason, we kindly ask you to let them aware of this Information Notice.

These needs represented above are the legal basis legitimizing the related data processing. Data provided by you is necessary to comply with the obligations arising from your role of UniCredit's Board of Directors; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

B. Fulfilment of legal obligations and requests from Public and Supervisory Authorities, concerning the process, communication and/or disclosure - also during the selection procedures - on the website www.unicreditgroup.eu and/ or on specific corporate documents (e.g. Prospectus / Corporate Governance Report, Financial Statements) of your data (such as data contained in your curriculum vitae and in the tist of the tasks carried out by you in other banks and commercial companies, as required by the applicable law, and according to the Articles of Association and the Corporate Governance Code).

The needs represented above are the legal basis legitimizing the related data processing. Data provided by you is necessary to comply with the legal obligations, the requests from the Authorities, as well as to take on the role of member of the Board of Directors of UniCredit; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

3. CATEGORIES OF PERSONAL DATA PROCESSED

UniCredit processes personal data collectly from you, or from third parties (e.g. relevant local administrations), which include, but are not limited to, personal data (e.g. name, surname, address, date and place of birth), banking data, information on the financial situation (e.g. patrimonial status, information on credit requests/relationships), positions held and related income, employment relationships, commercial/professional relationships.

² The relatives scope is identified on the basis of the specific applicable regulations.

This information may concern existing or past relationships with UniCredit as well as with Group Legal Entities or third parties.

3.1 JUDICIAL DATA

UniCredit may process judicial data (i.e. personal data relating to criminal convictions and offences or related security measures, including information on pending proceedings) referring to you, in order to verify the subjective and integrity requirements and/or conditions that prevent from being appointed as member of the Board of Directors of UniCredit.

In such cases, the processing is necessary to fulfill legal obligations as well as to comply with requests coming from Public or Supervisory Authorities (e.g. filling the questionnaire requested by the ECB). This need represents the legal basis that legitimizes the related data processing. Data provided by you is necessary to comply with the legal obligations; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

4. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA

Your data may be communicated to the natural and legal persons that are acting as "Data Processors", listed in the UniCredit premises and on the website www.unicredit.it, as well as – in the quality of persons authorized to process personal data in relation to the data necessary for the performance of the duties they are assigned to – the natural persons belonging to the following categories: employees of the Bank, seconded personnel, temporary workers, interns, consultants and the employees of the external companies appointed as Data Processors.

Your data may be communicated:

• to those subjects to whom this communication must be carried out in compliance with an obligation established by law (e.g. Bank of Italy and ECB), by a regulation or by EU legislation. Further information can be found on the website www.unicredit.it in the "Privacy" section;
• to Legal Entities belonging to the UniCredit Group (also foreign Legal Entities), subsidiaries or associates under the terms of article 2359 of the Italian Civil Code, when such communication is permitted on the basis of a Garante per la Protezione dei Dati Personali's measure or by a law provision.

The detailed list of subjects to whom the data can be communicated is available on the website www.unicredit.it, in the "Privacy" section.

5. DATA TRANSFER TO THIRD COUNTRIES

UniCredit informs you that your personal data may also be transferred to the Countries outside the European Union or the European Economic Area (so called "Third Countries") if the EU Commission states that the Third Country ensures an adequate level of protection of personal data or in case of other appropriate safeguards, namely when the supplier of UniCredit located in the Third Country contractually ensures an appropriate level of personal data protection (e.g. through the signing of the standard contractual clauses provided by the European Commission), including enforceable and effective data subject rights. Further information can be requested by writing to Group.DPO@unicredit.eu.

6. DATA PROCESSING MODALITIES

The processing of personal data involves the usage of manual and IT instruments with modalities closely connected with the purposes defined above and, in any case, in such a way to guarantee the security and confidentiality of the data.

7. DATA SUBJECT' RIGHTS

GDPR grants and assures specific rights, including the right to know what data concerning you are held by UniCredit, as well as how they are used, and the right to obtain, under certain conditions, the copy, the erasure, the rectification or, if interested, the integration of your data, as well as the right to data portability.

7.1 DATA RETENTION PERIOD AND RIGHT TO ERASURE

UniCredit processes and stores your personal data for all the time you keep the role of Director, to execute the related and connected obligations, to comply with the applicable legal, contractual and regulatory obligations, as well as for its own defensive purposes or third parties until the expiration of the longest mandatory retention

period provided by the applicable law (i.e. 11 years) starting from the date of termination of the relationship with you. UniCredit processes and stores your personal data even after the expiry of the employment relationship when this is necessary for archiving purposes for historical research purposes, according, to the methods set out in the "Ethical rules of processing for archiving purposes in the public interest or historical research"3.

At the end of the applicable mandatory retention period, your personal data will be erased or kept in a form which does not permit your identification (e.g. irreversible anonymization), unless the further processing is necessary for one or more of the following purposes: i) for resolution of pre-litigation, started before the expiration of the mandatory retention period; il) to follow up with investigations/inspections by internal control functions and/or external authorities, started before the expiration of the mandatory retention period; iii) to follow up with requests from the Italian and/or foreign Public Authorities, received/notified to UniCredit before the expiration of the mandatory retention period.

PROCEDURE TO EXERCISE THE RIGHTS 8.

The e-mail address which you can refer to for the exercise of your rights described in the paragraph 7 is the following one: corporate.law@pec.unicredit.eu.

The deadline for the reply is one (1) month, that may be extended for two (2) further months in cases of particular complexity; in these cases, UniCredit informs you about such extension within one (1) month from the receipt of the request.

The exercise of rights is, in principle, free of charge.

9. COMPLAINT OR REPORTING TO THE "GARANTE PER LA PROTEZIONE DEI DATI PERSONALI"

UniCredit informs you that you have the right to lodge a complaint with, or to report to the Garante per la Protezione dei Dati Personali, or else to appeal to the Judicial Authority. The Garante per la Protezione dei Dati Personali can be consulted on the website http://www.garanteprivacy.it.

Milan, 12 February 2024

Gabriele Villa

³ Record of the provisions 19 December 2018, n. 513

STATEMENT OF CANDIDACY AND DECLARATION ATTESTING THE INEXISTENCE OF REASONS FOR INELIGIBILITY, FORFEITURE OR INCOMPATIBILITY, AS WELL AS REGARDING THE MEETING OF THE REQUIREMENTS PROVIDED FOR BY CURRENT PROVISIONS AND OF ACCEPTANCE OF APPOINTMENT

l, the undersigned JULIE B. GALBO, born in Copenhagen (Denmark) on 18 February 1971, tax code 180271-2584, resident in Copenhagen, Denmark, of Danish nationality, in relation to the office of member of the Board of Directors as well as member of the Audit Committee in UniCredit S.p.A. ("UniCredit" or the "Bank") in light of the Agenda of the Shareholders' Meeting convened for 12 April 2024, under my own responsibility,

taking into account, among others, the provisions of Section 91 of the Directive 2013/36/EU dated June 26, 2013, as subsequently amended ("CRD"), Articles 2382 and 2387 of the Italian Civil Code, Section 26 of Legislative Decree no. 385 dated September 1, 1993 ("TUB"), Articles 147-ter and 147-quinquies as well as Article 148 of Legislative Decree no. 58 dated February 24, 1998 ("TUF"), the Ministry of Economy and Finance no. 169 dated November 23, 2020 (the "Decree"), the Ministry of Justice Decree no. 162 dated March 30, 2000, Clause 20 of the UniCredit Articles of Association and Article 2, recommendation 7 and 9, of the Corporate Governance Code (the "Corporate Governance Code")

STATE THAT

there are no reasons for my ineligibility, forfeiture or incompatibility and that I meet the requirements provided for by currently applicable provisions, as well as by the Articles of Association of UniCredit for the appointment as Director/member of the Board of Directors as well as Chair/member of the Audit Committee; with specific reference to the experience and independence requirements:

DECLARE THAT

EXPERIENCE

I possess the knowledge, skills and experience required by CRD, TUB and the Decree, as well as by the Decree no. 162 dated March 30, 2000 and, in particular:

or more of the following activities1:

¹ With regard to UniCredit business activities, please indicate the activity exercised among the following, specifying the month and vear:

a) activity of legal auditing of accounts;

b) activity of administration or control or executive tasks in the credit, financial, securities or insurance sector;

c) administration or control activities or executive tasks at listed companies whose size and complexity is greater than, or comparable to, that of UniCredit (in terms of turnover, nature and complexity of the organisation or activity, raried out); d) professional activities as a business accountant or lawyer, undertaken primarily in the credit, financial, securities or insurance sector:

e) teaching, as university professor of first or second level, subjects concerning - in the field of law - banking, commercial and/or fiscal law, as well as the running of financial markets and - in the field of business/finance - banking operations, business economics, accountancy, the running of the securities markets, the running of the financial and international markets and corporate finance, as well as other subjects in any way connected with the activities of the credit, financial, securities or insurance sector;

f) performing managerial, executive or top management duties, however called, within public organisations or offices of the Public Administration, relating to the credit, financial, securities or insurance sector, or to the investment services sector or to the collective investment-management sector as defined in TUF, whose size and complexity are comparable with that of UniCredit. Please note that the chair must: (i) be register of Auditors and have exercised the legal auditing of accounts for a period of not less than five years, or (ii) have exercised, also alternatively, for a period of not the activity of legal auditing of accounts or the other activities as mentioned above.

• Deputy Director General at Danish Financial Supervisory Authority from January 2010 to June 2014;
• Various positions in Nordea from 2015 including Group Chief Risk Officer and Head of Group Business Risk Management at Nordea from January 2017 to May 2019;
• Member of the Boards and Audit and Risk and Compliance Committees of DNB and Commonwealth Bank of Australia from June 2020 to April 2024 and from September 2021 to present, respectively,

as they result from both the attached curriculum vitae (see Annex 1) and the list of offices of administration and control currently held in other companies (see Annex 2).

INDEPENDENCE

I meet the independence criteria pursuant to the following provisions:

1)	Article 148 TUF, para. 3 and Article 2399, para. 1 (as recalled by Article 図 Yes		No I
	2409-septiesdecies) Italian Civil Code
2)	Article 14 of the Decree	× Yes	No
	3) Italian Corporate Governance Code	� Yes	L No I

I, the undersigned, also:

• state to be a candidate to the Board of Directors of UniCredit as member, as well as a candidate to the Audit Committee as member, and, if appointed, to irrevocably accept my appointment as from today or as from the substitution of an appointed member of the Audit Committee;
• state that I am not in any of the situations provided for by (i) Article 2390 Italian Civil Code, nor (ii) 36 of Law Decree no. 201 dated December 6, 2011, converted into Law no. 214 dated December 22, 2011 (i.e., interlocking);
• state that I do not exceed the limits upon the maximum number of offices to be held pursuant to applicable rules and that I am able to commit the necessary time to effectively carry out the office;
• undertake to promptly inform UniCredit of any changes in the above-mentioned circumstances and, on request by the Company, to produce any documentation suitable to confirm the truthfulness of the facts declared;
• having read the information notice on the processing of personal data reported in attachments, acknowledge the disclosure of the information above and the information indicated in the Annexes.

ANNEXES:

• 1) CV
• 2) List of offices of administration and control currently held in other companies
• 3) Privacy statement

Curriculum Vitae

Personal data

Name: Date of birth:

Julie B. Galbo February 18, 1971

Career

Current positions

• · Chair of the Board, Gro Capital, (April 2023 current)
• · Member of the Board, member of the Board Risk & Compliance and the Board Audit Committees of Commonwealth Bank of Australia (September 2021-current)
• · Chairperson of the Board, Trifork AG (November 2020 current)
• · Member of the Board, DNB Bank ASA, member of the Board Risk and the Board Audit Committees (June 2020 - current)
• · Senior Advisory, EU AML/CFT Global Facility, (May 2023 current)
• · External lecturer at the Board Academy, Board Leadership Society, Copenhagen Business School. (Bestyrelsesforeningen, CBS) (2020 - current)

Previous positions

• · Member of Advisory Board, Prometeia (July 2021 September 2023)
• · Member of the Board, Velliv, (March 2021 March 2023), member of the Board Audit Committee (March 2022 - March 2023)
• Chairpersonman of the Board, Fundamental Fondsmæglerselskab A/S (June 2020 August 2021)

Nordea

January 2019 - May 2019 Group Executive Management (GEM), Head of Group Business Risk Management

• · Launched the Credit Risk Infrastructure Programme in order to automate most credit risk processes and to enhance the data foundation for modelling and risk management purposes
• · Continued the AML build-up in order to achieve material compliance with legal requirements
• · Responsible for strengthening Nordea's capabilities within information security.
• · Group Executive Management participation; e.g. Financial Statements, Strategy, People Strategy, Supervisory Board participation.
• · Appx. 2500 employees

January 2017 - December 2018 Group Executive Management, Group Chief Risk Officer, Head of Group Risk Management and Control

· Responsible for rebuilding the risk control organization of approximately 500 employees by recruiting a mostly new management team, delayering the organization and repurposing the

organization in line with ECB requirements across all risk areas. Significantly improving Risk Appetite Framework, Risk Management Framework and risk reporting. Establishing Balance Sheet Risk Management function and stress testing capabilities. Reorganizing credit risk processes, participation in credit risk decisions including credit risk committees. Built Risk Models organization to address weaknesses in IRB, IMM and IMA models. Contributing to enhancement of capital management framework etc.

• · Leading the transition of Nordea into the Banking Union by redomiciliation of Nordea into Finland.
• · Approved as Group Chief Risk Officer of Nordea (global SIFI) by SSM
• · Group Executive Management participation; e.g. Financial Statements, Strategy, People Strategy, Supervisory Board interaction etc.

April 2015 - December 2016 Chair of Legal Structure Program, Head of Regulatory Change Management

• · Responsible for changing the legal structure of the Nordic banking entities in Nordea into one legal entity covering regulatory, company law and all operational and IT aspect of possibly the most complex and largest simultaneous cross border mergers ever within EU
• · Responsible for building organization with end-to-end responsibility for regulatory implementation across the Nordea Group and for managing interaction with supervisors across the Nordea Group

July 2014 - March 2015 Head of Alternatives & Manager Selection, Senior Executive Management, Nordea Asset Management

· Defining and implementing strategy for alternative investments, benchmarking and selection of external managers

Danish FSA

January 2010 - June 2014 Deputy Director General

• · Main responsibilities include strategy review, all legal affairs, international affairs, supervision of risks in financial institutions, markets, investment products, consumer protection and remuneration, appx. 80 FTEs
• · Main achievements include establishing liquidity supervision of banks, improving efficiency in UCITS and Markets departments, developing AIFM legislation and supervisory approach
• · Resolving more than 30 ailing banks under changing resolution regimes, various tasks supporting financial stability
• · Heading FSA involvement in Danish EU presidency, setting up organization and steering joint Ministry and FSA task force handling all negotiations of financial files
• · ESMA, Management Board, Board of Supervisors, Chair of Corporate Reporting Standing Committee
• · Public Interest Oversight Board, Member, appointed by European Commission

Ministry of Economics and Business Affairs

February 2009 - December 2009 Head of Division, State Capital Injections

· Managing Task Force for implementation of Act on State-Funded Capital Injections resulting in injections of 46 billion DKK in 43 credit institutions of structured hybrid contingent core capital including issuer conversion options

· Responsible for recruiting and managing 13 employees and coordination of financial and legal advisors, establishing methodology for credit risk categorization and valuation of credit institutions, setting out legal framework, and in tailoring loan terms and conditions to satisfy rating agency requirements and secure State exit opportunities.

Nordea

January 2008 - January 2009 Executive Advisor, Head of Management Support, Private Banking Denmark

· Responsible for strategy, budget and regulatory issues as part of Danish Private Banking Management Group, managing 2 employees.

August 2006 - December 2007 Project Manager, MiFID implementation, Markets

· Cross border, cross organizational change management project to meet new regulatory requirements. Sales processes, organizational setup, trading infrastructure, and renaulatory reporting in scope. Budget of 3.4 million EUR. Project staff during 2007 approve 60 PTF s.

August 2005 - July 2006 Chief Compliance Officer, Markets

· Hired to reestablish a Danish compliance function, Counsel to management regarding implementation of new legislation and business development due to structural changes.

Danish Financial Supervisory Authority

September 2003 Deputy Director, Markets Division

• · Supervision of the financial instruments markets in Denmark including on-site inspections of these markets
• · Danish and international legislative work pertaining to the Markets Abuse Directive, the Prospectus Directive, the Transparency Directive, the Take-over Directive and the Markets in Financial Instruments Directive (MiFID) and legal opinions pertaining to the Danish Securities Act and executive acts, including assessment of new financial products, new markets, prospectuses, take-overs, listing conditions etc.

March 1998 - August 2003 Deputy Financial Inspector, Markets, Banking and Mortgage Credit Divisions

• · On-site inspections of banks and savings banks, including analyzing credits and funds and assessing relevant contracts and documents. Revision of the processes for on-site inspections
• · Participated in negotiations of European Union directives including negotiation in ECB regarding financial stability, credit registers, interpretation of directives etc.

Other activities

• · Member of Centre for European Policy Studies' Task Force on long-term investing and retirement savings 2014
• · Member of Danish Government Committee on Causes for the Financial Crisis 2012-2013
• · Member of the Board, AIDA, Danish Chapter of Association Internationale Droit d'Assurance 2010-2015
• · Member of the Advisory Board of the Forum for Company Law and Financial Market Law, University of Copenhagen 2010-2015
• · Faculty, South East Asian Centralbank Education Network, (eg. general risk management and liquidity risk management/ILAAP,) 2016 - current
• · IACPM Advisory Council 2021 current

Education

1998: 2010: 2019:

Master of Law, University of Copenhagen Executive Management Programme, INSEAD/Business Kolding Board Leadership Masterclass 2019, Global Board Leadership Forum, Copenhagen Business School

Languages

Danish: Native English: Fluent Norwegian, Swedish: Fluent

1/2 20241

<-- PDF CHUNK SEPARATOR -->

ANNEX 2

LIST OF OFFICES OF ADMINISTRATION AND CONTROL CURRENTLY HELD IN OTHER COMPANIES

I the undersigned Julie B. Galbo declare the following current board affiliations:

• Chair of the Board of Trifork AG
• Chair of the Board of Gro Capital
• Member of the Board of Directors, member of Audit Committee and of Risk & Compliance Committee of Commonwealth Bank of Australia
• DNB Bank ASA, (*).

(*) With reference to DNB Bank ASA the mandate terminates in April 2024 and I will inform DNB that I'm not available for reelection.

Annex 3

Information notice on the processing of personal data by UniCredit

The following information notice aims at providing you with an overview on the use of your personal data by UniCredit S.p.A. and of your rights pursuant to the General Data Protection - Regulation (EU) 2016/679 (hereinafter also GDPR).

1. DATA CONTROLLER AND DATA PROTECTION OFFICER

The Data Controller is UniCredit S.p.A., with registered office in Milan, Piazza Gae Aulenti n. 3, Tower A, 20154 Milan (UniCredit).

The Data Protection Officer (DPO) can be contacted at:

UniCredit S.p.A. Data Protection Office, Piazza Gae Aulenti n. 1, Tower B, 20154 Milano, E-mail: Group.DPO@unicredit.eu, PEC: Group.DPO@pec.unicredit.eu.

2. PURPOSE AND LEGAL BASIS OF PROCESSING

UniCredit processes the personal data in its possession, that is collected directly from you, or from the relevant local administrations to verify, among others, their accuracy for the following purposes:

A. Need to fulfill legal obligations deriving from your candidacy as a Member of the UniCredit's Board of Directors.

These obligations imply, among others, verifying - both during the selection procedures and on an ongoing basis - the compliance: i) with the eligibility requirements for taking on and maintaining the role of Director as well as of specific positions (such as integrity requirements, criteria of correctness, professional experience requirements of specific positions (soch as mestiment, maximum number of offices covered, respect of the and compectice, moependente, wired by applicable law, by UniCredit's Articles of Association and by the promotion of internance Code (i.e. Codice di Corporate Governance) as well as with social security and fiscal obligations linked to the remuneration provided.

To comply with the above-mentioned obligations, in some cases, UniCredit is required to carry out analyses that ro compy with the above music and the reason, we kindly ask you to let them aware of this Information Notice.

These needs represented above are the legal basis legitimizing the related data processing. Data provided by you is necessary to comply with the obligations arising from your role of member of UniCredit's Board of Directors; your is needsbury to compty whichedit would not be in a position to establish a relationship with you or to comply with the law obligations.

B. Fulfilment of legal obligations and requests from Public and Supervisory Authorities, concerning the process, communication and/or disclosure - also during the selection procedures - on the website www.uniceditgroup.eu commonication and/or of ofsetsoore - enets (e.g. Prospectus / Corporate Governance Report, Financial Statements) of your data (such as data contained in your curriculum vitae and in the tasks carried out by you in other banks and commercial companies, as required by the applicable law, and according to the Articles of Association and the Corporate Governance Code).

The needs represented above are the legal basis legitimizing the related data processing. Data provided by rne hecessary to comply with the legal obligations, the requests from the Authorities, as well as to take on the role of member of the Board of Directors of UniCredit; without your personal data, UniCredit would not be in a position to establish a relationship with you or to comply with the law obligations.

3. CATEGORIES OF PERSONAL DATA PROCESSED

Unicredit processes personal data collected directly from you, or from third parties (e.g. relevant local onninistrations), which include, but are not limited to, personal data (e.g. name, surname, address, date and place of birth), banking data, information on the financial situation (e.g. patrimonial status, information on credit or orely, oationships), positions held and related income, employment relationships, commercial/professional relationships.

² The relatives scope is identified on the basis of the specific applicable regulations.

This information may concern existing or past relationships with UniCredit as well as with Group Legal Entities or third parties.

3.1 JUDICIAL DATA

UniCredit may process judicial data (i.e. personal data relating to criminal convictions and offences or related security measures, including information on pending proceedings) refering to you, in order to vierify the subjective and integity requirements and/or conditions that prevent from being appointed as member of the Board of Directors of UniCredit

In such cases, the processing is necessary to fulfill legal obligations as well as to comply with requests coming from Public or Supervisory Authorities (e.g. filling the questionnaire requested by the ECB). This need represents the legal basis that legitimizes the related data processing. Data provided by you is necessary to comply with the legal obligations; without your personal data, UniCredit would not be in a position to establish a relationship with you ot to comply with the law obligations.

RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA

Your data may be communicated to the natural and legal persons that are acting as "Data Processors", listed in the Unicedit premises and on the website www.unicredit.it, as well as -- in the quality of persons authorized to process personal data in relation to the data necessary for the performance of the duties they are assigned to – the paties a persons belonging to the following categories: employees of the Bank, seconded personnel, temporary workers, interns, consultants and the employees of the external companies appointed as Data Processors.

Your data may be communicated:

• to those subjects to whom this communication must be carried out in compliance with an obligation established by law (e.g. Bank of Italy and ECB), by a regulation or by EU legislation. Forther information can be found on the website www.unicredit.it in the "Privacy" section;
• . to Legal Entities belonging to the UniCredit Group (also foreign Legal Entities), subsidiaries or associates under the terms of article 2359 of the Italian Civil Code, when such communication is permitted on the basis of a Garante per la Protezione dei Dati Personali's measure or by a law provision.

The detailed list of subjects to whom the data can be communicated is available on the website www.unicredit.it, in the "Privacy" section.

5. DATA TRANSFER TO THIRD COUNTRIES

Unicredit informs you that your personal data may also be transferred to the Countries outside the European Union or the European Economic Area (so called "Third Countries") if the EU Commission states that the Third County ensures an adequate level of protection of personal data or in case of other appropriate safeguards, nemely when he supplier of UniCredit located in the Third Country contractually ensures an appropriate level of personal dra protection (e.g. through the standard contractual clauses provided by the European Commission), including enforceable and effective data subject rights. Further information can be requested by writing to Group.DPO@unicredit.eu.

6. DATA PROCESSING MODALITIES

The processing of personal data involves the usage of manual and IT instruments with modalities closely connected with the purposes defined above and, in any case, in such a way to guarantee the security and confidentiality of the data.

7. DATA SUBJECT' RIGHTS

GDPR grants and assures specific rights, including the right to know what data concerning you are held by UniCredit, as well as how they are used, and the right to obtain, under certain conditions, the copy, the erasure, the update, the rectification or, if interested, the integration of your data, as well as the right to data portability.

7.1 DATA RETENTION PERIOD AND RIGHT TO ERASURE

Unicredit processes and stores your personal data for all the time you keep the role of Director, to execute the related and connected obligations, to comply with the applicable legal, contractual and regulatory obligations as well as for its own defensive purposes or third parties until the expiration of the longest mandatory retention

period provided by the applicable law (i.e. 11 years) starting from the elate of termination of the elationship with period provided of the uppliadors your personal data even after the expiry of the employment relationship when your onleases and stores your for historical research purposes, according, to the methods set out in the "Ethical rules of processing for archiving purposes in the public interest or historical research"3.

At the end of the applicable mandatory retention period, your personal data will be erased or kept in a form which At the end of the upptication (e.g. irreversible anonymization), unless the further processing is necessary for one or more of the following purposes: i) for resolution of pre-litigation, startet before the one of the mandatory retention period; ii) to follow up with investigations/inspections by intenal control ill) to follow up expiration of the manutery recention of the expiration of the mandator retention period, illi, to fillow up roliticions and/or excension octiontes, series oblic Authorities, received/notified to UniCredit before the expiration of the mandatory retention period.

8. PROCEDURE TO EXERCISE THE RIGHTS

The e-mail address which you can refer to for the exercise of your rights described in the paragraph 7 is the following one: corporate.law@pec.unicredit.eu.

The deadline for the reply is one (1) month, that may be extended for two (2) further months in cases of particular me beadline for the repy is one informs you about such extension within one (1) month from the receipt of the request.

The exercise of rights is, in principle, free of charge.

9. COMPLAINT OR REPORTING TO THE "GARANTE PER LA PROTEZIONE DEI DATI PERSONALI"

UniCredit informs you that you have the right to lodge a complaint with, or to report to the Garante per la Protezione onicleon morns you the you nove the ludicial Authority. The contacts of the Garante per la Protezione dei Dati Personali can be consulted on the website http://www.garanteprivacy.it.

³ Record of the provisions 19 December 2018, n. 513

UniCredit S.p.A. Joint stock company - Registered Office and Head Office: Piazza Gae Aulenti, 3 Tower A, 20154 Milan, Italy - Registered in the Register of Banking Groups and Parent Company of the UniCredit Group, with code 02008.1; ABI code 02008.1 - Fiscal Code, VAT number and Registration number with the Company Register of Milan-Monza-Brianza-Lodi: 00348170101 - Member of the National Interbank Deposit Guarantee Fund and the National Compensation Fund - Stamp duty paid virtually, if due - Auth. Agenzia delle Entrate, Ufficio di Roma 1, no. 143106/07 of 21.12.2007.