Privacy Dutch

Privacy notice for suppliers, service providers, consultants, investors and other business partners of OEP Master B.V.

For OEP Master B.V. (hereinafter "OEP") the protection of your personal data and your privacy is an important concern. The purpose of this privacy notice is to inform you which personal data of our suppliers, service providers, consultants, investors and other (potential) business partners or their contact persons (hereinafter collectively "business partners") we process and which rights you are entitled to in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) with regard to the processing of your personal data.

1. Responsibility for the processing of personal data

OEP Master B.V., 2 Amsterdam – Eduard van Beinumstraat 30, 1077 CZ Amsterdam, Netherlands, is the controller for the processing of your personal data for the purposes set out under section 3.

2. Personal data processed

We process the following categories of personal data of our business partners:

• Professional contact and organisational data (e.g. name, title, business address, business telephone number and email address, job title/position, bank details if necessary);
• Communications data (content and traffic data, particularly emails);
• Further information that is required to comply with ‘know your customer’ (KYC) and anti-money laundering obligations (e.g. passport/ID copies, AML letters, information provided in KYC questionnaires);
• Information on criminal convictions and offences of co-investors who invest or are contemplating an investment in the Dutch OEP funds or portfolio companies of the Dutch OEP funds, if this is allowed or required under applicable data privacy laws;
• Information that is contained in contracts, communication and other documentation relating to M&A transactions, investments and other deals which we obtain in the course of such deals, in particular about persons related to the relevant target company and its business dealings or who are otherwise involved in such deal, e.g. employees or business partners (e.g. share/asset purchase agreements with names, signatures, dates of birth, residential addresses and tax identification numbers of the parties’ representatives);
• Other information that you provide to us or that we become aware of in the course of our business relationship and communications.

3. Purposes of the processing

We process your personal data for the following purposes:

• Managing the receipt of goods (e.g. IT equipment and consumables) and services (e.g. consultancy services);
• Management, optimisation and processing of our business relationships (including the performance of our contracts) with our business partners as well as the initiation or establishment of new business relations;
• Management of operations of OEP's portfolio companies, including reporting to investors and organising board meetings and shareholder meetings;
• Prevention and investigation of fraud or other criminal activities;
• Verifying investors’ identities, including for background checks, anti-money laundering and ‘know your customer’ checks, reports and disclosures, and due diligence;
• Security of our IT systems, architecture and networks;
• Compliance with legal obligations of OEP and other companies of the OEP Group (including compliance with orders of public authorities) as well as for legal and tax advice.

4. Legal basis of the processing

We process your personal data on the basis of the following legal grounds:

• for the performance of the contract concluded with you or in order to take steps at your request prior to entering into a contract (Article 6 para. 1 lit. b GDPR);
• to comply with legal obligations to which we are subject (e.g. to comply with tax and anti-money laundering obligations; Article 6 para. 1 lit. c GDPR); and
• to the extent the processing is necessary for the purposes of legitimate interests pursued by us or a third party and these interests are not overridden by your interests or fundamental rights and freedoms (Article 6 para. 1 lit. f GDPR), in particular to enable cooperation with other companies within the OEP Group, to maintain and safeguard business operations and company processes, to protect OEP and our employees, to perform contracts with a business partner with whom you are employed, to operate and administer our portfolio companies and other investments, to improve our services and identify new ways to develop and grow our business, and to establish, exercise or defend legal claims.

**5. Recipients of the personal data

We will transfer your personal data to the following categories of recipients and grant them access to the extent necessary in each case and, where necessary, on the basis of a data processing agreement concluded between us and the recipient:

• Employees of OEP;
• Other companies of the OEP Group;
• Technical service providers (particularly IT system providers and cloud service providers);
• Legal and tax consulting firms;
• Courts and other public authorities;
• Third parties in the event of any contemplated or actual reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or part of the business or assets of OEP (including any insolvency or similar proceedings), if applicable; and
• Other third parties and service providers, to the extent this is necessary in individual cases.

6. Place of processing of personal data

Your personal data will be processed within the European Union ("EU") and the European Economic Area ("EEA") as well as outside the EU/EEA in so-called third countries by the parties specified in section 5, in particular by service providers in the UK and the USA. In doing so, we take into account contractual confidentiality and non
disclosure obligations as well as the applicable data protection laws. We will not disclose your personal data to parties who are not authorized to process them.
Please note that there may be differences with regard to the applicable data protection laws between the respective member states of the EU/EEA and all other countries. The level of protection of personal data, especially when processed outside the EU/EEA, may therefore be lower than within the Netherlands. If processing takes place outside the EU or EEA, we will ensure that the recipient of your personal data guarantees an adequate level of protection (in particular by concluding the so-called EU standard contractual clauses and, if necessary, by implementing additional protective measures).

7. Data sources

We process personal data that we have received in the course of our business relationship from you, the company that employs you, other business partners or third parties, or from publicly accessible sources.

8. Retention periods

We store your personal data only as long as it is necessary for the purpose pursued with the respective processing and as long as we are legally obliged to store it (e.g. due to retention obligations under commercial or tax law).

9. Rights of the data subject

Under the applicable data protection laws and provided that the relevant statutory prerequisites are met, you as a data subject have various rights against any controller, e.g. a right to request from us access to your personal data. Furthermore, these rights may include a right to rectification, erasure or restriction of processing as well as the right to data portability.

**Where we process your data on the basis of the legitimate interests of OEP or a third party, you have the right to object to such processing on grounds relating to your particular situation at any time. In this case, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

You can exercise these rights by sending a request to Dunja Mauser, who can be contacted by email at dunja.mauser@oneequity.com.

Furthermore, you have the right to lodge a complaint about the processing of your personal data with the competent data protection authority.