Europe-Asia Investment Bank Limited (“EAIBank”, “the Bank” or “We”) values the confidentiality and security of personal information and is committed to protecting the personal information and privacy of clients and other relevant information agents (collectively referred to as “Information Agent” or “You”) as per laws. Hence we have prepared this Personal Information and Privacy Policy (“the Policy”) to help you understand the purpose, method and scope of our collection and utilization of personal information, our practices on personal information and privacy protection, your rights and interests in personal information and privacy, and your ways of rights and interests protection.

The Policy applies to the personal information about you and relevant parties involved in accessing, browsing, using our website, applying for or using our products or services, conducting business in the Bank or transactions with us, participating in our marketing activities, questionnaire surveys, and communicating with us in any way, either provided by you or relevant parties, or collected or obtained from other sources by us in accordance with laws, regulations, stipulations, or authorizations/consents by either you or relevant parties.

We will collect, use, store, disclose, and protect the personal information of you and relevant parties in accordance with the Policy. If the terms and conditions of a separate agreement or protocol between you, or the relevant parties you represent or are relevant to, and us are inconsistent with the Policy, such special agreement or protocol shall prevail.

I.The way we protect your personal information

1. Information security is our primary concern. Therefore, we will endeavor to ensure that your personal information shall not be obtained, processed or damaged by unauthorized or accidental access to it at any time. We shall take appropriate physical, electronic and administrative measures to protect your personal information so as to fulfill our commitment toward information security. If your information should be subject to unauthorized access, public disclosure, alteration or destroy due to our reasons, resulting in damage to your legitimate rights and interests, we shall bear the corresponding legal responsibility and liability according to law.

2. Our website security area supports the secure sockets layer protocol and the 128-bit encryption technology which is the current industry standard for data security protection on the Internet. When you provide sensitive personal information via our website, the information will be automatically encrypted for subsequent secure transmission. Our website servers are protected by firewalls and our systems are under surveillance in case of any unauthorized access.

3. We have strict security systems to prevent any unauthorized person from accessing your information. We execute strict control over employees who may have access to your information, including but not limited to different authority controls for different positions, agreements on confidentiality obligations with relevant employees, development and implementation of rules and regulations on information confidentiality and security, and provision of relevant training.

4. We shall never disclose your personal information to any third party unless in compliance with laws, regulations or regulatory provisions or unless it is stipulated by the Policy, other corresponding separate agreements (if any), or on the basis of other explicit consents or authorizations from you or relevant parties. When services by external facilitating agencies/persons should be needed, we also agree with them upon strict confidentiality obligations to process personal information in close compliance with our privacy policy and security standard.

5. You share the equally important responsibility as we do for your information security. You should appropriately keep your personal information, including your bank account information, authentication information (such as user name, password and verification code), and the files, devices or other media that may relate to or record such information, and should use such information and relevant documents only in a safe and secure environment. At no time, you shall disclose such information or relevant documents to any one or authorize any one to use them. If you believe that your personal information and/or relevant documents have been disclosed, lost or stolen, or under other conditions that may affect your safe utilization of our products or services, you shall immediately notify us so as to take appropriate measures and to prevent the further losses.

6. If there should be an unfortunate personal information security incident, we will launch an emergency scheme and take corresponding handling and remedial measures to prevent the incident from escalation and prevent the loss from expansion. Meanwhile, we will notify you, as per laws and regulations, the basic circumstances and possible impact of the security incident, the measures we have been taking or about to take, the recommendations that you can take to mitigate those risks by yourself, and the applicable remedial measures. We will keep you informed of the incident via email, letter, phone, text message, notification or other appropriate ways. If it is difficult to inform the subject of personal information one by one, we will make an announcement via a reasonable and effective channel. Simultaneously, we will report the personal information security incident and its countermeasures to the regulatory authorities as per laws, regulations and regulatory requirements.

II.The way we collect your personal information

1. In order to provide you or relevant parties with various products and services, to contact and to communicate with you for understanding the needs of you or of relevant parties so as to improve the quality of products and services, to establish, to review and to maintain our relationships with you or relevant parties as per laws, regulations and regulatory requirements, we will receive or retain the personal information pro-actively offered by you or relevant parties; or we may also collect, query and verify the personal information of you and relevant parties from third parties (including but not limited to credit information services, information service providers, relevant authorities, employers, counter parties, co-applicants, contacts, close relatives and other agencies/persons) in an appropriate manner as per laws, regulations, regulatory requirements or the authorizations or consents by you or relevant parties.

2. The personal information collected by us may be electronic or in any other formats.

3. When you apply for or have already become an individual customer of the Bank, we will collect your personal information as following based on your authorization or consent so as to provide you with our products/services and to handle relevant corresponding banking businesses for you:

(1) The information on personal identity, including personal name, gender, nationality, citizenship, the type, number and expiry date of identity certificate, occupation, telephone number, email address, contact information, age, date of birth, place of birth, family background, family address, company address, photos, social insurance information, personal virtual identification and its identification information (e.g. online banking account), and whether you are relevant to political leaders or senior managers of international organizations and the information on such relationship;

(2) The information on personal properties, including personal income status, actual beneficiary status, real estate status, movable properties (vehicles, financial assets and other properties) status, liability status, investment status, tax payment, tax resident status, taxpayer identification number, etc.;

(3) The information on personal images, such as electronic photos, audio recordings and videos;

(4) The information on personal account, including account number, opening time of account, opening bank, account balance, account transactions, etc.;

(5) The information on personal financial transactions, including the transaction information retained during any investment, payment, settlement or other banking businesses, the transaction information arising from those business relations with insurance companies, securities firms, fund companies, futures companies, payment institutions and other third-party institutions via us and other transaction information;

(6) Personal trading or risk appetite, risk tolerance, investment intentions, investment objectives, investment knowledge and investment experience;

(7) Other information obtained during establishing and maintaining our business relationships so as to fulfill the contractual, legal and regulatory compliance obligations, such as the time and the venue (including the specific locations and network addresses) that you make transactions and use services; your correspondence and other communications with us (including audio and video records, call records, correspondence records and those specific contents); the model, identifier, serial number of hardware, operating system, software version number, IP addresses and network service providers of devices you have used.

The above information is necessary for us to provide you with products or services, to fulfill our agreements entered with you, and to enable us to perform our legal liability and regulatory compliance obligation. If you should fail to provide the required information (or if the information provided by you should be incomplete, inaccurate or inauthentic), we will be unable to provide you with those corresponding products or services.

4. When you are an affiliated person of a non-individual client or applicant of the Bank (for the purposes of the Policy, the affiliated person means any person who has a relationship with a non-individual client or applicant, including but not limited to, any company director, supervisor, employee, partner or partnership member of a partnership organization, shareholder, any principal owner, controller, beneficial owner, trustee, principal or guarantor of a trust, designated account holder, designated payee, any representative, agent or designated person of account holder, the principal of account holder (when he or she acts as an agent)), we will collect your personal information as following according to the authorization or consent by you or the relevant client:

(1) The information on personal identity, including personal name, gender, nationality, the type, number and expiry date of identity certificate, working unit, duty, your relationship with the relevant client (such as tenure, shareholding and investment relationships), telephone number, email address, contact information, date of birth, place of birth, home address, company address, photos of company, personal virtual identification and its identification information (e.g., the login credentials to access the corporate banking website and its application), and whether you are relevant to political leaders or senior managers of international organizations and the information on such relationship;

(2) The information on personal images, such as electronic photos, audio recordings and videos;

(3) The information on personal credit, including the sources of personal properties and funding, the information on litigation, investigations and penalty, and other information reflecting your personal credit status;

(4) The personal information concerning the relevant client investigations, such as the personal information needed for the customer due diligence, and the sanction and anti-money laundering investigation;

(5) Other information obtained during the establishment and maintenance of business relationships so as to fulfill the contractual, legal and regulatory compliance obligations; for example, the personal information contained in customer files; the personal information needed for discovering and investigating any suspicious or unusual activities; correspondence and other communications with us (audio and video records, call records, correspondence records and those specific contents); the model, identifier, serial number of hardware, operating system, software version number, IP addresses and network service providers of devices you have used.

The above information is necessary for us to provide the relevant client with products or services, to fulfill our agreements entered with you or the relevant client, and to enable us to perform our legal liability and regulatory compliance obligation. If you refuse to provide the aforesaid information (or if the information provided by you should be incomplete, inaccurate or inauthentic), we will be unable to provide you or the relevant client with those corresponding products or services, or handle those relevant businesses.

5. Please understand that those services we provide for you are under constant update and development. If you choose to use other services not covered in the aforesaid description, and your information needs to be collected based on the service, we will inform you of the purpose, manner and scope of the information collected via prompt, notification, interaction process, protocol, agreement or other appropriate channels, and act upon your consent. We will use, store, provide and protect your information as per the Policy and a separate agreement (if any); if you choose to withhold the relevant information, you may be unable to use a certain service or part of services. Nevertheless, it shall not affect your use of other services provided by us.

III.The way we use your personal information

1. When you apply for, or have become a personal client of the Bank, or an affiliated person of non-personal client of the Bank, we will use your information for the following purposes:

(1) Provide you or relevant parties with products or services; identify and verify your or relevant parties’ identity(ies); approve, manage, handle, execute or fulfill any transaction required or authorized by you or relevant parties;

(2) Comply with the requirements of any applicable norms, and execute the orders of any applicable authorities;

(3) Fulfill the compliance responsibilities of the Bank (including regulatory compliance, taxation compliance and compliance obligations under any applicable norms or requested by any applicable authorities), or implement the policies and procedures formulated by the Bank for the performance of compliance responsibility;

(4) Safeguard the security and stability of financial services, prevent or prohibit illegal or rule-violating activities, control or reduce risks; detect, investigate and prevent any real, suspected or potential financial criminal activities (including money laundering, terrorist financing, bribery, embezzlement, tax evasion, fraud, escaping from the economic or trading sanctions and/or any act or attempt to circumvent or violate any applicable norm in respect of such matters), and manage the financial crime risks;

(5) Collect any debts from defaulters;

(6) Exercise or defend the right of the Bank, and fulfill the obligation of the Bank;

(7) Meet the reasonable operating requirements of the Bank (including the credit and risk management, statistics, analysis, processing, handling, archiving and backup, the design, research, development and improvement of systems, products and services, planning, insurance, audit and management);

(8) Promote relevant products or services to you or relevant parties, evaluate your or relevant parties’ interests in those relevant products or services, and conduct market and satisfaction surveys based on the authorization by you or relevant parties;

(9) Access or use management, consultation, telecommunication, computer, payment, data storage/processing, outsourcing and/or other third-party services.

2. The aforesaid contents on information collection and utilization in the Policy shall not affect our utilization of your information for the purposes separately and specifically agreed between you and us.

IV.The way we store your personal information

When collecting or processing your information, we will store your information for the shortest time period necessary for meeting the information collection purpose and utilization according to laws, regulations, regulatory requirements, filing, accounting, auditing, reporting requirements and the purposes and uses described in the Policy. We will destroy, delete or anonymize the relevant information at the expiry date of the corresponding retention period. However, according to laws, regulations, regulatory requirements, filing, accounting, auditing, reporting requirements and the specific agreement between you and us, we may provide records to you, regulatory authorities and other relevant authorities so as to clear up the credit and debt relationship between you and us. Therefore, the information for those purposes shall be retained.

V.To whom we may disclose your personal information

1.Commissioned Processing and Sharing

(1) For the aforesaid purposes and uses in the Policy, we will provide and disclose some or all of your personal information to the following recipients (who may also use, process and disclose such information for the above-mentioned purposes and uses, provided that appropriate protective measures have been taken as per laws or our requirements), provided that necessary and appropriate protective measures have been taken (see section I of the Policy, “The way we protect your personal information”):Relevant contractors, subcontractors, agencies, service or product suppliers, licensors, professional consultants, business partners or affiliated persons of EAIBank;

(2) Any regulatory institutions or other authorities of the Bank, or any institute or person designated thereby;

(3) Any person authorized by you to act on your behalf as per laws, the payee, beneficiary, account nominee, intermediary bank, correspondent bank and agency bank (for example, the correspondent and agency banks in CHAPS, BACS and SWIFT systems), clearing house, clearing or settlement system, market counter party or any person making payment to you;

(4) Any person or relevant party who has rights or obligations, receives benefits or bears risks in respect of any of our products and services received by you, any business handled in the Bank or any transaction with us;

(5) Other financial institutes, industry associations, banknets, credit rating agencies, credit information services and information service providers;

(6) Third parties receiving intermediary agency businesses and services from the Bank;

(7) Any party concerning the transfer, reorganization, disposal (including asset securitization), merger, division or acquisition of business/asset in the Bank.

If and only if the aforesaid recipient involves overseas institutions/persons, such provision and disclosure may involve the cross-border personal information transmission, including the transmission to or the access from an overseas location. Your personal information, whether processed domestically or overseas, will be protected by the confidentiality and security standards abiding by the Bank, EAIBank, its employees and third parties according to applicable personal information or data protection laws.

2.Transfer

We shall never transfer your personal information to any company, organization or person unless it is upon your express consent or involves any of our business/asset transfer, reorganization, disposal (including asset securitization), merger, separation and acquisition when a transfer is required. If the personal information transfer is involved, we will require the new company, organization or person holding your personal information to continue to be subject to the Policy. Otherwise, we shall request the company, organization or person to ask for your authorization and consent again.

3.Public disclosure

We will not publicly disclose your personal information unless it is under your express consent. If the disclosure is necessary, we will notify you of the purpose of the public disclosure, the type of information to be disclosed publicly and the sensitive information that may be concerned.

VI.The special situations for collection, use and disclosure of information

We may collect, use and disclose your personal information without your consent in the following circumstances to the extent permitted by laws and regulations:

(1)Situations that directly concern national security and national defense security;

(2)Situations that directly concern public safety, public health and crucial public interests;

(3) Situations that directly concern criminal investigation, prosecution, judgment and execution of sentences;

(4) Situations that are necessary and urgent to safeguard the life, property and other major legal rights and interests of you or other individuals but are difficult to obtain your authorization and consent;

(5) The relevant information is disclosed publicly by yourself;

(6) Information acquired via legitimate public channels, such as legitimate news reports, and information disclosure by government or other competent authorities;

(7) Situations that are necessary to fulfill the obligations by laws and regulations, or of financial regulatory compliance;

(8) Situations that are necessary for signing and performing the contract according to your requirements.

VII.Your rights regarding the personal information

1. You have the right to require us to protect the security of your personal information as per laws, regulations and the Policy.

2. You have the right to inquire with us if we hold your personal information and to access the personal information provided by you.

3. You have the right and obligation to ensure that relevant information is accurate and up to date by promptly updating your personal information in the Bank. You have the right to require us to facilitate your personal information update and to correct any inaccurate information about you.

4. When it comes to personal credit or guarantee, you have the right to ask for your personal information we disclose to the credit information services so that you can assert a claim to the relevant credit information services for information check and correction.

5. You have the right to require us to delete or otherwise properly handle your personal information beyond the retention period as per laws, regulations, the Policy and the agreement between you and us.

6. The way to contact us

You can assert a claim to us for accessing, correcting and deleting your personal information, revoking your authorization, handling your personal information beyond the retention period, or requesting the privacy policy text so as to understand our practices on personal information and privacy protection through the contact information below:

Company Name: Europe-Asia Investment Bank Limited

Address: Unit 5(J), Main Office Tower, Financial Park Complex Labuan, Jalan Merdeka, 87000 Federal Territory of Labuan

We will respond within at most 15 working days upon receipt of your request, or within a shorter time period stipulated by laws and regulations (if applicable).

You will not be charged for the aforesaid access, correction or other reasonable requests for handling your personal information.

Notwithstanding the aforesaid agreement, we may reject those illegal, rule-violating, unreasonably recurring requests or requests that are beyond reasonable limits or are technically impractical. We may not be able to respond to your request for legal and regulatory reasons under the following situations:

(1)Situations that directly concern national security and national defense security;

(2)Situations that directly concern public safety, public health and crucial public interests;

(3) Situations that directly concern criminal investigation, prosecution, judgment and execution of sentences;

(4) There are ample evidences to show that you have subjective malice or abuse of rights;

(5) It will cause serious damage to the legitimate rights and interests of you, other individuals or organizations if we respond to your request;

(6) Situations that concern commercial secrets.

7. We will not send the marketing message directly to you unless we have obtained your prior consent. If you do not want us to use your personal information or provide your personal information to other persons for advertising and promotional purposes, you shall have the right to exercise your option by notifying us and refusing to receive such advertisement and promotion. If you choose to reject such advertisement and promotion, please send us an email (vip@eaibbank.com). We will take corresponding measures as soon as possible upon receiving your request (no later than 30 days after receiving your request in general) to make sure that no further promotional messages shall be sent to you.

8. You have the right to supervise or offer recommendations on our practices in terms of personal information and privacy protection, and to lodge a complaint or claim against us or our employees for any infringement of your rights and interests concerning your personal information and privacy.

9. If you have any question, complaint, feedback, comment or suggestion, please send us an e-mail. You can also access our official website at www.eaibbank.com or send us an email (vip@eaibbank.com).

10. The Policy shall not limit your rights under laws as the subject of personal information.

VIII. Protection on juvenile personal information

1. We pay special attention to the protection on juvenile personal information. We have no intension to collect any juvenile personal information unless we have obtained the consent of their parents or guardians and the information is necessary for us to provide the relevant products or services them (for example, the juvenile shall be the right successors of our clients).

2. If you are under 18 years old, we recommend that your parents or guardian shall read the Policy carefully and then you can submit any of your personal information after the consent of your parents or guardian. Besides, we also recommend that you shall use any of our products and services under instruction of your parents or guardians. If your parents or guardians do not agree with your submission of your personal information or of you using any of our products and services, please immediately terminate your information submission or stop using our products and services, and then notify us of the situation as soon as possible so that we can take appropriate actions.

3. If you are under 18 years old, for your personal information collected by us upon the consent of your parents or guardians, we will only use and disclose it upon the permission by laws and regulations and the express consent of your parents or guardians, or under conditions that are necessary for the juvenile rights and interests protection.

VIII.Formulation, effectiveness, renewal and other matters on the Policy

1. We formulate and publish the Policy on our official website. The Policy shall come into effect on the date of publishing. The Policy may be modified and updated from time to time, especially following significant changes as below:

(1) Our service model has seen significant changes, such as the purpose and the type to process personal information, and the way to use personal information.

(2) We have seen significant changes in our ownership structure, organizational framework and other aspects; for example, the change of ownership due to business adjustment, bankruptcy, merger and acquisition, etc.

(3) Main objects to whom our personal information is offered, transferred or disclosed publicly have been changed;

(4) Your rights to participate in the processing of personal information and the way to exercise those rights have seen significant changes;

(5) Our contact ways for handling personal information and those complaint channels have changed;

(6) There are other changes that may significantly impact your rights and interests in personal information.

We will publish those changes or updates to the Policy on the official website via pop-up or in the form of announcement. Changes to the Policy shall not reduce or limit your rights under laws as the subject of personal information.

2. If you provide us with the personal information of another person, you shall ensure that he/she has been aware of the Policy, and shall specifically inform him/her of the way we will use his/her information. You can recommend him/her to read the Policy or provide him/her with a copy of the Policy.