Nordea Asset Management 1 December 2023

Nordea Asset Management Data Privacy Policy

Nordea Asset Management is fully committed to protecting your individual rights and keeping your personal data safe. This Privacy Policy Is meant to help you understand what personal data we collect about you, why we collect it our storing and sharing practices, how the personal data are protected and what your privacy rights are.

In addition to this Privacy Policy, you can read more details about setting and use of cookies by visiting the Cookies Policy in the footer of our webpages.

Nordea Asset Management (“NAM”) is the functional name of the asset management business owned by NAM Holding and conducted by the legal entities Nordea Investment Funds S.A. and Nordea Investment Management AB and their branches, subsidiaries and representative offices. When we write “we”, “us” or “our” in this Privacy Policy, we mean NAM and each direct or indirect subsidiaries/branches of NAM.

The entity that you contract with is the controller of your personal data. A list of data controllers in NAM is available in section 9 of this Privacy Policy

We process individuals’ personal data for a number of reasons in line with all applicable privacy and data protection laws. In this Privacy Policy, when we write «you», we mean you as an individuals whose personal data is processed by NAM, including a (potential) customer, customer’s employee, officers, agents or representative. It can also mean other relevant parties, such as beneficial owners, authorised representatives and managers, beneficiaries, shareholders and associated parties.

This Privacy Policy covers the following areas:

1. What personal data do we collect?

Personal data is information relating to an individual, which can be used either alone or with other sources of information to identify that individual.

In most cases we collect personal data directly from you or it’s generated as part of the use of our services, products and channels, including mobile applications. Sometimes additional information is required to keep information up to date or to verify the information we collect. In some cases we also collect and process personal data about individuals associated with you, for example employees, beneficial owners, board members, signatories, legal representatives and persons who are in contact with NAM in respect of trading transactions, and other individuals with whom we interact and collaborate with.

1.1 The types of personal data we collect

The categories of personal data that we collect and use are listed below. We have provided examples of the types of personal data that fall within each category. Please note that the list of examples is not exhaustive. The type of personal data that we collect from you will depend on the service or the product we are providing to you as a customer.

Identity and contact information such as name, e-mail address, address, phone number, correspondence/meeting preferences, country of residence and tax residences, citizenship/nationality, date of birth, gender, languages spoken, unique government identifier, including national identification number, passport number, ID copy, photography, place of birth, preferred salutation.

Sensitive personal data such as indirect political opinions for political exposed persons (PEP’s) as part of anti-money laundering documentation

Third party details such authorised representatives, name, details of beneficiaries, external advisors.

Details of Nordea internal identifiers such as account linkage, customer number, details of contract between Nordea entities, intermediaries and individuals, hashed identifiers, relationship manager.

Regulatory data such as individual and family details for anti-money laundering, politically exposed person checks, and prevention of insider trading, compliance approval status, and conflict of interest disclosure.

Marketing and communications data:marketing and communication preferences.

Monitoring data such as call recordings and CCTV, to the extent permitted by applicable law.

Financial details such as credit rating, documentation on supporting investor status, employment status, financial history, bank account details, investment preferences, restrictions and objectives, investor status/classification, net worth & estimated income, professional and academic background, risk profiles, tax codes/classification identification numbers, third party account details/custody

Transaction details such as intermediary and industry identification numbers, investment details, payee/investee details, product details, transaction details and identification numbers

Technical data such as name of version of the OS, processor model, language on mobile phone/tablets. Other data which might be collected via cookies, please visit the Cookies Policy in the footer of our webpages.

1.2 The sources from which we gather your personal data

From you

We collect information you provide directly to us. For example, when becoming a representative or contact of a customer or collaboration partner, we collect personal data, such as name, e-mail address and phone number. For most individuals, work as opposed to private contact information is the only contact information we collect or process.

We collect national identification number, other identity information, regulatory data and third party details for verification and compliance purposes. Some financial details and transaction details we collect for compliance purposes and others in order to provide you with our services and products and validate performance.

We also collect information which you provide to us, such as messages you have sent us as feedback, a request in our digital channels or use our applicable form.

From third parties

To be able to offer you our products and services and to comply with statutory requirements, we collect personal data from third parties, such as publicly available and other external sources. For example, to fulfil legal requirements for anti-money laundry and prevention of financial crime we may collect information in registers held by governmental agencies (tax authorities, company registration offices, enforcement authorities), sanction lists (held by international organisations such as the EU and UN), registers held by other commercial information providers providing information on e.g. beneficial owners and politically exposed persons.

We also collect information from other entities within NAM, the Nordea Group or other entities which we collaborate with.

1.3 Recording of telephone conversations, online meetings and storage of chat conversations

To the extent permitted by applicable law, we record and log telephone calls and chat conversations for documentation of customer request, verification of orders, security and fraud management purposes and to fulfil legal requirements. For example, online meetings, telephone and chat conversations may be stored to document what happened and was said during the conversation, including any agreements entered into. Moreover, we record conversations that lead or may lead to securities transactions.

1.4 Video surveillance

For security purposes, including crime prevention, we may have cameras in our offices. In NAM premises, camera surveillance is used as part of our security work. Areas that are under camera surveillance are marked with signs. The purpose of camera surveillance is to prevent and investigate crime and increase security for customers and employees. It is necessary for the legitimate interest in preventing and investigating crime. In case of suspicion of a crime, we process personal data so that legal claims can be established, asserted or defended. Recorded material can be shared with authorities if it is necessary for criminal investigation.

2. How do we use your personal data and what is the lawful basis for doing so?

We use and process your personal data to comply with legal obligations and purposes described below

2.1 Necessary to perform an agreement with you

One reason we process personal data is to collect and verify the data prior to giving an offer and entering into a contract with you. We also process personal data to document and complete tasks in order to fulfil our contractual obligations towards you, e.g. to provide and administer our products and services to you.

Examples of activities necessary to perform an agreement with you:

• Collecting information needed to verify your identify in order to provide you with our products and services

• Collecting your contact information to provide you with customer service during the contract period, including customer care and customer administration and communication with you

2.2 Legal requirements

We mainly process personal data to fulfil obligations under law, regulations or authority decisions in the countries where our offices are located.

Examples of processing due to legal obligations:

• Know Your Customer requirements Preventing, detecting, and investigating money laundering, terrorist financing, and fraud Sanctions screening

• Bookkeeping regulation

• Reporting to tax authorities, police authorities, enforcements authorities, supervisory authorities

• Creating and maintaining legal contracts, fund documentation and corporate governance related documentation

• Other obligations related to service or product specific legislations, for example securities or funds

2.3 Legitimate interest

We use your personal data where necessary to further our legitimate interests, as long as those legitimate interest are not overridden by your interests or fundamental rights and freedoms.

Examples of our processing based on legitimate interests:

• Relationship and vendor management. We collect and use personal data for ongoing oversight, management of the relationship and interaction with you.

• Compliance with legal obligations under e.g. financial and tax regulation. For example we may collect and use your contact details when processing invoices for your company

• Portfolio decisions. We use personal data when documenting that portfolio decisions (e.g. redemptions, subscriptions or investment guidelines) are implemented on behalf of the correct customers

• Investment decision. As part of making investment decisions we process personal data such as contact information, when collecting research from you as an external brokers

• Corporate actions. When managing, implementing and maintaining corporate actions we process personal data with the purpose of instructing the custodians

• Security trading. We process personal data for the purpose of trading and settling security trading.

• System testing. In a limited number of cases we may use personal data for system testing and development. The testing process is by design limited to key identifiers necessary to perform the testing and all other directly or indirectly identifiable personal information are masked.

2.4 Consent

There may be situations where we will ask for your consent to process your personal data. Information about the purpose, processing activity, types of personal data and your right to withdraw your consent will be provided when you are asked to give NAM your consent. If you have given consent to processing of your personal data you can always withdraw the consent at any given time.

3. Who do we disclose your personal data to?

Your personal data can be shared with others to the extent we are under statutory obligation to do so and to fulfil services and agreements we have with you. We may share your personal data with others such as public authorities, NAM entities, Nordea Group companies, suppliers, service providers and business partners. Before sharing, we will always ensure that we respect relevant financial industry secrecy obligations and that we comply with applicable data protection regulation.

To provide our services to you, we disclose data about you data that is necessary to identify you and perform an assignment or agreement with companies that we cooperate with. This include, but is not limited to, instructing custodians on specific custody accounts, to trade and settle securities, distribution services cash account reconciliation, invoicing and reporting, balance monitoring and payments.

We may also disclose personal data to authorities to the extent we are under statutory obligation to do so. This includes, but is not limited to, facilitating reclaims and financial reporting.

We disclose your personal data to:

• Authorities: we disclose personal data to authorities to the extent we are under statutory obligation to do so. Such authorities include tax authorities, police authorities, enforcements authorities and supervisory authorities in relevant countries.

• NAM entities and Nordea Group Companies: we disclose personal data internally in the Nordea Group with your consent or if this is permitted pursuant to legislation

• External business partners: we disclose personal data to external business partners with your consent or if this is permitted pursuant to legislation. External business partners include for example correspondent banks and custodians.

• Suppliers: Nordea Group have entered into agreements with selected suppliers, which include processing of personal data on behalf of us. This can be suppliers of IT development, maintenance, hosting and support.

3.1 International transfer and transfer to service providers

To provide our services and in the course of running of our business, we transfer personal data to entities as referenced above in third countries (countries outside of the European Economic Area) which might not have the same level of privacy and data protection law. Such transfers can be made if any of the following conditions apply:

• The European Commission has decided that there is an adequate level of protection in the country in question

• The standard contractual clauses (EU model-clauses) approved by the European Commission. You can access a copy of the relevant EU model-clauses for transfers by going to EUR-LEX or www.eur-lex.europa.eu and searching for 32021D0914.

• Exceptions in special situations, such as to fulfil a contract with you or you consent to the specific transfer.

3.2 Meeting and webinars

NAM uses external suppliers for meetings and webinar. When you participate in meetings or webinars your personal data will be collected by the external supplier directly, and they will be data controller. Information on which personal data the external suppliers collects, for which purpose, usage, storage and more can be found in the external suppliers privacy policy or privacy notice available through the application.

Some external suppliers make available and/or stored personal data in USA and any other countries which may not offers protection equivalent to the one provided by in the European Union or European Economic Area. This can create certain risks for example unauthorized data access to personal data, including requests from foreign government agencies, excessive data collection and retention and unwanted commercial solicitation.

The impact of these risks can be lessened by using the meeting or webinar application in a way that is as minimally invasive as possible for your given purpose. Communicating sensitive personal data such as personal health information, credit card information, and SIN numbers should be avoided. NAM has configured the settings of certain meeting and webinar application to be minimally invasive.

3.3 External website and Social Media Platforms

Our websites contains links to external web pages. We also use social media to communicate with the NAM community. Please note that NAM is not responsible for the privacy practices or content of external webpages and applications. NAM encourage you to read all applicable third party privacy policy before visiting external sites or engaging with us via social media.

4. How we protect your personal data?

Keeping your personal data safe and secure is important to our business. We use appropriate technical, organizational and administrative security measures to protect any information we hold from loss, misuse, and unauthorized access, disclosure, alteration and destruction.

5. What are your privacy rights?

You have the following rights in respect of the personal data hold about you;

a) Right to request access to your personal data

You have a right to access to the personal data we are keeping about you. Your right to access may, however, be restricted by legislation, protection of other persons’ privacy and consideration for NAM’s business concept and business practices. NAM’s know-how, business secrets as well as internal assessments and material may restrict your right of access.

b) Right to request correction of incorrect or incomplete data

If the data we are keeping about you is incorrect or incomplete, you are entitled to have the data corrected, with the restrictions that follow from legislation.

c) Right to request erasure

You have the right to request erasure of your data in the following cases;

• You withdraw your consent to the processing and there is no other legitimate reason for processing
• You object to the processing and there is no justified reason for continuing the processing
• You object to processing for direct marketing
• Processing is unlawful
• When processing personal data on minors, if the data was collected in connection with the provision of information society services

Due to the financial sector legislation we are in many cases obliged to retain personal data concerning you during your customer relationship, and even after that, e.g. to comply with a statutory obligation or where processing is carried out to manage legal claims.

d) Right to request limitation on processing of personal data
If you contest the correctness of the data which we have registered about you or lawfulness of processing, or if you have objected to the processing of the data in accordance with your right to object, you may request us to restrict the processing of these data. The processing will be restricted to storage only, until the correctness of the data can be established, or it can be checked whether our legitimate interests override your interests.

If you are entitled to erasure of the data which we have registered about you, but the data is necessary for you to defend a legal claim, you may request that we restrict the processing to storage only, if you want to keep the data.

Even when processing of your data has been restricted as described above, we may process your data in other ways if this is necessary to enforce a legal claim or you have given your consent.

e) Right to object to processing based on our legitimate interest
You can we object to the processing of personal data if the processing is based on NAM’s legitimate interest, including direct marketing and profiling in connection to such marketing.

f) Right to withdraw consent(s) previously given to us at any time
When the lawful basis for a specific processing activity is your consent, you have a right to withdraw your consent at any given time. Information about your right to withdraw it is provided when you are asked by NAM to give your consent

g) Right to data portability
You have a right to receive personal data that you have provided to us in a machine-readable format. This right applies to personal data processed only by automated means and on the basis of consent or of fulfilling a contract. Where secure and technically feasible the personal data can also be transmitted to another data controller by us.

Your request to exercise your rights as listed above will be assessed given the circumstances in the individual case. Please note that we may also retain and use your information as necessary to comply with legal obligations, resolve disputes, and enforce our agreements.

6. How long do we process your personal data?

We will keep your data for as long as they are needed for the purposes for which your data was collected and processed or required by laws and regulations.

This means that we keep your data for as long as necessary the performance of a contract and as required by retention requirements in laws and regulations. Where we keep your data for other purpose, such as for anti-money laundering, bookkeeping and financial regulatory requirements, we keep the data only if necessary and/or mandated by laws and regulations for the respective purpose.

The data retention obligations will differ within NAM, subject to applicable local law.

Examples of storage times:

• Preventing and detection of money laundering and terrorist financing, and fraud: storing of Know Your Customer (KYC) information for a minimum of five years after termination of the business relationships or the performance of the individual transaction

• Service or product specific regulations such as securities markets: storing your financial information for ten years after termination of the client relationship

• Bookkeeping regulations: storing legally required information for up to ten years

• Details on performance of an agreement: storing information related to your agreement with us for up to ten years after end of customer relationship

• Client reporting: your contact information is stored five years after as of end of the year of the reporting.

• Client CRM information: information stored about you in our CRM system is stored until 2 weeks after end of business relationship.

7. How to contact us or the data protection authority?

7.1 Contact the Data Protection Officer

If you have any questions regarding the Privacy Policy, are dissatisfied with how we process your personal data or want to exercise your individual rights (as described above in section 6), you can do so by contacting the NAM Data Protection Office directly by sending your message to [email protected] or by sending a letter to: Nordea Asset Management, Data Protection Office, Nicolai Eigtveds Gade 8, 1402 Copenhagen K, Denmark.

7.2 Complaint to the data protection authority

You can also lodge a complaint or contact the data protection authority in any of the countries where we provide services or products to you.

8. How are changes made to this Privacy Policy?

We are constantly improving and developing our services, products and websites. Consequently, we may change this Privacy Policy from time to time. If the changes to the Privacy Policy are significant, we will provide a notice, when we are required to do so by applicable law.

9. Who are the data controllers of NAM?

Within NAM the data controller will be legal entity you have a relationship with. This lists provides an overview of details of data controllers per country including contact details.

Luxembourg: Nordea Investment Funds S.A. 562 Rue de Neudorf, L-2220 Luxembourg

Sweden: Nordea Investment Management AB M 540
SE-105 71 Stockholm / Nordea Asset Management Alternative Investments AB M540
SE-105 71 Stockholm

Denmark: Nordea Investment Management AB, Danmark Filial af Nordea Investment Management AB, Sverige / Nicolai Eigtveds Gade 8, DK
1402 Copenhagen K

Finland: Nordea Investment Management AB, Finnish branch Satamaradankatu 5
00020 Nordea

Norway: Nordea Investment Management AB, NUF filial Norge Olav Kyrres gate 22
5014 BERGEN

Germany: Nordea Investment Management AB, German Branch Hauptstrasse 15
D-61462 Königstein im Taunus

Schweizerland: Nordea Asset Management Schweiz GmbH Seefeldstrasse 104, 8008 Zurich

For language versions, please go to your local website