The purpose of this privacy notice is to explain to you how ila (“ila”, “we”, “us”, and “our”), a retail branch of Arab Banking Corporation (B.S.C.) (“Bank ABC”), may process your personal data.

This privacy notice should be read together with Terms and Conditions including the Data Protection and digital terms and conditions.

Who is your data controller?

Your data controller is ila with whom you have entered into a banking relationship and operate an account with, including through the use of our digital platform and mobile application. ila is a retail branch of Bank ABC. You can find ila’s contact details at the end of this privacy notice. For more information about ila please visit www.ilabank.com.

What personal information do we collect about you?

The personal data we collect about you includes information that we collect when we setup, administer, and manage our relationship with you, such as the following.

• Full name, nationality, date of birth, gender, residential address, country of birth, email addresses, biometric data, video selfie images, telephone numbers, identity documents, proof of address documents, identity document number, employment status, employment information, tax status, tax identification number, FATCA forms, details of source of income and source of wealth, information on monthly income, average account financial activity.

• Personal data that we gather from publicly available sources, including social media, such as biographies held on the internet or other information that is available online.

• Personal data relating to transactions such as type, dates, amounts, currencies, payer, and payee details.

• Personal data we learn about you from the way you operate our products, services, and use the ila mobile application; including the technology you use for this, language preferences, mobile phone location data, and engagement data.

• Personal data that we gather from our interaction with you such as correspondence and records of interactions, social media messages, and complaints.

• Internet online identifiers and other technical personal data. These may leave traces which, when combined with unique identifiers and other information received by servers, may be used to identify you. Internet online identifiers may include internet protocol addresses (IP addresses) and cookie identifiers. Technical personal data may include mobile network information, unique device identified, traffic data including web logs.

• Personal data relating specifically to transactions carried out on our digital platform by you. Whilst our banking relationship is with you, we will be collecting information specific to transactions carried out by other customers that may relate to you (e.g., when another customer enters your IBAN/phone number for transactions, etc.).

• Security codes, including all confidential codes, usernames, user identifications and passwords, PIN/Password and information or a physical device (for example, an ATM card, a debit card, credit card, prepaid card, security token, or electronic key) that the user you must use to confirm your identity when accessing our digital platform. We may record calls, email, text messages, social media messages and other communications between you and employees of ila.

Closed-circuit television (“CCTV”) may be used in and around our premises and ATM locations for the purposes of security and preventing crime, therefore we may have images of you captured by our CCTV cameras.

How is the personal information collected?

We collect personal data from a number of sources, including the following.

• Personal data received and collected via the mobile application named “ila” (the “ila App”).

• Personal data we receive directly by your engagement with us and our social media platforms.

• Personal data that we learn through your use of our services and products such as when you visit the ila App or our websites or when you speak to us by way of the contact centre.

• Personal data we receive directly from you or from a person acting on your behalf.

• Personal data we obtain from third parties such as credit reference, debt recovery, fraud prevention or government agencies, which may have originated from publicly accessible sources.

• Personal data that we gather from publicly available sources such as the internet and/or other local trade registers.

• Information provided by affiliates or third parties of ila (such as through ila webinar sign-up),

• From servers in relation to your use of our digital platform and the ila App.

How will we use your personal information, with whom will we share it, and what is the legal basis for this?

We will use your personal data for the following reasons as permitted by applicable laws, including data protection laws.

Processing that is necessary to set up, maintain and administer the contractual relationship with you.

• To enable you to manage your account with us and to assist you to transact with us.

• To operate and manage your ila account and to manage your cards (debit and/or credit) that you have with ila.

• To communicate with you and to resolve your queries.

Processing that is necessary for our own legitimate interests (including those of ila’s affiliates) or those of third parties to do the following.

• To collect due and outstanding debt which may involve passing your personal information to debt collection agencies.

• To keep records of communications in order to evidence what has been discussed, keep a record of your instructions, and to prevent or detect crime.

• To record customer account activities where we have reason to believe that fraud or other crimes are being committed or where we suspect non-compliance with anti-money laundering regulations to which we are subject.

• To test the performance of our products, services, and internal processes to ensure that your personal information is only collected as needed and is held and processed securely.

• To develop statistics and for market research and analysis including to develop and improve our products and services so that we can offer new and enhanced products and services to the customer, which may include converting your personal information into statistical or aggregated data which cannot be used to identify you.

• To administer ila’s internal operational requirements (including credit, compliance, and risk management, market research, system and product development, staff training, quality control, accounting, and for audit purposes).

• To keep records of communications and customer account activities (as described above) including (but not limited to) transactions and other activity effected on our digital platform, such as date and time of logging in and for how long the user is logged in.

• When sharing personal information with the following third parties:

- Any ila affiliate to allow you to access our products and services. This includes our affiliates’ IT support teams for digital platform services.

- Any intermediary to whom we provide instructions or referrals.

- Our legal and professional advisers such as auditors and external legal counsel.

- Any sub-contractors, agents, or service providers (including our digital identity service provider) engaged by ila and/or Bank ABC (including their employees), such as backup and server hosting providers, IT software and maintenance providers, document storage providers and suppliers of other back-office functions.

- Credit reference, debt recovery, or fraud prevention agencies.

- Tax authorities, including those based overseas.

- Persons and financial institutions acting on behalf of the customer, payment recipients, beneficiaries, account nominees, correspondent, and agent banks.

Processing that is necessary to comply with the following legal obligations.

• To comply with laws that require us to verify the identity of our customers and to detect and prevent financial crime.

• To comply with tax regulations that require us to report the tax status of our customers.

• When enforcing or defending our rights, or those of any ila affiliate or a third party employed by us.

• To process requests relating to the exercise of your rights under applicable data protection laws.

• When sharing personal data with the following third parties:

- any governmental, banking, taxation, or other regulatory authorities or similar bodies with jurisdiction over any part of ila or Bank ABC, or under the rules of a relevant stock exchange, including those which are based overseas; and

- the courts, and as may otherwise be necessary for the administration of justice, to protect vital interests and to protect the security and integrity of Bank ABC’s business operations or those of ila.

Processing based on your consent.

• To manage ila website registration page for newsletter sign-up.

• To communicate with you about promotions, new features and offers (including direct marketing) through email or other channels of communications. If you wish to opt-out of receiving marketing communications, you may click on unsubscribe on the email or contact our team on +973 1723456 to opt-out from the SMS communication.

• ila may share your personal information with other persons where you have provided your explicit consent to do that.

Identity verification and fraud prevention checks.

The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment.

Your rights under data protection laws.

Your rights are as follows (noting that these rights do not apply in all circumstances and that some of these rights are only relevant from the date of this policy notice):

• the right to be informed about the processing of your personal information;

• the right to have your personal information corrected if it is inaccurate and to have incomplete personal information completed;

• the right to object to processing of your personal information;

• the right to restrict processing of your personal information;

• the right to have your personal information erased (the right to be forgotten); and

• the right to obtain information about how we process your personal information. If you wish to exercise any of these rights, please write to us.

Is providing your personal data obligatory?

We are unable to enter into or administer the relationship with you without some personal data about you. In cases, where providing your personal data is optional, we will make this clear, for instance by explaining this in application forms if certain data fields can be left blank. If we are seeking a consent to justify our processing of your personal data, we will make this clear.

Updates to your personal data.

If any of the personal data you have given to us should change, such as your contact details, please inform us without delay. Similarly, if we have collected personal data about you that you consider to be inaccurate, please inform us. Our contact details are below.

International transfers.

Our affiliates and third parties that we may share your personal data with may be located outside of the Kingdom of Bahrain. Some countries already have adequate protection for personal information under their applicable laws. In other countries safeguards will be applied to maintain the same level of protection of your personal data as in Bahrain. These safeguards may be contractual agreements with the overseas recipient, or requirements for recipients to subscribe to international data protection frameworks.

How long do we keep your personal data and what is the criteria used to determine this?

We need to keep your personal data for as long as necessary to fulfil the purposes for which it was collected (as described above). Even when you close the customer account with us, we must retain some of your personal data in order to comply with legal and regulatory requirements and in case of claims. We will also keep some of this information in case of queries from you.

We will continue to look after your personal data securely and your rights listed in this privacy notice remain in place until all of your personal data is safely deleted from our systems (once the regulatory retention period is achieved).

The criteria we use to determine data retention periods for your personal data includes the following.

• Retention in accordance with legal and regulatory requirements. We will retain personal data after our agreement with you has come to an end and, with respect to access to our digital platform, following the termination of such access, based on our legal and regulatory requirements.

• Retention in case of queries. We will retain some information in case of queries from you.

• Retention in case of legal claims. We will retain some information for the period in which you might legally bring claims against us.

Identity verification and fraud prevention checks.

The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity.

If fraud is detected, you could be refused certain services, finance, or employment.

Your rights under the Personal Data Protection Law of the Kingdom of Bahrain.

Your rights are as follows (noting that these rights do not apply in all circumstances and that some of these rights are only relevant from the date of this policy notice): • the right to be informed about the processing of your personal data;

• the right to be notified upon processing of your personal data;

• the right to be notified of the decision on the automated processing of your personal data;

• the right to request rectification, blocking or erasure of your personal data;

• the right to object to the processing of your personal data causing material or moral damage;

• the right to obtain information about how we process your personal data;

• the right to withdraw your consent at any time;

• the right to object to the processing of your personal data for direct marketing purposes;

• the right to lodge a complaint. If you wish to exercise any of these rights, please write to us.

How to contact us.

If you have any questions about this privacy notice or your personal information, please contact us.

ila Service Centre

Bank ABC Tower 2

Building 152, Road 1703

Block 317, Diplomatic Area

Manama

Bahrain.

Telephone: +973 17123456

Last updated.

This Privacy Notice was last updated on June 4, 2023.