Register statement

Use of personal information

S-Pankki Oy processes personal information in accordance with the Personal Data Act and legislation on financial institutions and takes care to implement protection for privacy and banking confidentiality in the processing of personal information. Personal information is processed for the purposes of S-Bank's services and operations and for the management of customer relationships. Information is also used for marketing aimed at customers.

Bank confidentiality restricts the surrender of information held by the bank to a third party other than with the consent of the person to whom the information applies or in cases required by law. Information is obtained from the registered person himself or from his agents, from public documents kept by the authorities, from companies engaged in credit business, and from registers of credit information and customer default, and from the city register office.

In the event that a business or service transaction so requires, S-Bank shall record phone calls and messages as well as data identifying the customer to ensure the contents of the message and to verify the individual.

Register statement pursuant to section 10 of the Personal Data Act (523/99)

The keeper of the register S-Pankki Oy

Contact details Street address: Fleminginkatu 34 00510 Helsinki

Mailing address: PO Box 77 00088 S Group Tel. 010 76 8011

Website: www.s-lahjakortti.fi

Person in charge of register matters and/or contact person S-Bank's Gift Card Service Contact details: S-Pankki Oy PO Box 77, 00088 S-Group Tel. 010 76 8011

Name of register Customer register of S-Pankki Oy's Gift Card Service The purpose of processing personal information/intended use of the register The purpose of the register is the handling of functions and services related to banking business. Data contained in the register will also be used for the improvement of business operations, for customer relationship management, for direct marketing, and for handling legal obligations to notify the authorities.

In addition to S-Bank, customer information is also processed by agents of S-Bank, who are bound by the banking confidentiality obligations of the Credit Institutions Act.

The data contained in the register - name, address, postal code, town, residence municipality, phone numbers, email address - Date of start of customer relationship - date of birth, social security number or business ID - prohibition on marketing - Data on accessing (data on commissioning services, contracts, applications, or commissioning) Regulated sources of information The data in the system is acquired by the customer's bank through information obtained either contractually or in some other fashion. Also, information is obtained on the basis of the law from authorities, companies engaged in the credit business, the city register office, and agents.

Handover of the regulated information and the transfer of information outside the EU or the European Economic Area Information is handed over under the regulations as follows: - to the authorities in cases prescribed by law - to companies in the same corporate group, within the permitted legal limits.

No information is surrendered outside the EU or the European Economic Area.

The principles of the protection of the register

A. Manual materials (storage location and protection)

Contracts and other manually handled documents containing customer information are stored after initial processing in locked and fireproofed storage facilities. Only S-Bank employees within the sphere of bank confidentiality, agents and employees of companies acting on behalf of S-Bank are entitled to handle manually stored document information.

B. Information stored on computer (principles of register access entitlement and user supervision as well as the physical protection of hardware)

Only designated S-Bank employees and the employees and agents of companies operating on behalf of S-Bank are entitled to handle the register and to maintain the data in it. Each designated user has his/her own personal user ID and password. Each user is under a duty of confidentiality under banking confidentiality for the information obtained by him or her.