Privacy statement NN Group N.V.

About this privacy statement

This is the privacy statement of NN Group N.V. (“NN”). The address of NN is Schenkkade 65, 2595 AS, The Hague, The Netherlands.

NN and its subsidiaries do their best to ensure that your personal data is processed in such a way that your privacy is protected and safeguarded as far as possible. Personal data is data that tells something about you or that we can connect with you. We call the collection, retention and use of your personal data ‘processing’. NN and its subsidiaries comply in the processing of your personal data with applicable data protection legislation and regulations, such as the General Data Protection Regulation (“GDPR”).

NN Group Data Protection Framework

We have an extensive groupwide data protection framework in place to process and protect personal data in compliance with applicable data protection laws. Our (internal) Data Protection Policy addresses compliance with the GDPR and other relevant data protection laws and regulations in relation to its entire range of activities and applies to all NN entities established in the EU which process personal data or NN Group entities that process personal data of data subjects within the EU. Compliance is monitored closely and documented systematically.

Fair, transparent and secure processing of personal data

All entities within NN Group obtain and process personal data in a fair and transparent manner. Personal data is solely processed for specified legitimate business purposes and on the basis of appropriate legal grounds. Personal data is not further processed in a way incompatible with these purposes. We only share personal data with third parties (such as intermediaries and service providers/suppliers) if this is needed for a legitimate business purpose and we have a solid legal ground for doing so. Where needed we conclude adequate data processing agreements with such parties to safeguard the protection of personal data and require such third parties to maintain similar standards to ours for the protection of personal data, which is verified during our due diligence and assurance processes. We do not sell personal data to third parties.

We spend a lot of time and effort on the security of our systems and the personal data stored within them. We keep a constant watch over the security of our data traffic. We take immediate action in case something goes wrong. We resolve and register data breaches and report these to the supervisory authority and if necessary to you.

Data Protection Officers

The (internal) NN Group DPO Charter provides a mandatory framework pursuant to which the function of Data Protection Officer (“DPO”) is established. NN Group and all European business units have appointed a DPO and formally established the position, role and responsibilities of the DPO according to the aforementioned DPO Charter and the GDPR. The DPOs continuously monitor compliance with the GDPR and act as a point of contact for supervisory authorities and data subjects.

Our employees

In light of the NN Values (Care, Clear, Commit) and in accordance with the NN Code of Conduct all employees are expected to handle personal data of our customers, employees and business partners responsibly, keep confidential what is entrusted to them and act honestly, with care and diligence. The NN Code of Conduct reminds employees for example of the ‘need-to-know principle’ in requesting or providing personal data. We regularly verify who has access to our systems and personal data. In case of evident breaches disciplinary measures are imposed on employees. All employees are required to complete a GDPR e-learning. Furthermore our employees have signed a non-disclosure agreement and have taken an oath.

Record retention

On the basis of the internal NN Group Record Retention Policy all business units and legal entities must have retention schedules in place. We retain personal data for as long as required by law and no longer than necessary for the purpose for which we use the data. Data subjects can request information on the applicable retention periods. Such information will be provided in a timely manner.

Data transfers outside the European Economic Area

Your personal data is generally processed in the European Economic Area (‘EEA’). In some cases however we can use the services of parties in countries outside the EEA. The regulations in such countries do not always provide the same level of personal data protection as in the EEA. To ensure that your personal data is safe nevertheless, we take measures in such cases by entering where needed into so-called standard contractual clauses.

Processing on NN Group website

When you visit the NN Group website, data is gathered by using cookies and similar technologies (“cookies”). NN processes log information and details of visitor behavior patterns. Your IP address can also be processed. This is the number that identifies the computer, tablet or mobile you use. NN does this to collect statistical information on the use of the website and to operate the website correctly. We can also process data for marketing purposes (to offer you customised advertisements). In our cookie statement we explain in more detail how and why we use cookies and provide information about the lifespan of cookies. NN will not further process personal data in a way incompatible with the mentioned purposes.

Specific privacy statements | other processing activities

NN can also process personal data for particular organisational and/or legal (regulatory) purposes. For more information we refer to the separate privacy statements with regard to those specific other processing activities:

Privacy statements of NN Group entities

For more information on the processing of personal data by the various NN Group entities we refer to their (main) privacy statements:

Your rights under the GDPR

We have an adequate procedure in place to handle requests of data subjects with regard to the effectuation of their rights under the GDPR in a proper and timely manner. These rights are explained hereunder.

Right of access

This means that you may request which personal data we process about you and what we use it for.

Right to rectification, erasure and restriction

You are entitled to have your personal data changed if it is not correct. You are also entitled to have your personal data deleted if your personal data is unlawfully processed, is no longer necessary for the purpose for which it is processed or if you have withdrawn your previously given consent and NN no longer has any other legal grounds for processing your data. You are also entitled to restrict the use of your personal data. This right means that you may tell us temporarily not to use your data. You may exercise this right if your personal data is incorrect, unlawfully processed, no longer necessary for the purpose for which it has been collected or processed, or if you object to the processing of your data and your objection is still being handled by us.

Right to data portability

This means that you are entitled in certain cases to request us to take the personal data that you provided, and transmit it to you and another service provider.

Right to object

You may lodge an objection to the processing of your personal data, if we use your personal data for purposes other than necessary for performing a contract or necessary for fulfilling a statutory obligation. We will carefully assess your objection and stop processing your personal details, if necessary.

Questions, comments and complaints

For general questions or comments about this privacy statement, please contact External Communications: external.communications@nn-group.com.

If you have a question or a complaint about the way NN handles your personal data, you can send an e-mail to the NN Group Data Protection Officer (dpo-office@nn-group.com). You also have the right to submit a complaint to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Changes - version

This privacy statement can be adjusted due to changes in legislation and/or when we change the way we process personal data. This version is dated 20 January 2023.
