Samsung Galaxy S24 FE Promotion Rules

1. Organizer of the Promotion

Samsung Electronics Austria GmbH, with its registered office at Praterstrasse 31/14 Obergeschoss, Vienna, Austria, and company registration number FN 217924b (hereinafter referred to as "Samsung"), is organizing the Samsung Galaxy S24 FE device promotion.

2. Promotional Period, Delivery, and Gift

The promotion is available to users in the territory of the Republic of Serbia from July 1, 2025, to July 31, 2025, or shorter if the stock of devices or accompanying gifts intended for this promotion runs out before the previously stated (planned) promotional period.

A "user" is considered to be an individual residing in the Republic of Serbia who purchases the device for their own needs and not for resale.

Users who, during the promotional period, purchase a Samsung Galaxy S24 FE* in retail stores or via the website of Samsung sales partners listed in point 6 of these Rules, and meet all other conditions defined by these Rules, will receive the accompanying gift: a Galaxy S24 FE 8/128GB, graphite color, model SM-S721BZKDEUC (hereinafter referred to as the "Gift").

*The purchase of any memory variant of the Samsung S24 FE device is relevant.

3. Purchase Conditions

The purchase of the Samsung Galaxy S24 FE device (hereinafter referred to as the "Device") can be made from Samsung sales partners listed in point 6 of these Rules, under the following cumulative conditions:

• a. The user purchases the device during the promotion period;
• b. The device is purchased in a retail store or via the website of an authorized Samsung sales partner in the territory of the Republic of Serbia; The list of authorized partners is defined in point 6 of these Rules;
• c. The user successfully registers the device purchase using the Samsung Members application no later than August 31, 2025, according to point 4 of these Rules.

4. Registration of Purchase

The prerequisite for receiving the gift is the registration of the device purchase using the Samsung Members application, which is pre-installed on the purchased device. Registration must be completed via the purchased device. The first successfully completed registration is considered valid for the purpose of awarding the gift.

The registration process involves entering the data required for successful registration. The data collected to enable the user to claim the gift, and for the purpose of delivering the gift after successful registration, includes:

• User's first and last name,
• User's email address,
• User's home address/registered address in the Republic of Serbia (for gift delivery),
• IMEI number and serial number of the purchased device,
• Display/scan of the fiscal receipt or delivery note for the purchased device.

By clicking the data submission button, the user submits data to Samsung and its subcontractors to verify if the conditions are met, i.e., if the user is eligible for the gift, and the user hereby gives their explicit consent for the use of their personal data in accordance with the provisions of these Rules. User consent is necessary for the registration process to be successful.

NOTE: The condition for exercising the right to a gift is successful registration of the purchase using the Samsung Members application. For successful execution of the mentioned registration, the device's settings used for registration must be exclusively in Serbian.

5. Gift Delivery and Device Pickup

The purchased device will be delivered in accordance with the sales terms of the Samsung sales partner.

Gift delivery to users, provided they have successfully registered the device purchase within the Samsung Members application in accordance with these Rules, will be made no later than November 30, 2025, to the address provided during the purchase registration within the Samsung Members application. Gift delivery is possible exclusively within the territory of the Republic of Serbia and will be at the Organizer's expense.

A user who has earned the right to a gift is obliged to pick up the gift at the address they provided as the delivery address during the device purchase registration within the Samsung Members application. If, due to the user's fault, the gift cannot be delivered/handed over even within a period of 6 (six) months after the date specified as the latest delivery/handover date in the previous paragraph of this point, the user forfeits the right to the gift.

6. Authorized Samsung Partners

The purchase of Samsung devices can only be made from the following authorized Samsung sales partners:

• Yettel
• A1
• Telekom Srbija
• Bluetech
• Belltel
• BC Group
• Beoecotel
• Belotehna
• Bosmark
• BUS Computers
• Copy Xerox
• Comtrade Distribution d.o.o.
• DUDI CO.
• DOTONLINE DOO
• DR Techno
• DONIC doo
• Ekupi.rs
• GALERIJA DOO
• GSM&PC Shop
• GSM 3G COMPANY DOO BEOGRAD
• Gigatron
• ISCOM
• Komparator
• K OFFICE DOO
• MS Data Nadežda Marjanović
• METALAC
• Mobilnitelefoni.rs
• MICROHARD SZTR
• MOBILLAND STKR
• PositiveLine
• ProMobi
• Pavleri
• PTUR Dora Sistem
• Roaming Electronics
• Spektar Plus
• Shoppster
• SZTR MOBILE ZONE
• STR VANA VLADIMIR VUKIĆEVIĆ Preduzetnik Beograd
• Tehnomanija
• Telepak
• Tehnomedia
• TP TEMPO DOO
• Trgo-Ban
• Technic Trade
• Tehnospot
• Uspon
• XLS
• Ananas
• MS Data Nadežda Marjanović
• KONDOR AS D.O.O.
• TEHNOMARKET NINA DOO
• OMEGA SR NOVICA MILOSEVIC PR
• ZUKVE-KOMERC doo
• Markoni media store
• Bazzar Market Place
• Jakov Sistem
• Electronic& Cable shop
• Net Kragujevac
• Superfon doo
• NIK SERVIS Zaječar
• Repromarket
• LAPTOP CENTAR DOO Beograd
• Home Centar Vera doo
• PC practic
• GSM CENTAR SVILAJNAC
• IMPULS + ZTR
• LINKOM GROUP DOO
• M.M. MOBIL SZTR
• NIMAI SZTR
• STR TANJA STANKOVIĆ TATIJANA PREDUZETNIK, BOR
• VEKI SR
• VODOSISTEM SD TZR SAŠA JOVANOVIĆ
• SZR ETCOM-PLUS RACUNARI PR
• ELEKTROTERM MC 022
• Pixel Novi Sad
• IMIKOM GROUP D.O.O.

7. Right to Amend Terms

Samsung reserves the right to amend these Rules at any time for justified reasons, with the obligation to publish such amendments without delay.

These Rules were published on July 1, 2025, on the page www.samsung.com/rs/offer/galaxy-s24-fe-summer-promo-2025, and are effective from that date.

8. Contact

Email address for contact regarding this promotion: samsung@unitedmoment.rs

Notice on Collection and Use of Personal Data

Samsung Electronics Austria GmbH, with its registered office at Praterstrasse 31/14 Obergeschoss, Vienna, Austria (hereinafter referred to as "Data Controller"), hereby informs you about the processing of personal data:

1. Data Controller

The Data Controller is Samsung Electronics Austria GmbH, with its registered office at Praterstrasse 31/14 Obergeschoss, Vienna, Austria, through its Branch Samsung Electronics Austria GmbH Belgrade (hereinafter referred to as "Controller").

2. Data Collected

The Controller will collect and process the following personal data:

• First and last name,
• Customer's email address,
• Customer's address in the territory of RS (for gift delivery purposes),
• IMEI number and serial number of the purchased device,
• Purchase data: receipt/delivery note,
• Proof of pickup/receipt of the purchased device,

(hereinafter collectively referred to as "Personal Data").

3. Purpose of Collecting Personal Data

The Controller will collect and process the aforementioned Personal Data exclusively for the purpose of determining the fulfillment of the conditions for participation in the "Samsung Galaxy S24 FE" promotion, and for delivering the gift in case the user/customer has earned the right to it.

4. Use of Personal Data

Personal Data collected based on consent will be used exclusively for the aforementioned purposes of the Controller, and in accordance with the Personal Data Protection Law (the "Law") and the Controller's Privacy Policy attached hereto.

5. Legal Basis for Processing Personal Data

The Controller collects and processes Personal Data based on the voluntary consent of the data subject.

6. Retention Period of Personal Data

Personal Data will be stored only as long as necessary to fulfill the stated purpose, and in any case no longer than 6 months from the date of purchase.

7. Your Rights

The personal data collection controller will, upon the participant's request, supplement, modify, update, and delete Personal Data if the data is incomplete, inaccurate, or not up-to-date, and if its processing is not in accordance with the law, or if the purpose of data collection has been fulfilled. For more information, please consult our Privacy Policy or contact us by sending an email to dataprotection.sead@samsung.com.

If participants believe that the processing of their personal data infringes upon their privacy, they may contact the Data Controller or the Personal Data Protection Agency to request an explanation.

8. Other Information

For detailed information on the measures taken to protect Personal Data and the potential transfer of Personal Data, please read our Privacy Policy.

Privacy Policy

Effective Date: May 2018.

Samsung Electronics Austria GmbH and its affiliated companies (hereinafter referred to as "Samsung", "we", "us", "our") recognize the importance of privacy for our staff, suppliers, customers, and others with whom we cooperate, and strive for clarity regarding how we collect, use, disclose, transfer, and store personal data.

Below are the main topics covered by our Data Protection Policy.

• 1. Scope and Purpose
• 2. Responsibility for Compliance
• 3. Our Obligations
• 4. Definitions
• 5. GDPR Principles
• 6. Special Categories of Personal Data
• 7. Sharing of Personal Data (including transfers outside the EEA)
• 8. Profiling and Automated Decision-Making
• 9. Direct Marketing
• 10. Record Keeping
• 11. Individual Rights of Data Subjects
• 12. Procedure in Case of Data Security Breach
• 13. Policy Updates
• 14. Useful Contact Information

1. Scope and Purpose

This policy defines the rules for data protection and the legal conditions that must be met regarding the acquisition, handling, processing, storage, transfer, and destruction of personal data.

The types of information we will handle include details about current, past, and potential staff members, suppliers, customers, and other individuals with whom we communicate. Data held on paper or computer is subject to specific legal protection measures outlined in the General Data Protection Regulation ("GDPR") and applicable data protection law(s), which provide(s) restrictions on how we may use this information.

Maintaining the highest standards in our handling of personal data is both a collective and individual responsibility, and this policy applies to how we acquire, use, store, and otherwise process personal data that we use in our business operations. It outlines the key data obligations that apply to us as an organization, and includes the expectation that you will play your part in compliance.

This data protection policy applies to every Samsung employee and other personnel providing services to Samsung (including, but not limited to, contractors and agency staff) (collectively referred to as "personnel"). All personnel are required to ensure they understand this policy and adhere to it regarding any personal data they access in the course of their work.

2. Responsibility for Compliance

The responsibility for overseeing data protection compliance, including adherence to this policy, lies with our Data Protection Officer, whose contact details can be found at the end of this policy.

Individuals in management positions are responsible for data protection compliance within their teams.

If you believe the policy has not been followed regarding your personal data or the personal data of others, you should raise the issue with your immediate manager or the human resources or legal departments.

3. Our Obligations

GDPR provides for significant fines against organizations that violate its provisions. Depending on the type of violation, organizations can be fined more than 20 million euros or 4% of their total global annual turnover in the previous financial year. These high fines increase the exposure to risks related to data protection compliance.

4. Definitions

The following definitions may be useful when reading this policy:

Criminal record data is information related to criminal offenses and convictions against a specific person.

Data Controllers are individuals or organizations that determine the purpose and method of processing personal data. They are responsible for establishing practices and policies in accordance with GDPR. We are the controllers of all personal data used in our business. Our suppliers, consultants, and contractors may also be data controllers.

Data Subjects for the purpose of this policy include all living individuals whose personal data we hold, including current, past, and prospective customers, suppliers, agents, investors, as well as our personnel. A data subject does not have to be a citizen or resident of the Republic of Serbia. All data subjects have certain legal rights regarding their personal data.

Personal data refers to data relating to a living person who can be identified from that data (or from that data or other information we possess). Personal data can be factual (such as name, address, or date of birth) or it can be an opinion (such as performance evaluation). The definition of "personal data" used in GDPR and applicable law is very broad and allows a wide range of personal identifiers to be classified as personal data. This includes name, identification number, and location data.

Processing is any activity that involves the use of personal data. It includes obtaining, using, observing, recording, or holding data, or carrying out any action or group of actions including organizing, changing, retrieving, using, disclosing, deleting, or destroying data. Processing also includes the transfer of personal data to third parties.

Special categories of personal data (previously known as sensitive personal data) include information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, or sexual life, as well as genetic and biometric data, when used to identify an individual.

5. GDPR Principles

Any person processing personal data must act in accordance with the applicable best practice principles defined in GDPR, which Samsung is obliged to adhere to.

• We will process personal data lawfully, fairly, and transparently (see section "Lawfulness, Fairness, and Transparency").
• We will collect personal data for specified, explicit, and legitimate purposes; we will not process it in a manner inconsistent with those purposes (see section "Purpose Limitation and Data Minimization").
• We will process personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (see section "Purpose Limitation and Data Minimization").
• We will ensure that personal data is accurate and, where necessary, kept up to date; where data is inaccurate, we will take every step to erase or correct it without delay, taking into account the purposes for which the data is processed (see section "Accuracy").
• We will not store personal data in a form that identifies the data subject for longer than is necessary for the purposes for which it is processed (see section "Storage Limitation").
• We will implement appropriate technical or organizational measures to ensure the security of personal data, including protecting it from unauthorized or unlawful processing or accidental loss, destruction, or damage (see chapter "Integrity and Confidentiality").

Further details on each of these principles are provided below.

5.1. Lawfulness, Fairness, and Transparency

The applicable data protection law(s) aim not to prevent the processing of personal data, but to ensure that it is done fairly and without detriment to the rights of the data subject.

For personal data to be processed in accordance with the law, one of the legal grounds for processing must be met. These grounds include: the data subject must give explicit and voluntary consent to the processing; processing is required by law; processing is necessary for the performance of a contract we have with the data subject; or processing is necessary for the legitimate interests of Samsung or the party to whom the data is disclosed (unless these interests are overridden by the individual's interests or fundamental rights or freedoms). Before we begin processing personal data (e.g., before collecting personal data from someone), we consider our data collection purposes and why we need that data. We also identify the legal basis that allows us to obtain and process that information lawfully.

The data subject must be provided with certain information, including (but not limited to) who the data controller is, the purpose(s) for which the data is processed, the legal basis for processing the data, the identities of any parties to whom the data may be disclosed or transferred, and the data subject's rights regarding their personal data. This information must be provided through appropriate privacy notices or fair processing notices.

5.2. Purpose Limitation and Data Minimization

Personal data may only be processed for the specific purposes for which the data subject was informed at the time of initial data collection, or for any other purposes expressly permitted by applicable data protection law(s). This means that personal data cannot be collected for one purpose and used for another. If it becomes necessary to change the purpose for which data is processed, the data subject will be informed of the new purpose before any processing takes place.

5.3. Accuracy

Personal data must be accurate and up-to-date. Information that is incorrect is inaccurate, and therefore steps must be taken to verify the accuracy of any personal data at the point of collection, and then periodically thereafter at regular intervals. Inaccurate or outdated data must be destroyed. When you become aware that personal data we process is inaccurate, you must inform your manager/data processing contact person and take the necessary steps to destroy or amend it, taking into account our data retention policy where applicable.

5.4. Storage Limitation

Personal data should be kept in a form that does not allow the identification of the data subject for longer than is necessary for the purposes for which the data is collected. This means that data must be destroyed or deleted from our systems when it is no longer needed, or the personal data should be anonymized by us. After the retention period expires, unless there is a valid business reason for retention beyond that period (e.g., if the data subject has initiated legal proceedings against us and the retained personal data is relevant to such proceedings), records containing personal data will be eliminated in a secure manner and effectively destroyed.

5.5. Integrity and Confidentiality

Maintaining data security means ensuring the confidentiality, integrity, and availability of personal data, in accordance with the following definitions:

• a) Confidentiality means that data can only be accessed by individuals authorized to use the data.
• b) Integrity means that personal data must be accurate and suitable for the purpose for which it is processed, and reliable throughout its lifecycle (i.e., it cannot be altered by unauthorized persons).
• c) Availability means that authorized users must be able to access data when they need it for permitted purposes. Personal data should therefore be stored on our central computer system rather than on individual personal computers.

Security procedures include:

• a) Access Controls. Any external person observed in controlled access areas must be reported.
• b) Securing Lockable Desks and Cabinets. Desks and cabinets should be kept locked if they contain any sensitive personal data. (Personal information is always considered confidential.)
• c) Destruction Methods. Paper documents must be shredded. Floppy disks and CD-ROMs must be physically destroyed when they are no longer needed.
• d) Equipment. Samsung company personnel must ensure that confidential data is not displayed on individual monitors to passers-by, and that they log out of their personal computers when they are unattended.

6. Special Categories of Personal Data

From time to time, it may be necessary to process special categories of personal data. We will only process special categories of personal data when we have a legal basis for processing personal data (see section 5 of this policy) and when one of the special conditions for processing special categories of data applies. These special conditions include, but are not limited to, the following cases:

• a) The data subject has given explicit consent.
• b) Processing is necessary for the exercise of the rights or obligations of Samsung or the data subject in accordance with employment law.
• c) Processing is necessary to protect the vital interests of the data subject, and the data subject is physically unable to give consent.
• d) Processing relates to personal data that the data subject has made public.
• e) Processing is necessary for the establishment, exercise, or defense of legal claims.
• f) Processing is necessary for reasons of substantial public interest.
• g) Processing is necessary for the assessment of an employee's work capacity.

Special categories of personal data will not be processed until:

• a) The aforementioned assessment has been carried out; and
• b) The data subject has been appropriately informed (through a privacy notice or otherwise) about the nature of the processing, the purposes for which it is carried out, and the legal basis.

7. Sharing of Personal Data (including transfers outside the EEA)

Personal data may only be transferred to third-party service providers who agree to adhere to the required policies and procedures, as well as any relevant contractual terms, and who agree to implement adequate measures, in accordance with the requirements.

Personal data may be shared with another member of our group (which includes our affiliates, as well as our ultimate holding company, along with its subsidiaries) if the recipient needs the information for business-related reasons, and if the transfer complies with applicable cross-border data transfer restrictions (see below).

Data protection laws restrict the transfer of data to countries outside the European Economic Area (hereinafter referred to as the "EEA") to ensure that the necessary level of data protection is not compromised. You transfer personal data across borders when you transmit, send, view, or access that data in another country or another jurisdiction. Special permission must be sought from the local legal department/data protection office before transferring personal data across borders to verify if the necessary conditions are met.

8. Profiling and Automated Decision-Making

There are significant limitations on the circumstances under which automated decisions about individuals can be made (where a decision is made solely automatically without any human intervention). This is also the case for profiling (which is the automated processing of personal data to evaluate certain matters relating to individuals, for example, whether they might like a particular product).

This type of decision-making may only be applied where it is necessary for the performance of a contract, where it is permitted by law, or in cases where the individual gives their explicit consent. Furthermore, individuals have the right to receive information about decision-making and have certain rights that must be communicated to them, including the right to request human intervention or to challenge a decision, and there are strict limitations on the use of special categories of data for this type of decision-making.

In any case, any profiling activity will be processed in full compliance with all applicable laws.

9. Direct Marketing

We respect the strict data protection requirements regarding direct marketing.

10. Record Keeping

It is important that we are able to demonstrate that we comply with data processing principles. Where required, we maintain appropriate records of our handling of personal data. This may specifically include records of our legal basis for processing personal data, records of data sent to data subjects, and records of our personal data processing.

11. Individual Rights of Data Subjects

Data must be processed in accordance with the rights of data subjects. Data subjects have the right to:

• a) withdraw their consent to data processing at any time (and this must be as easy as giving consent), if they have consented to data processing.
• b) receive clear, transparent, and easily understandable information about how their personal data is used (which is why we provide a privacy notice).
• c) request access to any data that the data controller holds about them.
• d) request the correction or rectification of inaccurate data.
• e) request that data held about them by the data controller be erased when certain conditions stipulated by applicable law(s) are met.
• f) request the restriction of processing when certain conditions stipulated by applicable law(s) are met.
• g) request the transfer of personal data to another controller when certain conditions stipulated by applicable law(s) are met.
• h) object to the processing of personal data when certain conditions stipulated by applicable law(s) are met.
• i) not be subject to a decision based solely on automated processing, including profiling, where it has legal or other significant consequences for them, unless they have expressly agreed to it, or it is necessary for the conclusion or performance of a contract with them.
• j) lodge a complaint with the Commissioner for Information of Public Importance and Personal Data Protection, regarding our data processing, providing the following details, although we encourage the data subject to inform us of any concerns they have so that we can try to resolve them.

When you know that a data subject wishes to exercise any of their rights, you should contact the Legal Affairs / Data Protection Office. It may be necessary to take appropriate steps to identify the person making the request.

A formal request for access to data from a data subject (the applicant) for information held by the Branch Samsung Electronics Austria GmbH Belgrade about them can be submitted in writing, using Appendix 2 (data subject access request form). However, data subject access requests do not have to be formal or in writing (they can be submitted, for example, via social media or by phone). Any personnel member who receives a request (whether it is submitted using the prescribed form or not) should immediately forward it to the Data Protection Officer and/or the Legal and Compliance team. If you are unsure whether a request has been submitted, you should discuss the circumstances with them.

The Data Protection Officer will respond to each request within 30 days of receipt, with certain exceptions (unless applicable law provides for a shorter period, in which case that shorter period will apply). If Samsung is unable to provide the requested personal data, the reasons for this will be fully documented, and the data subject will be informed in writing. The data subject will also be provided with the details of the relevant supervisory authority to which a complaint may be submitted, as stipulated by the applicable law(s) on data protection.

12. Procedure in Case of Data Security Breach

A data security breach is defined as a "security breach that leads to accidental or intentional destruction, loss, alteration, unauthorized disclosure, or other processing." A breach does not necessarily mean that personal data has been externally disclosed without relevant authorization, but it can mean that someone has accessed it internally without proper permission.

We are obliged to notify the relevant regulatory authority of certain data security breaches, and, in more limited cases, the data subject themselves.

13. Data Access Authorization

Authorization for access to personal data collected and/or used by the Branch Samsung Electronics Austria GmbH Belgrade is granted only to the following individuals:

• For customer personal data collected through websites established for specific marketing purposes:
• authorized legal representatives of the Branch Samsung Electronics Austria GmbH Belgrade
• marketing managers whose job responsibilities include handling personal data collected for specific marketing purposes

14. Useful Contact Information

The Data Protection Service can be contacted at:

Branch Samsung Electronics Austria GmbH Beograd Omladinskih brigada 90v, Belgrade, Republic of Serbia

Email: Please contact us by sending an email to dataprotection.sead@samsung.com