Samsung Galaxy S24 FE Promotion Rules

1. Organizer of the Promotion

Samsung Electronics Austria GmbH, with its registered office in Vienna, Austria, at Praterstrasse 31/14 Obergeschoss, and its branch Samsung GmbH, Branch Ljubljana, Letališka cesta 29A, 1000 Ljubljana, with registration number: 6398774000 (hereinafter referred to as "Samsung"), is organizing a promotion for customers purchasing Samsung Galaxy S24 FE devices (hereinafter referred to as the "device" and collectively as the "devices").

2. Participants and Promotional Period

This promotion is available to customers (end-users) of devices who have a delivery address in the Republic of Slovenia and meet the conditions prescribed by these rules.

Participants in this promotion can only be natural persons residing or having their registered office within the territory of the Republic of Slovenia, who purchase the device for their own needs and not for resale (end-users), and who meet the conditions prescribed by these rules.

The promotion is available to participants from 01.07.2025 to 31.07.2025 (hereinafter referred to as the "promotional period"). This promotion may end before the specified date if the stock of devices intended for this promotion runs out. Samsung will promptly publish a notice of any early termination of the promotion in the same manner as these rules were published.

3. Promotional Benefits

These rules govern the conditions for participation in the promotion. The promotion allows participants to purchase a Samsung Galaxy S24 FE device with any memory size from Samsung's sales partners listed in section 5 of these rules. Upon meeting the conditions of these rules, participants are entitled to a gift – a Samsung Galaxy S24 FE 8/128GB, model SM-S721BZKDEUE in graphite color (hereinafter referred to as the "gift").

Note: Samsung sales partners listed in section 5 of these rules independently determine the retail price of the device subject to this promotion. Therefore, the retail price of the device may vary depending on the selected model and the Samsung sales partner from whom the device was purchased.

In case of stock depletion of the aforementioned gift devices, Samsung reserves the right to provide the customer with an equivalent Samsung product of the same purpose as a gift.

4. Other Conditions for Participation and Claiming Benefits

To be eligible to participate in this promotion and claim the benefits, the customer must meet the following conditions:

• The device must have been purchased during the promotional period exclusively from one of Samsung's sales partners in the Republic of Slovenia, as listed in Section 5 of these rules.
• The customer must purchase the device as an end-user (end-users are exclusively natural persons residing or having their registered office in the Republic of Slovenia, who purchase the device for their own needs and not for resale or distribution).
• To claim the gift, the customer must successfully register the purchased device in the Samsung Members application. The registration process includes entering the necessary data for successful registration. Late registrations will be automatically rejected. Registration in the Samsung Members application must be completed correctly no later than 31.08.2025. In case of successful and correct registration and fulfillment of all conditions, the gift will be dispatched no later than 30.11.2025 to the address in the Republic of Slovenia provided by the customer during registration.
• By submitting data or registering to participate in this promotion, the user confirms that they have read and understood these rules.

The data collected for participation in this promotion and for the delivery of the gift are:

• Customer's full name or legal entity name,
• Customer's email address,
• Customer's phone number,
• Customer's exact home address or business address in the Republic of Slovenia (for gift delivery),
• IMEI and serial number of the purchased device,
• Proof of purchase (scan of the fiscal receipt or delivery note for the purchased device).

By submitting data or registering to participate in this promotion, the user confirms that they have read and understood these rules.

By clicking the submit data button, the user sends the data to Samsung, which will verify if the entered data complies with these rules. If the data entered during registration complies with these rules, the user will receive the appropriate gift as stated in section 3 of these rules, in the manner and within the timeframe specified in these rules.

The right to the gift, as defined by these rules, can be exercised by the first person to successfully and completely register with the serial number of the purchased device in accordance with these rules. Subsequent registrations for claiming the gift will not be considered.

In case of any technical difficulties preventing registration via the Samsung Members application on the purchased device, Samsung will endeavor to provide customer support through its sales agency and register on their behalf, provided that the customer sends the following information to Samsung or its sales agency:

• A screenshot of the purchased device's IMEI number,
• Other data required for successful registration on the promotion via the Samsung Members application, in accordance with these rules,
• Proof (screenshot) of technical difficulties (errors) preventing the customer from registering via the Samsung Members application.

One of the conditions for obtaining the gift defined in these rules is registration on the purchased device within the Samsung Members application. For the successful completion of this registration, the settings of the purchased device through which the application is used must be exclusively in the Slovenian language, and a SIM card must be inserted into the device.

Upon successful completion of the registration, the customer will immediately receive a confirmation email stating that the registration was successful and is pending approval. A SIM card must be inserted, and the device settings must be in Slovenian.

You can find the registration instructions within the Samsung Members application, which is pre-installed on your new device. Under the "BENEFITS" tab, click on "REGISTER" and fill in the required information. Once completed, you will immediately receive a confirmation email informing you that the registration was successful and is pending approval. The SIM card must be inserted, and the device settings must be in Slovenian.

5. List of Samsung Sales Partners

• Telekom Slovenija; Telekom Slovenije, d.d., Cigaletova 15, 1000 Ljubljana
• A1; A1 Slovenija, d.d., Ameriška ulica 4, SI-1000 Ljubljana
• Telemach; Telemach Slovenija, širokopasovne komunikacije, d.o.o., Brnčičeva ulica 49A, 1231 Ljubljana – Črnuče
• T2; T-2 d.o.o., Verovškova 64A, 1000 Ljubljana
• Samsung center; SGERM d.0.0. Beloruska ulica 7, Maribor, 2000 Maribor
• Big Bang; Big Bang, trgovina in storitve, d.o.o., Madžarska ulica 12, 1000 Ljubljana, Slovenija
• Mimovrste; MIMOVRSTE d.0.0., Cesta Ljubljanske brigade 21, 1000 Ljubljana
• Harvey Norman; Harvey Norman Trading družba za trgovino d.o.o., Letališka cesta 3D, 1000 Ljubljana
• Merkur; MERKUR trgovina, d.0.0., Cesta na Okroglo 7, Naklo, 4202 Naklo
• ECE; ECE d.0.0., Vrunčeva ulica 2A, Celje, 3000 Celje
• Shoppster; SHOPPSTER, spletna trgovina, d.o.o., Brnčičeva ulica 49A, 1231 Ljubljana-Črnuče
• Samsung spletna trgovina Slovenija (www.samsung.com/si)
• Petrol d.d., Dunajska cesta 50, 1000 Ljubljana
• ENTERPOINT d.0.0., Poslovna cona A 10, 4208 Šenčur

6. Delivery of Purchased Devices

Devices purchased under this promotion and in accordance with these rules will be delivered to customers by Samsung sales partners from whom they were purchased. The delivery time, schedule, and method are determined by the Samsung sales partners.

7. Obligation to Return Gift in Case of Exercising the Right to Return Goods Purchased Remotely

If a customer (promotion participant) who purchased the device subject to the promotion remotely via the online store of one of the sales partners listed in section 5 of these rules exercises their legal right to withdraw from the distance contract or return the purchased device, the customer (promotion participant) is obliged to also return the gift(s) received within the scope of this promotion.

For the return of the gift, the customer (promotion participant) must contact Samsung via email at promoS24FE@janustrade.si. Upon receiving the email from the customer (promotion participant), Samsung will inform the customer (promotion participant) of the address to which the customer (promotion participant) should return the gift.

Note: The customer is obliged to collect the gift at the address provided as the delivery address in the Samsung Members application on the purchased device. If, due to the customer's fault, the gift cannot be delivered to the customer within 6 months from the date specified in these promotion rules as the last day for gift delivery, the customer forfeits the right to the gift within this promotion.

8. Right to Amend Promotion Rules

Samsung reserves the right to amend these rules at any time for justified reasons, and undertakes to publish any amendments immediately.

9. Contact

Email address for contact regarding this promotion: promoS24FE@janustrade.si

Phone number: 080 26 20

Notice on Collection and Use of Personal Data

Samsung Electronics Austria GmbH, with its registered office at Praterstrasse 31/14 Obergeschoss, Vienna, Austria (hereinafter referred to as the "controller"), hereby informs you about the collection and processing of your personal data.

1. Controller

The data controller is Samsung Electronics Austria GmbH, with its registered office at Praterstrasse 31/14 Obergeschoss, Vienna, Austria, through its branch Samsung Electronics Austria GmbH, Ljubljana Branch (hereinafter referred to as the "controller").

2. Personal Data Collected

The controller will collect and process the following personal data:

• Full name,
• Customer's email address,
• Customer's address in the territory of the Republic of Slovenia (for gift delivery purposes),
• IMEI and serial number of the purchased device,
• Other data that may be contained in the contract with the operator or the delivery note for the purchased device (hereinafter collectively referred to as: personal data).

3. Purpose of Personal Data Collection

The controller will collect and process the aforementioned Personal Data exclusively for the purpose of verifying the fulfillment of the conditions for participation in the "SAMSUNG GALAXY S24 FE" promotion, and for the delivery of gifts if the user/customer has acquired the right to a gift.

4. Use of Personal Data

Personal data will be used exclusively for the aforementioned purposes of the controller, in accordance with applicable legislation and the privacy policy.

5. Legal Basis for Personal Data Processing

The controller collects and processes personal data for the performance of a contract to which the data subject is party (point (b) of Article 6(1) of GDPR).

6. Retention Period of Personal Data

Personal data will be retained only for as long as necessary to fulfill the stated purpose, but for a maximum of 6 months from the date of purchase.

7. Your Rights

Upon request, the controller will:

• enable access to personal data,
• supplement, correct, update, or delete personal data if it is incomplete, inaccurate, or outdated, and if its processing is not in accordance with the law or if the purpose of data collection has been fulfilled,
• restrict the processing of personal data, and
• ensure the right to data portability.

For more information, please refer to our Privacy Policy or contact us by email at dataprotection.sead@samsung.com.

If you believe that the processing of your personal data violates your privacy, you can contact the data protection officer (dataprotection.sead@samsung.com) to request clarification.

If you believe your rights have not been respected, you also have the right to lodge a complaint with the Information Commissioner (Dunajska cesta 22, 1000 Ljubljana, email: gp.ip@ip-rs.si phone: 012309730, website: www.ip-rs.si).

8. Other Information

For more detailed information on the measures taken to protect personal data, as well as on the possible disclosure of personal data, please read our Privacy Policy.

Privacy Policy

Effective Date: May 2018

Samsung Electronics Austria GmbH, Ljubljana Branch, and our branches (hereinafter referred to as "Samsung", "we", "us", "our") are aware of the importance of privacy for our staff, suppliers, customers, and other stakeholders. Therefore, we strive to ensure clarity regarding how we collect, use, disclose, transfer, and store personal data.

The following outlines the essential questions covered by our Privacy Policy. For more detailed information, please click on the links below:

1. Scope and Purpose
2. Responsibility for Compliance
3. Our Obligations
4. Definitions
5. GDPR Principles
6. Special Categories of Personal Data
7. Sharing of Personal Data (including transfers outside the EEA)
8. Profiling and Automated Decision-Making
9. Rights of Data Subjects
10. Procedure in Case of Data Security Breach
11. Authorizations for Data Access
12. Useful Contact Information

1. Scope and Purpose

This policy defines the rules for data protection and the legal conditions that must be met for the acquisition, handling, processing, storage, transfer, and destruction of personal data.

The types of information we will handle include details about current, former, and potential employees, suppliers, customers, and other individuals with whom we communicate. Data stored on paper or computer is subject to specific legal protection measures as outlined in the General Data Protection Regulation ("GDPR") and applicable data protection law(s), which provide limitations on how we may use this data.

Maintaining the highest standards in our handling of personal data is a collective and individual responsibility. This policy applies to how we obtain, use, store, and otherwise process personal data used in our business operations. It outlines the essential data obligations for us as an organization and includes the expectation that you will play your part in ensuring compliance.

This privacy policy applies to every Samsung employee and other personnel who provide services to Samsung (including, but not limited to, contractors and agency staff) (collectively referred to as "personnel"). All personnel are required to ensure they understand this policy and comply with it regarding any personal data they access in the course of their work.

Personnel will also be required to undergo training on this and related policies as required by Samsung.

This policy is not part of an employment or engagement contract with any person and may be amended at any time. Any violation of this policy will be taken seriously and may result in disciplinary proceedings, which could lead to termination of employment.

2. Responsibility for Compliance

The responsibility for overseeing data protection compliance, including adherence to this policy, lies with our Data Protection Officer, whose contact details can be found at the end of this policy.

Individual business managers are responsible for data protection compliance within their teams. If you believe the policy has not been followed concerning your data or the personal data of others, you should address this issue with your direct supervisor or the Human Resources or Legal department.

3. Our Obligations

GDPR provides for substantial fines for organizations that violate its provisions. Depending on the type of violation, organizations may be fined amounts exceeding EUR 20 million or 4% of their total global annual turnover in the previous financial year. These substantial fines increase the exposure to risks related to data protection compliance.

Furthermore, the new principle of accountability means it is more important than ever for us to demonstrate and document compliance by maintaining appropriate records, procedures, and systems (see the "Record Retention" section under point 10 below).

4. Definitions

The following definitions may assist you in reading this policy:

Criminal record data refers to information relating to criminal offenses and convictions against an individual.

Data controllers are persons or organizations that determine the purposes and means of processing personal data. They are responsible for establishing practices and policies in accordance with GDPR. We are the controller of all personal data used in our business. Our suppliers, consultants, and contractors may also be data controllers.

The term Data subjects for the purposes of this policy includes all living individuals whose personal data we hold, which includes current, former, and prospective customers, suppliers, agents, investors, and our personnel. A data subject cannot be a citizen or resident of Slovenia. All data subjects have certain legal rights regarding their personal data.

The term personal data includes data relating to a living person who can be identified from that data (or from that data and other information we hold). Personal data can be factual (such as name, address, or date of birth) or an opinion (such as an assessment of impact). The definition of "personal data" used in GDPR and in the applicable data protection law is very broad and allows for the designation of a wide range of personal identifiers as personal data. This includes name, identification number, and location data.

Processing is any activity that involves the use of personal data. It includes obtaining, using, observing, recording, or storing data, or performing any act or set of acts, including organizing, amending, returning, using, disclosing, deleting, or destroying data. Processing also includes the transfer of personal data to third parties.

Special category data (formerly known as sensitive personal data) includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, or sexual life, as well as genetic and biometric data when used to identify individuals.

5. GDPR Principles

Any person processing personal data must act in accordance with the applicable principles of good practice as set out in GDPR, which Samsung must adhere to.

• We will process personal data lawfully, fairly, and in a transparent manner (see the section "Lawfulness, Fairness, and Transparency").
• We will collect personal data for specified, explicit, and legitimate purposes; we will not process it in a manner that is incompatible with those purposes (see the section "Purpose Limitation and Data Minimization").
• We will process personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (see the section "Purpose Limitation and Data Minimization").
• We will ensure that personal data is accurate and, where necessary, kept up to date; where personal data is inaccurate, we will take every reasonable step to erase or rectify it without delay, considering the purposes for which the data is processed (see the section "Accuracy").
• We will not store personal data in a form that allows the identification of the data subject for longer than is necessary for the purposes for which the data is processed (see the section "Storage Limitation").
• We will implement appropriate technical or organizational measures to ensure the security of personal data, which includes protecting it against unauthorized or unlawful processing and against accidental loss, destruction, or damage (see the chapter "Integrity and Confidentiality").

The following provides additional details on each of these principles.

5.1. Lawfulness, Fairness, and Transparency

The purpose of applicable data protection law(s) is not to prevent the processing of personal data, but to ensure that it is carried out fairly and without adversely affecting the rights of data subjects.

One of the legal conditions for processing must be met for personal data to be processed lawfully. These conditions include the following: the data subject must have explicitly and voluntarily consented to the processing; processing is required by law; processing is necessary for the performance of a contract with the data subject; or processing is necessary for the legitimate interests of Samsung or the persons to whom the data is disclosed (unless the interests or fundamental rights and freedoms of the individual prevail). Before we process personal data (for example, before collecting personal data from an individual), we review our data collection processes and the reason why we need this data. We also identify the legal basis that allows us to obtain and process this data lawfully.

Data subjects must be provided with certain information in accordance with the law, including (but not limited to) who the data controller is (in this case, us, Samsung Electronics Austria GmbH, Ljubljana Branch, Letališka cesta 29a, Ljubljana, Slovenia), the purpose(s) for which the data is processed, the legal basis for data processing, the identities of any persons to whom the data may be disclosed or transferred, and the data subject's rights regarding their personal data. This information can be provided in appropriate privacy notices or fair processing notices.

You may process personal data only in accordance with the Company's guidelines and the Data Protection Officer's instructions. You must also comply with all instructions and guidelines provided to you regarding the provision of data privacy notices, including the timeframes within which data must be provided.

5.2. Purpose Limitation and Data Minimization

Personal data may only be processed for specific purposes for which the data subject has been informed at the time of initial data collection, or for any other purposes expressly permitted by applicable law(s). This means that personal data cannot be collected for one purpose and then used for another. If a change of purpose for which data is processed is necessary, the data subject will be informed of the new purpose before any processing occurs.

Any data that is not necessary for the purpose(s) for which the data subject has been notified should not be collected at all. You must not obtain any personal information from an individual unless it is necessary for your work.

5.3. Accuracy

Personal data must be accurate and kept up to date. Incorrect information is inaccurate, so steps must be taken to verify the accuracy of any personal data at the point of collection and then regularly at specified intervals. Inaccurate or outdated data must be destroyed. When you become aware that personal data we process is inaccurate, you must inform your supervisor/data processing contact person and take appropriate steps to destroy or amend it, while adhering to our data retention policy requirements where applicable.

5.4. Storage Limitation

Personal data must be kept in a form that does not allow the identification of data subjects for longer than is necessary for the purposes for which the data is collected. This means that data must be destroyed or deleted from our systems when it is no longer needed, or personal data must be organized.

After the retention period expires, unless there is a good business reason for retaining it beyond that period (e.g., if a data subject has initiated legal proceedings against us, and the retained personal data is essential for such proceedings), records containing personal data will be securely removed and effectively destroyed.

You are required to comply with the requirements of our document retention policy and take all reasonable measures to destroy or delete from our systems any personal data that is no longer needed, in accordance with our data retention policies, about which you will be periodically informed by your supervisor/data protection contact person.

5.5. Integrity and Confidentiality

We must ensure that appropriate security measures are in place to protect against unlawful or unauthorized processing of data and against accidental loss or damage to personal data. Data subjects may seek compensation through the courts if they suffer damage due to such loss.

Maintaining data security means ensuring the confidentiality, integrity, and availability of personal data, in accordance with the following definitions:

• Confidentiality means that data can only be accessed by persons authorized to use the data.
• Integrity means that personal data must be accurate and relevant for the purpose for which it is processed, and reliable throughout its lifecycle (i.e., unauthorized persons cannot modify it).
• Availability means that authorized users can access data only when they need it for authorized purposes. Therefore, personal data should be stored in our central computer system rather than on individual personal computers.

Security procedures include:

• Access Controls: Any unauthorized person observed in controlled access areas must be reported.
• Securing Desks and Cabinets: Desks and cabinets must be locked if they contain any confidential information. (Personal information is always considered confidential.)
• Destruction Methods: Paper documents must be shredded. Disks and CDs must be physically destroyed when no longer needed.
• Equipment: Samsung personnel must ensure that confidential data is not displayed on individual screens and that they log out of their personal computers when leaving them unattended.

You must follow all procedures and technologies we use to maintain the security of all personal data from collection to destruction. In practice, this means you must:

• Access personal data only for which you have authorization and only for the purposes for which you are authorized.
• Do not allow any other person (including other Samsung personnel) to access personal data unless you know that person has the appropriate authorization.
• Ensure the security of personal data (e.g., by adhering to access control rules, computer access, password protection, encryption, and data storage and destruction, as well as other precautionary measures outlined in Samsung's information security policy).
• Do not remove personal data (including personal data in files) or devices containing personal data (or that can be used to access such data) from Samsung premises, unless appropriate security measures are used (such as pseudonymization, encryption, or password protection) to protect information and devices.
• Do not store personal data on local hard drives or personal devices used for work, and comply with Samsung's BYOD (Bring Your Own Device) policy.

6. Special Categories of Personal Data

It may occasionally be necessary to process special categories of personal data.

We process special categories of personal data only when we have a legal basis for processing personal data (see section 5 of this policy) and when one of the specific conditions for processing special category data applies. These specific conditions include, but are not limited to, the following cases:

• The data subject has given explicit consent.
• Processing is necessary for the purposes of exercising the rights or obligations of Samsung or the data subject under employment law.
• Processing is necessary for the protection of the vital interests of the data subject, and the individual is physically unable to give consent.
• Processing relates to personal data that has been made public by the data subject.
• Processing is necessary for the establishment, exercise, or defense of legal claims.
• Processing is necessary for reasons of substantial public interest.
• Processing is necessary for the assessment of an employee's work capacity.

Before processing any special categories of personal data where processing is not already covered by an existing policy or written justification, you must inform your Manager and/or the Data Processing Officer of the proposed processing to assess whether the processing complies with the requirements of section 5 of this policy, whether a special condition mentioned above is applied, and whether any relevant criteria need to be considered. Special categories of personal data will not be processed until:

• The above assessment is not carried out; and
• The data subject has not been adequately informed (through a privacy notice or other means) about the nature of the processing, the purposes for which it is processed, and the legal basis.

7. Sharing of Personal Data (including transfers outside the EEA)

You may transfer personal data only to third-party service providers who undertake to comply with the required policies and procedures and any relevant contractual provisions that we require, and who agree to adopt appropriate measures in accordance with the requirements.

Personal data may be shared with another member of our group (which includes our branches and our ultimate holding company, along with its branches) if the recipient has a need for the information for work-related reasons, and if the transfer complies with the applicable cross-border data transfer limitations (see below).

Data protection laws restrict the transfer of data to countries outside the European Economic Area (hereinafter referred to as the "EEA") to ensure that the required level of data protection is not compromised.

You transfer personal data originating in one country across borders when you transfer, send, view, or access that data in another country or to another country. Special permission must be requested from the local legal department/data protection office before transferring personal data across borders, to verify that the necessary conditions are met.

8. Profiling and Automated Decision-Making

There are significant limitations on the circumstances under which automated decisions can be made about individuals (where a decision is made solely automatically, without any human involvement). Such a case is profiling (which is the automated processing of personal data for the purpose of evaluating certain aspects relating to individuals, for example, whether they might like a particular product).

This type of decision-making may only be used where it is necessary for the performance of a contract, where it is permitted by law, or where the individual gives their explicit consent. Data subjects also have the right to receive information about decision-making processes, and they have certain rights that must be communicated to them, including the right to request human intervention or to object to a decision, and there are strict limitations on the use of special category data for this type of decision-making.

When you are involved in an activity that involves automated decision-making or profiling, you must act in accordance with the instructions provided by your manager or any policy/guideline we provide. In any case, any profiling activity will be carried out in full compliance with all applicable laws.

9. Rights of Data Subjects

Data must be processed in accordance with the rights of data subjects. Data subjects have the right:

• In cases where they consent to data processing, to withdraw their consent at any time (this must be as easy as giving consent).
• To receive clear, transparent, and easily understandable information about how their personal data is used (which is why we provide a privacy notice).
• To request access to any data that the data controller holds about them.
• To request the correction and rectification of inaccurate data.
• To request the deletion of data that the data controller holds about them, when the conditions provided by the applicable law(s) are met.
• To request the restriction of processing, when the conditions provided by the applicable law(s) are met.
• To request the transfer of personal data to another controller, when the conditions provided by the applicable law(s) are met.
• To object to the processing of personal data, when the conditions provided by the applicable law(s) are met.
• Not to be subject to a decision based solely on automated processing, including profiling, where it produces legal or other significant effects for them, unless they have expressly consented to it or it is necessary for the conclusion or performance of a contract with them.
• To lodge a complaint with the Information Commissioner regarding our data processing, although we encourage the data subject to contact us first if they have any concerns, so that we can try to resolve them together.

When you become aware that a data subject wishes to exercise any of their rights, you must contact the Data Protection Office. It may be necessary to take appropriate measures to identify the person making the request.

A formal request for data access by a data subject (the requester) for information that Samsung Electronics Austria GmbH, Ljubljana Branch, holds about them can be submitted in writing. However, data subject requests for access to data do not need to be formal or in writing (e.g., they can be submitted via social media or by phone). Any staff member who receives a request must immediately forward it to the Data Protection Officer and/or the Legal and Compliance team. If in doubt about whether a request has been made, consult them.

The Data Protection Officer will respond to each request within 30 days of receipt, with specific exceptions. If Samsung cannot provide the requested personal data, the reasons for this will be fully documented, and the data subject will be informed in writing. The data subject will also be provided with the details of the relevant supervisory authority to whom a complaint can be submitted, as provided by applicable law(s).

10. Procedure in Case of Data Security Breach

Data security breaches are "breaches of security that result in accidental or intentional destruction, loss, alteration, unauthorized disclosure, or other processing." A breach does not necessarily mean that personal data has been externally disclosed without authorization, but it can mean that someone has accessed it without proper authorization.

We have an obligation to notify the relevant regulatory authority of individual data security breaches and, in limited cases, the data subject themselves.

It is imperative that you immediately notify the EHQ Security team, the SEAD Data Protection Officer, and/or the Legal and Compliance team of any data breach you are aware of or suspect, so that they can take the necessary actions and, if necessary, escalate the matter.

The reporting timelines for regulatory authorities regarding data security breaches are 72 hours (including weekends) from the moment you become aware of the breach. It is important that you immediately notify the relevant persons, even if you are unsure whether a breach has occurred, so that they can assess it and any obligations that may arise from it.

11. Authorizations for Data Access

Authorization for access to personal data collected and/or used by Samsung Electronics Austria GmbH, Ljubljana Branch, is granted only to the following persons:

• For access to personal data of employees and job applicants contained in the HR systems:
• Authorized legal representatives of Samsung Electronics Austria GmbH, Ljubljana Branch
• Human Resources Manager (Samsung Electronics Austria GmbH, Ljubljana Branch)
• Employees in the Human Resources department (Samsung Electronics Austria GmbH, Ljubljana), whose job duties involve handling the personal data of staff and job applicants
• Directly supervising managers of individual employees (Samsung Electronics Austria GmbH, Ljubljana Branch)
• For personal data collected via the video surveillance system:
• Authorized legal representatives of Samsung Electronics Austria GmbH, Ljubljana Branch
• Human Resources Manager (Samsung Electronics Austria GmbH, Ljubljana Branch)
• IT service technicians (Samsung Electronics Austria GmbH, Ljubljana Branch), whose job duties involve handling personal data collected via the video surveillance system
• For visitor entry/exit records:
• Authorized legal representatives of Samsung Electronics Austria GmbH, Ljubljana Branch
• Human Resources Manager (Samsung Electronics Austria GmbH, Ljubljana Branch)
• Information desk employees (Samsung Electronics Austria GmbH, Ljubljana Branch), whose job duties involve handling visitor entry/exit records
• For personal data of customers collected via websites established for specific marketing purposes:
• Authorized legal representatives of Samsung Electronics Austria GmbH, Ljubljana Branch
• Marketing managers whose job duties involve handling personal data collected for specific marketing purposes
• For personal data of customers stored in the GCIC system:
• Authorized legal representatives of Samsung Electronics Austria GmbH, Ljubljana Branch
• Service Group Manager (Samsung Electronics Austria GmbH, Ljubljana Branch)
• Service Group employees (Samsung Electronics Austria GmbH, Ljubljana Branch), whose job duties involve handling personal data stored in the GCIC system

12. Useful Contact Information

You can contact the Data Protection Service at:

Samsung Electronics Austria GmbH, Ljubljana Branch

Letališka cesta 29 a, 1000 Ljubljana, Slovenia

Email: Please contact us by sending a message to the email address dataprotection.sead@samsung.com

Addendum to Samsung's Privacy Policy FOR SLOVENIA

Effective Date: 1 July 2024

This addendum to Samsung's Privacy Policy ("Addendum for Slovenia") describes additional personal data practices and further information about our use of personal data of Slovenian residents, and should be read in conjunction with Samsung's Privacy Policy. In case of any discrepancy between the terms in Samsung's Privacy Policy and this Addendum for Slovenia, information on how Samsung uses your personal data should be found in this Addendum for Slovenia.

WHAT DATA DO WE COLLECT?

In addition to the personal data we collect about you as stated in our Privacy Policy, we also collect the following data:

• If you order a product from us, we will collect data about your purchase and ask for your name, address, contact and delivery details, and payment method to process your order.
• To provide helpful responses when you contact our customer support, we will request data to verify your identity and the product you are inquiring about.
• Voice recordings when you contact our customer support services.
• Information collected via cookies, including your interactions with our website.

HOW DO WE USE YOUR DATA?

We use the collected data for the following purposes:

• To enable website visits and orders through our website, device replacements, insurance arrangements, and the use of coupons and promotional offers.
• To process returns and exchanges of our products.
• To provide customer support when you contact our customer support services, and to answer your questions and complaints.
• To customize our website according to your preferences.
• To provide support on our website through live chat and chatbot platforms.
• To analyze the effectiveness of our services.
• To conduct training activities.
• Based on your explicit consent for direct marketing, advertising, and marketing-related communications, including personalized advertising via email, phone calls, instant messages, push notifications, and on online platforms, including our website and social media platforms. Such communications may relate to products, initiatives, and services from both Samsung and third parties (operating, for example, in the insurance, banking, financial, tourism, publishing, manufacturing, food, industrial, retail, gas, water, and energy sectors, as well as the rental of goods and services).
• For marketing profiling activities, which include assessing certain personal aspects relating to you, for analysis or prediction of your consumer/purchase preferences, and/or for inclusion in a specific marketing target group.
• To provide coupons and/or other benefits/rewards.
• To conduct customer assessments and research (including market research and customer satisfaction surveys).
• To send direct marketing messages via email for products and services similar to those you have already purchased, unless you object in the manner specified in Samsung's Privacy Policy, or later upon receiving relevant messages.
• To provide repair services, including through our authorized service centers.
• To protect the rights, property, or safety of Samsung, our business partners, or customers, which may include accessing the IMEI number of a device sold to you through our website to disable the device remotely, in circumstances where the device has been reported lost or stolen, or when you have not provided us with a replacement device promised as part of the Samsung Trade-In program.
• To ensure compliance with laws and legal procedures, including processing and responding to your requests to exercise your data privacy rights.

Samsung processes your personal data for the above-mentioned purposes, and our legal basis for processing your personal data is:

• To perform an action you have requested, for example, to provide you with our website or to fulfill an order you have placed.
• To pursue our legitimate business interests, for example, to improve customer experience and analyze the effectiveness of our services.
• To comply with laws and legal procedures.
• With your consent, for example, for personalized marketing.

ROLES REGARDING DATA PROTECTION

For certain marketing purposes in Europe, Samsung Electronics Co., Ltd. and its European subsidiaries will act as data controllers for the effective execution of marketing activities. If you wish to receive specific information about these roles, you can contact us.

For certain marketing activities in Europe, which include joint offerings of products and services from the Samsung Electronics Group and third-party products and services, Samsung Electronics Co., Ltd. and its European subsidiaries will act as joint controllers with these third parties. You can exercise your privacy rights against Samsung Electronics Co., Ltd. or a Samsung subsidiary; the essence of the joint control agreement can be requested in the manner described in the "CONTACT US" section.

WHERE DO WE SEND YOUR DATA?

In addition to the locations mentioned in our Privacy Policy, in some cases we may send your data to other countries where our subcontractors (data processors) are located. In such cases, we will ensure that your data is processed securely and that our subcontractors (data processors) implement all appropriate security measures.

CONTACT US

If you wish to submit a privacy request, update your settings, or if you have privacy concerns, you can contact us via www.samsung.com/request-desk or by mail at:

European Data Protection Officer

Samsung Electronics (UK) Limited

Samsung House, 2000 Hillswood Drive, Chertsey, Surrey KT16 0RS, United Kingdom

or

Samsung Electronics Austria GmbH, Ljubljana Branch

Letališka cesta 29 a, 1000 Ljubljana, Slovenia