Sirius Privacy Policy (“Privacy Policy”) for processing within the UK and Guernsey

1 Scope
- 1.1 Sirius Real Estate Limited (Sirius, We, Our, Us) is committed to safeguarding the privacy and confidentiality of the Personal Data you have entrusted to us. Our business relates to the investment and development of commercial property and provision of flexible and conventional workspaces, exclusively within Germany. As a result, the majority of personal data processed by us is undertaken in Germany.
- 1.2 This Privacy Policy relates solely to our processing within the UK, (where we are listed on the London Stock Exchange) and Guernsey, where our parent company is incorporated. For processing undertaken in other jurisdictions (Germany) please see our main privacy policy https://www.siriusfacilities.com/de/sirius-facilities/datenschutzerklaerung. This Privacy Policy is addressed to:
  - (a) shareholders who have purchased shares listed on the London Stock Exchange; and
  - (b) tenants, or employees and beneficial owners of corporate tenants; to the extent that your Personal Data is processed by us in the UK or Guernsey.
- 1.3 This Privacy Policy specifically relates to processing undertaken by:
- 1.4 Sometimes, the above listed entities will also share Personal Data with Sirius Facilities GmbH, which delivers most of the operational services of our business. We can confirm which processing activities are undertaken by which entity on request.
- 1.5 Sirius’ websites may contain links to other third party websites. If you follow a link to any of those third party websites, please note that they have their own privacy policies and that Sirius does not accept any responsibility or liability for their policies or processing of your Personal Data. Please check these policies before you submit any Personal Data to such third party websites.

2 Purpose
- 2.1 The purpose of this Privacy Policy is to allow you to understand what Personal Data Sirius will collect, how we will use it, and who may access it, within the UK or Guernsey.
- 2.2 By providing your information to us, whether via our website, in person, in writing or over the phone, you acknowledge the processing set out in this Privacy Policy. Further notices highlighting certain uses we wish to make of your Personal Data together with the ability to opt in or out of selected uses may also be provided to you when we collect Personal Data from you.
3 Accountability
- 3.1 Sirius has strict policies and procedures governing how it deals with your Personal Data. Each and every one of Sirius’ employees is responsible for respecting and protecting the Personal Data to which the employee has access.
4 Personal Data that Sirius collects
- 4.1 Sirius only collects the Personal Data that we determine is required for the purposes set out at Section 6: Purposes for which we use your Personal Data. We may collect:
  - (a) Information you provide to Sirius ► Personal Data that you provide to Sirius, such as when using the contact form on our websites, including your name, email address, and other contact details; employer information, issues of interest (to the extent that this amounts to Personal Data);
  - (b) In relation to shareholders only, information relating to your shareholding ► share register services are outsourced to registrars, which hold the majority of this Personal Data. We periodically receive reports listing our shareholders;
  - (c) Your transactions and tenancies ► we receive a small amount of data relating to transactions and tenancies. Most tenancy information is processed by Sirius Facilities GmbH and is covered by our primary privacy https://www.siriusfacilities.com/de/sirius-facilities/datenschutzerklaerung however in relation to key transactions, a subset of tenant data is shared with our UK and Guernsey entities for the purpose of reporting to the Sirius Real Estate Limited board in the case of property acquisitions, disposals and CAPEX requirements.
  - (d) Our correspondence ► if you contact Sirius, we will typically keep a record of that correspondence;
  - (e) Device Information ► such as information about your operating system, browser, software applications, geolocation, security status and other device information in order to improve your experience, to protect against fraud and manage risk;
  - (f) Website and communication usage ► details of your visits to Sirius’ websites and information collected through cookies and other tracking technologies including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access;
5 Purposes for which we use your Personal Data
- 5.1 When Sirius collects your Personal Data. Sirius may use or disclose it for the following purposes. Below each purpose Sirius notes the “lawful basis” that allows that use of your Personal Data. An explanation of the scope of the “lawful bases” can be found in Annex A.
  - (a) To facilitate our internal reporting and make business and investment decisions ► Property summaries are provided to Sirius Real Estate Limited (our parent company) in order to make Board decisions, for example the approval of a property acquisition/disposal or CAPEX.
  - Lawful bases: legitimate interests (to enable Sirius to make key business decisions, authorise transactions and finance transactions)
  - (b) To understand who our shareholders are and undertake reporting and analysis ► Our corporate records contain information in respect of shareholders listed on the London Stock Exchange (LSE) to include names and addresses, account designations and the amount of shares held. We share this information with our authorised brokers to undertake reporting analysis.
  - Lawful bases: legitimate interests (to understand our shareholder demographic and undertake reporting and analysis); legal obligations
  - (c) To comply with legal or regulatory requirements, or as otherwise permitted by law ► Sirius may process your Personal Data to comply with its regulatory requirements (for example, to comply with anti-money laundering or insider dealing requirements) or dialogue with its regulators or defend or prosecute claims as applicable which may include disclosing your Personal Data to third parties, the court service and/or regulators or law enforcement agencies in connection with enquiries, proceedings or investigations by such parties anywhere in the world. Where permitted, Sirius will direct any such request to you or notify you before responding unless to do so would prejudice the prevention or detection of a crime.
  - Lawful bases: legal obligations; legal claims; legitimate interests (to cooperate with law enforcement and regulatory authorities)
  - (d) To inform you of changes ► to notify you about changes to Sirius’ services and products;
  - Lawful bases: legitimate interests (to notify you about changes to Sirius’ services)
  - (e) To reorganize or make changes to Sirius’ business ► in the event that Sirius (i) is subject to negotiations for the sale of Sirius’ business or part thereof to a third party, (ii) are sold to a third party or (iii) undergo a reorganization, Sirius may need to transfer some or all of your Personal Data to the relevant third party (or its advisors) as part of any due diligence process for the purpose of analyzing any proposed sale or reorganisation. Sirius may also need to transfer your Personal Data to that reorganised entity or third party after the sale or reorganisation for them to use for the same purposes as set out in this policy;
  - Lawful bases: legitimate interests (in order to allow Sirius to change our business)
  - (f) To communicate effectively with you and conduct Sirius’ business ► to conduct Sirius’ business, including to respond to your queries, to otherwise communicate with you, or to carry out its obligations arising from any agreements entered into between you and Sirius.
  - Lawful bases: contract performance; legitimate interests (to enable Sirius to perform its obligations and provide its services to you)

6 Sharing your Personal Data (and transfers outside of the EEA)
- 6.1 Sirius will only use or disclose your Personal Data for the purpose(s) for which it was collected and as otherwise identified in this EEA Privacy Policy.
- 6.2 Sharing outside Sirius: Personal Data may be provided to third parties, including our brokers, share registrars, legal advisors, auditors, financial advisors, regulatory authorities or other self-regulatory organizations (when required to satisfy the legal or regulatory requirements of governments), regulatory or law enforcement authorities (where required or in cases of suspected criminal activity or contravention of law), or to comply with a court order or for the protection of our assets.
- 6.3 Sharing within Sirius: Sirius may share your Personal Data with other Sirius companies where Sirius does business, for legal and regulatory purposes, to manage credit risk and other business risks, to perform analytics, to ensure Sirius has correct or up to date information about you and to better manage your relationship with Sirius.
- 6.4 Transfers outside of the EEA: Your Personal Data may be accessed suppliers or other persons in, transferred to, and/or stored at, a destination outside the EEA in which data protection laws may be of a lower standard than in the EEA. Sirius will, in all circumstances, safeguard Personal Data as set out in this EEA Privacy Policy.
- 6.5 Where Sirius transfers Personal Data from inside the EEA to outside the EEA, Sirius may be required to take specific additional measures to safeguard the relevant Personal Data. Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections to EEA data protection laws and therefore no additional safeguards are required to export Personal Data to these jurisdictions. In countries which have not had these approvals (see the full list here http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm), Sirius will establish legal grounds justifying such transfer, such as EU Commission-approved model contractual clauses, or other legal grounds permitted by applicable legal requirements.
- 6.6 Please contact us, see Annex B if you would like to see a copy of the specific safeguards applied to any export of your Personal Data.
7 Retention of your Personal Data
- 7.1 Sirius’ retention periods for personal data are based on business needs and legal requirements. Sirius retains your Personal Data for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose. For example, Sirius may retain certain transaction details and correspondence until the time limit for claims arising from the transaction has expired, or to comply with regulatory requirements regarding the retention of such data. When Personal Data is no longer needed, Sirius either irreversibly anonymises the data (and Sirius may further retain and use the anonymised information) or securely destroys the data.
8 Safeguarding your Personal Data
- 8.1 Sirius uses physical, electronic and procedural safeguards to protect against unauthorized use, access, modification, destruction, disclosure, loss or theft of your Personal Data in Sirius’ custody or control.
- 8.2 Sirius has agreements and controls in place with third party service providers requiring that any information Sirius provides to them must be safeguarded and used only for the purpose of providing the service Sirius has requested the company to perform.
- Security over the internet
- 8.3 No data transmission over the Internet or website can be guaranteed to be secure from intrusion. However, Sirius maintains commercially reasonable physical, electronic and procedural safeguards to protect your Personal Data in accordance with data protection legislative requirements.
- 8.4 All information you provide to Sirius is stored on its or Sirius’ subcontractors’ secure servers and accessed and used subject to Sirius’ security policies and standards. You are responsible for complying with any other security procedures of which you have been notified by Sirius.

9 Changes to this EEA Privacy Policy
- 9.1 From time to time, Sirius may make changes to this Privacy Policy.
- 9.2 This Privacy Policy at http://www.sirius-real-estate.com/privacy-policy/ is always the most recent version.
- 9.3 Please see Annex B to ask any questions you may have about this Privacy Policy.
10 Your Rights
- 10.1 If you have any questions in relation to Sirius’ use of your Personal Data, you should first contact Sirius as per the contact details in Annex B. Under certain conditions (in particular where Sirius has directed the use of your Personal Data from one of its European branch offices), you may have the right to require Sirius to:
  - (a) provide you with further details on the use Sirius makes of your information;
  - (b) provide you with a copy of information that you have provided to Sirius;
  - (c) update any inaccuracies in the Personal Data Sirius holds;
  - (d) delete any Personal Data that Sirius no longer has a lawful ground to use;
  - (e) where processing is based on consent, to withdraw your consent so that Sirius stops that particular processing;
  - (f) object to any processing based on the legitimate interests ground unless Sirius’ reasons for undertaking that processing outweigh any prejudice to your data protection rights; and
  - (g) restrict how Sirius uses your information while a complaint is being investigated.
- 10.2 Your exercise of these rights is subject to certain exemptions to safeguard the public interest (e.g. the prevention or detection of crime) and Sirius’ interests (e.g. the maintenance of legal privilege). If you exercise any of these rights, Sirius will check your entitlement and respond in most cases within a month.
- 10.3 If you are not satisfied with Sirius’ use of your Personal Data or Sirius’ response to any exercise of these rights you have the right to complain to the data protection regulator in the country where the Sirius company with which you deal is established. The relevant regulators are listed in Annex B.
11 Contact Us
- 11.1 If you have any questions or concerns about our privacy practices, the privacy of your Personal Data or you want to change your privacy preferences, please let Sirius know. The relevant contacts are listed in Annex B.
- 11.2 If after contacting Sirius you do not feel that Sirius has adequately addressed your concerns, you may contact the data protection regulator in the country where the Sirius company with which you deal is established.

ANNEX A: Table of Lawful Bases

Use of Personal Data under EU data protection laws must be justified under one of a number of legal “grounds” and Sirius is required to set out the grounds in respect of each use in this policy. An explanation of the scope of the grounds available is set out below. Sirius notes the grounds Sirius uses to justify each use of your information next to the use in the “Uses of your Personal Data” section of this policy.

These are the principal legal grounds that justify our use of your information:

Consent: where you have consented to Sirius’ use of your information. More information is set out at Section 4. You may withdraw your consent by Contacting us, see Annex B.

Contract performance: where your information is necessary to enter into or perform Sirius’ contract with you.

Legal obligation: where Sirius needs to use your information to comply with its legal obligations.

Legitimate interests: where Sirius uses your information to achieve a legitimate interest and Sirius’ reasons for using it outweigh any prejudice to your data protection rights.

Legal claims: where your information is necessary for Sirius to defend, prosecute or make a claim against you, Sirius or a third party.

Annex B: Sirius Entities in the UK and Guernsey

Entity name	Address	Data Protection Contact	Data Protection Regulator
Sirius Real Estate Limited	Elizabeth House, Les Ruettes Brayes, St Peter Port, Guernsey GY1 1EW, Channel Islands	website@sirius-real-estate.com +44 1481 746024	Office of the Data Protection Commissioner Guernsey Information Centre North Esplanade, St Peter Port Guernsey GY1 2LQ Telephone: +44 (0)1481 742074 Email: enquiries@dataci.org
Sirius Facilities (UK) Limited	33 St. James' Square, Pall Mall London, United Kingdom, SW1Y 4JS	website@sirius-real-estate.com +44 1481 746024	The Information Commissioner’s Office Water Lane, Wycliffe House Wilmslow - Cheshire SK9 5AF Tel. +44 1625 545 745 e-mail: international.team@ico.org.uk

From time to time, your Personal Data may also be processed by Sirius Facilities GmbH, the Group company chiefly responsible for operational delivery. The majority of processing of Personal Data undertaken by Sirius Facilities GmbH is not covered under this privacy policy and is set out here https://www.siriusfacilities.com/de/sirius-facilities/datenschutzerklaerung

Sirius Facilities GmbH

Lennéstrasse 3

10785 Berlin

Matthias Riße
Eichhorsterweg 80
13435 Berlin

Telefon: +49 30 4377 8625
E-Mail: mrisse@kedua.de

Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit

Husarenstraße 30

53117 Bonn

Tel. +49 228 997799 0; +49 228 81995 0

Fax +49 228 997799 550; +49 228 81995 550

e-mail: poststelle@bfdi.bund.de

Disclaimer - Important

TERMS OF ACCESS TO INFORMATION ABOUT A PROPOSED OFFERING (THE "TRANSACTION") BY SIRIUS REAL ESTATE LIMITED (THE "COMPANY")

Please read this notice carefully - it applies to all persons who view this site and, depending on where you are located, may affect your rights or responsibilities. The Company reserves the right to amend or update this notice at any time and you should, therefore, read it in full each time you visit the site. In addition, the contents of this part of the website may be amended at any time, in whole or in part, at the sole discretion of the Company.

The materials you seek to access are made available in good faith and for information purposes only and are subject to the terms and conditions set out below. Any person seeking to access this webpage represents and warrants to the Company that they are doing so for information purposes only and they agree to be bound by the terms and condition set out below. If you do not agree to the terms and conditions please exit this site by clicking "I disagree" box below.

Viewing the materials you seek to access may not be lawful in certain jurisdictions. In other jurisdictions, only certain categories of person may be allowed to view such materials. Any person who wishes to view these materials must first satisfy themselves that they are not subject to any local requirements that prohibit or restrict them from doing so. Any failure to comply with any such restrictions may constitute a violation of the securities laws or regulations of such jurisdiction.

The information contained in this part of the website does not constitute an offer of securities for sale or subscription or any solicitation for any offer to buy or subscribe for any securities in the United States, Australia, New Zealand Canada, and Japan and South Africa or any other jurisdiction if to do so would constitute a violation of the relevant laws of, or require registration thereunder in, such jurisdiction (each a "Restricted Jurisdiction"). If you are located or resident in the United States or any other Restricted Jurisdiction, please exit this webpage by clicking on the "I disagree" box below.

The information to which this gatepost gives access is intended exclusively for persons who are not residents of the United States and who are not physically located in the United States. The information contained in this part of the website does not constitute an offer to sell, or a solicitation of an offer to buy, securities in the United States. The securities referred to herein have not been and will not be registered under the U.S. Securities Act of 1933, or with any securities regulatory authority of any state or other jurisdiction of the United States, and may not be offered, sold, resold, transferred, delivered or distributed, directly or indirectly, in any form, in or into, the United States, except pursuant to an applicable exemption from, or in a transaction not subject to, the registration requirements under the Securities Act and in compliance with any applicable securities laws of any state or other jurisdiction of the United States. No public offering or sale of securities in the United States will be made.

You should not download, mail, forward, distribute, send or show the information or documents contained on this part of the website to any person. The information contained in this part of the website, including any material you may access, is not to be provided by you to any other person, in electronic form or otherwise, and is not to be accessed, published, copied, forwarded or otherwise disseminated in or into the United States.

Any securities referred to in the materials that follow will not be registered under the securities laws of any Restricted Jurisdiction and may be offered or sold, directly or indirectly, within such jurisdictions only pursuant to an applicable exemption from and in compliance with any applicable securities laws.

Members of the public are not eligible to take part in the placing. These materials are only addressed to and directed at: (i) persons in Member States of the European Economic Area (the "EEA") who are qualified investors within the meaning of article 2(e) of Regulation (EU) 2017/1129 and (ii) persons in the United Kingdom who are qualified investors within the meaning of article 2(e) of Regulation EU) 2017/1129 as it forms part of UK domestic law by virtue of the European Union (Withdrawal) Act 2018 who are: (a) persons who have professional experience in matters relating to investments falling within the definition of “investment professionals” in Article 19(5) of the Financial Services and Markets Act 2000 (Financial Promotion) Order 2005 (the "Order") or (b) are persons falling within Article 49(2)(a) to (d) (“high net worth companies, unincorporated associations, etc”) of the Order; and (c) other persons to whom this communication may lawfully be communicated (all such persons in (a), (b) and (c) above together being referred to as "relevant persons"). The securities described in the materials are only available to, and any invitation, offer or agreement to subscribe, purchase or otherwise acquire such securities will be engaged in only with, Qualified Investors in any Member State of the EEA and relevant persons in the United Kingdom. Any person in any Member State of the EEA who is not a Qualified Investor and any person in the United Kingdom who is not a relevant person should not act or rely on the materials or any of their contents.

If you are not permitted to view materials on this webpage or are in any doubt as to whether you are permitted to view these materials, please exit this webpage by clicking on the “I disagree” box below.

By proceeding, you agree to comply with the terms set out above and confirm that you are a resident of the country you identified earlier who is accessing this website from within that country, and you additionally represent, warrant and agree that:

You are not accessing this website from within the United States or any other Restricted Jurisdiction;
You will not print, download, or otherwise seek to copy, mail, forward, distribute or send any of the materials on this webpage to any other person at any time; and
You intend to access this webpage for information purposes only and that you have read and understood the disclaimer set out above and are permitted to proceed to electronic versions of the materials.

Privacy policy

Sirius Privacy Policy (“Privacy Policy”) for processing within the UK and Guernsey

Important

Important

Disclaimer - Important

TERMS OF ACCESS TO INFORMATION ABOUT A PROPOSED OFFERING (THE "TRANSACTION") BY SIRIUS REAL ESTATE LIMITED (THE "COMPANY")

No Access