In the following, NIPPON STEEL ENGINEERING CO., LTD. ("NSE"), its Head Office located at Osaki 1-5-1, Shinagawa-ku, Tokyo, 141-8604, Japan, provides information on the processing of personal data in the context of activities of NSE in connection with its relationship with existing and potential customers, trading companies, end users, goods and service suppliers, agents, advisors, research institutions, industrial organizations and other persons with whom NSE or any of its group company maintains or is considering to create a business relationship (each a "Business Partner") pursuant to Art. 13 and 14 of the European General Data Protection Regulation ("GDPR").

A. Categories and sources of personal data

NSE may process the following personal data:

• Profile and contact Information, such as full name, work position, work address, work telephone number, work mobile phone number, work fax number and work email address of a Business Partner who is an individual, or a person working for a Business Partner (each shall be referred to as a "Business Partner Contact");
• Further information processed in connection with the relationship between NSE and a Business Partner or voluntarily provided by a Business Partner Contact.

B. Intended purposes of processing and legal basis for processing

NSE processes the personal data indicated above in section A for the following purposes:

• Communicating with Business Partner Contacts about products and services of NSE, e.g. by responding to inquiries or requests, entering into or executing transactions for products or services, providing technical support;
• Communicating with Business Partner Contacts about the products and services of Business Partners;
• Planning, performing and managing the business relationship with Business Partners;
• Solving disputes, enforcing agreements and/or to establish, exercise or defend legal claims;
• Complying with applicable laws and regulations, including cooperating with relevant authorities and regulators.

When processing of personal data is necessary for the performance of a contract to which a Business Partner Contact is party or in order to take steps at the request of a Business Partner Contact prior to entering into a contract, the legal basis for such processing is Article 6 (1) (b) of the GDPR.

When personal data is explicitly provided by a Business Partners Contact, the legal basis for the processing is the consent given by the Business Partner Contact (Article 6 (1) (a) of the GDPR).

When processing of personal data is necessary to comply with a legal obligation, the legal basis for the processing is Article 6 (1) (c) of the GDPR.

Otherwise, the legal basis for processing of personal data indicated above in Section A by NSE is Article 6 (1) (f) of the GDPR. The legitimate legal interest pursued by NSE is the transmission and receipt of information in order to conduct its business activities, including expanding and/building a business relationship with Business Partners.

NSE generally does not seek to collect or otherwise process special categories of personal data of Business Partner Contacts, such as those revealing religious or philosophical beliefs, in the ordinary course of its business. Where it becomes necessary to process such special categories of personal data for any reason, NSE relies on the following legal bases depending on the circumstances: (i) explicit consent of the Business Partner Contact has been given (Article 9 (2) (a) of the GDPR), (ii) the personal data are manifestly made public by the Business Partner Contact (Article 9 (2) (e) of the GDPR), (iii) processing is necessary for the establishment, exercise or defense of legal claims (Article 9 (2) (f) of the GDPR).

C. Transfer and disclosure of personal data

For the purposes indicated under section B above, NSE may disclose personal data to the following recipients or categories of recipients:

• Directors, supervisory board members, senior advisors, executive officers, employees (including employees undergoing their probationary employment period), temporary employees, and any persons who correspond to such positions ("Staff") of NSE;
• External advisors such as attorneys, accountants and tax advisors ("Advisors") of NSE;
• Group companies of NSE and their Staff and Advisors whom NSE needs to share the data with for the purpose of processing;
• Other Business Partners and their Staff whom NSE needs to share the data with for the purpose of processing;
• Governmental agencies, boards, commissions, officers, officials or entities exercising legislative, judicial, regulatory or administrative functions.

Recipients of personal data may be located in countries and areas outside of the European Economic Area ("Third Countries"). NSE transfers personal data to external recipients in Third Countries only in case: (i) the respective recipient is located in a country or area which has received an adequacy decision from the European Commission, (ii) the respective recipient entered into Standard Data Protection Clauses/Standard Contractual Clauses pursuant to Article 46 (2) (c) of the GDPR with NSE, (iii) in case of US recipients - the recipient is certified under the EU-US Privacy Shield, (iv) the Business Partner Contact explicitly consents to the transfer of his/her personal data, or (v) another requirement under Article 49 of the GDPR is met. In case of (ii), Business Partner Contacts can receive a copy of the Standard Data Protection Clauses/Standard Contractual Clauses by contacting NSE through the contact information in section F below.

D. Period for which personal data will be stored

Unless indicated otherwise, NSE will retain personal data for as long as is necessary for the purpose for which they were collected or otherwise processed (including as required by applicable law or regulation or for the exercise or defense of legal claims).

E. Rights of the data subject

I. Access, rectification, erasure, restriction, data portability

With regard to the processing of his/her personal data, a Business Partner Contact has the following rights within the limits set forth in the GDPR:

• Right to request from NSE access to his/her personal data pursuant to Art. 15 GDPR.
• Right to request from NSE rectification of his/her personal data pursuant to Art. 16 GDPR
• Right to request from NSE erasure of his/her personal data pursuant to Art. 17 GDPR
• Right to request from NSE restriction of processing pursuant to Art. 18 GDPR
• Right to data portability pursuant to Art. 20 GDPR

II. Right to object

A Business Partner Contact has the right to object on grounds relating to his/her particular situation, at any time to processing of his/her personal data which is based on Art. 6(1) (f) of the GDPR (see section B above), including profiling (if any) based on the same provision pursuant to Art. 21 (1) of the GDPR.

If personal data is processed for direct marketing purposes, a Business Partner Contact has the right to object at any time to processing of his/her personal data for such marketing, which includes profiling (if any) to the extent that it is related to such direct marketing pursuant to Art. 21 (2) of the GDPR.

III. Right to withdraw consent

Where the processing is based on his/her consent (Art. 6(1) (a) or Art. 9(2) (a) of the GDPR), a Business Partner Contact has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

IV. Right to lodge a complaint

A Business Partner Contact has the right to lodge a complaint with a supervisory authority pursuant to Art. 57 (1) (f) GDPR.

F. Data Privacy Contact

If a Business Partner Contact has a question with regard to processing of his/her personal data or wants to exercise any of the above rights in section E above, he/she may contact NIPPON STEEL ENGINEERING CO., LTD. at: nsengi_EEA_rep@eng.nipponsteel.com

NSE will endeavor to address and settle any requests or complaints brought to its attention. In addition to the above, there is a possibility of approaching the competent data protection authority with requests or complaints.

As of: 28 June, 2021