CHARGESIGHT PRIVACY NOTICE

HELIOXGROUP B.V. and AFFILIATES - June 2021


Dear Supplier,

Heliox has over 30 years of Professional Power Conversion experience and is a Global Market Leader in charging infrastructure for electric buses. Our products are being used in the world’s largest opportunity DC charging projects in Europe. Our excellent R&D capabilities enable us to create and develop, together with our customers and suppliers, innovative and high quality future proof charging solutions in the most demanding markets.

Heliox has a strong focus on Compliance and Corporate Social Responsibility. We care about the impact we have on our customers, suppliers, our people, our environment and future generations to come. Part of it is personal data of the persons we are doing our business with.

Heliox (“we”, “Heliox”) and Heliox Affiliated Companies  take the protection of your personal data seriously. We are committed to process your personal data held by us in accordance with the applicable legislation and regulations for the protection of personal data.

DATA CONTROLLER

For the purpose of this Heliox Privacy Notice Suppliers (“Privacy Notice”), the data controller is Heliox Group B.V., with registered offices at De Waal 24, (5684 PH) Best.

Heliox Affiliated Companies may also receive and process your personal data, either in the capacity of controller or processor and this Privacy Notice applies equally to them.

Michael Colijn, CEO Heliox

We believe that taking care of people and the environment is fundamental to the success of our business.

[1] “Affiliate” means a (legal) entity that is affiliated with,or that directly or indirectly controls, is controlled by or is under commoncontrol with, Heliox. ‘Control’ meaning ownership of 50% (fifty percent) ormore of the share capital or the right to exercise 50% (fifty percent) or moreof the voting rights in the appointment of the directors of such company, firm,partnership or other legal entity, but any such legal entity shall be deemed tobe an Affiliate only as long as such liaison exists.

1. TYPES OF SUPPLIER PERSONAL DATA WE COLLECT

We process the following types of personal data about the contact persons of our Suppliers:

Identification data - name and last name, signature, civil status (for salutation), passport data, social security number, date of birth, gender;

Contact data - telephone number, email, (physical) address (when relevant) and language of these contact persons;

Financial data - banking data, cost centre required for invoicing or payments, credit status, creditworthiness;

Other business detail - business title or professional role, resume/CV, Supplier ID, (digital) signature, training records, qualifications data, fulfilment of our contractual obligations, contract data, tender data, records relating to queries/questions/complaints/order;

Electronic identification data - in case you visit our websites, there are certain data processed by the website browser and cookies. More information can be found in the Heliox Privacy Notice Digital Platforms;

Criminal conviction and offences - personal data can screened based on the sanction list to the extent required for the purposes of the international obligations of Heliox (Know Your Supplier and Anti-Money Laundering obligations).

2. SOURCES OF THE PERSONAL DATA:

We collect your personal data when as an individual you:

- provide goods or services to us;

- are designated by your employer as our contact for the submitting proposals, managing Heliox’s assignments, invoicing, or for managing the service relationship and paying invoices; or

- otherwise provide us or any of our employee with your contact details or other personal data.

Personal data may also be obtained from published sources (e.g. Chamber of Commerce (Kamer van Koophandel) to confirm for example signatory powers, social media) and from Heliox Affiliated Companies.

3. PURPOSES OF THE PERSONAL DATA PROCESSING

We process your personal data:

• to purchase and receive from our Suppliers their products or services (to communicate regarding your purchases and requested services);

• to select our suppliers (tender process), to instruct our suppliers and services providers and compensate them for their services;

• to correspond with our business or professional contacts;

• to provide Supplier support and trainings, business or professional contacts (providing targeted information on products or services);

• to send administrative information (changes to our terms and conditions or policies);

• to participate to our surveys, promotions, contests and to administer these activities;

• to finance and share accounting services, providing record to report and purchase to pay services;

• for other business purposes (analysing and managing our businesses, market research, audits, developing new products, improving our services and products, determining the effectiveness of our promotional campaigns;

• as we believe necessary or appropriate (to comply with our legal obligations (e.g. to comply with economic and trade sanctions), to monitor credit status, to respond to requests from public and government authorities, to enforce our terms and conditions, to protect our operations or those of any of Heliox Affiliated Companies, to protect our rights, privacy, safety or property, and/or that of Heliox Affiliated Companies, you or others, and to allow us to pursue available remedies or limit the damages that we may sustain).

4. LEGAL BASIS OF THE PERSONAL DATA PROCESSING

The mentioned processing activities are necessary to:

(i) enter into and perform a contract with you;

(ii) to serve our legitimate business interests; or

(iii) to comply with our legal obligations.

We will ask your consent for the activities described in this Privacy Notice when required by applicable law and the activities are not covered by one of the above mentioned legal basis for personal data processing.

If you do not want to provide us with your personal data and they are necessary for the purposes described above, we will not be able to enter into a contract with you or conduct business with you.

5. HOW WE DISCLOSE OR TRANSFER YOUR PERSONAL DATA

To the extent permissible by applicable laws and in line with this Privacy Notice, we may disclose your personal data:

to Heliox Affiliated Companies, for purposes consistent with this Privacy Notice. We take precautions to limit the access to your personal data only to those staff members who have a legitimate business need to access it in accordance with this Privacy Notice;

to our third-party services providers or our clients such as payment or invoicing processing, IT services, website hosting, order fulfilment, infrastructure provision, security, auditing services and other services, to enable them to provide their services;

to any competent law enforcement body, regulatory, government agency, court or other third party, such as without limitation, the police authorities, the tax authorities, the social security authorities, when such transfer is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, (iii) to protect your vital interests or the ones of any other individual, or (iv) based on a court order;

to our auditors, advisors, legal representatives and similar agents in connection with advisory services they provide to us for legitimate purposes and in accordance for the purposes described in this Privacy Notice;

in the event that we, or any portion of our assets, are acquired, we may share all types of personal data with the acquiring company.

We do not transfer your personal data to third parties outside the EEA (European Economic Area) other than to Heliox Affiliated Companies, except in the following cases:

• you have explicitly consented to the transfer;

• the transfer is necessary for the performance of a contract between you and us or the implementation of pre-contractual measures taken at your request;

• the transfer is necessary for the conclusion or performance of a contract concluded in your interest between us and another natural or legal person;

• the transfer is necessary for important reasons of public interests;

• the transfer is necessary for the establishment, exercise or defence of legal claims;

• the transfer is necessary in order to protect your vital interest or of other persons, where the data subject is physically or legally incapable of giving consent;

• when using standard EU model clauses; or

• when authorized by the data protection authority.

We always put adequate safeguards (European Commission or Standard Contractual Clauses) and take necessary measures to protect your personal data while transferring your personal data to the third parties within or outside EU or EEA.

6. HOW WE PROTECT YOUR  PERSONAL DATA

We take technical and organizational measures to adequately protect your personal data and to maintain its quality. We make improvements to this protection on an ongoing basis in line with technical progress. We use a range of physical, electronic and managerial measures to ensure that we keep your personal data secure.

7. HOW LONG WE KEEP YOUR PERSONAL DATA

We retain your personal information for the period necessary to fulfil the purposes mentioned above:

• as long as you remain a Supplier or a business stakeholder; or

• as long as the statutory limitation period to initiate a claim or legal action; or

• for a longer retention period if it is required or permitted by law (e.g. health and safety legislation, in case of a litigation).

8. HOW CAN YOU EXERCISE YOUR RIGHTS?

You have a number of rights under the applicable data protection laws.

Right to be informed - You have the right to be informed about how we process your personal data. This is the purpose of this Privacy Notice.

Right to access - You have the right to access your personal data and review your personal data.

Right to have your data erased - You have the right to have your personal data deleted.

Right to have your data corrected - You have the right to have your personal data to be corrected or updated.

The right to restrict data processing - You have the right to object or restrict processing of your personal data.

The right to data portability - You have the right to ask portability of your personal data and to receive your personal data in a structured, machine-readable format for your own purposes or to request to share it with a third party.

Right not to be subject to a decision based on an automated process - You have the right not to be subject to a decision based solely on an automated process, including profiling, which produces legal effects concerning you or similarly significantly affect you.

Right to withdraw your consent -You have the right to withdraw your consent at any time, where we rely on it to process your personal data.

The above rights may be subject to some legal conditions. To exercise any of your above mentioned rights, or if you have any questions on this Privacy Notice, please contact us at this email address: legal@heliox-energy.com

We will take all reasonable steps to respond to your request in accordance with applicable data protection laws. When you exercise any of the above mentioned rights, we will ask you to provide us with a copy of a valid identification document (e.g. your ID card) in order to authenticate you.

You may also use the above mentioned contact details if you have any concern or wish to make a complaint to us relating to how we process your personal data.

You have also the right to complaint to your local data protection authority in your jurisdiction.

9. UPDATE TO THIS PRIVACY NOTICE

We may update this Privacy Notice from time to time. To let you know when we make changes to this Privacy Notice, we will amend the revision date at the top of the page. The new modified or amended Privacy Notice will apply from the revision date. Therefore, we encourage you to periodically review this Privacy Notice to be informed about how we are processing your personal data.