Approval of the Rule for Providing Information to a Credit Information Bureau in Georgia

Order of the President of the National Bank of Georgia Order №195/04 August 27, 2018, Tbilisi On the Approval of the Rule for Providing Information to a Credit Information Bureau on the Territory of Georgia, Recording and Accessing Information in the Database of the Credit Information Bureau In accordance with sub-paragraph "g" of the first paragraph of Article 15, and the first, 3rd, and 4th paragraphs of Article 52¹ of the Organic Law of Georgia "on the National Bank of Georgia," I hereby order: Article 1 To approve the attached Rule for Providing Information to a Credit Information Bureau on the Territory of Georgia, Recording and Accessing Information in the Database of the Credit Information Bureau. Article 2 This Order shall enter into force on September 1, 2018. President of the National Bank Koba Gvenetadze

Rule for Providing Information to a Credit Information Bureau on the Territory of Georgia, Recording and Accessing Information in the Database of the Credit Information Bureau Article 1. General Provisions

1. The purpose of this Rule is to ensure financial stability and the protection of consumer rights within the mandate of the National Bank of Georgia.
2. This Rule regulates the supervision of the activities of a Credit Information Bureau on the territory of Georgia, including the procedure for the provision of credit, non-credit, and other relevant information by lending organizations and information recipients/providers to the Credit Information Bureau, the recording of information, data processing, access, claim review procedures, and other issues related to the activities of the Credit Information Bureau.
3. This Rule does not apply to the activities of a Platform as provided for by the Order №193/04 of the President of the National Bank of Georgia of August 27, 2018, "On the Approval of the Rule for Registration, Cancellation of Registration, and Regulation of a Credit Information Bureau in the National Bank of Georgia." Order of the President of the National Bank of Georgia №121/04 of September 13, 2022 - website, 14.09.2022. Article 2. Definition of Terms
4. For the purposes of this Rule, the terms used herein have the following meanings: a) Credit Information Bureau (hereinafter – the Bureau) – an entrepreneurial entity that collects, stores, processes, and issues credit information about a person; b) Credit Information – information about a natural and/or legal person (including an organizational entity that is not a legal person) regarding a loan/credit and off-balance sheet liabilities (bank guarantee, letter of credit, etc.); c) Information Recipient/Provider – any person, other than a lending organization/entity, who, in accordance with the procedure defined by this Rule, transfers credit/non-credit and other relevant information about a person to the Bureau on the grounds provided for by the legislation of Georgia and, if necessary, receives appropriate information from the Bureau under the conditions established by this Rule; d) Bureau's Database – a set of structured data stored in an electronic information system, in which credit/non-credit information and other relevant data about a person are collected, processed, and stored; e) Lending Organization – a commercial bank, microbank, microfinance organization, non-bank deposit-taking institution – credit union, lending entity, and payment service provider, who transfer credit/non-credit information and other relevant data about a person to the Bureau and, if necessary, receive appropriate information from the Bureau under the conditions established by this Rule; f) Lending Entity – any person or a group of interconnected persons towards whom more than 20 natural persons (including individual entrepreneurs) have a loan/credit obligation simultaneously;

g) Claim – any statement (oral or written) or complaint by a user/data subject, by which they express their dissatisfaction or disagreement with the Bureau or any of its services, as well as with the data held about them in the Bureau; h) Cancelled Claim – a claim that the creditor themselves waives in accordance with the procedure established by law; i) Expired Claim – a court decision that has entered into legal force and/or a case provided for by law, on the basis of which a creditor's claim against a debtor is considered expired; j) Solvency Analysis – an analysis of the income, expenses, and liabilities of the borrower/co-borrower, as well as the guarantor and the provider of collateral; k) Non-credit Information – any information and other relevant data arising from the obligatory legal relationship of a natural and/or legal person (including an organizational entity that is not a legal person); l) Data Subject (Person/User) – any natural/legal person (including an organizational entity that is not a legal person) about whom credit/non-credit information and other relevant data is collected, stored, or processed at the Bureau (including a borrower, co￾borrower, guarantor, and provider of collateral); m) Data Processing – shall be interpreted in accordance with the Law of Georgia "on Personal Data Protection"; n) Internet Banking – provision of banking services via the Internet. The user has access to their bank account and can perform various banking operations from a device connected to the Internet; o) Mobile Banking – based on mobile internet technology. It allows the user to manage and control their accounts (bank, electronic money) via a mobile phone, as well as to perform payment operations; p) Working Day – a day other than Saturday, Sunday, and public holidays provided for by the Organic Law of Georgia "Labor Code of Georgia"; q) Unauthorized Liability – a negative balance arising in a data subject's account without the consent/permission of the lending organization; r) Income Received from a Money Transfer – income received in the form of a money transfer from a foreign country; s) Right to Unconditionally Extend the Term of a Loan/Credit – the case specified in Note 2 of Annex №1 of the Regulation approved by the Order №44/04 of the President of the National Bank of Georgia of March 13, 2020, "On the Approval of the Regulation on the Lending to Natural Persons." 2. Other terms used in this Rule shall have the meanings defined by the current legislation of Georgia. Order of the President of the National Bank of Georgia №33/04 of March 09, 2020 - website, 11.03.2020. Order of the President of the National Bank of Georgia №121/04 of September 13, 2022 - website, 14.09.2022. Order of the President of the National Bank of Georgia №201/04 of August 3, 2023 - website, 04.08.2023. Article 3. Authority of the National Bank of Georgia In terms of regulating the Bureau, the National Bank of Georgia: a) Supervises compliance with the requirements defined by this Rule;

b) For the purpose of exercising its supervisory functions, is authorized to impose any requirement and/or restriction on the Bureau (including financial and/or operational requirements) for the purposes of this Rule, as well as to issue written instructions; c) Is authorized to require the Bureau to develop appropriate procedures, establish a structural unit, allocate human resources, and implement appropriate technical support to protect consumer rights; d) Is authorized to conduct both on-site and remote, scheduled and unscheduled inspections of the Bureau; e) Is authorized to require the Bureau to make changes, additions/removals to the data displayed in the data subject's reports (including Annex №1 and Annex №2); f) Is authorized to require the Bureau to remove, disconnect, or restrict access for an information recipient/provider/lending organization from the Bureau's list of users (lending organizations and information providers); f¹) Is authorized to request any information/documentation from the Bureau regarding a lending organization and/or an information recipient/provider; g) Shall exercise other powers provided for by the Organic Law of Georgia "on the National Bank of Georgia." Order of the President of the National Bank of Georgia №121/04 of September 13, 2022 - website, 14.09.2022. Article 4. Providing Information to, Recording, and Accessing Information in the Bureau

1. All lending organizations, which in turn mandatorily provide information to the Bureau and meet the requirements established by this Rule, have the right to equal access to the Bureau's data (in accordance with the legislation of Georgia and within the limits defined by this Rule).

2. An information recipient/provider, which is not a lending organization, has the right to receive credit/non-credit and other relevant information held in the Bureau in accordance with Annex №2 of this Rule only on the basis of the data subject's relevant consent (in the manner prescribed by legislation), if it simultaneously provides the Bureau with credit/non-credit and/or other relevant information about the person.

3. The purpose of requesting/verifying credit/non-credit or other relevant information about a person from the Bureau by a lending organization and an information recipient/provider must be the solvency analysis of the person.

4. For the purpose of exercising its supervisory functions and/or monitoring and controlling the execution of this Rule, the Bureau is obliged to provide the National Bank of Georgia with immediate, direct, and unrestricted access to its available databases, data, and systems.

5. The Bureau is obliged to provide the National Bank of Georgia with detailed information on changes made to its products and services that are available to the Bureau's users (lending organizations and information providers/recipients), as well as on internal policies/procedures. For the purposes of this paragraph, information includes, among other things, statistical, behavioral, and other assessment models.

6. A lending organization is obliged to provide credit information daily (current day's data) to all bureaus registered by the National Bank of Georgia in accordance with this Rule. The National Bank of Georgia is authorized to establish a different procedure for providing information. 6¹ To ensure the daily receipt of credit information provided for in paragraph 6 of this Article from lending organizations, the Bureau is obliged to properly set up its electronic information system.

7. The lending organization must provide the Bureau with the detailed, accurate, and reliable information at its disposal, in accordance with Annex №1 of this Rule, regarding all (with the exceptions provided for in this Rule) loans/credits and off-balance sheet liabilities (letter of credit, guarantee, etc.) of the data subject.

8. (Repealed - 31.12.2024, №328/04).

9. (Repealed - 31.12.2024, №328/04).

10. (Repealed - 31.12.2024, №328/04). 10¹ A lending organization is authorized not to provide the Bureau with information about a person's unauthorized liability in the amount of up to and including 100 (one hundred) GEL or its equivalent in foreign currency (the initial amount of the liability).

11. If 5 (five) years have passed since the repayment of a credit/loan, off-balance sheet liability (letter of credit, guarantee, etc.), or other type of financial obligation, information about this obligation should be available to lending organizations and information recipients/providers without the identifying data of the data subject. The Bureau must store information on repaid loans/credits, off-balance sheet (letter of credit, guarantee, etc.), or other types of financial obligations for a minimum of 35 (thirty-five) years from the end of the credit/loan, off-balance sheet, or other type of financial relationship. The periods shall be calculated for each individual loan/credit, off-balance sheet (letter of credit, guarantee, etc.), or other type of financial obligation separately. Information on money transfers must be stored by the Bureau for 5 (five) years from the cashing of the money transfer.

12. Overdue credit/loan, off-balance sheet (letter of credit, guarantee, etc.), or other types of financial obligations shall be assigned the status - "Expired Claim" - in accordance with a court decision that has entered into legal force and/or in a case provided for by legislation, on the basis of which the claim is considered expired. In the case where the creditor themselves waives the claim in the manner prescribed by law, the status shall be defined as - "Cancelled Claim". For these purposes, the lending organization or information recipient/provider is obliged to immediately notify the Bureau of this and to cease further processing of the loan/credit/off-balance sheet (letter of credit, guarantee, etc.) or other type of financial obligation, while the Bureau, no later than 2 working days after receiving the information, shall assign the appropriate status to the credit/loan/off-balance sheet (letter of credit, guarantee, etc.) or other type of financial obligation.

13. From the assignment of the status specified in paragraph 12 of this Article, the information of the data subject with identifying data is available to the Bureau's users (lending organizations and information recipients/providers) for 5 (five) years. After the "Expired Claim" and "Cancelled Claim" statuses are assigned, the Bureau must store the information for a minimum of 35 (thirty-five) years. The periods shall be calculated for each individual loan/credit, off￾balance sheet (letter of credit, guarantee, etc.), or other type of financial obligation separately.

14. For the purposes of this Article, other relevant information with identifying data is available in the Bureau for 5 years. After the 5-year period expires, the Bureau must store the information

for a minimum of 35 (thirty-five) years. The periods shall be calculated for each individual data point separately. 15. The storage of credit, non-credit, and other relevant information about a person must be carried out in compliance with appropriate security conditions that preclude accidental and/or unauthorized access, accidental and/or illegal alteration, and/or destruction of data. 16. Unilateral exchange (provision/receipt) of information with the Bureau in a different format is permissible only with the prior consent of the National Bank. 17. The Bureau is authorized to act as an intermediary between state agencies and lending organizations for sharing the type of information necessary for the solvency analysis of a person. The information may include, among other things, information receivable from the unified database of socially vulnerable families administered by the LEPL Social Service Agency, in the manner prescribed by law and contract. Order of the President of the National Bank of Georgia №33/04 of March 09, 2020 - website, 11.03.2020. Order of the President of the National Bank of Georgia №121/04 of September 13, 2022 - website, 14.09.2022. Order of the President of the National Bank of Georgia №163/04 of November 17, 2022 - website, 17.11.2022. Order of the President of the National Bank of Georgia №201/04 of August 3, 2023 - website, 04.08.2023. Order of the President of the National Bank of Georgia №328/04 of December 31, 2024 - website, 31.12.2024. Article 5. Obligations of the Bureau

1. The Bureau is obliged to: a) Have appropriate policies-procedures that ensure the proper processing (including receipt/issuance/blocking) of credit, non-credit, and other relevant information about a person. Also, to have adequate and well-functioning internal policies/procedures that define the conditions for relations with lending organizations and information recipients/providers, including the terms for granting and terminating access to the Bureau's services/database; a¹) Grant access to the database only to those persons who are officially authorized to process credit/non-credit and other relevant information about a person, in order to avoid the non-purposeful processing of credit, non-credit, and other relevant information about a person; b) Require lending organizations and information recipients/providers to provide reliable, accurate, and objective information about the data subject; c) Notify the National Bank of Georgia 10 working days in advance about the commencement of contractual relations with an information recipient/provider and/or a lending organization; d) Upon commencement of the contractual relationship, receive data in a test mode for a minimum of 3 months and a maximum of 6 months;

e) During the test mode period, not make the information provided to the Bureau by the information recipient/provider and the lending organization available to the Bureau's existing users until the Bureau, based on its own or outsourced services, is convinced that the provided information is adequate, contains no errors, and complies with the requirements of the National Bank of Georgia; f) Before commencing a contractual relationship, check the internal operational processes of the information recipient/provider and the lending organization and their proper functioning, which includes obtaining the data subject's consent for both receiving and providing information (there must be a relevant purpose and basis for verification); g) Within the obligations established by the legislation of Georgia and this Rule, ensure the accuracy of credit, non-credit, and other relevant information about a person; h) In accordance with the conditions established by the legislation of Georgia and/or this Rule, carry out the systematization, recording, timely updating, and storage of information, the processing of credit, non-credit, and other relevant information about a person, and the issuance of corresponding reports; i) Issue credit/non-credit and other relevant information about a person to an authorized person only in cases provided for by the legislation of Georgia and this Rule; j) Maintain a record/systematization of requests for and issuances of credit/non-credit and other relevant information about a person (data subject); k) Carry out checks/verifications of credit/non-credit and other relevant information about a person and the consents expressed by them on a random basis with lending organizations and information recipients/providers at a reasonable frequency (according to risk factors) based on contractual provisions. For the purposes of this sub-paragraph, the National Bank of Georgia is authorized to require the Bureau to conduct a special inspection of a specific lending organization/information recipient/provider; l) Agree in advance with the National Bank of Georgia on the list of credit/non-credit and other relevant information about a person (other than the information presented in Annex №1 and №2) that it receives/issues (including the frequency, format, and storage period of receipt and issuance) from a lending organization or an information recipient/provider. The relevant information must be directly and/or indirectly related to the solvency analysis of the person, and its addition must have a legitimate purpose; m) In the contract to be concluded with lending organizations and information recipient/provider persons, indicate the authority of the National Bank of Georgia, including the authority provided for in sub-paragraph "f" of Article 3 of this Rule regarding the termination of the contract; n) Reflect the information provided for in Article 7¹ of this Rule, regarding cashed money transfers, in a report separate from a credit or other type of report, to which only lending organizations will have access; o) Comply with the requirements established by the legislation of Georgia and the legal acts of the National Bank of Georgia for the identification of a person (data subject). 2. If a data subject has requested the Bureau to correct/block/amend the information held about them, the Bureau is obliged to notify the data subject of the relevant decision and, if

the request is satisfied, to provide the data subject's updated information to them free of charge no later than the next working day after the update. To make a decision, the Bureau shall conduct appropriate consultations with the information recipient/provider and the lending organization. 3. The fee established by the Bureau for the provision/receipt of credit/non-credit and other relevant information about a person must be consistent with business needs and reality. 4. The contract concluded/to be concluded with a lending organization and an information recipient/provider must provide for the right of recourse in the event that the Bureau is subjected to a monetary fine or incurs any kind of monetary obligation towards third parties due to the culpable actions of the lending organization or information recipients/providers. 5. The Bureau is obliged, based on contractual provisions, to oblige any lending organization and information recipient/provider to carry out the proper provision/receipt of information on a data subject in compliance with the requirements of the Law of Georgia "on Personal Data Protection" and to make non-compliance with this a basis for fining. Order of the President of the National Bank of Georgia №33/04 of March 09, 2020 - website, 11.03.2020. Order of the President of the National Bank of Georgia №121/04 of September 13, 2022 - website, 14.09.2022. Order of the President of the National Bank of Georgia №328/04 of December 31, 2024 - website, 31.12.2024. Article 6. Rights and Obligations of the Lending Organization

1. A lending organization is obliged to have appropriate policies-procedures for both receiving from and providing to the Bureau credit (including that provided for in Annex №1) and other relevant information about a person.
2. A lending organization is obliged to grant access to the Bureau's database only to those employees who are officially authorized to process credit/non-credit and other relevant information about a person for the purpose of assessing solvency, and to prevent the non￾purposeful processing of credit, non-credit, or other relevant information about a person.
3. A lending organization is obliged to have established with the Bureau a technical means of information exchange that guarantees the maximum protection and security of information and ensures compliance with other requirements defined by this Rule.
4. A lending organization shall not provide the Bureau with credit/non-credit and other relevant information about a person if the data subject's loan/credit or off-balance sheet liabilities (letter of credit, guarantee, etc.) are fully secured by a deposit (in the case where the currency of the deposit and the loan are different, the collateral coverage ratio at the time of loan issuance shall be taken into account). For the purposes of this paragraph, the term of the loan/credit or off-balance sheet liabilities (letter of credit, guarantee, etc.) shall not exceed the term established by the deposit agreement. In the case where the loan/credit or off-balance sheet liabilities (letter of credit, guarantee, etc.) are partially secured by a deposit, the lending organization is obliged to provide the Bureau with information only on the unsecured portion of the loan/credit or off-balance sheet liabilities (letter of credit, guarantee, etc.). For the purposes of this paragraph, for the portion of the loan/credit or off￾balance sheet liabilities (letter of credit, guarantee, etc.) not secured by a deposit, lending organizations must also provide the Bureau with the information specified in Annex №1.

Loans/credits or off-balance sheet liabilities (letter of credit, guarantee, etc.) that are partially secured by a deposit shall be assigned the status "Loan partially secured by deposit". 4¹. A lending entity is authorized not to provide the Bureau with credit/non-credit and other relevant information about a person if a loan of up to 3,000 (three thousand) GEL secured by movable property is issued to a natural person borrower, and at the same time, the claim of the lending entity against the natural person borrower is considered satisfied solely by carrying out actions provided for by the legislation of Georgia with respect to the collateral (including by the sale and/or taking ownership of the property). 5. If a borrower/co-borrower has credit/loan or off-balance sheet liabilities (letter of credit, guarantee, etc.) towards a lending organization, the lending organization is authorized, during the term of the liabilities, to verify the credit, non-credit, and other relevant information of this person (borrower/co-borrower) in the Bureau without the additional consent of the data subject, for the purposes of monitoring the data subject's existing liability and/or assessing the solvency for a new credit/loan or off-balance sheet liability (letter of credit, guarantee, etc.), except in the case where the borrower/co-borrower has only an unauthorized liability towards the lending organization. 5¹. At the request of the National Bank of Georgia, a lending organization does not require consent from the data subject when verifying a person's data in the Bureau. In such a case, the lending organization must be able to present the instruction from the National Bank of Georgia to verify the specific persons. 6. If a claim is filed by a user, the lending organization is obliged, upon the Bureau's request, as promptly as possible within its technical capabilities, but no later than 5 (five) working days, to provide the Bureau with the requested information and to act in accordance with the relevant agreement concluded between the Bureau and the lending organization. If, after the expiration of the period provided for in this paragraph, the lending organization has not been able to fully investigate the claim, the lending organization is obliged to provide the Bureau with information on the current details and is authorized, if necessary, on the basis of a relevant justification, to use an additional period of no more than 15 (fifteen) working days to fully study the issue related to the claim and to complete the review. 7. For a lending organization to provide the Bureau with credit and other relevant information about a data subject/user, the consent of the data subject/user is not mandatory, but the data subject/user must be mandatorily informed about the sending of data to the Bureau (Annex №6 and Annex №8). The burden of proof that the data subject/user was informed lies with the lending organization. 8. A lending organization is obliged to have the consent of the data subject/user to verify their data in the Bureau in accordance with Annex №5 and/or Annex №5.1 of this Rule. According to Annex №5.1 of this Rule, consent may be obtained only if the person is a registered user of internet banking/mobile banking, the consent can be revoked via internet banking/mobile banking, and the information about the revocation of consent is indicated in a conspicuous place and is also formulated in a way that is understandable to the data subject/user. When verifying data in the Bureau, no more than 30 (thirty) working days for natural persons, and no more than 60 (sixty) working days for legal persons, should have

passed since obtaining consent in accordance with Annex №5 of this Rule, while no more than 90 (ninety) working days should have passed since obtaining consent in accordance with Annex №5.1 of this Rule. These requirements do not apply to data that is publicly available by law, or that the data subject/user has made publicly available. The lending organization is obliged to use Annex №5 and Annex №5.1 of this Rule without alteration and to ensure its signature/confirmation by the data subject/user in an independent form. 8¹. When obtaining consent remotely, the identification of the person must be carried out in accordance with Article 3 of the Rule approved by Order №48/04 of the President of the National Bank of Georgia of March 30, 2021, "On the Approval of the Rule for the Electronic Implementation of Preventive Measures by an Accountable Person," or a process agreed upon with the National Bank of Georgia. The lending organization, upon request, is obliged to submit to the Bureau and/or the National Bank of Georgia the consent of the data subject/user in accordance with Annex №5, Annex №5.1, Annex №7 of this Rule, or the refusal in accordance with Annex №9, as well as the identification method, electronic logfiles, and the internet protocol (IP) address (if any) from which the consent was obtained. In exceptional cases, it is permissible to obtain/acquire consent/refusal with a modified text, if the content of the consent/refusal is fully conveyed and the modified text is agreed upon with the National Bank of Georgia. The electronic logfile must include the information provided for in Annex №10 of this Rule. 8². When obtaining consent/refusal remotely, for the purpose of carrying out the person's authentication, the lending organization is obliged to comply with the requirements of Chapter II of the Rule approved by Order №156/04 of the President of the National Bank of Georgia of September 2, 2020, "On the Approval of the Rule of Strong Customer Authentication," or to conduct the process of authenticating the person when obtaining consent/refusal remotely in a manner agreed upon in advance with the National Bank of Georgia. 9. A lending organization is obliged to provide information to the data subject regarding the processing of their data in compliance with the requirements of the Law of Georgia "on Personal Data Protection." 10. In the event that it is discovered that the information about the data subject is incorrect or has been unlawfully processed, the lending organization is obliged to correct, update, add, block, delete, or destroy the data accordingly. 11. In the case of a request for information within the scope of an inspection, the lending organization is obliged to provide the Bureau with the requested information as promptly as possible, but no later than 5 (five) working days. 12. The consents obtained by the lending organization in accordance with Annexes №5, №5.1., №7, and №9 of this Rule must be stored for a minimum period of 1 (one) year, unless otherwise established by the legislation of Georgia. 13. The lending organization is obliged to provide the Bureau with information on money transfers in accordance with Article 7¹ of this Rule. Order of the President of the National Bank of Georgia №273/04 of December 14, 2018 - website, 17.12.2018. Order of the President of the National Bank of Georgia №151/04 of August 16, 2019

• website, 20.08.2019. Order of the President of the National Bank of Georgia №33/04 of March 09, 2020 - website, 11.03.2020. Order of the President of the National Bank of Georgia №121/04

of September 13, 2022 - website, 14.09.2022. Order of the President of the National Bank of Georgia №328/04 of December 31, 2024 - website, 31.12.2024. Article 7. Principles of Relationship between the Bureau and Information Recipients/Providers

1. Agreements concluded between the Bureau and information recipients/providers must include and take into account compliance with the requirements defined by the legal acts of the National Bank of Georgia.
2. An information recipient/provider is obliged to have appropriate policies-procedures for both receiving from and providing to the Bureau credit, non-credit, and other relevant information about a person. The Bureau must receive this assurance upon signing the agreement with the information recipient/provider and throughout the duration of the agreement.
3. An information recipient/provider is obliged to grant access to the Bureau's database only to those employees who are officially authorized and have a need to process credit/non￾credit and other relevant information about a person for the purpose of assessing solvency, and to prevent the non-purposeful processing, issuance, or disclosure of credit/non-credit and other relevant information about a person.
4. An information recipient/provider is obliged to have established with the Bureau a technical means of information exchange that guarantees the maximum protection and security of information and ensures compliance with other requirements defined by this Rule.
5. In the event that a claim is filed by a user, the information recipient/provider is obliged, upon the Bureau's request, as promptly as possible within its technical capabilities, but no later than 5 (five) working days, to provide the Bureau with the requested information and to take appropriate actions based on the agreement concluded between the Bureau and the information recipient/provider.
6. An information recipient/provider is obliged to provide information to the data subject regarding the processing of their data in compliance with the requirements of the Law of Georgia "on Personal Data Protection."
7. At the moment of providing data to the Bureau, the information recipient/provider must have the consent of the data subject in the manner prescribed by the legislation of Georgia (Annex №6.1).
8. An information recipient/provider is obliged to have the consent of the data subject/user to verify their data in the Bureau in accordance with Annex №5 of this Rule. When verifying data in the Bureau, no more than 30 (thirty) working days for natural persons, and no more than 60 (sixty) working days for legal persons, should have passed since obtaining consent in accordance with Annex №5 of this Rule. These requirements do not apply to data that is publicly available by law, or that the data subject has made publicly available. The information recipient/provider is obliged to use Annex №5 of this Rule without alteration and to ensure its signature/confirmation by the data subject in an independent form.
9. When obtaining consent remotely, the identification of the person must be carried out in accordance with Article 3 of the Rule approved by Order №48/04 of the President of the

National Bank of Georgia of March 30, 2021, "On the Approval of the Rule for the Electronic Implementation of Preventive Measures by an Accountable Person," or a process agreed upon with the National Bank of Georgia. The information recipient/provider, upon request, is obliged to submit the consent of the data subject/user in accordance with Annex №5 of this Rule, as well as the identification method, logfiles (if any), and the internet protocol (IP) address (if any) from which the consent was obtained. The electronic logfile must include the following information: the personal number, name, and surname of the data subject/user; the date and time of online registration/identification; the date and time of the data subject's/user's identification (except for internet banking/mobile banking); the form in which the data subject's/user's identification was carried out; the full text of the consent to which the data subject/user agreed; when and in what form the user agreed to this text; when and in what form the data subject/user consented to providing information to the Bureau. 10. In the case of a request for information within the scope of an inspection, the information recipient/provider is obliged to provide the Bureau with the requested information as promptly as possible, but no later than 5 (five) working days. 11. Consents obtained in accordance with Annexes №5 and №6.1 of this Rule must be stored for at least 1 (one) year, unless otherwise established by the legislation of Georgia. Order of the President of the National Bank of Georgia №151/04 of August 16, 2019 - website, 20.08.2019. Order of the President of the National Bank of Georgia №33/04 of March 09, 2020 - website, 11.03.2020. Order of the President of the National Bank of Georgia №121/04 of September 13, 2022 - website, 14.09.2022. Article 7¹. Reporting on Income Received from Money Transfers

1. A lending organization is obliged to reflect the following information in the report about a money transfer cashed with it: a) The country from which the transfer was made; b) The date of the transfer (if the type of money transfer allows for obtaining this information); c) The date of cashing; d) The recipient's personal number (in the case of a foreign citizen – the number of the identity document); e) The recipient's citizenship; f) The amount of the sum; g) The currency.
2. A lending organization is obliged to provide the information stipulated in the first paragraph of this Article to the Bureau daily (current day's data), unless otherwise agreed with the National Bank of Georgia.
3. A lending organization is obliged to have the consent of the data subject/user to verify the information about their income received from a money transfer in the Bureau, in accordance with Annex №7 of this Rule. The lending organization is obliged to use Annex

№7 of this Rule without alteration and to ensure its signature/confirmation by the data subject/user in an independent form. In the case of obtaining consent remotely (Annex №7), the requirements provided for in paragraph 8¹ of Article 6 of this Rule shall apply. 4. For a lending organization to provide the Bureau with information about a data subject's/user's income received from a money transfer, the consent of the data subject/user is not mandatory, but the data subject/user must be mandatorily informed about the provision of the data to the Bureau (Annex №8). If the data subject/user does not agree to the provision of the information stipulated in this paragraph to the Bureau at the moment of being informed, the lending organization must have the data subject's/user's refusal regarding this matter (Annex №9). In the case of obtaining the data subject's/user's refusal remotely (Annex №9), the requirements defined in paragraph 8¹ of Article 6 of this Rule must be taken into account. 5. Information about a data subject's/user's income received from a money transfer will be available to lending organizations in the Bureau's database for a period of 1 (one) year. 6. The Bureau is obliged to reimburse a reasonable cost to a payment service provider who provides the Bureau with information about money transfers but does not itself request information of a similar type, which the payment service provider needs for the proper functioning of this service. Order of the President of the National Bank of Georgia №121/04 of September 13, 2022 - website, 14.09.2022. Order of the President of the National Bank of Georgia №201/04 of August 3, 2023 - website, 04.08.2023. Order of the President of the National Bank of Georgia №328/04 of December 31, 2024 - website, 31.12.2024. Article 8. Protection of User Rights

1. A user (data subject) has the right to have access to the information held about them in the Bureau.1 Specifically, the user has the right to request at any time and receive, within the period established by law, the information held about them in the Bureau, free of charge, in physical and/or electronic form. The Bureau has the right to set a service fee for information generated instantly through a special electronic portal and/or electronic application. However, the Bureau must ensure that by using the special electronic portal and/or electronic application, it is possible for the user to receive information free of charge at least three times a year, in the shortest possible time, but no later than one working day from the receipt of the request, while also ensuring that the conditions provided for in paragraph 5 of this Article are met. When providing credit/non-credit and other relevant information about a person in both physical and electronic form, it is mandatory to carry out the person's identification in the manner prescribed by the legislation of Georgia. The data must include any information held in the Bureau about the user (data subject), including a detailed indication of the creditors and the persons requesting/seeking credit/non-credit and other relevant information about the person, and the number of searches they have conducted.
2. The user has the right to file any type of claim related to the Bureau's activities, including regarding the records about them in the Bureau's databases, the time of reflection of information and/or information changes, the accuracy of data, and the processing of information without a legal basis, directly with the Bureau and/or the National Bank of

Georgia or the Personal Data Protection Service, and to request the relevant change/blocking/deletion of data in the manner and cases prescribed by law. 3. Claims from a user regarding the Bureau's activities, as well as the reflection of information and/or information changes about the user and the accuracy of data in the Bureau's databases, shall be reviewed by the Bureau and/or the National Bank. Claims regarding a violation of the rules of informing (Annex №6) by an information recipient/provider or a lending organization, the legal basis for processing information (including provision), including processing without the user's consent, shall be reviewed by the Bureau and/or the Personal Data Protection Service in the manner prescribed by the legislation of Georgia. 4. For the purpose of protecting user rights, a corresponding memorandum shall be concluded between the National Bank of Georgia and the Personal Data Protection Service to ensure the protection of personal data. 4¹. To promote the strengthening of its reputation as a reliable partner among users, the Bureau is obliged to adhere to the norms of morality and best business practices in its relations with users and to act on the principles of good faith, transparency, and fairness. 5. The user has the right to request information from the person responsible for processing (the Bureau, the lending organization, and the information recipient/provider) about the processing of their data in accordance with the Law of Georgia "on Personal Data Protection." Order of the President of the National Bank of Georgia №33/04 of March 09, 2020 - website, 11.03.2020. Order of the President of the National Bank of Georgia №121/04 of September 13, 2022 - website, 14.09.2022. Order of the President of the National Bank of Georgia №328/04 of December 31, 2024 - website, 31.12.2024. Article 9. Obligations of the Bureau regarding a User's Claim

1. The Bureau must have a standard procedure for receiving and reviewing claims in written and electronic form, which must be agreed upon with the National Bank of Georgia.
2. The Bureau is obliged to accept claims from the user in oral, standard written (Annex №3), or electronic forms and to study the user's claim in detail.
3. If a user wishes to file a claim, the Bureau is obliged to offer the user the standard written or electronic form for filing a claim. In the case where the Bureau receives a claim in oral form, it is obliged to offer the user the alternative of expressing the claim in the standard written or electronic form.
4. Upon receiving a claim, except in cases of oral submission, the Bureau is obliged to confirm/notify the claimant in writing/electronically of the receipt of the claim no later than 1 (one) working day from the application. 4¹. The Bureau is obliged to provide the data subject/user with the accurate and reliable detailed information at its disposal during the process of reviewing the claim.
5. The Bureau is obliged to review the user's claim, including, where necessary, in consultation with the lending organization, as well as the relevant information recipient/provider, and after completing the study of the claim, no later than 10 (ten) working days from the user's application and identification, to immediately inform the claimant, except in cases of oral submission, in writing or electronically (in agreement with

the user and/or identical to the method of filing the claim) of the results of the study of the issue and, if possible, to offer conditions for resolving the claim. If the study of the claim is not completed within the period provided for in this paragraph due to reasons beyond the Bureau's control, the Bureau is obliged, no later than 10 (ten) working days from the user's application and identification, to inform the user of the current information it has investigated on the matter and the expected deadline for completing the review of the issue, which shall not exceed 30 (thirty) working days. The Bureau is obliged to immediately provide the user with information on the results of the study of the issue upon completion of the review, in writing or electronically. 6. In the case of determining the legitimacy of a user's request to correct/change/delete data, the Bureau is obliged to satisfy the request immediately, but no later than within 1 (one) working day, except in cases provided for by the legislation of Georgia. 7. The Bureau is obliged to maintain updated records of received claims, except for those in oral form, which must contain the following mandatory information: data of the person filing the claim, the nature of the claim, the content of the Bureau's response, the measures taken to resolve the problem stated in the claim, and the final result. Upon request, these records must be provided to the National Bank of Georgia. 8. The Bureau is obliged to maintain statistical reporting on user claims according to the form provided in Annex №4 of this Rule and to provide this data monthly, no later than the 10th day of the following month, to the National Bank of Georgia at the email address cp@nbg.gov.ge, as well as to upload it to the corresponding module of the consumer protection management software (CPMCS software). The provided and uploaded data must include the statistics of claims received up to and including the last day of the past month, as well as statistics on claims recorded with an "unfinished" status in the data provided and uploaded in the previous reporting month. 9. The requirements of paragraphs 5 and 8 of this Article do not apply to the Bureau if the Bureau has already reviewed the same claim from the same user in written or electronic form and the Bureau determines that no additional significant facts and circumstances exist regarding the issue. 10. The Bureau is obliged to provide the information requested by the National Bank of Georgia, including through the requested electronic channels, no later than 5 (five) working days from the request. However, if the failure to provide the information within this period is due to reasons beyond the Bureau's control, it is obliged to provide the National Bank of Georgia with the reason for the delay and the expected deadline for providing the information within one week. If the provided information is insufficient or requires clarification, the supplementary/clarifying information requested by the National Bank of Georgia must be provided immediately or within a reasonable timeframe agreed upon with the National Bank of Georgia. 11. The Bureau is obliged to create a website, on which at least the following information must be placed: a) Legal acts that regulate the Bureau's activities; b) Internal rules concerning the services offered by the Bureau and regulating the management of claims and dispute resolution by the Bureau; c) Information about the services that the Bureau offers to third parties; d) Tariffs related to the Bureau's services defined for the data subject; e) A list and

details of information recipients/providers; f) The rights of the data subject and the mechanism for realizing these rights. 12. The information placed by the Bureau on its own website must be accurate/correct and must be updated no later than 5 (five) working days after any change is made. Order of the President of the National Bank of Georgia №33/04 of March 09, 2020 - website, 11.03.2020. Order of the President of the National Bank of Georgia №121/04 of September 13, 2022 - website, 14.09.2022. Order of the President of the National Bank of Georgia №201/04 of August 3, 2023 - website, 04.08.2023. Order of the President of the National Bank of Georgia №328/04 of December 31, 2024 - website, 31.12.2024. Article 10. Sanctions

1. The sanctions specified for the violations provided for in this Article shall be imposed in each specific case by the National Bank of Georgia. The party against whom a sanction is applied has the right to appeal it in court.

2. The National Bank of Georgia is authorized to apply the following types of sanctions for the violation by the Bureau of the Organic Law of Georgia "on the National Bank of Georgia," other regulatory norms of the National Bank of Georgia, the requirements defined by this Rule, as well as written instructions, sequentially, or, depending on the seriousness of the violation and the existing or possible risk – non-sequentially: a) Send a written warning to the Bureau; b) Establish special measures, including restricting certain operations and/or prohibiting the distribution of dividends or imposing additional requirements; c) Require the relevant body of the Bureau to suspend the signature authority of an administrator; d) Cancel the registration; e) Impose the following type of monetary fine: e.a) For failure to record credit information about a data subject in the Bureau's database in a timely manner, incorrect recording, or violation of the rules of access, in each case in the context of a loan/credit product – shall result in a fine on the Bureau in the amount of 1,000 (one thousand) GEL for each fact of violation; e.b) Non-fulfillment of other requirements established by this Rule and/or the Rule approved by Order №193/04 of the President of the National Bank of Georgia of August 27, 2018, "On the Approval of the Rule for Registration, Cancellation of Registration, and Regulation of a Credit Information Bureau in the National Bank of Georgia" – shall result in a fine on the Bureau in the amount of 1,000 (one thousand) GEL, in each case of violation; e.c) Violation of the requirements established by the written instructions of the National Bank of Georgia – shall result in a fine on the Bureau in the amount of 10,000 (ten thousand) GEL for each fact of violation of such requirements.

3. After a monetary fine has been imposed on the Bureau, in case of non-fulfillment of the same requirement, the Bureau shall be fined double the amount of the imposed fine.

4. The sanction must correspond to the seriousness of the violation and/or the damage caused to the Bureau's assets and/or the possible threat.

5. The amount of the monetary fine imposed in accordance with this Article shall be directed to the state budget of Georgia.

6. The National Bank of Georgia shall issue an individual administrative-legal act regarding the imposition of a monetary fine on the Bureau. The individual administrative-legal act shall be issued in the form of an order of the President or Vice-President of the National Bank, in which the procedure for its execution will be indicated.

7. The individual administrative-legal act issued by the National Bank of Georgia on the imposition of monetary fines on the Bureau is in force upon its notification to the Bureau. The National Bank is authorized to ensure the execution of the fine imposed in accordance with this Rule after the unsuccessful expiration of the appeal period specified in the relevant administrative-legal act. Order of the President of the National Bank of Georgia №121/04 of September 13, 2022 - website, 14.09.2022. Article 11. Transitional Provisions

8. In the event that a person wishing to carry out the activities of a Bureau does not meet the requirements established by this Rule and the legal act of the National Bank of Georgia at the time of registration with the National Bank of Georgia, they are obliged to submit, along with the documentation/information for registration, a reasonable plan for coming into compliance with these requirements. The National Bank of Georgia will review the compliance plan and either grant consent or refuse the person's registration as a Bureau. In case of failure to comply with the compliance plan, the National Bank of Georgia will take actions provided for by law.

9. The Bureau is obliged to bring the agreements concluded with any user (lending organization/information recipient/provider) into compliance with the requirements established by this Rule within the timeframes specified in paragraphs 3-5 of this Article.

10. A commercial bank is obliged to meet the requirements established by this Rule by March 1, 2019, except for paragraphs 2 and 6-10 of Article 6 of this Rule. During this period, the exchange of credit/non-credit and other relevant information about a person shall be carried out in accordance with the existing agreements between commercial banks and the Bureau, in the manner prescribed by the legislation of Georgia.

11. A microfinance organization and a non-bank deposit-taking institution – credit union are obliged to meet the requirements established by this Rule by March 1, 2019, except for paragraphs 2 and 6-10 of Article 6 of this Rule. During this period, the exchange of credit/non-credit and other relevant information about a person shall be carried out in accordance with the existing agreements between microfinance organizations/non-bank deposit-taking institutions – credit unions and the Bureau, in the manner prescribed by the legislation of Georgia.

12. The Bureau is obliged to ensure that the agreements/arrangements concluded with an information recipient/provider are brought into compliance with the requirements stipulated by this Rule within 4 (four) months from the entry into force of this Rule. During

this period, the exchange of credit/non-credit and other relevant information about a person shall be carried out in accordance with the existing agreements between the Bureau and the information recipient/provider, in the manner prescribed by the legislation of Georgia. 6. Lending entities are obliged to meet the requirements established by this Rule by March 1, 2019, except for paragraphs 2 and 6-10 of Article 6 of this Rule. During this period, the exchange of credit/non-credit and other relevant information about a person shall be carried out in accordance with the existing agreements between the lending entity and the Bureau, in the manner prescribed by the legislation of Georgia. 7. Commercial banks, microfinance organizations, non-bank deposit-taking institutions – credit unions, and lending entities are obliged to meet paragraphs 2 and 6-10 of Article 6 of this Rule from January 1, 2019. 8. Paragraph 4¹ of Article 6 of this Rule shall be declared null and void from July 1, 2021. Order of the President of the National Bank of Georgia №288/04 of December 28, 2018 - website, 28.12.2018. Order of the President of the National Bank of Georgia №33/04 of March 09, 2020 - website, 11.03.2020.