EYDAP S.A. SHAREHOLDERS INFORMATION ON THE PROTECTION OF PERSONAL DATA

Introduction

"EYDAP S.A.", which is based in Galatsi Attica (156, Oropou Street) (hereinafter referred to as the "Company" or «Responsible for Processing») with VAT number 094079101, G.E.MI. Number 121578960000, as legally represented, is committed towards its shareholders, under the current national and European legislative framework (General Data Protection Regulation EU 2016/679, hereinafter GDPR) and the current legislation on the protection of personal data, with respect to their privacy and by being vigilant in order to ensure the confidentiality and security of their personal data.

Purpose of information - Definitions

The purpose of this notice is to provide transparent information on the type of personal data processed and on how the Company processes the data of its current and former registered shareholders and their representatives, of those who derive or exercise rights on the Company's shares and their representatives, and of those who participate in the Company's General Meetings (hereinafter referred to as «GM») under any capacity (all the above categories of natural persons are hereinafter referred to, for reasons of brevity, as "Shareholders" or "Shareholder"), either live or remotely via video conference (a General Meeting is conducted in accordance with the legal formalities and after a relevant invitation of the Shareholders on a specified day, and this also covers each General Meeting that is adjourned, held after interruption or repeated), as well as on the rights arising from the processing of their personal data.

In the context of this briefing, EYDAP SA as the Responsible for Processing, taking into account the current legal framework on General Data Protection, provides more specific information to individuals other than the Shareholders who will participate in the Hybrid GM scheduled for July 11th 2024, such as the Members of the Board of Directors of EYDAP SA, its executives, auditors and other third parties, that it processes the personal data concerning them, which are collected directly from the subjects for the purposes of legal interests the Company seeks for such processing.

It is noted that, for reasons of understanding, "personal data" is any information concerning an identified or identifiable natural person, i.e. one whose identity can be verified, directly or indirectly, in particular by reference to an identity item, such as name, ID number, location data.

Processing of personal data means any use or series of transactions carried out with or without the use of automated means, in personal data or in personal data sets, such as the collection, registration, organization, structure, storage, adaptation or alteration, retrieval, collection of information, use, disclosure by transmission, dissemination or any other form of disposal, association or combination, restriction, deletion or destruction.

Processing Manager is a natural or legal person, public authority, service or other entity which, individually or jointly with others, determines the purposes and manner of processing personal data; where the purposes and manner of such processing are specified by the law of the Union or the law of a Member State, the Manager or the special criteria for his appointment may be provided by the law of the Union or the law of a Member State, in this case EYDAP SA.

The executor of the processing is the natural or legal person, the public authority, the service or other body that processes personal data on behalf of the person in charge of the processing, in this case the limited company with the name "Greek Central Securities Depository SA" with the distinctive title "ATHEXCSD" with TIN 094449050, DOY FAE Athens, which has been assigned by EYDAP the organization of the hybrid General Meeting, on July 11th 2024.

3. Data subject to processing and collection sources

I. General Information:

The shares of EYDAP S.A. are registered and listed on the Athens Stock Exchange, are registered in the Data Security Standard and are subject to the Regulations of the Data Security Standard (hereinafter "DSS Regulation") as applicable. The Société Anonyme under the name "Greek Central Securities Depository S.A.", (ATHEXCSD) as the administrator of the DSS, holds an Investor Share, in which the shareholder identification information provided for in Article 4 of the DSS Regulation is registered. That information shall be made available to EYDAP through electronic records from the "Greek Central Securities Depository S.A." in every case provided for by the Law and the DSS Regulation. Information that relates, in particular, to the Company's shareholder base and its share transactions (e.g. transfer operations) is taken into account by EYDAP from the "Greek Central Securities Depository S.A." (pursuant to DSS Regulation) at the end of each trading day on the Athens Stock Exchange.

Therefore, Shareholders' personal data are made available either directly by them for the realization of matters concerning them, or by third parties authorized by the Shareholders, or, according to the above, by the limited company with the name "Greek Central Securities Depository SA", in its role as administrator of DSS.

In any case, the Company considers the personal data held in the Investor Division of the Data Security Standard as valid and up-to-date, where the Shareholders are required to notify any changes.

The information kept in the EYDAP Shareholder Record Book is:

  • Full name
  • Father's name
  • DSS Investor Share Code
  • Shareholder Registry Number
  • Details of the shares and rights held by them
  • VAT number
  • Tax office
  • Address
  • Phone
  • Occupation / Activity
  • Citizenship
  • ID number / Passport number (date of issue, issuing authority, country of issue)

B. Correspondence data with the Shareholders

C. Data on the capacity under which the Shareholder participates in the General Meeting of the Company and the relevant supporting documents

D. Data concerning the participation and exercise of the Shareholder's voting right in the General Meeting of the Company, data of various requests submitted from time to time to the Company, signatures of Shareholders and in general any other information within the legal framework governing financial instruments markets.

II. Specific information for the hybrid conduct of the July 11th 2024 General Meeting:

EYDAP SA notifies the Shareholders that for reasons of their participation in the remote General Meeting on July 11th 2024 or any Repeat, the passwords of the Shareholders on the internet platform https://axia.athexgroup.gr, through which they will be given the opportunity to participate and vote remotely in the General Meeting (hereinafter "Internet Platform"), will be collected and processed by the executor of the processing "Greek Central Securities Depository SA", to which EYDAP has assigned the organization of the remote G.M. in the context of contract execution and implementation.

Also, EYDAP informs the Shareholders that, according to article 131 (voting method at the General Meeting) par. 2 of Law 4548/2018, the distance voting is open, and the exercise of the voting right by the Shareholder and the content of his vote, if requested, may be notified to the other participants in the General Meeting, Shareholders.

EYDAP informs the Shareholders that the General Meeting will be recorded in order to prepare the minutes of the General Meeting. The recording is available only to the secretariat of the Board and only for the drafting of minutes.

EYDAP SA further informs that it will process the following data of natural persons, in addition to the Shareholders, who will participate in the video conference of the remote General Meeting, such as the Members of the Board of Directors of EYDAP, EYDAP executives, auditors and other third parties, which are collected directly from the subjects in question, for the purposes of legal interests pursued by EYDAP for the said processing:

  1. Identification data, such as name, middle name, ID card, passport or other equivalent document.
  2. Data relative to the capacity, based on which these persons are entitled to participate in the General Assembly.
  3. Electronic address (email), mobile phone number, for the purpose of the participation of the natural person in the teleconference.

4. Reasons for processing personal data and legal basis

The Company collects and processes the personal data of the Shareholders for the following purposes:

  • Participation and exercise of Shareholders' Rights in General Meetings (Statement of Beneficiaries Participation under Article 124 of Law 4548/2018)
  • Shareholder Identification
  • Verification of the possibility and legality of exercising the rights of Shareholders in accordance with current legislation
  • Keeping Book of Shareholders (article 40 of Law 4548/2018)
  • Dividend Distribution (Dividend Beneficiaries Identification File under Article 29 of DSS Regulation) and fulfillment of any contractual obligation of EYDAP to Shareholders (Article 6 par. 1 b EGDPR)
  • Implementation of corporate transactions executed through DSS (e.g. share capital increase - Rule 25 of DSS Regulation)
  • Notification to the Athens Stock Exchange of obliged persons (4.1.3.8. of the Athens Stock Exchange Regulation in conjunction with section 13 par.2 of Law 3340/2005)
  • Off-exchange transfer of EYDAP shares due to inheritance or entailment (Article 47 of DSS Regulation)
  • Fulfillment of obligations arising from the provisions of tax law and other mandatory legal provisions (Article 6 par. 1 c of EGDPR)
  • Any action necessary to serve EYDAP's legitimate interests, unless the interests or fundamental rights and freedoms of the data subject that impose the protection of personal data override those interests. An indicative example is the presentation of a detailed stock listing when required for the participation of the Company in development programs (Article 6 par. 1 par. of EGDPR)
  • Publication of the Company's acts and data on General Commercial Registry, the Athens Stock Exchange or on the EYDAP website when required by law
  • Provision of answers and clarifications to specific questions or requests addressed to the Company by the Shareholders.
  • Keeping a file of the Company's Shareholders

Therefore, the processing of the shareholders' data is carried out in the context of the relationship between us (article 6 par. 1 par. b' GDPR), compliance with the current legislation (article 6 par. c' GDPR) and for any action necessary for the service of the legal interests of EYDAP, unless the interest or the fundamental rights and freedoms of the data subject that impose the protection of personal data prevail over those interests.

In an exceptional case where you are asked for your consent (article 6 par. 1 par. a' GDPR), to take a photograph for example, this will be provided only after you have been informed of the specific purpose, and the processing will be carried out after your free consent for the specific purpose has been provided.

5. Data retention period

The time period during which the shareholders' personal data are retained within the context of their shareholder status is determined for the entire duration of the Company, for the purposes of protecting the Hellenic Capital Market Commission. The period of retention of personal data collected under a statutory provision shall be maintained for the time period prescribed by law or for the time period required to defend EYDAP's legal interests (litigation) or fulfill its contractual obligations.

6. Data Recipients-Transfer to Third Parties

EYDAP may provide access to or transmit the personal data of its Shareholders to:

  1. Natural and legal persons to whom the Company entrusts the performance of specific tasks on its behalf, including to service providers such as lawyers, accountants, and providers of technical and support services to file storage and management companies, to postal service providers, to e-mail service providers, to web hosting services, including cloud services, to external consultants and associates of the Company.
  2. The limited company with the name "Greek Central Securities Depository SA", which has been assigned by EYDAP, as the executor on behalf of EYDAP, the organization of the remote General Meeting, as well as the subcontractor of the limited company "Greek Central Securities Depository SA", Cisco Hellas SA, which provides the WEBEX tool / services team that enables video conferencing through cloud services held within the European Economic Area (EEA). See here and here the Privacy Policy for each company.

In those cases, such processing shall be carried out under the control of EYDAP and shall be subject to the same protection policy; the persons who perform services on behalf of the Company are bound, beyond the legal framework for the protection of personal data governing their services, also by clauses of secrecy and confidentiality of information. The Company has legally ensured that those who process personal data on its behalf provide sufficient assurances for the implementation of appropriate technical and organizational measures, so that such processing meets the requirements of the GDPR and the applicable legislation and regulations to ensure the protection of data and the privacy of individuals.

  3. Supervisory, audit, tax, independent, judicial, public and / or other authorities and bodies within the framework of their statutory powers and duties. Indicatively, the Athens Stock Exchange, Greek Central Securities Depository S.A., the Hellenic Capital Market Commission, the Central Securities Depository, the Deposits and Loans Fund and the General Registry, when the law or other regulatory act obliges it to provide or transmit such data or when the disclosure is required to serve its legitimate interests.
  4. On a case-by-case basis and under legal conditions to other Shareholders of the Company.

Special mention is made that in the event that the transfer of personal data outside the European Economic Area (EEA) or to international organizations is required, such transfer and processing in general will always be carried out in accordance with the GDPR and the general legal framework on the protection of personal data and provided that the relevant provisions are in compliance with and that adequate guarantees are provided for the protection of personal data.

7. Personal data protection and security measures

In order to protect your privacy, we apply the best practices for securing your personal data, through the implementation of the necessary technical and organizational measures set out in the applicable legal framework. Data is protected from loss of availability, integrity and confidentiality of information, as well as from unauthorized or unlawful processing, accidental loss, destruction or deterioration, alteration, prohibited dissemination or access and generally from any other form of unfair processing.

In any case, we ask you, before your participation in the hybrid General Meeting on July 11th 2024, to be informed about the terms and conditions and technical details in the Update «Terms and Conditions for the hybrid General Meeting 07.11.2024».

8. Shareholders' Rights

a) Right of access, correction, deletion

Pursuant to Articles 15, 16 and 17 of the EGDPR, Shareholders may be informed of their personal data held by the Company and may request modification, correction or deletion if those are collected directly by EYDAP and not through an interface with the "Greek Central Securities Depository S.A.". In the case of legal or reasonable right of the Company to refuse to process the claim, this (the refusal) will be specifically and explicitly justified.

b) Right to limit processing

In the cases provided for in Article 18 of the EGDPR, Shareholders have the right to restrict the further use of their personal data. The Company will be able to store their personal data but will not be able to process it further unless such processing is with their consent or is necessary for either the foundation, exercise or defense of legitimate claims of the Company either for the protection of another person's rights or for reasons of public interest.

c) The right to object

Shareholders may object at any time and for reasons related to their particular situation in the processing of their personal data, based on Article 6 par. 1 (e) or (f) of the EGDPR. In such case, EYDAP shall no longer process personal data unless it demonstrates imperative and legal reasons for processing that override the interests, rights, and freedoms of shareholders or for the foundation, exercise or support of legal claims. It should be noted that in the event that a decision is taken solely on the basis of automated processing, including profiling, if it produces legal effects which concern or affect the subject in a similar way, the subject has the right to object, unless there are specific reasons under current legislation (article 22 GDPR).

d) Right to portability of personal data

Shareholders have the right to receive the data concerning them provided to EYDAP in a structured, commonly used and machine-readable format or to request the transfer of their said data to any other processor, provided that the processing is based on consent and is carried out by automated means and without prejudice to the legal rights and obligations of EYDAP for data retention (Article 20 GDPR)

e) Right to withdraw your already given consent (article 7 GDPR), i.e. to withdraw your consent at any time for processing based on consent. The legality of the processing of your data is not affected by the withdrawal of consent until the time at which you requested the revocation.

f) Right to complain to GDPA, right to appeal to the competent supervisory authority, General Data Protection Authority (1-3 Kifissias Ave., Athens, PC 115 23, +30 210 6475600, contact@dpa.gr), if you consider that your rights are violated in any way and that the processing of your data is done in violation of the applicable legislation.

You have every right to exercise your rights by filling in the relevant Form for Exercising Rights and sending it by email to the email address dpo@eydap.gr or by snail mail to the address 9 Ilision, Athens 157 71. Responsible to answer, resolve and clarify any questions you may have is Ms. Marianna Alboura, Data Protection Officer (DPO). Please submit your relevant requests in accordance with the clear instructions listed in the Rights Exercise Form, which is provided on the EYDAP website and be accompanied by the appropriate identification documents of your person, with the express reservation of «EYDAP SA» to request the provision of additional information in order to identify and confirm your details.

The Company reserves the right, after examining your relevant request, to proceed within a period of one month or more, in case of justified delay, to its satisfaction and provided that it is legal and reasonable. Before we provide you with personal information, we may ask for proof of your identity and sufficient information about your transactions with us from which we can identify your personal information.

If you decide to unsubscribe from a service or communication, we will try to delete your data as soon as possible, although we may need some time and / or information before we can process your request. The Company reserves the right to maintain your personal data in those cases where there is a legal obligation or the exercise of legal claims or the fulfillment of its obligations in the context of the relationship between us.

9. Policy Update

EYDAP unilaterally reserves the right to update, amend or revise this policy in order to improve its services, harmonize it with the provisions of current legislation (internal and Community) on general data protection. To this end, please check this Privacy Policy and Privacy Statement regularly to be informed of changes made to the Website www.eydap.gr

10. Contact info

  1. Data Processing Manager: EYDAP SA
    Address: 156, Oropou Str.
    Phone number: + 30-210 214 4201 Fax: + 30-210 214 4159
    Email: grammateia@eydap.gr
  2. Data Protection Officer (DPO): Marianna Alboura
    Phone number: + 30- 210 749 5156 & + 30-210 749 556
    E-mail: dpo@eydap.gr
  3. Hellenic Data Protection Authority (HDPA):
    Offices: 1-3 Kifissias Str., 115 23, Athens
    Call Center: + 30-210 647 5600 Fax: + 30-210 647 5628
    E-mail: contact@dpa.gr

Information Statement

By reading this, the shareholder is aware of the aforementioned treatment in accordance with Regulation 2016/679 and its recitals, solely for the purposes stated above and for purposes consistent with them.

Disclaimer

Eydap SA - Athens Water Supply & Sewage Co. published this content on 19 June 2024 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 19 June 2024 10:04:05 UTC.