In addition to collecting Personal Data directly from you, we may collect Personal Data from third parties, such as credit reference agencies or publicly available sources, as required or permitted by local law. The legal basis for us processing your Personal Data will typically be one of the following: for the performance of an agreement or contract with you or a relevant party; to fulfil our legitimate business interests or comply with our legal obligations; or based on your consent. We will only use your Personal Data as described in this Notice to:

• • comply with our obligations under AML, CTF and other FCC laws, which include:

  • - to identify and verify identity;

  • - to detect and prevent criminal activity;

  • - to screen and monitor against watchlists including sanctions;

• • manage and service accounts to enable us to perform our contract with you or a relevant party;

• • trace and recover debts to address our legitimate interests;

• • to manage complaints to meet our contractual obligations with our customers or other third parties; and

• • complete financial risk modeling to assess and manage various risks in our portfolio.

We may share Personal Data with other entities within the GE Group (being the General Electric Company and its wholly and majority-owned and/or serviced entities) or with third parties who all perform FCC services on our behalf and with law enforcement authorities and governmental entities, connected to criminal investigations or to establish, exercise, or defend our legal rights. In the event all, or some, of our business (or its assets) is sold, we may transfer Personal Data to any successor entities or parties. Wherever we share Personal Data we will exercise measures to safeguard it and ensure it is only processed as strictly necessary to fulfill a contractual task or legal obligation.

Only where we have to do so in the performance of the contract or where you specifically request us to do so, we may transfer or process Personal Data worldwide. Where no satisfactory data protection laws exist in the country to which we are transferring the Personal Data, we will put equivalent contractual safeguards in place to protect it.

We have also entered Binding Corporate Rules which govern our data handling practices: www.ge.com/bcr. For further information on these safeguards please contact us at the address at the end of this Notice.

We maintain administrative, technical, and physical safeguards, consistent with legal requirements where the Personal Data is obtained, to protect the integrity, confidentiality, security, and availability of Personal Data. Personal Data is retained only for as long as it is needed to fulfil the purpose for which it was obtained in accordance with the principle of data minimization under GDPR and subject to additional legal retention requirements.

You have the right to access all Personal Data we maintain about you; to request that we update, correct, amend, erase, or restrict it; and to exercise your right to data portability. You may also withdraw your consent at any time and/or object to the processing of your Personal Data on legitimate grounds based upon your circumstances. To exercise these rights, or otherwise contact us, please submit a written request to: Chief Privacy Officer, General Electric Company, 33-41 Farnsworth Street, Boston, MA 02210, United States.

If you elect to exercise your rights and are not satisfied with our response, you may also have the right to file a complaint with a supervisory authority or other governmental regulator, as permitted by local law.