This Privacy Policy is meant to help you understand what information we collect, why we collect it, and how you can update, manage, export, and delete your information.
COMPANY POLICY FOR PERSONAL DATA PROCESSING
1 Background and Purpose

1.1 ApartDirect Cars AB values the privacy of its customers, suppliers, partners, and employees and is always committed to complying with the applicable data protection regulations. Everyone has the right to the protection of their personal data.

1.2 ApartDirect Cars AB has therefore adopted this Policy for the processing of personal data to ensure that everyone within the organization complies with data protection rules. This document is intended to provide you, as an employee, with guidance on how to handle personal data.

1.3 The General Data Protection Regulation (GDPR) started to apply on May 25, 2018. It brings enhanced protection for individuals whose personal data is processed and places more and stricter requirements on organizations that process personal data.

1.4 If the processing of personal data were to contravene the provisions of the GDPR, there is a risk of infringement of the personal privacy of the data subjects, as well as a risk of reputational damage to ApartDirect Cars AB. Furthermore, the company may be required to pay damages or be subject to an administrative fine of up to twenty million euros or 4% of the total worldwide annual turnover, whichever is higher. To avoid such consequences, all employees are required to follow these guidelines.
2 Scope and Application

2.1 This policy applies to all employees and consultants of ApartDirect Cars AB, in all markets and at all times.

2.2 The Board of ApartDirect Cars AB must ensure compliance with this Policy, which includes, among other things, providing training for all employees. Employees must also be informed that violating the policy may lead to, for example, employment law consequences.
3 Fundamental Principles

3.1 The fundamental principles described below must always be observed when processing personal data. ApartDirect Cars AB is responsible for, and must be able to demonstrate, compliance with these principles.

3.1.1 Lawfulness, fairness, transparency – Personal data must be processed lawfully, fairly, and transparently in relation to the data subject. This means that each type of processing must be based on a valid legal basis, such as the performance of a contract, compliance with a legal obligation, performance of a task carried out in the public interest, legitimate interest, or consent (see section 5 below). If a valid legal basis for the processing cannot be identified, the processing must not be carried out. The basis for this principle is clear communication with the data subject regarding, among other things, the purposes for which the data are processed, the type of processing carried out, if and how the data are shared with others, how long the data are stored, and how to contact ApartDirect Cars AB. Data subjects should therefore be provided with clear and transparent information about the processing of their personal data.

3.1.2 Purpose limitation – Personal data may only be collected and otherwise processed for specific, explicitly stated, and legitimate purposes and may not later be processed in a manner incompatible with those purposes.

3.1.3 Data minimization – Personal data processed must be adequate, relevant, and not excessive in relation to the purposes for which they are processed. Ensure that the data collected are truly needed, and do not request information just because it might be useful to have.

3.1.4 Accuracy – Personal data processed must be accurate and, where necessary, kept up to date. Take appropriate measures to ensure that inaccurate or incomplete data are corrected, for example by establishing procedures for updating address records when a person moves, supported by a summary of the systems and registers where the address is stored. However, avoid storing copies of data in multiple systems, since this creates sources of error and risks outdated information being retained.

3.1.5 Storage limitation – Personal data must not be stored longer than necessary in relation to the purposes of the processing. When the data are no longer needed, they must be disposed of, meaning that they must either be deleted or anonymized.

3.1.6 The accountability principle means that ApartDirect Cars AB must be able to demonstrate compliance with the GDPR. The company must, for example, document the implemented and planned processes and measures regarding data protection issues. Furthermore, there must be a register of all types of processing of personal data carried out, and ApartDirect Cars AB must be able to present such a register to the supervisory authority when required.
4 Personal Data

4.1 Personal data means any information relating to an identified or identifiable natural person, i.e., a person who can be identified, directly or indirectly. Examples of personal data include name, contact details, location data, or factors specific to a person's physical, economic, cultural, or social identity. Data that may not, individually, meet these requirements may, collectively, still constitute personal data.

4.2 All processing of personal data is subject to the GDPR and its rules. Processing means any operation or set of operations performed on personal data, whether or not by automated means. Personal data found in emails, in documents on servers, in a simple list, on websites, and in other unstructured material are also covered.

4.3 Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as processing of genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation (so-called special categories of personal data), is as a rule prohibited. For such processing to be allowed, a valid exception to the prohibition is required. The most common exceptions are that the data subject has given consent or has made the data public themselves, that the processing is needed to exercise rights or fulfill obligations under labor law, to establish, exercise, or defend legal claims, or for health care purposes.

4.4 Processing of personal identity numbers may only be carried out if it is clearly justified by the purpose of the processing, the need for secure identification, or another worthy reason.

4.5 Processing of data concerning criminal offenses (criminal convictions and offenses or related security measures, but probably not suspicion of crime) may only be carried out in certain specific cases. Processing may be performed if it is necessary to establish, exercise, or defend legal claims in individual cases, or for anti-money laundering checks.
5 Legal Grounds for the Processing of Personal Data

5.1 The processing of personal data is only lawful if and to the extent that one of the following grounds applies.

5.1.1 The data subject has given their consent to the processing of their personal data for one or more specific purposes. There are specific requirements that must be met for consent to be valid.

5.1.2 The processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject before entering into such a contract.

5.1.3 The processing is necessary for compliance with a legal obligation to which ApartDirect Cars AB is subject. An example is providing tax information to the Tax Agency.

5.1.4 The processing is necessary to protect interests of fundamental importance to the data subject or another natural person (e.g., in life-threatening situations).

5.1.5 The processing is necessary for purposes relating to the legitimate interests of ApartDirect Cars AB or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (balance of interests). There are special documentation requirements concerning the assessment carried out in a balance of interests.
6 Security Measures, Access Control, and Deletion

6.1 Personal data must be processed in a way that ensures appropriate security for the data, using technical and organizational measures. Organizational security measures may mean using access control for systems containing personal data, logging access to personal data, or ensuring that computers or similar devices containing personal data are stored so as to hinder unauthorized access and are not left unattended. Examples of technical measures that must be checked include whether the company has adequate backup routines, sufficient firewalls, password-protected wireless networks, updated virus protection, password protection for mobile devices such as mobile phones and tablets, protection against unauthorized internal access, password requirements, encryption where needed, and logging of access to and use of IT systems.

6.2 Personal data may not be retained longer than necessary for the purposes for which they are processed. By establishing and following a deletion procedure for each database/processing, structured deletion work is ensured. Even personal data in what is known as unstructured material, such as in documents on servers, in a simple list, on websites, etc., must be deleted when the purpose of the processing has been fulfilled.
7 Transfer to Third Countries

7.1 Special rules apply to the transfer of personal data to countries outside the EU and EEA (so-called third country transfers). The GDPR means that all EU member states as well as EEA countries have equivalent protection for personal data and privacy, and therefore personal data can be transferred freely within that area without restriction. For countries outside this area, there are no general rules that guarantee equivalent protection, meaning third country transfers may only take place under specific conditions. This applies to any transfer of information across borders, including through many online IT services, cloud services, external access services, or global databases, and each such transfer must be specifically analyzed.
8 Impact Assessment

8.1 ApartDirect Cars AB has a specific routine in place to identify and manage particular privacy risks within its operations and for structured follow-up. Particular risks to the rights and freedoms of data subjects may arise in connection with certain types of data processing, especially sensitive data, processing on a large scale, the use of new technology, or similar factors.

8.2 If new or changed personal data processing is likely, in any respect, to result in a high risk to the rights and freedoms of individuals, the procedure must be followed and an assessment of the effects of the intended processing on the protection of personal data must be made before processing begins.

8.3 Before such personal data processing commences, the person responsible within the company must be contacted to investigate whether an impact assessment is required; if necessary, an impact assessment is carried out together with the person responsible by [answering certain specific questions, work meetings, and risk assessment].
9 Register Extracts and Disclosure

9.1 The GDPR grants data subjects several rights regarding the processing of personal data. It is ApartDirect Cars AB's duty to fulfill these rights and ensure that there are sufficient processes to accommodate data subjects.

9.1.1 The data subject has the right to information when personal data are collected. This information must be provided in an easily accessible written form and in clear and plain language. The GDPR prescribes a number of specific requirements that must be met, and the requirements vary depending on whether the information was collected directly from the data subject or from a third party.

9.1.2 The data subject has the right to obtain confirmation as to whether or not personal data concerning them are being processed, and if so, to receive a copy of the personal data (register extract). This right applies regardless of the location where the data are processed.

9.1.3 If the processed personal data are incorrect or incomplete, the data subject may request rectification. If the data subject demonstrates that the purpose for which the data are processed is no longer permissible, necessary, or reasonable under the circumstances, the relevant personal data must be deleted, unless otherwise provided by law.

9.1.4 The data subject has the right to transfer personal data that they have provided to ApartDirect Cars AB to another data controller (right to data portability) if the processing is based on the legal grounds of contract or consent. The personal data must be provided to the data subject in a structured, commonly used, and machine-readable format. If it is technically possible, the data subject may request that the information be transferred directly to another data controller. This right applies only to the personal data that the data subject has provided to ApartDirect Cars AB.

9.1.5 The data subject has, in certain circumstances, the right to demand that ApartDirect Cars AB restrict the processing of their personal data, i.e., limit processing to certain specific purposes. The right to restriction applies, among other things, when the data subject believes the information is inaccurate and has requested rectification of the data. The data subject can then request that processing be restricted while the accuracy of the data is being investigated. When the restriction ends, the individual must be informed of this.

9.1.6 The data subject has the right to object to processing of personal data based on legitimate interest as a legal ground. Upon objection, the company must cease processing unless it can demonstrate compelling legitimate grounds for the processing that outweigh the interests, rights, and freedoms of the data subject, or unless the processing is carried out for the establishment, exercise, or defense of legal claims.

9.1.7 In some cases, the data subject has the right to request erasure of their personal data ("the right to be forgotten"). An example is when consent is the legal ground for processing and the data subject withdraws their consent.

9.1.8 When personal data are processed for direct marketing, the data subject has the right to object at any time to processing for such purposes. If a data subject objects to processing for direct marketing purposes, such processing must cease.
10 Personal Data Breaches

10.1 A personal data breach is a security incident that results in the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to personal data. Examples of personal data breaches include theft of a customer register, accidental disclosure of salary information via email to the wrong recipient, an employee bringing home an unencrypted work computer that is later stolen in a break-in and leads to the disclosure of information about employees or customers, personal data mistakenly published online, a laptop containing personal data being lost or stolen, etc.

10.2 Personal data breaches may have to be reported to the supervisory authority within 72 hours of discovering the incident if it is likely that there is a risk to the rights and freedoms of data subjects. Incidents must be documented, and it may be necessary to notify affected data subjects.

10.3 In case of a suspected personal data breach, contact the responsible person at ApartDirect Cars AB immediately. It is then the responsible person's role to assess whether the supervisory authority or the data subjects need to be notified.
11 Other

11.1 For definitions of terms used in this policy, refer to the GDPR.

11.2 This policy should be updated annually or as necessary based on instructions from the Board of ApartDirect Cars AB.

12 Questions

For any questions related to the processing of personal data, please contact the responsible person at ApartDirect Cars AB.
Policy adopted by the Board of ApartDirect Cars AB on 19-11-2025.
