The processing of personal data is necessary for the execution of contracts signed between One Crna Gora and customers. If we did not process this data, it would not be possible for us to fulfill contractual obligations towards customers.

We process personal data to ensure that the services we provide match what is specified in the subscription agreement.

To fulfill our obligations under the contract with the customer, we need to process their personal data. It is based on this data that One Crna Gora identifies the customer as the contracting party, the terms of the relevant tariff package, and so on.

We process personal data in order to provide the contracted services.

To provide and properly charge the contracted services, we need to process customer data, including basic data, contract data, and traffic data. To provide the service at all, it is necessary for the customer's mobile phone to connect to a specific base station in our network, where the base station covers the appropriate physical area. This processing also involves processing data on the approximate location of the user of the service.

We process customer data to maintain our mobile network and information systems.

To prevent, detect, localize, and learn how to fix network and information system errors, including preparing responses to customer complaints and claims, we need to process personal data, including traffic data.

We process customer data for interconnection payments.

In order for users of different operators and networks to establish mutual connections, operators and networks must be interconnected. For this purpose, two operators enter into an agreement under which their networks are interconnected. Based on this agreement, operators are required to pay each other for calls made by their subscribers.

We process customer data for roaming services with our roaming partners.

To enable One Crna Gora customers to use roaming services (i.e., outside the territory of Montenegro), One Crna Gora must regulate its relations with operators whose mobile networks are used by customers abroad. For this reason, One Crna Gora enters into agreements with the relevant mobile operators. Based on these agreements, One Crna Gora is required to pay the partner every time a One Crna Gora customer uses services provided over the network of another mobile operator.

We process customer data for billing and invoicing purposes.

For this purpose, we process basic data, contract data, and traffic data, all in order to create invoices for the customer, verify their correctness, and then issue invoices for the services provided to customers.

We process customer data to administer payments.

When a customer makes a payment under a contract with One Crna Gora, as well as every time a customer wants to postpone payment obligations to One Crna Gora, we record their basic data, contract data, obligations, and payment data.

We process customer data to provide them with notifications.

To fulfill our obligations regarding informing customers about upcoming changes, amendments, or circumstances affecting the provision of our services, we process the following personal data: basic data, contract data, contract obligations data, payment data, traffic data, and communication data with customers, among others.

We process customer data to fulfill their requests.

In order to process a customer's request, we need to process their basic data, data related to relevant contracts, as well as data on obligations and/or payments (if applicable).

• To top up a prepaid SIM card, we need to process the customer's basic data and data related to the payment made for the top-up.
• To fulfill customer requests for SIM card replacement (e.g., in case of damage or loss), we need to process their personal data, as well as data related to the contract.
• To fulfill customer requests (e.g., for activating or deactivating roaming or mobile internet services, and so on), we need to process their basic data, contract-related data, and other data relevant to the request.

We process customer data in order to care for them adequately.

We process the personal data of our customers to provide them with quality and timely customer support, including but not limited to processing customer suggestions, requests, inquiries, and/or complaints. The type and extent of personal data we process in such cases depend on the nature and content of the relevant suggestion, complaint, request, and/or complaint.

We process customer data when transferring phone numbers from One Crna Gora's network or to One Crna Gora's network.

To process a request for transferring a phone number from One Crna Gora's network or to One Crna Gora's network, it is necessary to process the personal data of the customer.

We process customer data to prevent, detect, investigate, and stop abuses.

In order to prevent, detect, investigate, and stop unlawful acts that are contrary to the terms of use of our services or that violate applicable laws, we process personal data, as well as traffic data.

We process personal data of customers when necessary to enforce our rights under contracts concluded with them.

The contracts that One Crna Gora concludes with customers define rights for both parties. In case of failure to fulfill contractual obligations, One Crna Gora is entitled to take steps in order to exercise its rights, which may include the initiation of procedures for the collection of outstanding claims, which requires the processing of personal data.

We Proces Customer Data for Past and Bad Debts Collection

If a customer fails to pay their debt as agreed in the contract, One Company has the right to seek the debt through extrajudicial means or through legal proceedings. For this purpose, the following customer data must be processed: basic data, contract data, obligations data, payment data, as well as contact information if provided by the customer. If a customer disputes the charges being billed, One Company may also process relevant traffic data to prove the correctness of the bill. During the process of extrajudicial debt collection, One Company may engage the services of third-party debt collection agencies, to which such data may be disclosed. When carrying out legal debt collection obligations, One Company may engage the services of lawyers and/or law firms to whom such data may be disclosed.

In certain cases, the applicable legislation of Montenegro requires One Crna Gora to process personal data of its customers for specific purposes, in a certain manner, and/or for a specific period. Examples of cases in which One Crna Gora processes personal data to fulfill its legal obligations are provided below.

We process personal data when we are obligated by the applicable legislation to provide information to competent authorities.

Montenegro's legislation requires One Crna Gora to retain certain customer personal data for a specific period. For example, data related to communication and location are considered "retained data" concerning electronic communications, and we are obliged to retain them for 12 months (for voice traffic and SMS messages) or 6 months (for internet traffic), in accordance with the Law on Electronic Communications and the Regulation on Categories of Retained Data for Electronic Communications. If there are legal requirements, the data processed by One Crna Gora must be disclosed to the competent authorities.

We process customer personal data when we are obligated by the applicable legislation to provide assistance to competent state authorities during inspections.

Considering One Crna Gora's business activities, which involve providing electronic communication services and networks, our operations may be subject to inspections by various state authorities, such as the Electronic Communications and Postal Agency (EKIP), the Agency for Personal Data Protection and Free Access to Information, the Market Inspectorate, and others. During inspections, these authorities have the authority to request that One Crna Gora provide documents and information it possesses. The necessary documents and information may include customer personal data.

We process personal data because, in accordance with applicable laws, we are obligated to ensure the security of our networks and information systems (including the security of our customers' personal data).

In order to prevent, detect, investigate, and/or resolve:

(a) security breaches and/or violations,or

(b) personal data breaches,
we must process customer personal data in certain cases.

We process personal data to provide a warranty for a product in accordance with the Consumer Protection Law.

When a customer purchases a product from us, One Crna Gora is obligated, under the Consumer Protection Law, to provide repair or replacement at no charge if the product was defective at the time of delivery and if such a defect occurs within two years from the date of purchase. To fulfill this obligation, One Crna Gora needs to process customer basic data (which determines the right to file a claim) as well as data related to the relevant contract (which determines whether the product is within the warranty period).

One Crna Gora processes customer personal data for other purposes if the customer has given consent for it. Customers can withdraw their consent at any time, free of charge, using one of the following methods: by submitting a written request at our branch or through the My One mobile application.

The withdrawal of consent does not affect:

• - The legality of processing personal data based on consent before withdrawal.
• - The processing of personal data for purposes that do not require consent, as per the provisions of this Privacy Notice.

With the prior consent of the customer, we process traffic data, approximate location data, and device data to prepare the best offers, services, and products for the customer (for the purpose of creating personalized offers/direct marketing).

Based on customer consent, One Crna Gora processes their personal data for the purpose of conducting a credit assessment when customers wish to purchase a device in installments or at a discounted price with an appropriate tariff package. Such consent is voluntary. In the event that a customer refuses to undergo the assessment, they can only purchase the desired device at the full price.

In order to enter into a contract or register a prepaid card, the customer needs to provide their personal data. Providing such data allows us to identify the individual as a party to the contract and as the holder of rights/obligations under the contract.

The full name of the customer, ID card number or passport number, and address are part of the minimum set of data for every mobile/fixed services contract. In the event that the customer refuses to provide them, One Crna Gora will not be able to conclude the contract or register the prepaid card.

During the contract conclusion process, data from the customer's personal documents are also processed to verify their validity, as the purpose of such verification is to prevent potential fraud attempts and/or misuse of personal data.