Data Privacy Provisions Applicable to Participants Outside the European Union/European Economic Area/United Kingdom (“EEA+”).

Data Privacy. The Participant hereby acknowledges that:

International Data Transfers. The Personal Data will be transferred from the Participant’s country to the U.S., where the Company and its service providers are based. The Participant understands and acknowledges that the U.S. might have enacted data privacy laws that are less protective or otherwise different from those applicable in the Participant's country of residence. For example, the EU Commission has issued only a limited adequacy finding with respect to the U.S. that applies solely if and to the extent companies self-certify and remain self‑certified under the EU/U.S. Privacy Shield program. In the absence of such certification, an appropriate level of protection can be achieved by implementing safeguards such as the Standard Contractual Clauses adopted by the EU Commission.

Data Privacy Consent. If the Participant is located in a jurisdiction outside the EU/EEA, the Participant hereby unambiguously consents to the collection, use and transfer, in electronic or other form, of Personal Data, as described above and in any other grant materials, by and among, as applicable, the Employer, the Company and any affiliate for the exclusive purpose of implementing, administering and managing the Participant’s participation in the Plan. The Participant understands that he or she may, at any time, refuse or withdraw the consents herein, in any case without cost, by contacting in writing [[Email]]. If the Participant does not consent or later seeks to revoke his or her consent, the Participant’s employment status or service with the Employer will not be affected; the only consequence of refusing or withdrawing consent is that the Company would not be able to grant equity awards to the Participant or administer or maintain such awards. Therefore, the Participant understands that refusing or withdrawing consent may affect his or her ability to participate in the Plan. For more information on the consequences of refusal to consent or withdrawal of consent, the Participant should contact NetApp’s Global Chief Privacy Officer at [[Email]] or at the mailing address in Section 20(c).

Data Protection (Jurisdictions other than European Union/European Economic Area/United Kingdom).

Finally, upon request by the Company or the Employer, the Participant agrees to provide an executed data privacy consent form (or any other agreements or consents) that the Company and/or the Employer may deem necessary to obtain from the Participant for the purpose of administering the Participant’s participation in the Plan in compliance with the data privacy laws in the Participant’s country, either now or in the future. The Participant understands and agrees that the Participant will not be able to participate in the Plan if the Participant fails to provide any such consent or agreement requested by the Company and/or the Employer.

If the Participant is based in the EU or EEA (including, for the avoidance of doubt, the United Kingdom), the Company’s legal basis for the processing of Personal Data is the necessity of the processing for the Company's performance of its obligations under the Plan and, where applicable, the Company’s legitimate interest of complying with contractual or statutory obligations to which it is subject.

Data Privacy. The following provision supplements the Data Privacy Notification and Consent provision above in this Appendix:

Personal Data Transfers. The Receiving Party shall, other than to countries approved, from time to time, as having equivalent protection for Personal Data as under European Data Protection Laws by the EC, not Process such Personal Data outside the EEA unless where the Receiving Party complies with the data importer’s obligations set out in the EU Standard Contractual Clauses for transfers from data controllers in the European Union or European Economic Area to controllers established outside the European Union or European Economic Area pursuant to EU Commission Decision 2004/915/EC (as amended or replaced from time to time) (the “Controller to Controller Clauses”) which are hereby incorporated into and form part of this Agreement (and for the purposes of [Annex B] of such Controller to Controller Clauses, categories of Data Subjects, purpose of transfer, types of Personal Data, recipients and categories of sensitive Personal Data shall be as set out in Articles 9.15 to 9.20 below.

Upon request of the Company or the Employer, the Grantee agrees to provide a separate executed data privacy consent form (or any other agreements or consents that may be required by the Company and/or the Employer) that the Company and/or the Employer may deem necessary to obtain from the Grantee for the purpose of administering the Grantee's participation in the Plan in compliance with the data privacy laws in the Grantee's country, either now or in the future. The Grantee understands and agrees that he or she will not be able to participate in the Plan if the Grantee fails to provide any such consent or agreement requested by the Company and/or the Employer.