GDPR

Brand of AF1 Protective Agency Inc.

Personal Data Privacy and Protection Policy (Clients and Candidates)

Document No: DDS-001

Effective Date: July 1, 2022

Data Protection Director:

Revision Date: December 5, 2022

Revision No: 0.2

Approval: Office of the General Counsel

Purpose

The purpose of this Due Diligence Specialist (DDS) Brand Global Data Protection Policy (“Policy”) is to outline DDS Brand of AF1 Protective Agency’s practices for the Processing of Client Data and Candidate Data on a worldwide basis, in accordance with the EU General Data Protection Regulation (“GDPR”) and other applicable laws. Unless it is otherwise Client Data or Candidate Data, this Policy does not apply to the Processing of information relating to online visitors.

This Policy is designed to provide a global minimum standard for the Group with respect to its Processing of Client Data and Candidate Data. Where specific local laws require stricter standards than those prescribed in this Policy, DDS Brand will Process Client Data and Candidate Data in accordance with applicable local law and may develop specific local policies in this regard. Where applicable local law provides a lower level of protection of Client Data and Candidate Data than that established by this Policy, then the standard required by this Policy will apply.

Revision History

Date | Revision # | Modification

(not recorded) | 0.1 | Initial Draft

(not recorded) | 0.2 | Final

Scope

This Policy applies to all Due Diligence Specialist (DDS) Brand Clients globally.

Definitions

All defined terms contained herein shall have the meaning ascribed to them in the Data Protection Glossary unless otherwise defined herein.

Responsibilities

DDS brand's Office of the General Counsel ("OGC") Team is responsible for managing this Policy. The DDS brand Data Protection Team is responsible for responding to any requests by Clients or Candidates to access their Data held by DDS brand, and to any actual or potential violations of this Policy.

Additional Documentation (as described below)

-Data Protection Glossary

-DPIA Standard

-Data Protection Impact Assessment (DPIA) Template

-Data Classification Policy

-Data Classification Standard

-Enterprise Risk Assessment Standard

-Access & Correction Standard

-Personal Data Erasure Standard

-Data Protection Training Standard

-Data Protection Audit Standard

-Consent Standard

-Data Processing Register Standard

-Individual Recourse Standard

-Information Security Standards Policy

Processing of Client Data and Candidate Data

1.- What is Processing?

In the course of its relationships with DDS brand Clients and Candidates, DDS brand will Process Client Data and Candidate Data.

In addition to the general definition in the Data Protection Glossary, the term ‘processing’ also means any action taken in connection with Client Data and/or Candidate Data, including:

collection, handling, use, transfer and disclosure by transmission, dissemination or otherwise making available, as well as recording, organization, storage, retention, adaptation or alteration, access, retrieval, consultation, alignment or combination, blocking, anonymizing, erasure, disposal or destruction.

2.- What are DDS brand's General Processing Principles?

DDS brand respects the privacy rights and interests of each DDS brand Client and Candidate and adheres to the following general principles when Processing Client Data and Candidate Data:

-Client Data and Candidate Data will both be Processed fairly and lawfully and in accordance with this Policy.

-Client Data and Candidate Data will both be collected for legitimate purposes. Before DDS brand collects Client Data or Candidate Data, DDS brand Clients or Candidates will be informed about: the purposes for which their Data is collected and used; how they can make inquiries or complaints about the Processing of their Data; the types of third parties to which DDS brand discloses their Data; the means DDS brand offers for limiting the use and disclosure of their Data; and the security measures that DDS brand adopts to safeguard their Data.

-Client Data and Candidate Data will be accurate and kept up to date. Reasonable steps will be taken to rectify or delete Client Data or Candidate Data that is inaccurate or incomplete.

-Subject to certain exceptions, DDS brand Clients and Candidates will have the opportunity to choose not to have their Client Data or Candidate Data disclosed to a third party (other than those who are acting as agents for DDS brand under its instructions) or used for a purpose which is incompatible with the original purpose for which it was collected. DDS brand Clients and Candidates will be given a clear and conspicuous, readily available and affordable mechanism by which to exercise their choice.

-Client Data and Candidate Data will be relevant to, and not excessive for, the purposes for which it is collected and used.

-Subject to applicable local record retention laws and any other applicable legal requirements, Client Data and Candidate Data will be held by DDS brand only as long as is necessary for the purposes for which it was collected and Processed.

-DDS brand will not Transfer Client Data or Candidate Data to any third party unless the third party provides at least the same level of privacy protection as is required by this Policy.

-Reasonable precautions will be taken to prevent: unauthorized or accidental destruction, alteration or disclosure of; accidental loss of; unauthorized access to; misuse of; unlawful Processing of; or damage to, Client Data and Candidate Data.

3.- What are the Purposes of Processing?

DDS brand collects and uses Client Data and Candidate Data in order to: service requests for pre-employment or pre-board appointment background checks on Candidates; conduct pre-transaction background checks on individuals; and conduct other services in furtherance of its business relationship with Clients.

For example, the following is an illustrative, but not exhaustive, list of DDS brand’s business activities all requiring the Processing of Client Data and Candidate Data in the context of DDS brand’s business relationships with Clients:

-DDS brand Client identification.

-Reimbursement of DDS brand Client expenses.

-Compliance and risk management.

-Communication with DDS brand Clients.

-Pre-employment, pre-board appointment and pre-transaction background investigations, including civil and criminal litigation checks.

-Reporting on financial history and credit reviews of Candidates.

-Regulatory and licensing checks of Candidates.

-Press, internet, and social media reporting about Candidates.

-Verifying employment and education of Candidates.

-Conducting searches in global risk compliance databases ("watchlists").

-Identifying past and present corporate affiliations.

-Searching driving records.

-Business development and growth opportunities.

-Compliance with applicable law governing transfers of Personal Data.

4.- When Will DDS brand Share Client Data or Candidate Data Amongst its Various Entities?

A Transfer of Client Data or Candidate Data between DDS brand companies will only occur if the Transfer is based on a clear business need and is for the purposes described in Section 3 (What are the Purposes of Processing?) above.

5.- What Client Data or Candidate Data Transfers Outside of DDS brand May Be Made?

DDS brand may, from time to time, Transfer Client Data or Candidate Data outside of DDS brand:

-Where required as a matter of law.

-Where required to protect its legal rights (e.g., to defend litigation).

-At the direction of the relevant DDS brand Client.

-To select third parties, where permitted by applicable local law, as described in Section 6 below.

6.- Under What Circumstances May Disclosures Be Made to Service Providers and Customers?

DDS brand may disclose Client Data or Candidate Data to select third parties:

-That have been engaged to provide services to or on behalf of DDS brand (e.g., conducting background checks) ("Vendors"). In such circumstances, DDS brand will only disclose Client Data or Candidate Data that is necessary for, and material, relevant and limited to, the Vendor's provision of those services.

-That obtain services from DDS brand and that require specific information concerning the DDS brand Clients involved in the provision of those services for the purposes of safety, security and the protection of the Client's resources. In such circumstances, DDS brand will only disclose Client Data that is necessary for, and material, relevant and limited to, those purposes; or where otherwise permitted under applicable local rules.

7.- What Requirements Will Be Imposed on Vendors?

DDS brand will require that Vendors undertake by written contract to guarantee at least the same levels of protection afforded under this Policy when Processing DDS brand Clients’ Client Data.

8.- Security and Confidentiality

DDS brand is committed to taking appropriate technical, physical and organizational measures to protect Client Data and Candidate Data (including Sensitive Client Data and Sensitive Candidate Data) against unauthorized or accidental destruction, alteration or disclosure; accidental loss; unauthorized access; misuse; unlawful Processing; or damage.

These measures include equipment, application and information security, access security, and training of DDS brand Workers who are required to Process DDS brand Clients’ Client Data and Candidates’ Candidate Data about this Policy and the appropriate Processing of Client Data and Candidate Data.

The level of the relevant measures, reflecting the risks and nature of the different types of Client Data and Candidate Data, will be reviewed and updated periodically consistent with DDS brand's Information Security policies.

Sensitive Client Data and Sensitive Candidate Data

9.- How Will DDS brand Treat Sensitive Client Data and Sensitive Candidate Data?

Sensitive Client Data and Sensitive Candidate Data may be Processed for the purposes set out above. DDS brand will endeavor to limit the Processing of Sensitive Client Data and Candidate Data to that strictly necessary for the purposes for which it was collected.

A DDS brand Client's explicit Consent to the Processing of his/her Sensitive Client Data will be obtained, except as otherwise allowed by law. Similarly, a DDS brand Candidate's explicit Consent to the Processing of his/her Sensitive Candidate Data will be obtained, except as otherwise allowed by law.

10.- What Are DDS brand Clients’ or Candidates’ Rights to Access Their Data?

Any DDS brand Client or Candidate, as the case may be, may inquire as to the nature of his/her Data held by DDS brand. DDS brand will endeavor to respond to an inquiry without excessive delay and within the time limits prescribed by applicable local law (if any) or otherwise within a reasonable time period.

A DDS brand Client or Candidate wishing to access his/her Data held by DDS brand should contact the Data Protection Team at [email protected].

In responding to a request for access, DDS brand may request that the requesting DDS brand Client or Candidate, as the case may be:

-Provide DDS brand with sufficient information to allow it to confirm the DDS brand Client's or Candidate's identity.

-Identify the concerns which led to or motivated the request, so that DDS brand can locate responsive information.

-Identify which DDS brand companies the DDS brand Client or Candidate interacted with and the nature of the Data requested.

DDS brand may, at its discretion and to the extent permitted to do so under applicable local law, require that a DDS brand Client or Candidate, as the case may be, pay his/her reasonable costs of providing access.

11.- When Might Requests for Access to or Amendments to Client Data Be Refused?

DDS brand may refuse a DDS brand Client’s or Candidate’s request for access to his/her Data in certain circumstances. For example, depending on the circumstances of the request, access may not be provided where:

-The burden or expense of providing access would be disproportionate to the risks to the requester.

-The rights or interests of an individual other than the requester would be violated, such as where access would reveal another DDS brand Client's Client Data or Candidate's Candidate Data.

-Access would reveal information which DDS brand has taken steps to protect from disclosure, where disclosure would help a competitor in the market ("Confidential Commercial Information"), such as where Confidential Commercial Information cannot be readily separated from the Client Data or Candidate Data.

-The execution or enforcement of the law, including the prevention, investigation or detection of offences, or the right to a fair trial, would be interfered with.

-A DDS brand internal investigation or grievance proceeding would be prejudiced.

-Any confidentiality that may be necessary, for limited periods, in connection with DDS brand Client or Candidate succession planning and corporate re-organizations, or in connection with monitoring, inspections or regulatory functions connected with sound economic or financial management, would be prejudiced.

-A court or other authority of appropriate jurisdiction determines that DDS brand is not required to provide access.

-A legal or other professional privilege or obligation would be breached; or

-There is no legal requirement for DDS brand to provide such access, including because the local legal requirements for a valid data subject access request have not been met.

If a request for access or rectification is refused, the reason for the refusal will be communicated to the DDS brand Client or Candidate. In this case the DDS brand Client or Candidate affected may make use of the dispute resolution Processes described in "Grievance Mechanism" below.

12.- What Are DDS brand Clients’ or Candidates’ Rights to Amend Their Data?

If a DDS brand Client's Client Data or Candidate's Candidate Data is inaccurate or incomplete, the DDS brand Client or Candidate may request that his/her Data be rectified.

Transfer of EEA Data Outside of the EEA

Client Data or Candidate Data (including EEA and Non-EEA Data from jurisdictions with cross-border data Transfer restrictions) is shared with DDS brand companies around the world in accordance with applicable local law and/or under one or more inter-company agreements which safeguard the integrity of the Client Data or Candidate Data and the privacy rights of the DDS brand Client or Candidate whom the Client Data or Candidate Data concerns.

Grievance Mechanism

If at any time a DDS brand Client or Candidate believes that his/her Data has been Processed in violation of this Policy, the DDS brand Client or Candidate may report the concern to the Data Protection Team at [email protected].

If a complaint of the nature described above concerns EEA Data and the complaint remains unresolved after referral to the Data Protection Team, DDS brand will cooperate with the EEA Data Protection Authorities and/or their representatives ("DPAs"), as appropriate, for investigation and resolution of the complaint.

If the DPAs take the view that DDS brand needs to take more specific action to comply with the GDPR, DDS brand will comply with the advice of the DPAs, which may include:

  1. reversing or correcting the effects of any non-compliance, insofar as is feasible;
  2. ensuring that future EEA Client Data and Candidate Data Processing will be in conformity with the GDPR; and
  3. where possible, ceasing the Processing of the relevant EEA Client Data and Candidate Data.

DDS brand will provide the DPAs with written confirmation of the actions it has taken to comply with the advice of the DPAs.

Communication about this Policy

DDS brand is committed to communicating this Policy, and how it may be accessed, to all current and new DDS brand Clients and Candidates. DDS brand will make this Policy available on its website.

Assessment Procedures

DDS brand will monitor its compliance with this Policy on an ongoing basis. DDS brand will periodically verify that this Policy continues to conform to and comply with the GDPR. A statement affirming successful completion of any such assessment will be signed by a corporate officer or other authorized representative of DDS brand at least once per year and made available upon request by a DDS brand Client or Candidate, or in the context of an investigation or complaint about compliance.

Policy Governance

This Policy supersedes and replaces any and all prior policies, guidelines and practices, written and unwritten, regarding its subject matter. Subject to any applicable local law requirements, the Company reserves the right to change, replace, or cancel this Policy with or without notice at its sole discretion at any time.

DDS brand is committed to ensuring that this Policy is observed by DDS brand Clients and Candidates. DDS brand Clients and Candidates must comply with this Policy. Non-compliance with this Policy could result in termination of any business relationship, contractual or otherwise, with a DDS brand Client or Candidate.

In some countries, violations of regulations designed to protect Client Data may result in administrative sanctions, penalties, and/or claims for compensation and/or damages.

Compliance with this Policy may be verified through various methods, including internal and external audits.

Resources

Clients or Candidates should contact the DDS brand Office of General Counsel Team at [email protected] with any questions about this Policy. Clients or Candidates should contact the Data Protection Team at [email protected] with any concerns about possible violations of this Policy.
