We hold personal data for several different Data Subjects within the ordinary course of our business activities. These include Candidates, Client Contacts, Referees, Supplier Contacts, Applicants and Employees. We recognise that the correct and lawful treatment of personal data will maintain confidence in the organisation and will provide for successful business operations. Protecting the confidentiality and integrity of personal data is a critical responsibility that we take seriously at all times. We are exposed to potential fines of up to EUR20 million (approximately £18 million) or 4% of total worldwide annual turnover, whichever is higher and depending on the breach, for failure to comply with the provisions of the GDPR. This Data Protection Policy sets out the steps which we take to ensure the protection of all personal data and other confidential information which we use in the course of our business. The Directors are responsible for overseeing this policy and ensuring its proper implementation within the business. However, all employees share the responsibility for ensuring that the information which we use in our business is kept securely.
We adhere to the principles relating to processing of personal data set out in the GDPR, which require personal data to be:
1. Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency).
2. Collected only for specified, explicit and legitimate purposes (Purpose Limitation).
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Data Minimisation).
4. Accurate and, where necessary, kept up to date (Accuracy).
5. Not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is processed (Storage Limitation).
6. Processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality).
7. Not transferred to another country without appropriate safeguards being in place (Transfer Limitation).
8. Made available to Data Subjects, who must be allowed to exercise certain rights in relation to their Personal Data (Data Subject's Rights and Requests).
We are responsible for, and must be able to demonstrate, compliance with the data protection principles listed above (Accountability).
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the Data Subject. We may only collect, process and share personal data fairly and lawfully and for specified purposes. The GDPR restricts our actions regarding personal data to specified lawful purposes. These restrictions are not intended to prevent processing but to ensure that we process personal data fairly and without adversely affecting the Data Subject. The GDPR allows processing for specific purposes, some of which are set out below:
1. The Data Subject has given his or her Consent;
2. The processing is necessary for the performance of a contract with the Data Subject;
3. To meet our legal compliance obligations;
4. To protect the Data Subject's vital interests;
5. To pursue our legitimate interests for purposes where they are not overridden because the processing prejudices the interests or fundamental rights and freedoms of Data Subjects.
The purposes for which we process personal data for legitimate interests are set out in our Privacy Notices. The GDPR requires us to provide detailed, specific information to Data Subjects depending on whether the information was collected directly from Data Subjects or from elsewhere. Such information must be provided through an appropriate Privacy Notice, which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand it. Whenever we collect personal data directly from Data Subjects, including for employment purposes, we must provide the Data Subject with all the information required by the GDPR, including our identity and how and why we will use, process, disclose, protect and retain that Personal Data, through a Privacy Notice which must be presented when the Data Subject first provides the personal data.
When personal data is collected indirectly (for example, from a third party or publicly available source), we must provide the Data Subject with all the information required by the GDPR as soon as possible after collecting/receiving the data. We must also check that the personal data was collected by the third party in accordance with the GDPR and on a basis which contemplates our proposed processing of that personal data.
Personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes. We cannot use personal data for new, different or incompatible purposes from that disclosed when it was first obtained unless we have informed the Data Subject of the new purposes and they have consented where necessary.
Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Staff members may only process personal data when performing their job duties requires it. Staff members cannot process personal data for any reason unrelated to their job duties. When personal data is no longer needed for specified purposes, it must be deleted or anonymised in accordance with our company procedures.
Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate. All staff members must ensure that the personal data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. Staff members must check the accuracy of any personal data at the point of collection and at regular intervals afterwards. All reasonable steps must be taken to destroy or amend inaccurate or out-of-date personal data.
Personal data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed. We must not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purpose or purposes for which we originally collected it including for the purpose of satisfying any legal, accounting or reporting requirements.
Personal data must be secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage. We will develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of personal data that we own or maintain on behalf of others and identified risks (including use of encryption and Pseudonymisation where applicable). We will regularly evaluate and test the effectiveness of the relevant safeguards to ensure security of our processing of Personal Data. The GDPR requires data controllers to notify any Personal Data Breach to the ICO and, in certain instances, the Data Subject. We have put in place procedures to deal with any suspected Personal Data Breach and will notify Data Subjects and/or the ICO where we are legally required to do so. For further information, please refer to our Data Breach Procedure.
The GDPR restricts data transfers to countries outside the EEA in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined. Personal data is transferred when it originates in one country and is transmitted to, sent to, viewed in or accessed in a different country. We shall only transfer Personal Data outside the EEA if one of the following conditions applies:
1. the European Commission has issued a decision confirming that the country to which we transfer the personal data ensures an adequate level of protection for the Data Subjects' rights and freedoms;
2. appropriate safeguards are in place, such as binding corporate rules (BCR) or standard contractual clauses approved by the European Commission;
3. the Data Subject has provided explicit consent to the proposed transfer after being informed of any potential risks; or
4. the transfer is necessary for one of the other reasons set out in the GDPR.
We acknowledge that Data Subjects have rights when it comes to how we handle their personal data. These include rights to:
1. Withdraw consent to processing at any time;
2. Receive certain information about our processing activities;
3. Request access to the personal data that we hold;
4. Prevent our use of their personal data for direct marketing purposes;
5. Ask us to erase personal data if it is no longer necessary in relation to the purposes for which it was collected or processed, or to rectify inaccurate data or to complete incomplete data;
6. Restrict processing in specific circumstances;
7. Challenge processing which has been justified on the basis of our legitimate interests or in the public interest;
8. Request a copy of an agreement under which personal data is transferred outside of the EEA;
9. Object to decisions based solely on automated processing, including profiling (ADM);
10. Prevent processing that is likely to cause damage or distress to the Data Subject or anyone else;
11. Be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;
12. Make a complaint to the ICO; and
13. In limited circumstances, receive or ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format.
We acknowledge that we are obliged to implement appropriate technical and organisational measures in an effective manner, to ensure compliance with the data protection principles. We are responsible for, and must be able to demonstrate, compliance with the data protection principles. We must have adequate resources and controls in place to ensure and to document GDPR compliance, including:
1. keeping and maintaining accurate records of our data processing activities and the legal bases upon which such processing is carried out;
2. implementing "Privacy by Design" when processing personal data and completing Data Privacy Impact Assessments where processing presents a high risk to the rights and freedoms of Data Subjects;
3. integrating data protection into internal documents, including this Privacy Standard, Related Policies, Privacy Guidelines, Privacy Notices or Fair Processing Notices;
4. regularly training our staff members on the GDPR and our policies on data protection. We shall maintain a record of training which is attended or completed by our staff members; and
5. regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using the results of testing to demonstrate compliance improvement efforts.
In general terms, most of the communications which we are likely to send to our Data Subjects fall within the scope of the actual services which we are providing and are not marketing communications. However, in some cases we may wish to send marketing communications. We acknowledge that we are subject to certain rules and privacy laws when marketing to our customers. For example, a Data Subject's prior consent is required for electronic direct marketing (for example, by email, text or automated calls). The limited exception for existing customers known as "soft opt in" allows organisations to send marketing texts or emails if they have obtained contact details in the course of a sale to that person, they are marketing similar products or services, and they gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message. The right to object to direct marketing must be explicitly offered to the Data Subject in an intelligible manner so that it is clearly distinguishable from other information. A Data Subject's objection to direct marketing must be promptly honoured. If someone opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.
Generally, we are not allowed to share personal data with third parties unless certain safeguards and contractual arrangements have been put in place. We shall only share the personal data we hold with another employee, agent or representative of our group if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions. We shall only share the personal data we hold with our service providers if:
1. they have a need to know the information for the purposes of providing the contracted services;
2. sharing the personal data complies with the Privacy Notice provided to the Data Subject;
3. the third party has agreed to comply with the required data security standards, policies and procedures and has put adequate security measures in place;
4. the transfer complies with any applicable cross-border transfer restrictions; and
5. a fully executed written contract with appropriate third party clauses has been obtained.
Due to the nature of our business, we will frequently share information with third parties for legitimate business reasons. Our Privacy Notice specifies the parties with whom we shall share personal data. We shall seek express consent whenever we need to share:
1. a Candidate's personal data with a Client;
2. a Client Contact's personal data with a Candidate; or
3. a Referee's personal data with a Client.

ABOUT THIS PROCEDURE
We acknowledge that a Data Subject is entitled to submit a request for erasure of their details from time to time (Erasure Request), i.e. the right to be forgotten. The right to make an Erasure Request applies to both (i) external Data Subjects, such as Candidates, Client Contacts, Referees and Supplier Contacts, and (ii) internal Data Subjects, such as Applicants and Employees. However, the extent to which we can comply with an Erasure Request shall vary, depending on the type of Data Subject.

EXTERNAL DATA SUBJECTS
Upon receipt of an Erasure Request, we shall:
1. Verify the identity of the Data Subject; and
2. If appropriate, check whether the Data Subject wishes (i) to be erased from our business records or (ii) to remain within our business records but suppressed so that the Data Subject is not contacted by us.
If the Data Subject wishes to have their personal data erased:
1. We shall consider whether there is any lawful reason or legal requirement to retain the personal data, as:
a. The Conduct of Employment Agencies and Employment Businesses Regulations 2003 require us to keep records of any work-finding services which we have provided for not less than 12 months.
b. If we have placed the Data Subject in a permanent role or on a temporary assignment, we will usually retain any relevant personal data for seven years so that we can defend ourselves from any legal claim which may arise and maintain auditable records for tax compliance reasons.
2. We shall, within one month of receiving the Erasure Request, confirm the outcome of such Erasure Request, the steps which we have taken and the extent to which any personal data has been retained.
3. If we have retained personal data for any reason, this shall not be used for recruitment purposes and the relevant Data Record shall be [removed from our front-office database system] or [marked as Pending Deletion].
4. We shall ensure that any (i) joint Data Controller or (ii) third party which is processing the relevant Data Subject's data on our behalf is informed that the Data Subject has made an Erasure Request and takes appropriate steps to comply with such Erasure Request.
5. If the request is manifestly unfounded or excessive, for example because of its repetitive character, we may charge a reasonable fee, taking into account the administrative costs of erasure, or refuse to act on the request.
6. If we are not going to respond to the request, we shall inform the Data Subject of the reasons for not taking action and of the possibility of lodging a complaint with the ICO.
If the Data Subject does not wish to have their personal data erased but would prefer to have their record marked as Do Not Contact, we shall record this in the relevant data record. Once marked as Do Not Contact:
1. The Data Subject's record shall then be subject to our standard data retention procedures; and
2. The record will be deleted after three years or more of inactivity, subject to any legal right or obligation for us to retain the data for compliance purposes.

INTERNAL DATA SUBJECTS
An Internal Data Subject has a limited right to make an Erasure Request where:
a) The personal data is no longer necessary for the purpose for which we originally collected or processed it;
b) We have processed the personal data unlawfully; or
c) There is a legal obligation for the personal data to be erased, e.g. a court order.
If we receive an Erasure Request from any Internal Data Subject:
1. We shall verify the Data Subject's identity where appropriate. This will not usually be necessary for current employees.
2. We shall acknowledge the request in writing and then, within one month of receiving the Erasure Request, confirm the outcome of such Erasure Request.
3. If appropriate, we shall ensure that any (i) joint Data Controller or (ii) third party which is processing the relevant Data Subject's data on our behalf is informed that the Data Subject has made an Erasure Request and takes appropriate steps to comply with such Erasure Request.
4. If the request is manifestly unfounded or excessive, for example because of its repetitive character, we may charge a reasonable fee, taking into account the administrative costs of erasure, or refuse to act on the request.
5. If we are not going to respond to the request, we shall inform the Data Subject of the reasons for not taking action and of the possibility of lodging a complaint with the ICO.

ABOUT THIS PROCEDURE
This Subject Access Request Procedure sets out our procedure in relation to any Subject Access Request which we may receive from a Data Subject. The Directors are responsible for overseeing this procedure. Any questions about the operation of this procedure should be submitted to a Director.

RECEIVING A SAR
Data Subjects have the right to request access to their personal data processed by us. Such requests are called subject access requests (SARs). When a Data Subject makes a SAR, we shall take the following steps:
1. acknowledge the SAR in writing;
2. log the date on which the request was received (to ensure that the relevant timeframe of one month for responding to the request is met);
3. confirm the identity of the Data Subject who is the subject of the personal data. For example, we may request additional information from the Data Subject to confirm their identity;
4. search databases, systems, applications and other places where the personal data which are the subject of the request may be held; and
5. confirm to the Data Subject whether or not personal data of the Data Subject making the SAR are being processed.

FEES FOR HANDLING A SAR
We shall not usually charge a fee to the Data Subject for carrying out a SAR (the previous statutory £10 fee is no longer in force). If the SAR is manifestly unfounded or excessive, for example because of its repetitive character, we may charge a reasonable fee, taking into account the administrative costs of providing the personal data.

PROVISION OF INFORMATION
If personal data of the Data Subject are being processed, we shall provide the Data Subject with the following information in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in writing or by other (including electronic) means:
• the purposes of the processing;
• the categories of personal data concerned (for example, contact details, bank account information and details of sales activity);
• the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients overseas (for example, US-based service providers);
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data, or to object to such processing;
• the right to lodge a complaint with the Information Commissioner's Office (ICO);
• where the personal data are not collected from the Data Subject, any available information as to their source;
• the existence of automated decision-making and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject; and
• where personal data are transferred outside the EU, details of the appropriate safeguards to protect the personal data.
We shall also, unless there is an exemption, provide the Data Subject with a copy of the personal data processed by us in a commonly used electronic form, e.g. PDF documents, unless the Data Subject either did not make the request by electronic means or has specifically requested not to be provided with the copy in electronic form. We shall usually submit the data to the Data Subject within one month of receipt of the request.
Before providing the personal data to the Data Subject making the SAR, we shall review the personal data requested to see if they contain the personal data of other Data Subjects. If they do, we may redact the personal data of those other Data Subjects prior to providing the Data Subject with their personal data, unless those other Data Subjects have consented to the disclosure of their personal data.

EXTENDING THE TIME TO RESPOND
If the request is complex, or there are a number of requests, we may extend the period for responding by a further two months. If we extend the period for responding, we shall inform the Data Subject within one month of receipt of the request and explain the reason(s) for the delay.

REFUSING A SAR
If the SAR is manifestly unfounded or excessive, for example because of its repetitive character, we may refuse to act on the request. It would be unusual for us to refuse to act upon a SAR, but it may be appropriate if we consider the SAR to have been made in a vexatious or malicious manner to cause disruption to our business. If we are not going to respond to the SAR, we shall inform the Data Subject of the reason(s) for not taking action and of the right to lodge a complaint with the ICO.

ABOUT THIS PROCEDURE
This policy sets out the procedure which we will follow in the event of a Data Breach. The Directors are responsible for overseeing this procedure. Any questions about the operation of this procedure should be submitted to a Director.

WHAT IS A DATA BREACH?
A Data Breach may take various forms but often involves the unauthorised disclosure of personal data to a third party. Data Breaches might typically occur when someone:
• Accidentally sends personal data to the incorrect party;
• Accidentally leaves confidential documents on a train;
• Has a laptop containing personal data stolen from their bag or vehicle;
• Deliberately extracts information from our database and transfers it out of our business;
• Hacks into our computer network to remove confidential or sensitive information; or
• Throws away company records without ensuring that they are shredded or otherwise destroyed.
A Data Breach could also involve the accidental or unlawful destruction, alteration or loss of access to Personal Data. This means that, for example, deliberate tampering with a Data Record by an employee would be a Data Breach, even if the Personal Data is not transferred anywhere.

PREVENTING DATA BREACHES
We take active steps to avoid Data Breaches by:
• Training our staff members about the importance of Data Security and the potential financial and reputational damage which can result from a Data Breach; and
• Putting in place technical and organisational measures to minimise the risk of a Data Breach occurring.
We do, however, acknowledge that, even if we take active steps to prevent breaches, they may still occur through human error or malicious conduct.

STEPS TO TAKE IN THE EVENT OF A DATA BREACH
1. If you become aware of a Data Breach, you must take action. You must not ignore the issue or try to hide it. You must therefore notify a Director in person or by telephone without delay. If you are unable to speak with a Director, you must speak to the next most senior person in the business.
2. You must preserve all evidence of the Data Breach and do nothing that might compromise any enquiry or investigation in relation to such Data Breach.
3. The relevant Director must arrange for a full investigation into the Data Breach without delay. Whilst the overall responsibility rests with the Director to ensure that this investigation is carried out, any relevant members of staff may be required to co-operate with the investigatory process.
4. The investigation must be carried out as quickly as possible. There is a 72 hour deadline to report the breach to the Information Commissioner's Office, where applicable.
5. On completion of the initial investigation into the Data Breach, the Director shall keep a record of the investigation and outcome in the company's central Data Protection file. This information shall be used to determine whether we need to disclose the Data Breach to:
a. The Information Commissioner's Office, which is the supervisory authority in the UK; and/or
b. The individual Data Subjects whose Personal Data was the subject of the Data Breach.

NOTIFYING THE INFORMATION COMMISSIONER'S OFFICE
Recital 85 of the GDPR gives the following guidance on the risk to rights and freedoms: "A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned."
The Director must determine whether the Data Breach is likely to result in a risk to the rights and freedoms of the Data Subjects affected by the breach. In reaching a decision, the Director shall assess the following factors:
• Type of breach.
• Nature, sensitivity and volume of personal data.
• Ease of identification of individuals.
• Severity of consequences for individuals.
• Special characteristics of the individual (for example, vulnerable individuals may be at greater risk).
• Number of individuals affected.
The decision as to whether or not to report the breach must be recorded in the company's Central Data Protection file. If the Director concludes that the Data Breach should be reported to the Information Commissioner's Office, the ICO's reporting process at https://ico.org.uk/for-organisations/report-a-breach/ must be followed. This must happen within 72 hours of the Data Breach occurring.
The ICO will typically require the following information:
• A description of the nature of the personal data breach including, where possible:
  • The categories and approximate number of individuals concerned; and
  • The categories and approximate number of personal data records concerned;
• The name and contact details of the data protection officer or other contact point where more information can be obtained;
• A description of the likely consequences of the personal data breach; and
• A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

NOTIFYING THE INDIVIDUAL
The requirement to communicate a breach to individuals is triggered where a breach is likely to result in a high risk to their rights and freedoms. The threshold for communicating a breach to individuals is therefore higher than for notifying the ICO. In practice, where notification to individuals is required, notification to the ICO will always be required. Although the deadline for notifying the ICO is set at 72 hours by law, there is no fixed deadline for notifying individuals. Notification must occur without undue delay. Whether individuals should be notified will depend on the circumstances of the breach. For example, a loss of data which can be confirmed as encrypted and where the encryption key has not been compromised may represent a very low risk, and would not require notification to individuals (or the ICO). However, even where data is encrypted, if there are no comprehensive backups of the data, then this could have negative consequences for individuals and notification may be appropriate. The following information should be included in a breach notification to individuals:
• The name and contact details of the data protection officer (if applicable) or other contact point where more information can be obtained.
• A description of the likely consequences of the personal data breach.
• A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, actions taken to mitigate any possible adverse effects.
After notifying individuals of a Data Breach, it is inevitable that some individuals will have further questions or significant concerns about the security of their data. Whilst there is nothing to stop any individual taking further action after a Data Breach, it is less likely that they will do so if their concerns are dealt with appropriately. With this in mind, any enquiries from affected individuals must be:
• Logged in the company's Central Data Protection record;
• Promptly acknowledged in writing; and
• Responded to, in full and courteously, without undue delay.
