The Company collects and processes personal data relating its employees to manage the employment relationship and as part of any recruitment process relating to job applicants. The Company is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations. The Company is committed to being transparent about how it handles your personal information, to protecting the privacy and security of your personal information and to meeting its data protection obligations under the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018. The purpose of this privacy notice is to make you aware of how and why we will collect and use your personal information both during and after your working relationship with the Company. We are required under the GDPR to notify you of the information contained in this privacy notice. This privacy notice applies to all current and former employees, workers, contractors and all job applicants, whether they apply for a role directly or indirectly through an employment agency. It is non-contractual and does not form part of any employment contract, casual worker agreement, consultancy agreement or any other contract for services.

What Information does the Company Collect?

The Company collects and processes a range of information about you; this includes: • Recruitment information such as your application form and CV, references, qualifications and membership of any professional bodies and details of any pre-employment assessments. • Your contact details and date of birth. • The contact details for your emergency contacts. • Your gender. • Your marital status and family details. • Information about your contract of employment (or services) including start and end dates of employment, role and location, working hours, details of promotion, salary (including details of previous remuneration), pension, benefits and holiday entitlement. • Your bank details and information in relation to your tax status including your national insurance number. • Your identification documents including passport and driving licence and information in relation to your immigration status and right to work for us. • Information relating to disciplinary or grievance investigations and proceedings involving you (whether or not you were the main subject of those proceedings). • Information relating to your performance and behaviour at work. • Absence records. Page 2 of 6 CoLaw Ltd © Copyright: FCF-HR20/L01/V1 • Training records. • Electronic information in relation to your use of IT systems/swipe cards/telephone systems. • Your images (whether captured on CCTV, by photograph or video). • Information about your termination of employment (or services) including resignation, dismissal and redundancy letters, minutes of meetings, settlement agreements and other related correspondence. • Any other category of personal data which we may notify you of from time to time.

How does the Company Collect your Personal Information?

The Company may collect personal information about employees, workers and contractors in a variety of ways. It is collected during the recruitment process, either directly from you or sometimes from a third-party such as an employment agency. We may also collect personal information from other external third-parties, such as references from former employers, information from background check providers, information from credit reference agencies and criminal record checks from the Disclosure and Barring Service (DBS). We will also collect additional personal information throughout the period of your working relationship with us. This may be collected in the course of your work-related activities. Whilst some of the personal information you provide to us is mandatory and/or is a statutory or contractual requirement, some of it you may be asked to provide to us on a voluntary basis. We will inform you whether you are required to provide certain personal information to us or if you have a choice in this. Your personal information may be stored in different places, including in your personnel file, in the Company's HR management system and in other IT systems, such as the e-mail system.

Why does the Company Process Personal Data?

The Company needs to process data for contractual purposes to enter into an employment contract with you and to meet its obligations under your employment contract. For example, it needs to process your data to provide you with an employment contract, to pay you in accordance with your employment contract and to administer benefit, pension and insurance entitlements. In some cases, the Company needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check an employee's entitlement to work in the UK, to deduct tax, to comply with health and safety laws and to enable employees to take periods of leave to which they are entitled. In other cases, the Company has a legitimate interest in processing personal data before, during and after the end of the employment relationship. We may also occasionally use your personal information where we need to protect your vital interests (or someone else’s vital interests). Processing employee data allows the Company to: • Decide whether to employ (or engage) you. • Decide how much to pay you, and the other terms of your contract with us. • Check you have the legal right to work for us. Page 3 of 6 CoLaw Ltd © Copyright: FCF-HR20/L01/V1 • Carry out the contract between us including where relevant, its termination. • Decide whether to promote you. • Carry out a disciplinary or grievance investigation or procedure in relation to you or someone else. • Monitor and protect the security (including network security) of the Company, of you, our other staff, customers and others. • Paying tax and national insurance. • Provide a reference upon request from another employer. • Running our business and planning for the future. • Prevention and detection of fraud or other criminal offences. • CCTV footage and other information obtained through electronic means such as swipe card records. • For any other reason which we may notify you of from time to time.

Why does the Company Process Sensitive (Special Categories) Personal Data?

We will only collect and use your sensitive personal information, which includes special categories of personal information and information about criminal convictions and offences, when the law allows us to. Some special categories of personal information, ie. information about your health or medical conditions and trade union membership, and information about criminal convictions and offences, is processed so that we can perform or exercise our obligations or rights under employment law or social security law and in line with our Data Protection Policy. Information about health or medical conditions may also be processed for the purposes of assessing the working capacity of an employee or medical diagnosis, provided this is done under the responsibility of a medical professional subject to the obligation of professional secrecy, eg. a Doctor, and again in line with our Data Protection Policy. We may also process these special categories of personal information, and information about any criminal convictions and offences, where we have your explicit written consent. In this case, we will first provide you with full details of the personal information we would like and the reason we need it, so that you can properly consider whether you wish to consent or not. It is entirely your choice whether to consent. Your consent can be withdrawn at any time. The purposes for which we are processing, or will process, these special categories of your personal information, and information about any criminal convictions and offences, are to: • Assess your suitability for employment, engagement or promotion. • Comply with statutory and/or regulatory requirements and obligations, eg. carrying out criminal record checks. • Comply with the duty to make reasonable adjustments for disabled employees and workers and with other disability discrimination obligations. • Administer the contract we have entered into with you. • Ensure compliance with your statutory and contractual rights. • Operate and maintain a record of sickness absence procedures. • Ascertain your fitness to work. • Manage, plan and organise work. • Enable effective workforce management. Page 4 of 6 CoLaw Ltd © Copyright: FCF-HR20/L01/V1 • Ensure payment of SSP or contractual sick pay. • Meet our obligations under health and safety laws. • Make decisions about continued employment or engagement. • Operate and maintain a record of dismissal procedures. • Ensure effective HR, personnel management and business administration. • Ensure adherence to Company rules, policies and procedures. • Monitor equal opportunities. • Pay trade union premiums. Where the Company processes other special categories of personal information, ie. information about your racial or ethnic origin, religious or philosophical beliefs and sexual orientation, this is done only for the purpose of equal opportunities monitoring and in line with our Data Protection Policy. Personal information that the Company uses for these purposes is either anonymised or is collected with your explicit written consent, which can be withdrawn at any time. It is entirely your choice whether to provide such personal information. We may also occasionally use your special categories of personal information, and information about any criminal convictions and offences, where it is needed for the establishment, exercise or defence of legal claims.

Who has Access to Data?

Your personal information will be shared internally within the Company, including with members of the HR department, payroll staff, your Line Manager, other Managers in the department in which you work and IT staff if access to your personal information is necessary for the performance of their roles. The Company may also share your personal information with third-party service providers (and their designated agents), including: • Recruitment agencies. • External organisations for the purposes of conducting pre-employment reference and employment background checks. • External HR/Employment Law support consultants - CoLaw Ltd • Payroll providers. • Benefits providers and benefits administration, including insurers - Aviva, Lutine Assurance, Widerplan • Pension scheme provider and pension administration - NOW, Royal London, Transact • Occupational health providers. • External IT services. • External auditors - Baldwins • Professional advisers, such as lawyers and accountants - Browne Jacobson, Pannone, Aevitas, Percy Bidco Limited, Perwyn • Home Office, HMRC or other Government agency as required by law. The Company may also share your personal information with other third-parties in the context of a potential sale or restructuring of some or all of its business. In those circumstances, your personal information will be subject to confidentiality undertakings. Page 5 of 6 CoLaw Ltd © Copyright: FCF-HR20/L01/V1 We may also need to share your personal information with a regulator or to otherwise comply with the law. We may share your personal information with third-parties where it is necessary to administer the contract we have entered into with you, where we need to comply with a legal obligation, or where it is necessary for our legitimate interests (or those of a third-party).

Transfer of Data Outside the European Economic Area

The Company will not transfer your data to countries outside the European Economic Area.

How does the Company Protect Data?

The Company has put in place measures to protect the security of your personal information. It has internal policies, procedures and controls in place to try and prevent your personal information from being accidentally lost or destroyed, altered, disclosed or used or accessed in an unauthorised way. In addition, we limit access to your personal information to those employees, workers, agents, contractors and other third-parties who have a business need to know in order to perform their job duties and responsibilities. You can obtain further information about these measures from our Data Compliance Manager. Where your personal information is shared with third-party service providers, we require all third-parties to take appropriate technical and organisational security measures to protect your personal information and to treat it subject to a duty of confidentiality and in accordance with data protection law. We only allow them to process your personal information for specified purposes and in accordance with our written instructions and we do not allow them to use your personal information for their own purposes. The Company also has in place procedures to deal with a suspected data security breach and we will notify the Information Commissioner’s Office (or any other applicable supervisory authority or regulator) and you of a suspected breach where we are legally required to do so.

For How Long does the Company Keep Data?

The Company will only retain your personal information for as long as is necessary to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, tax, health and safety, reporting or accounting requirements. The Company will generally hold your personal data for the duration of your employment or engagement. The periods for which your data is held after the end of employment are set out in our Data Protection Retention Policy which forms part 2 of our Data Protection Policy and also contained in Record of Personal Data Processing Activities available from the Data Controller’s representative.

Your Rights

As a data subject, you have a number of rights. You can: • Access and obtain a copy of your data on request. • Require the Company to change incorrect or incomplete data. • Require the Company to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing. • Object to the processing of your data where the Company is relying on its legitimate interests as the legal ground for processing. Page 6 of 6 CoLaw Ltd © Copyright: FCF-HR20/L01/V1 If you would like to exercise any of these rights, please contact the Data Controllers representative. If you believe that the Company has not complied with your data protection rights, you can complain to the Information Commissioner.

What if you do not Provide Personal Data?

You have some obligations under your employment contract to provide the Company with data. In particular, you are required to report absences from work and may be required to provide information about disciplinary or other matters under the implied duty of good faith. You may also have to provide the Company with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights. Certain information, such as contact details, your right to work in the UK and payment details, have to be provided to enable the Company to enter a contract of employment with you. If you do not provide other information, this will hinder the Company's ability to administer the rights and obligations arising as a result of the employment relationship efficiently.

Automated Decision Making

We do not take automated decisions about you using your personal data or use profiling in relation to you or your employment. However, you will be notified if this position changes.

Changes to this Privacy Notice

The Company reserves the right to update or amend this privacy notice at any time, including where the Company intends to further process your personal information for a purpose other than that for which the personal information was collected or where we intend to process new types of personal information. We will issue you with a new privacy notice when we make significant updates or amendments. We may also notify you about the processing of your personal information in other ways.

Further Information

If you have any questions about this privacy notice or how we handle your personal information, please contact the Data Controllers representative and/or refer to our full Data Protection Policy contained in our Employee Handbook or available from the Data Controllers representative whose contact details appear at the beginning of this privacy notice