The Group recognises that the correct and lawful treatment of Personal Data will maintain trust and confidence in the organisation and will provide for successful business operations. Protecting the confidentiality and integrity of Personal Data is a critical responsibility that we take seriously at all times. Failing to adhere to the relevant Data Protection Laws could expose the Group and/or each Operating Unit to
significant fines.

All Group operating companies and individuals must comply with the applicable Data Protection Laws in force from time to time in the jurisdiction in which they are operating, including any formal registration requirements for the processing of Personal Data.

This Policy applies to all employees, officers, consultants and contractors of the Group and its operating companies, and all agents, representatives or other third-party intermediaries providing services to Group companies who manage, collect or otherwise carry out processing of Personal Data in connection with providing services to Group companies.

This Policy sets out:
• how the Group and each operating company handles the Personal Data of its employees, consultants, contractors, customers, prospective customers, suppliers and third parties; and
• what we expect from you when handling Personal Data to enable the Group and operating companies’ to comply with the applicable Data Protection Laws.

We will:
• treat personal information with respect and sensitivity and in accordance with any obligations of privacy;
• take disciplinary action against employees who are found to have violated any provision of this Policy which may lead to dismissal or termination of employment and, if appropriate, criminal proceedings;
and
• terminate business relationships with any agent or third-party representative that violates any provision of this Policy.

This Policy has been adopted by the Group and will be updated or modified as appropriate.

The Executive Board of Hill & Smith PLC has overall responsibility for ensuring that the group’s operating companies comply with this Policy. The senior leaderships teams of each operating company are responsible for compliance with the applicable Data Protection Laws and the detailed oversight of the operation of the Policy and reporting to the Group’s Board as and when appropriate matters arise, except where the Group are acting as the data controller in which case it will be the Group Company Secretary, as the Group’s nominated Data Protection Officer.

The Group has adopted the UK GDPR definition of Personal Data and processing for the purposes of this Policy.

‘Data Protection Laws’ means any applicable law to which the Group or operating company is subject from time to time in any territory in which they Process Personal Data and which relates to the protection of individuals with regards to the Processing of Personal Data and privacy rights.
‘Personal Data’ means any information relating to an identified or identifiable natural person (a “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social
identity of that natural person.
‘Processing’ or ‘Process’ means any activity that involves the use of Personal Data, which includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data, including: (a) organising, adapting, altering,; (b) retrieving, using, (c) erasing or destroying it, or (d) disclosing, transmitting, disseminating or otherwise making available the data to third parties.

Each Group operating company must be able to respond to a Data Subject wishing to exercise their rights under the applicable Data Protection Laws. Each operating company should have processes in place to ensure that rights can be exercised promptly and within any applicable statutory time limits.

The Group and each Operating Unit will:
• only collect or use Personal Data for Operating Unit business purposes;
• only process Personal Data in accordance with the Data Protection Laws;
• ensure that individuals whose Personal Data we hold are aware as to the purpose such information will be used for;
• keep Personal Data and information securely, whether it is held electronically or on paper and put in place processes to prevent unauthorised or accidental disclosure or loss;
• restrict access to Personal Data to those who need to know;
• ensure that Personal Data is accurate and up to date;
• delete or destroy Personal Data in accordance with the relevant Data Protection Law and the Group’s Data Retention Policy;
• ensure that individuals who handle Personal Data understand their responsibilities in terms of this Policy and any applicable Data Protection Laws;

The Group and each Operating Unit will not:
• sell or trade Personal Data belonging to the Group or Operating Unit to third party companies such as marketing companies;
• transfer Personal Data without adequate protection.

Each Operating Unit must be aware of the powers of any regulator who has authority in their jurisdiction. All contact from the regulator must be escalated to the Group Company Secretary, as soon as practicable, and no response must be given without the authority of the Group.

If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. Immediately contact the Group Company Secretary. You should preserve all evidence relating to the potential Personal Data Breach.

Where there is a requirement to report data breaches to any regulator, this should not be done without first escalating the matter to the Group Company Secretary/Data Protection Officer.

All Personal Data must be securely held, and reasonable controls be in force to prevent unauthorised or accidental disclosure or loss, and/or inaccuracies. This includes the use of passwords, physical security
measures and IT software and hardware security.

Personal Data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors, or other parties any time.

Personal Data must not be shared informally or outside or beyond the terms of any data sharing agreement or contract in place with an agent, sub-contractor, or other party working on behalf of the Group or Operating Unit.

When any Personal Data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of in accordance with the Group Data Retention Policy.

Individuals must comply with local IT user policies as well as the Group’ Business Code of Conduct.

Sometimes you know what the right thing to do is but sometimes there is an element of doubt. If you are unsure then ask and remind yourself:

• Does it comply with this Policy and the Group Code of Business Conduct?
• Would I be embarrassed if anyone within our outside of the Group or operating company knew about the situation or my actions?
• Would I be happy to have my own Personal Data or information used in such a way?

Helpful Documents

• Group’s Data Retention Policy
• Group Data Retention Schedule
• Privacy Notice
• Group Code of Business Conduct

Other Contacts

Your Line Manager/Human Resource Manager/local Finance Director/Managing Director
Group Legal Department
Group Company Secretary Tel: +44 (0)121 704 7430
Email: compliance@hsgroup.com