APPLICATION: This policy applies globally.
1. EXECUTIVE SUMMARY
1.1 Any information collected, held or processed by the company relating to any individual (including partners, members of staff, contractors, clients, suppliers and third parties) is subject to this policy. This policy sets out the rights of individuals with respect to their personal data (as defined in paragraph 2.1 below) and the responsibilities of the directors, members of staff and the company with respect to access to and use of that personal data. For the purposes of this policy, the term members of staff includes partners, employees, self-employed associates, consultants, agency staff, independent contractors and temporary workers.
1.2 Processing of personal data outside this policy is not permitted by the company. If a director or member of staff unlawfully obtains, discloses, sells or otherwise processes any personal data collected, held or processed by, or on behalf of, the company, he or she may be guilty of an administrative or criminal offence or liable to pay damages. Breach of this Data Protection Policy can also lead to disciplinary action (including, in serious cases, dismissal). Supervisory authorities and other government bodies have a wide range of enforcement powers, including the ability to impose fines of up to 4% of annual worldwide turnover under the EU General Data Protection Regulation. If in doubt, please ask the Management or, where there is one, your Data Protection Officer.
1.3 The requirements of this policy are in addition to, not in substitution for, any other requirements under applicable law or rules in your jurisdiction, including in relation to data protection or privacy. This policy applies even where there is no data protection or privacy legislation in your jurisdiction.
2. DATA PROTECTION
2.1 Data protection and privacy legislation regulates how the company collects and deals with information from which a living individual can be directly or indirectly identified, whether from that information alone or together with other information held by the company or others (personal data).
2.2 Personal data includes, but is not limited to, an individual's name, an identification number (such as an employee number), location data (such as a GPS reference from an individual's mobile device), an online identifier (such as an IP or email address) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. This might include a photograph, biometric information or health-related information from which the individual may be identified, directly or indirectly. It includes expressions of opinion about the individual and information regarding the intention of the company towards the individual.
2.3 This policy, and applicable data protection legislation, applies to personal data, whether or not it is in the public domain, and to the personal data of any individual, including members of staff, contractors, job applicants, secondees, work experience students, clients, visitors to our offices and even third parties with no direct connection to the company (such as the individuals whose personal data is included in the information clients provide to us for the purposes of advising).
2.4 Special rules apply to certain categories of personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, genetic data or biometric data used for identification purposes (sensitive personal data). Please see paragraph 4.2(f) below for more detail.
3. PROCESSING
3.1 This policy applies to the processing of personal data. This is very widely defined to include almost anything that can be done with data. This includes, but is not limited to, the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data. For instance, the storage of personal data on a computer hard drive, server or USB stick constitutes processing.
3.2 Paper-based or other manual records are also subject to this policy where the records are stored or ordered so that personal data is accessible and identifiable, for instance a filing system which is in chronological or alphabetical order.
4. DATA PROTECTION PRINCIPLES
4.1 The company must comply with six data protection principles in relation to the personal data it processes. Everyone in the company will deal with and create personal data in the course of their work and they must comply with these principles when doing so.
4.2 Lawfulness, Fairness and Transparency
(a) You must have a valid lawful basis in order to process personal data. There are six available lawful bases for processing:
(i) Consent: the individual has given clear consent to the processing of their personal data for a specific purpose;
(ii) Contract: the processing is necessary for a contract between the company and the individual, or because they have asked the company to take specific steps before entering into a contract with them (e.g. payroll or obtaining references);
(iii) Legal obligation: the processing is necessary for the company to comply with the law (not including contractual obligations);
(iv) Vital interests: the processing is necessary to protect someone's life;
(v) Public task: the processing is necessary to perform a task in the public interest or for an official function, and the task or function has a clear basis in law; and
(vi) Legitimate interests: the processing is necessary for the purposes of the legitimate interests of the company or a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests.
(b) Most lawful bases require that processing is 'necessary'. If you can reasonably achieve the same purpose without the processing, the basis will not be lawful.
(c) The company is required to determine the applicable national lawful basis before it can begin processing and to include it in applicable privacy notices. The lawful basis for the processing of the personal data of clients and others external to the company is set out in the privacy policy in the legal notices section of the company's website. If you are unsure whether the processing you are proposing to carry out is covered by one of these lawful bases, please contact the Management.
(d) Where the lawful basis of processing is consent, that consent must be unambiguous, freely given, specific to the processing (rather than bundled up with other activities or terms) and involve a clear affirmative action. You must be able to demonstrate that consent has been given, so you need to keep a record of the consent. Where the individual is an employee, it may be more difficult to demonstrate that consent has been freely given. The individual must also be able to withdraw consent at any time, as easily as when they gave it, and the company will then no longer be able to process the relevant personal data. Therefore, if the company must continue to carry out the processing for another purpose, for instance to satisfy a legal requirement or to take or defend legal proceedings, consent is not an appropriate basis for processing.
(e) In order for the processing to be fair and transparent, the individuals whose data is being processed must be provided with certain information at the point of data collection. This is usually done through the provision of a privacy notice (see paragraph 4.2(c) above). If you are unsure whether the processing you are proposing to carry out is covered by an existing privacy notice (for instance if it relates to a new business venture), please contact the Management for advice.
Sensitive Personal Data
(f) If you are processing sensitive personal data, as defined in paragraph 2.4 above, you need to identify both a lawful basis for general processing under paragraph 4.2(a) above and an additional condition for processing. Those most likely to be relevant to processing carried out by the company are:
(i) the individual has given their consent to the processing (see paragraph 4.2(d) above for more information on the form of consent);
(ii) compliance with employment, social security and social protection law obligations (e.g. a legal obligation to maintain equal opportunity records);
(iii) protecting the vital interests of the individual or of another person where the individual is physically or legally incapable of giving consent;
(iv) the processing relates to personal data which is manifestly made public by the data subject; and
(v) the processing is necessary for reasons of substantial public interest.
4.3 Purpose Limitation
(a) Personal data should be collected for specified, explicit and legitimate purposes only and must not be further processed in a manner that is incompatible with those purposes.
(b) Personal data should only be processed for specific and lawful purposes each of which has been disclosed to the individual. This is usually done through an appropriate privacy notice (see paragraph 4.2(c) above). The personal data must not be processed in any manner incompatible with the stated purposes.
4.4 Minimisation
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. You should only obtain and use personal data which is necessary to achieve your purpose and take care not to over-share personal data, whether by email or otherwise. Always minimise the amount and type of personal data when designing systems and processes that will process and share personal data. Consider whether it is possible to achieve the purpose without processing personal data, for instance by anonymising it (see paragraph 4.2(b) above).
4.5 Data Accuracy
Personal data stored must be accurate and, where necessary, kept up-to-date. Every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified without delay, having regard to the purpose for which it is used. This is particularly important where the information is used to make decisions or carry out actions in relation to the individual.
4.6 Storage Limitation and Data Retention
Personal data should not be kept for any longer than is necessary having regard to the purpose for which it is used. Each member of staff must ensure that the data for which they are responsible is retained and destroyed in accordance with the company’s Privacy Policy and the procedures put in place by their department or office to give effect to the policy.
4.7 Integrity, Confidentiality and Security
Appropriate technical and organisational security measures must be taken to safeguard personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage. The level and type of security must fit the nature of the personal data and the harm or distress that might result from its loss or a breach of security. Additional security measures should be put in place when dealing with large volumes of personal data or when dealing with sensitive personal data, access to which should only be granted on a strict 'need to know' basis.
5. DATA BREACH HANDLING AND REPORTING
A data breach incident is a breach of security which may lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data or confidential information. Immediate action is required to protect the company, its reputation and affected individuals, and to enable the company to meet its reporting obligations under data protection legislation (which can be as short as 24 hours from becoming aware of the incident) and under client engagement terms. Any actual or suspected data breach incident must be reported immediately to Information Security in accordance with the global Data Breach Response Policy.
6. INTERNATIONAL DATA TRANSFERS
6.1 Personal data must not be transferred to any country outside the European Economic Area (which consists of Norway, Iceland and Liechtenstein as well as the 28 EU Member States) (EEA) unless:
(a) the country or territory to which it is transferred ensures an adequate level of protection for the rights and freedoms of individuals, as determined by the European Commission (for a list of those countries see the European Commission website); or
(b) appropriate safeguards are in place to protect the rights and freedoms of the individuals whose data is being transferred. These measures include standard data protection clauses that have been pre-approved by the European Commission as providing adequate safeguards for personal data.
6.2 EU standard contractual clauses are in place between all company entities that share and process personal data. Where any third party service providers process personal data outside the EEA, including where they will only view the data on a screen, our written agreement with them must include appropriate safeguards in accordance with paragraph 6.1(b) above (please also see paragraph 7 below).
6.3 Please contact the Management before sending any personal data to a third party outside the EEA to ensure the appropriate requirements are met, including whether any derogation is available. This excludes any data transfers by third party service providers that have been subject to review by the Legal team and/or the Management as part of the company’s procurement processes or otherwise.
7. THIRD PARTY DATA PROCESSORS
7.1 Where the company makes the decisions about the purpose and means of processing of personal data, it is a data controller and is responsible for complying with data protection legislation in respect of that personal data. Where the company engages a third party to process data, which includes personal data, on its behalf it must meet various legal requirements, including:
(a) carrying out appropriate due diligence to ensure that appropriate technical and organisational measures are in place to protect personal data, including an information security review;
(b) carrying out a data privacy impact assessment in appropriate circumstances to identify and address high risks to individuals, including identifying any transfers of personal data outside the EEA (see paragraph 6 above); and
(c) putting a written agreement in place, including mandatory data protection clauses where appropriate.
7.2 Please contact the Management before sharing any personal data with an external service provider where they will be processing personal data in the EEA or which originates in the EEA (e.g. it includes the personal data of individuals located in the EEA), other than third party service providers that have been subject to review by the Legal team and/or the Management as part of the company's procurement processes.
8. INDIVIDUAL RIGHTS
8.1 In some jurisdictions (including all those in the EU), data protection or privacy laws provide certain rights for individuals. These rights will vary depending on the jurisdiction in which the personal data is processed and are subject to various limitations and conditions, but include a right for individuals to:
(a) find out what information the company holds about them and how it is processed;
(b) request the correction and/or deletion or destruction of personal data;
(c) request the restriction of the processing of personal data, or object to that processing;
(d) withdraw their consent to the processing of personal data where it is processed by the company on the basis of their consent (see paragraph 4.2(d) above);
(e) prevent the use of their personal data for direct marketing purposes;
(f) request receipt or transmission to another organisation, in a machine-readable form, of personal data provided by them to the company;
(g) complain, including to an EU data protection supervisory authority or relevant government body in non-EU jurisdictions, and including in relation to decisions which significantly impact on them being made by wholly automated means;
(h) compensation for any damage as a result of breach of applicable data protection or privacy legislation; or
(i) apply to the court for a remedy where they consider their personal data is being processed contrary to applicable data protection legislation.
8.2 If you receive a request from an individual seeking to exercise these rights, please immediately inform [the Data Privacy Team or your local HR team].
9. COMPLIANCE
If you have knowledge of unauthorised access, use or disclosure of personal data, you should immediately report it to the Management. Unauthorised access, use or disclosure of personal data or failure to report such unauthorised access, use or disclosure can lead to disciplinary action (including, in serious cases, dismissal).
In order to ensure that we comply with our regulatory obligations, please inform the Management (email: admin@sevencleanseas) if you are or become aware of any matter which may constitute a breach of this policy.
Please contact the Management if you have any questions or would like further guidance.
April 2024