Introduction

This Privacy Statement explains what we do with your personal data, whether we are in the process of assisting you verify your identity, continuing our relationship with you once have, providing you with a service, receiving a service from you, using your data to ask for your assistance in relation to a user of our services, or you are visiting our website.

It describes how we collect, use and process personal data, and how, in doing so, we comply with our legal obligations.

This Privacy Statement applies to the personal data of our website users, clients, suppliers and other people and organisations whom we may contact digitally to find out more about users of our services or whom they indicate is an emergency contact. It also applies to the emergency contacts of W2 Global Data Solutions Ltd staff.

For the applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679)) (the “GDPR”), the company responsible for your personal data is W2 Global Data Solutions Ltd or “us”.

It is important to point out that we may amend this Privacy Policy from time to time.

Please just visit this page if you want to stay up to date, as we will post any changes here. If you are dissatisfied with any aspect of our Privacy Policy, you may have legal rights and, where relevant, we have described these here as well.

This Privacy Statement applies in relevant countries throughout our international network. Different countries may approach data privacy in slightly diverse ways. W2 Global Data Solutions Ltd wishes to ensure that it is compliant with all applicable data privacy protections, no matter where you are.

Statement Purpose

This statement (together with our Terms of Use and all other W2 Global Data documents referred to in it) sets out the basis on which any personal data that W2 Global Data collects from you, through its interactions with you and through its services, and/or which is provided to us by a third party on your behalf and/or which we otherwise obtain in the course of providing our services to you, and how it uses that data.

It is very important you read the statement carefully to understand our views and practices regarding the processing of personal information and how W2 Global Data will treat it.

By visiting the W2 Global Data website and/or providing your information to us via use of any of our services, you are accepting and consenting to the practices described in this statement.

When using W2 Global Data services, our clients will require you to provide explicit consent to the collection and use of any personal information you may provide to us, and to transfer of your personal information, for the purposes of validation and verification, to W2 Global Data and its partners located in the UK or elsewhere as outlined in this statement. Please notethat this includes your explicit consent to the processing of any sensitive personal information you may provide, as described herein.

If you do not agree with any of the content of this statement: please do not use W2 Global Data services or this site.

Your Privacy Matters

Your privacy is important to us, and W2 Global Data is committed to protecting the rights and freedoms of data subjects and safely and securely processing their data in accordance with all its legal obligations and it values your right to control what personal information is collected about you and how this information is used.

While information is the foundation for providing you with superior service, protecting the privacy of your personal information is of highest importance to us. W2 Global Data believes that responsible stewardship of the information entrusted to us is crucial in developing and maintaining the public trust essential for our continued success.

We are sensitive to your privacy concerns and are committed to letting youknow how the information collected is being used and what choices you haveregarding the collection and use of the information you have provided. Inseeking to protect personal data and ensure that our staff understand therules governing their use of the personal data to which they have accessduring their work; staff must ensure that the Data Protection Officer (DPO)is consulted before any significant new data processing activity isinitiated to ensure that relevant compliance steps are addressed.

All information supplied by you to the W2 Global Data service will be usedand protected by us in accordance with current applicable data protectionlaw and this Privacy Statement.

The Data Protection Principles We Work To

W2 Global Data seeks to comply with the principles of data protection (thePrinciples) enumerated in the EU General Data Protection Regulation andmakes every effort possible in all that we do to do so. The Principles are:

• Lawful, fair and transparent; data collection must be fair, for a legalpurpose and we must be open and transparent as to how the data will beused.

• Limited for its purpose; data will only be collected for a specificpurpose.

• Data minimisation; any data collected must be necessary and not excessivefor its purpose.

• Accurate; the data we hold must be accurate and kept up to date.

• Retention; we will not store data longer than necessary.

• Integrity and confidentiality; the data we hold will be kept safe andsecure.

Who We Are

W2 GLOBAL DATA SOLUTIONS LIMITED; a UK Registered Company with Company No7669978) of Clarence House, Clarence Place, Newport, NP19 7AA, UK.References to ‘W2 Global Data Solutions Limited’, ‘W2 Global Data SolutionsLtd.’, ‘W2 Global Data’, ‘we’, ‘us’ and ‘our’ in this Privacy Policy are toW2 Global Data and include W2 Global Data services, websites, apps andsoftware. References to ‘you’ or ‘your’ in this Privacy Policy are to youas a user of the W2 Global Data website and services, client or supplier toW2 Global Data Solutions Limited.

W2 Global Data is responsible for the processing of any personalinformation you provide to it while using its services to engage with you.W2 Global Data Solutions Limited is registered in the United Kingdom withthe UK Information Commissioner’s Office under Registration No: Z2736945.

In the event you provide W2 Global Data with personal data, W2 Global willin that instance be what’s known as the ‘Controller’ of any personal datayou provide to us. In the event you provide W2 Global Data with personaldata through one of our clients, W2 Global will in that instance be what’sknown as the ‘Processor’ of any personal data you provide to us.

What We Do

W2 Global Data provide a wide range of online screening tools and servicesto help organisations make time critical and informed decisions about thepeople and businesses they are interacting with.

What Kind of Personal Data Do We Collect?

W2 Global Data collects data from users of its services and this website;its suppliers and others and it does so to operate effectively and providethe best possible service.

SERVICE USERS (the end-user of a W2 Client) – PERSONAL DATA: You have choices about the data we collect at W2 Global Data. When youare asked to provide personal data, you may decline or, the end users maydecline. The data we collect depends always on the context of theinteractions between end-user and W2 Client and in turn, with W2 GlobalData. The personal data shared will depend upon the choices made, and theservices and features chosen.

If you submit personal details or documents on request from an enterpriseusing a W2 Global Data service or do so direct to W2 Global Data, dependingon the relevant circumstances and applicable local laws and requirements,we may collect some or all of the information listed below to enable us tooffer you services which are tailored to your circumstances and the W2Global Data client you may be engaged with, including:

• Name and contact data. We collect your first and last name, emailaddress, postal address, phone number and other similar contact data if youprovide such data.

• Age/Date of birth information.

• Sex/Gender information.

• Credentials. We collect passwords, password hints and similar securityinformation used for authentication and account access.

• Demographic data. We collect data about you such as your age, gender,address, country of origin and residence, ethnicity, religious affiliationif you provide such data.

• Status data. We collect data about your current circumstances includingnationality, citizenship, residency, employment, household, dependants,financial, criminal, immigration, academic, medical, well-being,dependencies and more.

• Achievement data. We collect data about you such as your personalattainments including educational history and results achieved, andprofessional and/or vocational qualifications and memberships if youprovide such data.

• Employment data. We collect data about you such as your employment statusand employment history if you provide such data including details aboutyour current remuneration, pensions and/or benefits arrangements where itapplies.

• Diversity information including racial or ethnic origin, religious orother similar beliefs, and physical or mental health, includingdisability-related and well-being information.

• Social information including but not limited to information on yourinterests and needs, both collected directly and inferred.

• Payment data. We collect data necessary to process your payment if youmake purchases.

• Financial information (where we need to carry out financial backgroundchecks).

• National Insurance or Social security information (or equivalent in yourcountry) and other tax-related information.

• Photographs and documents. We may collect data about your driving licenceand/or passport/identity card and/or other documents containing personalinformation and we may collect facial images of you which you provide forfacial recognition purposes.

• Criminal Conviction information (where/if it applies).

• Device and Usage data. We collect data about your device and how you andyour device interact with W2 Global Data and our services.

• Interests and favourites. We collect data about your interests andfavourites if you provide such data.

• Contacts and relationships. We collect data about your emergency andreferee contacts and your relationships to those contacts if you providesuch data.

• Extra information you choose to tell us.

• Extra information referees choose to tell us about you.

• Extra information that W2 Global Data clients may tell us about you orthat we receive from other sources including but not limited to creditreference agencies and other data providers.

• Location data. For products with location-enhanced features, we collectdata about your location, which can be either precise or imprecise. Preciselocation data can be Global Navigation Satellite System (GNSS) data (e.g.GPS), as well as data identifying nearby cell towers and Wi-Fi hotspots, wecollect when you enable location-based products or features. Impreciselocation data includes, for example, a location derived from your IPaddress or data that indicates where you are located with less precision,such as at a city or postcode level.

• Content. We collect the content of any files you upload directly to oursystems.

• IP address

• The dates, times and frequency with which you access our services; and

• Geo-location information relating to you.

(Please note: that the above list of categories of personal data we maycollect is not exhaustive and to the extent that you access our website wewill also collect certain data from you).

W2 Global Data – CLIENT DATA: The data we collect about our clients is actually very limited. Wegenerally only need to collect company contact details and/or the detailsof individual contacts at a client organisation (such as their names,telephone numbers and email addresses) to enable us to ensure that ourrelationship runs smoothly. We also hold information relating to a client’sengagement with user’s profiles through their use of our services. We mayalso hold extra information that someone in a client organisation haschosen to tell us and to the extent that they access our website we willalso collect certain data from them.

W2 Global Data – SUPPLIER DATA: We don’t collect much data about our suppliers – we simply need to makesure that our relationships run smoothly. We’ll collect the details for ourcontacts within supplier organisations, such as names, telephone numbersand email addresses. We’ll also collect bank details, so that we can paythem. We may also hold extra information that someone in a supplierorganisation has chosen to tell us and to the extent that they access ourservices, we will also collect certain data from them.

PEOPLE WHOSE DATA WE RECEIVE FROM SERVICE USERS SUCH AS REFEREES ANDEMERGENCY CONTACTS: All we need from referees is confirmation of what they already know aboutour service user. Emergency contact details give our clients somebody tocall on in an emergency. To secure references, we’ll obviously need refereecontact details (such as name, email address and telephone number). We’llalso need these details if our service user has put provided anyone astheir emergency contact so that clients can contact you in the event of anaccident or an emergency.

WEBSITE USERS: We collect a limited amount of data from our website users which we useto help us to improve your experience when using our website and to help usmanage the services we provide. This includes information such as how youuse our website, the frequency with which you access our website, yourbrowser type, the location you view our website from, the language youchoose to view it in and the times that our website is most popular. If youcontact us via the website, for example by using the contact form function,we will collect any information that you provide to us, for example yourname and contact details.

How Do We Collect Your Personal Data?

SERVICE USER DATA (the end user of a W2 Client): We collect service user personal data in three primary ways:

• Personal data that you give to us; such as when you create a W2 GlobalData account, administer your organisation’s account, are invited by a W2Global Data client to complete a process step for a reason you will beaware, upload a document, purchase a service, or contact us for support.

• Personal data that we receive from other sources; including from serviceproviders that help us determine the validity of any data element you haveprovided for example, to verify a document or confirm your address on anelectoral roll; and publicly-available sources such as open governmentdatabases or other data in the public domain. We protect data obtained fromthird parties according to the practices described in this statement, plusany additional restrictions imposed by the source of the data.

• Personal data that we collect automatically; by recording for example howyou interact with our site or services using technologies like cookies.

W2 CLIENT DATA: We collect client personal data in three ways:

• Personal data that we receive directly from you; We both share the samegoal – to enable better, faster trust decisions. We will receive datadirectly from you principally in two ways: 1. where you contact usproactively, usually by phone or email; and/or 2. where we contact you,either by phone or email, or through our consultation activities moregenerally.

• Personal data that we receive from other sources; Where appropriate andin accordance with any local laws and requirements, we may seek moreinformation about a client organisation and its employees from othersources generally by way of due diligence or other market intelligenceactivity including from third party market research and by analysing onlineand offline media (which we may do ourselves, or employ other organisationsto do for us) and from other limited sources and third parties.

• Personal data that we collect automatically; To the extent that youaccess our website or read or click on an email from us, where appropriateand in accordance with any local laws and requirements, we may also collectyour data automatically or through you providing it to us.

WEBSITE USERS: When you visit our website, there is certain information that we mayautomatically collect, whether you decide to use our services. Thisincludes your IP address, the date and the times and frequency with whichyou access the website and the way you browse its content. We will alsocollect data from you when you contact us via the website, for example byusing the contact form function. We collect your data automatically viacookies, in line with cookie settings in your browser.

How Do We Use Personal Data?

SERVICE USER DATA (in other words, the end user of a W2 Client): In general terms, when W2 Global Data collects personal data, it uses thedata it collects for four basic purposes:

1. to operate its business and provide (including improving andpersonalising) the services it offers,

2. to provide you with the services you have chosen to engage with in linewith the requirements of the enterprise that has invited you to provide W2Global Data with personal details

3. to send communications, including promotional communications, and

4. to validate and/or verify the data you have provided with third partiesincluding for the purposes of establishing or proving identity as describedin the “How Do We Use Personal Data” section of this statement.

In carrying out these purposes, W2 Global Data combines data that itcollects to provide a more seamless, consistent and complete experience. W2Global Data will not collect any personal data from you it does not need toprovide and oversee a service to you.

Where we collect information, which may be classified as ‘sensitive’personal information and where slightly stricter data protection rulesapply to it; we will in all cases need to obtain your explicit consentbefore we can use it. We’ll ask for your consent by offering you an opt-in.This means that you must explicitly and clearly tell us that you agree tous collecting and using this information.

Where we may need to collect other sensitive personal data about you, suchas health-related information, religious affiliation, or details of anycriminal convictions if this is appropriate in accordance with local lawsand is required for the service you are using; we will never do thiswithout your explicit consent.

Whatever else, service users can be certain that W2 Global Data has a DataProtection regime in place to oversee the effective and secure processingof all personal data provided, always, which includes the following keyprinciples, namely:

1. The personal data you provide to us and which we process with yourconsent is processed by our staff in the UK.

2. For the purposes of IT hosting and maintenance your data is located onservers within the European Union.

3. No 3rd parties have access to your personal data unless the law allowsthem to do so.

4. W2 Global Data may disclose any of the information it collects about youto other W2 Global Data companies and information may be hosted outside ofthe European Economic Area by such W2 Global Data companies.

5. W2 Global Data may provide aggregated data about the use of its servicesto select third parties for such purposes as we deem, in our solediscretion, to be appropriate.

6. W2 Global Data may equally segment its users by age, geographiclocation, gender, etc. If you would like to be excluded from aggregatedresearch at any time you should contact the enterprise that has invited,you to use this service for assistance.

7. Aggregated or segmented data will not ever contain personal informationabout you and will not enable you to be identified or located.

8. W2 Global Data engages third parties to assist in the provision ofspecific verification and validation related services and the uses of theinformation as described in this statement. It does so with your explicitconsent, always.

9. Third party service providers who have access to your personalinformation for these purposes are authorised to use this information onlyin a manner consistent with this statement and for no other unrelatedpurpose.

10. In most all cases where we process sensitive personal data, W2 GlobalData will require your explicit consent, as the data subject, to do thisunless exceptional circumstances apply, or we are required to do so by law(e.g. to comply with legal obligations to ensure health and safety atwork).

11. Any such consent given by you to us will always clearly identify whatthe relevant data is, why it is being processed and to whom it will bedisclosed. Your consent can be revoked at any time.

12. W2 Global Data uses the basic personal data it collects to communicatewith you and personalise it communications with you. For example, we maycontact you by phone or email or other means to remind you about youroutstanding items or actions, update you or enquire about a request yousubmitted, or tell you that you need to act to keep your account active.

13. W2 Global Data does not use anything data you provide includinganything you say in email, or your documents, photos or other personalfiles to target ads to you directly or indirectly and it will not sell,rent or otherwise make available any personal information relating to youto any persons or companies who could use your personal information forsales purposes or in any manner unintended by you without your consent.

14. Information about you collected by W2 Global Data on your behalf to theenterprise that has invited you to use the W2 Global Data service will bedisplayed to you and be available to you at any time.

15. Information collected on your behalf from sources other than freely andpublicly available sources will only be displayed to you at the discretionof the enterprise that has invited you to provide your details.

W2 CLIENT DATA: In general terms, when W2 Global Data collects client data it uses theclient information it collects for three basic purposes: namely

1. Marketing activities: including storing your details (and updating themwhen necessary) on our database, so that we can contact you in relation tomarketing activities, keeping records of our conversations, emails andmeetings, so that we can provide targeted services to you; Undertakingcustomer satisfaction surveys and processing your data for targetingappropriate marketing campaigns. Please note that in certain of thejurisdictions in which we operate, we comply with additional local lawrequirements regarding marketing activities. Subject to any applicablelocal laws and requirements, we will not, as a matter of course, seek yourconsent when sending marketing materials.

2. Service provision & maintenance: including use of contactinformation collected in the ordinary day-to-day activities of supporting aclient relationship and service; and

3. To help us establish, exercise or defend legal claims: where we may useor be required to use your personal data.

W2 SUPPLIER DATA: To find the right balance, we will only use supplier information:

1. To store (and update when necessary) your details on our database, sothat we can contact you in relation to our agreements;

2. To offer services to you or to obtain support and services from you;

3. To perform certain legal obligations;

4. To help us to target appropriate marketing campaigns; and

5. In more unusual circumstances, to help us to establish, exercise ordefend legal claims.

We may use your personal data for these purposes if we deem this to benecessary for our legitimate interests. We will not, as a matter of course,seek your consent when sending marketing messages to a corporate postal oremail address. If you are not happy about this, in certain circumstancesyou have the right to object and can find out more about how to do so inthis statement. Please note that in certain of the jurisdictions in whichwe operate, we comply with additional local law requirements.

PEOPLE WHOSE DATA WE RECEIVE FROM SERVICE USERS SUCH AS REFEREES ANDEMERGENCY CONTACTS: We will only use the information that service users give us about you forthe following three purposes:

1. If our service users provide your information as an emergency contact,we’ll provide access to your information to our client organisation tocontact you in the case of an accident or emergency affecting the serviceuser; or

2. If you were put down by our service user as a referee, we will contactyou to take up a reference. This is an important part of our service useridentity assurance process.

3. We may use your personal data for these purposes if we deem this to benecessary for our legitimate interests. If you are not happy about this,you have the right to object and can find out more about how to do so inthis statement.

Who Do We Share Personal Data With?

Where appropriate and in accordance with local laws and requirements, wemay share your personal data with your consent, in many ways and forassorted reasons, with the following categories of people or organisations:

1. Any of our group companies;

2. A W2 Global Data client organisation for or through which you arecompleting a W2 Global Data process;

3. Individuals and organisations who hold information related to areference including current, past or prospective employers, educators andexamining bodies and employment and recruitment agencies;

4. Tax, audit, or other authorities, when we believe in good faith that thelaw or other regulation requires us to share this data (for example,because of a request by a tax authority or in connection with anyanticipated litigation);

5. Third party service providers who perform functions on our behalf(including external consultants, business associates and professionaladvisers such as lawyers, auditors and accountants, technical supportfunctions and IT consultants carrying out testing and development work onour business technology systems);

6. Third party outsourced IT and document storage providers where we havean appropriate processing agreement (or similar protections) in place;

7. Marketing technology platforms and suppliers; and

8. Third party reference data sources including credit reference agencieswhere there is a requirement to validate or verify your identity or anyattribute of the information or documents you have provided to us.

9. Banks and other entities that process payment transactions or provideother financial services, and for fraud prevention and credit riskreduction when you make a payment to us.

W2 Global Data shares your personal data with your consent or as necessaryto complete any transaction or provide any service outcome you haverequested or authorised. We will however access, transfer, disclose andpreserve personal data, including your content, when we have a good faithbelief that doing so is necessary to:

1. comply with applicable law or respond to valid legal process, includingfrom law enforcement or other government agencies. If this happens W2Global Data will only disclose the information necessary to comply with therequest. We may also, if we deem it necessary, disclose information toprevent a violation of the law and by accepting this statement, you consentto our doing so, in our sole discretion;

2. protect our customers, for example to prevent spam or attempts todefraud users of our products, or to help prevent the loss of life orsevere injury of anyone;

3. operate and maintain the security of our services, including to preventor stop an attack on our computer systems or networks; or

4. protect the rights or property of W2 Global Data, including enforcingthe terms governing the use of the services – however, if we receiveinformation indicating that someone is using our services to traffic instolen intellectual or physical property belonging to W2 Global Data, wewill not inspect a user’s private content ourselves, but we may refer thematter to law enforcement.

How Do We Safeguard Your Data?

We are committed to taking all reasonable and appropriate steps to protectthe personal information that we hold from misuse, loss, or unauthorisedaccess. We do this by having in place a range of appropriate technical andorganisational measures. These include measures to deal with any suspecteddata breach.

If you suspect any misuse or loss of or unauthorised access to yourpersonal information, please let us know immediately. Details of how tocontact us can be found in this statement.

How Long Do We Keep Your Personal Data For?

W2 Global Data retains personal data for as long as necessary to providethe products and fulfil the transactions you have requested, or for otheressential purposes such as complying with our legal obligations, resolvingdisputes and enforcing our agreements and it retains such information forno longer than is necessary. Because these needs can vary for differentdata types in the context of various products, actual retention periods canvary significantly.

What is “necessary” will depend on the circumstances of an individual’scase, considering the reasons that the personal data was obtained, but isalways determined in a manner consistent with our data retentionguidelines; the criteria used to determine these which include:

1. How long is the personal data needed to provide the W2 Global Dataservices and operate our business? This includes such things as maintainingand improving the performance of the services, keeping our systems secureand maintaining appropriate business and financial records. This is thegeneral rule that establishes the baseline for most data retention periods.

2. Do users provide, create or maintain the data with the expectation W2Global Data will retain it until they affirmatively remove it? Examplesinclude a document you may upload e.g. a passport. In such cases, wemaintain the data until you actively delete it or request it be deleted.

3. Is there an automated control, such as in the W2 Global Data onlinesystem, that enables you to access and delete the personal data at anytime? If there is not, a shortened data retention time will generally beadopted.

4. Is the personal data of a sensitive type? If so, a shortened retentiontime would generally be appropriate.

5. Has the user provided consent for a longer retention period? If so, wewill retain data in accordance with your consent.

6. Is W2 Global Data subject to a legal, contractual, regulatory or similarobligation to retain the data? Examples can include mandatory dataretention laws in an applicable jurisdiction; government orders to preservedata relevant to an investigation or data that must be retained for thepurposes of litigation.

In general terms, we will otherwise delete personal data from our systemsif we have not had any meaningful contact with you (or, where appropriate,the W2 Global Data client organisation through which you were using ourservices) for two years unless you have consented otherwise (or for suchlonger period as we believe in good faith that the law or relevantregulators require us to preserve your data). After this period, it islikely your data will no longer be relevant for the purposes for which itwas collected.

When we refer to “meaningful contact”, we mean, for example, communicationbetween us (either verbal or written), or where you have or are activelyengaging with our online services. Your receipt, opening or reading of anemail or other digital message from us will not count as meaningful contact– this will only occur in cases where you click-through or reply directly.

How Can You Access, Amend, or Take Back the Personal Data You HaveGiven to Us?

The GDPR exists to protect and clarify the rights of EU citizens andindividuals in the EU with regards to data privacy. This means that youretain various rights in respect of your data, even once you have given itto us. You have rights to your data which we must respect and comply withto the best of our ability. These are described in more detail here. To getin touch about these rights or if you have any concerns whatsoever, pleasecontact us via the contact information options provided in this statement.We will seek to deal with your request without undue delay, and in anyevent within one month (subject to any extensions to which we are lawfullyentitled). Please note that we may keep a record of your communications tohelp us resolve any issues which you raise.

W2 Global Data adheres to applicable data protection laws in the EuropeanEconomic Area, and therefore, we must where applicable ensure individualscan exercise their rights in the following ways:

Right to be Informed: by being provided with privacy notices which are concise, transparent,intelligible and easily accessible, free of charge, that are written inclear and plain language, particularly if aimed at children and by keepinga record of how we use personal data to demonstrate compliance with theneed for accountability and transparency.

Right of Access: which we satisfy by enabling individuals to access their personal dataand supplementary information and by allowing individuals to be aware ofand verify the lawfulness of our processing activities.

Right to Object: this right enables you to object to us processing your personal datawhere we do so for one of the following four reasons:

1. our legitimate interests;

2. to enable us to perform a task in the public interest or exerciseofficial authority;

3. to send you direct marketing materials; and

4. for scientific, historical, research, or statistical purposes.

If your objection relates to us processing your personal data because wedeem it necessary for your legitimate interests, we must act on yourobjection by ceasing the activity in question unless:

1. we can show that we have compelling legitimate grounds for processingwhich overrides your interests; or

2. we are processing your data for the establishment, exercise or defenceof a legal claim.

If your objection relates to direct marketing, we must act on yourobjection by ceasing this activity.

Right to Withdraw Consent: Where we have obtained your consent to process your personal data forcertain activities (for example, for our marketing arrangements orautomatic profiling), you may withdraw this consent at any time and we willcease to carry out the particular activity that you previously consented tounless we consider that there is an alternative reason to justify ourcontinued processing of your data for this purpose in which case we willinform you of this condition.

Data Subject Access Requests (DSAR): You may ask us to confirm what information we hold about you at any time,and request us to modify, update or delete such information. We may ask youto verify your identity and for more information about your request. If weprovide you with access to the information we hold about you, we will notcharge you for this unless your request is “manifestly unfounded orexcessive”. If you request further copies of this information from us, wemay charge you a reasonable administrative cost where legally permissible.Where we are legally permitted to do so, we may refuse your request. If werefuse your request, we will always tell you the reasons for doing so.

Please note that in certain of the jurisdictions in which we operate, wecomply with additional local law requirements regarding data subject accessrequests and may refuse your request in accordance with such laws.

Right to Erasure: You have the right to request that we erase your personal data in certaincircumstances. Normally, the information held must meet one of thefollowing criteria:

1. the data is no longer necessary for the purpose for which we originallycollected and/or processed them;

2. where previously given, you have withdrawn your consent to us processingyour data and there is no other valid reason for us to continue processing;

3. the data has been processed unlawfully (i.e. in a manner which does notcomply with the GDPR);

4. it is necessary for the data to be erased for us to comply with ourlegal obligations as a data controller; or

5. if we process the data because we believe it necessary to do so for ourlegitimate interests, you object to the processing and we are unable todemonstrate overriding legitimate grounds for our continued processing.

Please note that in certain of the jurisdictions in which we operate, wecomply with additional local law requirements regarding data subject rightto erasure and may refuse your request in accordance with local laws. Wewould only be entitled to refuse to comply with your request to erasure forone of the following reasons:

1. to exercise the right of freedom of expression and information;

2. to comply with legal obligations or for the performance of a publicinterest task or exercise of official authority;

3. for public health reasons in the public interest;

4. for archival, research or statistical purposes; or

5. to exercise or defend a legal claim.

When complying with a valid request for the erasure of data we will takeall reasonably practicable steps to delete the relevant data.

Right to restrict processing: You have the right to request that we restrict our processing of yourpersonal data in certain circumstances. This means that we can onlycontinue to store your data and will not be able to carry out any furtherprocessing activities with it until either:

1. one of the circumstances listed below is resolved;

2. you consent; or

3. further processing is necessary for either the establishment, exerciseor defence of legal claims, the protection of the rights of anotherindividual, or reasons of important EU or Member State public interest.

The circumstances in which you are entitled to request that we restrict theprocessing of your personal data are:

1. where you dispute the accuracy of the personal data that we areprocessing about you. In this case, our processing of your personal datawill be restricted for the period during which the accuracy of the data isverified;

2. where you object to our processing of your personal data for ourlegitimate interests. Here, you can request that the data be restrictedwhile we verify our grounds for processing your personal data;

3. where our processing of your data is unlawful, but you would prefer usto restrict our processing of it rather than erasing it; and

4. where we have no further need to process your personal data but yourequire the data to establish, exercise, or defend legal claims.

If we have shared your personal data with third parties, we will notifythem about the restricted processing unless this is impossible or involvesdisproportionate effort. We will, of course, notify you before lifting anyrestriction on processing your personal data. We are permitted to storepersonal data if it has been restricted, but not process it further. Wemust retain enough data to ensure the right to restriction is respected inthe future.

Right to Rectification: You also have the right to request that we rectify any inaccurate orincomplete personal data that we hold about you. If we have shared thispersonal data with third parties, we will notify them about therectification unless this is impossible or involves disproportionateeffort. This must be done without delay, and no later than one month. Thiscan be extended to two months with permission from the DPO. Whereappropriate, we will also tell you which third parties we have disclosedthe inaccurate or incomplete personal data to. Where we think that it isreasonable for us not to comply with your request, we will explain ourreasons for this decision.

Right of Data Portability: If you wish, you have the right to transfer your personal data betweendata controllers. In effect, this means that you can transfer your W2Global Data account details to another online platform. To allow you to doso, we will provide you with your data in a commonly used machine-readableformat that is password-protected so that you can transfer the data toanother online platform. Alternatively, we may directly transfer the datafor you.

This right of data portability applies to:

1. personal data that we process automatically (i.e. without any humanintervention);

2. personal data provided by you; and

3. personal data that we process based on your consent or to fulfil acontract.

Rights in relation to Automated Decision Making and Profiling: which require us to respect the rights of individuals in relation toautomated decision making and profiling including ensuring that individualsretain their right to object to such automated processing, have therationale explained to them, and request human intervention.

Right to lodge a Complaint with a Supervisory Authority: You also have the right to lodge a complaint with your local supervisoryauthority. Details of how to contact them can be found in this statement.

If you would like to exercise any of these rights or withdraw your consentto the processing of your personal data (where consent is our legal basisfor processing your personal data), details of how to contact us can befound in this statement. Please note that we may keep a record of yourcommunications to help us resolve any issues which you raise.

Cookies & Similar Technologies

Cookies may be used by W2 Global Data to provide you with customisedinformation from our web service. A cookie is an element of data that a website can send to your browser, which may then store it on your system.Cookies allow us to understand who has seen which pages and advertisements,to determine how frequently particular pages are visited and to determinethe most popular areas of our web site.

Cookies may also allow us to make our web site more user friendly by, forexample, allowing us to save your password so that you do not have tore-enter it every time to visit our web site. Some website browsers canremember website passwords, to save you having to enter the password eachtime you visit a website. If you choose to let your browser remember yourpassword for this site, one of our cookies helps this to happen. Yourbrowser should not remember your password unless you have allowed it to.Your browser settings will allow you to erase password data at any time.

We use cookies so that we can give you a better experience when you returnto our web site. Most web browsers automatically accept cookies. You do nothave to accept cookies, and you should read the information that came withyour browser software to see how you can set up your browser to notify youwhen you receive a cookie, this will give you the opportunity to decidewhether to accept it. If you disable cookies from your browser, you may notbe able to access certain features of a web site.

How Do We Store and Transfer Your Personal Data?

W2 Global Data is committed to protecting the security of your personaldata. We use a variety of security technologies and procedures to helpprotect your personal data from unauthorised access, use or disclosure. Forexample, we store the personal data you provide on computer systems thathave limited access and are in controlled facilities. When we transmithighly confidential data (such as a credit card number or password) overthe Internet, we protect it using encryption. When we transfer personaldata from the European Economic Area, we do so using a variety of legalmechanisms.

W2 Global Data takes all reasonable steps to ensure that the data wecollect under this privacy statement is processed according to theprovisions of this statement and the requirements of applicable lawwherever the data is located. Because W2 Global Data operates throughoutthe world in providing its goods and services, we on occasion transferpersonal data from the European Economic Area and Switzerland to othercountries, some of which have not been determined by the EuropeanCommission to have an adequate level of data protection, includingtransfers:

1. between and within W2 Global Data entities;

2. to third parties (such as advisers or other suppliers to the W2 GlobalData business);

3. to overseas W2 Global Data clients;

4. to W2 Global Data clients within your country who may, in turn, transferyour data internationally;

5. to cloud-based storage providers; and

6. to other third parties, as referred to in this statement.

If we do so, we use a variety of legal mechanisms, including contracts, tohelp ensure your rights and equivalent protections travel with your data.Above all else, we want to make sure that data is stored and transferred ina way which is secure. We will therefore only transfer data outside of theEuropean Economic Area or EEA (i.e. the Member States of the EuropeanUnion, together with Norway, Iceland and Liechtenstein) where it iscompliant with data protection legislation and the means of transferprovides adequate safeguards in relation to your data, for example:

1. by way of data transfer agreement, incorporating the current standardcontractual clauses adopted by the European Commission for the transfer ofpersonal data by data controllers in the EEA to data controllers andprocessors in jurisdictions without adequate data protection laws; or

2. by signing up to the EU-U.S. Privacy Shield Framework for the transferof personal data from entities in the EU to entities in the United Statesof America or any equivalent agreement in respect of other jurisdictions;or

3. transferring your data to a country where there has been a finding ofadequacy by the European Commission in respect of that country’s levels ofdata protection via its legislation; or

4. where it is necessary for the conclusion or performance of a contractbetween ourselves and a third party and the transfer are in your interestsfor the purposes of that contract (for example, if we need to transfer dataoutside the EEA to meet our obligations under that contract if you are aclient of ours); or

5. where you have consented to the data transfer.

Our Legal Bases for Processing Your Data

LEGITIMATE INTERESTS

Article 6(1)(f) of the GDPR is the one that is relevant here – it says thatwe can process your data where it “is necessary for the purposes of the legitimate interests pursued by[us] or by a third party, except where such interests are overridden bythe interests or fundamental rights or freedoms of [you] which requireprotection of personal data.”

However, you do have the right to object to us processing your personaldata on this basis.

We have our own obligations under the law, which it is a legitimateinterest of ours to insist on meeting! If we believe in good faith that itis necessary, we may therefore share your data in connection with crimedetection, tax collection or actual or anticipated litigation.

CONSENT

In certain circumstances, we are required to obtain your consent to theprocessing of your personal data in relation to certain activities.Depending on exactly what we are doing with your information, this consentwill be opt-in consent or soft opt-in consent.

Article 4(11) of the GDPR states that (opt-in) consent is “any freely given, specific, informed and unambiguous indication of thedata subject’s wishes by which he or she, by a statement or by a clearaffirmative action, signifies agreement to the processing of personaldata relating to him or her.” In plain language, this means that:

1. you must give us your consent freely, without us putting you under anytype of pressure;

2. you must know what you are consenting to – so we’ll make sure we giveyou enough information;

3. you should have control over which processing activities you consent toand which you don’t. We provide these finer controls within our privacypreference centre; and

4. you need to take positive and affirmative action in giving us yourconsent – we’re likely to provide a tick box for you to check so that thisrequirement is met in a clear and unambiguous fashion.

We will keep records of the consents that you have given in this way.

We have already mentioned that, in some cases, we will be able to rely onsoft opt-in consent. We can market products or services to you which arerelated to the recruitment services we provide if you do not activelyopt-out from these communications. Please note that in certain of thejurisdictions in which we operate, we comply with additional local lawrequirements regarding consenting to receive marketing materials. As wehave mentioned, you have the right to withdraw your consent to theseactivities. You can do so at any time by contacting us.

ESTABLISHING, EXERCISING OR DEFENDING LEGAL CLAIMS

Sometimes it may be necessary for us to process personal data and, whereappropriate and in accordance with local laws and requirements, sensitivepersonal data in connection with exercising or defending legal claims.Article 9(2)(f) of the GDPR allows this where the processing “is necessary for the establishment, exercise or defence of legal claimsor whenever courts are acting in their judicial capacity”. This may arise for example where we need to take legal advice inrelation to legal proceedings or are required by law to preserve ordisclose certain information as part of the legal process.

Reporting Breaches

W2 Global Data personnel have an obligation to report actual or potentialdata protection compliance failures. This allows us to:

1. Investigate the failure and take remedial steps, if necessary

2. Maintain a register of compliance failures

3. Notify the relevant supervisory authority of any compliance failuresthat are material either or, as part of any pattern of failures.

Changes to This Privacy Policy

W2 Global Data will update this privacy policy when necessary to reflectchanges in its services or policies and the way it processes your personalinformation, and/or changes in legislation. We encourage you toperiodically review this privacy statement to learn how W2 Global Data isprotecting your information. Your continued use of W2 Global Data serviceswill signal your acceptance of any such changes.

How to Contact Us

W2 Global Data’s Data Protection Officer has overall responsibility for theday-to-day implementation of this privacy statement if, at any time, you:

• wish to access, amend or take back the personal data that you have givento us;

• suspect any misuse or loss of or unauthorised access to your personalinformation;

• wish to withdraw your consent to the processing of your personal data(where consent is the legal basis on which we process your personal data);

• have any comments or suggestions concerning this Privacy Policy; or

• want to make a complaint on how W2 Global Data has handled your personaldata.

You can write to us at the following address:

W2 Global Data Solutions Ltd, Clarence House Clarence Pl, Newport NP19 7AA,UK.

Alternatively, you can send an email to: [email protected]

W2 Global Data takes complaints very seriously and will respond tocomplaints within 30 days.

Unless otherwise stated, W2 Global Data Solutions Ltd is a processor forthe personal data we collect through the services we provide which aresubject to this statement.

How to Contact Your Local Supervisory Authority

If you are not satisfied with our response or believe we are processingyour personal data not in accordance with UK law and the requirements ofGDPR; you can complain to the UK Information Commissioner’s Office: You cancontact them in the following ways:

• Phone: 0303 123 1113

• Email: [email protected]

• Web: www.ico.org.uk

• Post: Information Commissioner’s Office, Wycliffe House, Water Lane,Wilmslow, Cheshire, SK9 5AF. UK

_______________________________________________________________________________________________

Our Short Form Privacy Notice: Transparency of Data Protection

Being transparent and providing accessible information to individuals abouthow we will use personal data is important for W2 Global Data. Thefollowing are key details on how we collect data and what we do with it:

What information is being collected?

Personal data provided to W2 Global Data by one of its clients with andonly with, the data subject’s consent.

Who is collecting it?

W2 Global Data Solutions Ltd.

How is it collected?

Personal data is provided to W2 Global Data by the data subject by one ofits clients utilising W2 Global Data’s secure online platform(s).

Why is it being collected?

Data is collected through W2 Global Data’s platform(s) at the invitationalrequest of an enterprise with whom the data subject may be engaging forwhatever their mutual purpose may be.

How will it be used?

We must and will process personal data fairly and lawfully in accordancewith an individual’s’ rights. This generally means that we should notprocess personal data unless the individual whose personal details we areprocessing has consented to this happening. The processing of all data mustbe necessary to deliver our services, in our legitimate interests and notunduly prejudice an individual’s privacy.

The personal data you provide to us and which we process with your consentis processed by our staff in the UK. However, for the purposes of IThosting and maintenance this information is located on servers within theEuropean Union. No 3rd parties have access to your personal data unless thelaw allows them to do so.

We have a Data Protection regime in place to oversee the effective andsecure processing of your personal data. We use the information you provideto us and the information we collect about you to provide a service(s) tothe enterprise that has invited you to provide your details, and forvalidating and verifying your identity which may include searches withthird parties.

Who will it be shared with?

We may disclose any of the information we collect about you to other W2Global Data companies and information may be hosted outside of the EuropeanEconomic Area by such group companies.

W2 Global Data engages third parties to assist in the provision of specificverification and validation services and the uses of the information asdescribed in this Policy. Third party service providers who have access toyour personal information are authorised to use this information only in amanner consistent with this Policy and for no other unrelated purpose.

We may provide aggregated data about the use of our services to selectthird parties for such purposes as we deem, in our sole discretion, to beappropriate. This aggregated data will not contain personal informationabout you and will not enable you to be identified or located. We maysegment our users by age, geographic location, gender, etc. If you wouldlike to be excluded from aggregated research, you should contact theenterprise that has invited you to use this service for assistance.

Contact details

W2 Global Data Solutions Ltd, a company registered in the UK under companyregistration no: 7669978 is the Data Controller (ICO Data ProtectionRegistration Number Z2736945).

Registered Office Address:

W2 Global Data Solutions Limited, Clarence House, Clarence Place, Newport,NP19 7AA, UK.

Email: [email protected]

Details of transfers to third country and safeguards

In most cases where we process sensitive personal data we will require thedata subject’s explicit consent to do this unless exceptional circumstancesapply, or we are required to do so by law (e.g. to comply with legalobligations to ensure health and safety at work). Any such consent willalways clearly identify what the relevant data is, why it is beingprocessed and to whom it will be disclosed.

We maintain reasonable administrative, technical and physical safeguards toprotect against unauthorised access, use, modification and disclosure ofpersonal information in our custody and control. All information youprovide to us is stored on our secure servers.

Children are not eligible to use our services and we ask that minors(persons under the age of 18 years or under the age majority in theirjurisdiction of residence, if that is different than 18 years of age) donot submit any personal information to us online or attempt to use ourservices.

We may disclose any of the information we collect about you to other W2Global Data companies and information may be hosted outside of the EuropeanEconomic Area by such group companies. You should be aware that W2 GlobalData engages third parties to assist in the provision of specificverification and validation services and the uses of the information asdescribed in this Policy.

Third party service providers who have access to your personal informationare authorised to use this information only in a manner consistent withthis Policy and for no other unrelated purpose.

Retention period

We are required under UK tax law to keep your basic personal data (name, address, contact details) for a minimum of 6 years after which time it will be destroyed. We must however retain personal data for no longer than is necessary. What is necessary will depend on the circumstances of an individual’s case, considering the reasons that the personal data wasobtained, but is always determined in a manner consistent with our dataretention guidelines.

Updated: 1st May 2018