REMUNERATION CONSULTANTS GROUP DATA PROTECTION POLICY

LAST UPDATED: 7 APRIL 2020

INTRODUCTION

The Remuneration Consultants Group Limited ("RCG", "we" or "us") exists to administer a Code Of Conduct ("Code"). This role does not require it to hold or process material amounts of data. However, we recognise that everyone has rights regarding the way in which their personal data in handled. During the course of our activities, we may collect, store and process very limited amounts of personal data, being email and potentially other contact details for our members or other stakeholders and personal data of our directors and secretary to enable us to administer our payroll and other necessary or normal activities. We recognise that this information must be collected and dealt with appropriately.

We do not have clients or customers and do not normally act as a data processor. Any data which we hold is as a data controller (i.e. the personal data we hold in respect of our directors and secretary and any contact information which we may hold from time to time).

Our directors and secretary and any agents acting on our behalf are obliged to comply with this policy when processing personal data on our behalf. Any breach of this policy may result in disciplinary action.

The RCG Compliance Officer is our Secretary, David Tankel, who can be contacted at [email protected]

The key terms used in this policy are defined in the attached Appendix.

OUR DATA PROTECTION POLICY - ACTING AS A DATA CONTROLLER

When the RCG acts as a data controller, it is responsible for establishing practices and policies in line with the Data Protection Policy set out in sections 1-11 below.

1. Data protection principles

We will adhere to the data protection principles, as detailed in the data protection legislation. Specifically, those principles require that personal data shall be:

(a)processed lawfully, fairly and in a transparent manner in relation to a data subject;

(b)collected and processed for a purpose that is specified, explicit and legitimate;

(c)adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

(d)accurate and, where necessary, kept up to date;

(e)kept for no longer than is necessary for the purposes for which the personal data are processed; and

(f)processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures.

2. Fair and lawful processing

We will ensure that personal data is processed lawfully, on the basis of one of the following:

(a)Consent: the data subject has given consent for us to process their personal data for a specific purpose.

(b)Contract: the processing is necessary for a contract we have with the data subject, or because they have asked us to take specific steps before entering into a contract.

(c)Legal obligation: the processing is necessary for us to comply with a legal obligation to which the data controller is subject.

(d)Vital interests: the processing is necessary to protect someone's life.

(e)Public task: the processing is necessary for us to perform a task in the public interest and the task or function has a clear basis in law.

(f)Legitimate interests: the processing is necessary for compliance with the legitimate interests of a data controller or the legitimate interests of a third party, unless there is a good reason to protect the data subject's personal data which overrides those legitimate interests.

If and when sensitive personal data is being processed, we will ensure that any additional conditions specified in the data protection legislation are met.

In practice, we interpret this as meaning that we hold normal payroll information and share that with our accountants (who act as data processor of such information). In addition, we maintain contact details for representatives at each member firm which we share with our data processors in order to fulfil our purpose of administering the Code. In the normal course, we do not maintain a database for mailings although, in the course of our activities, we receive email and other contact information for our members (and partners and staff at those member firms, as well as RCG Board members and the Company Secretary) and may from time to time hold contact information on persons we interact with in pursuing our activities, such as contact details of persons interviewed as part of a review of the Code or of its effectiveness. Any emails or other correspondence sent by the Company Secretary of the RCG will invite the recipient if they wish to be removed from our database. We shall action any such request without delay. Similarly, if a director, secretary or member firm requests the removal of certain data, we shall do so to the extent that it does not contravene our legal obligations. At the end of each periodic review of the Code and review of the Effectiveness of the Code we shall cleanse our database of any information that is no longer required .

3. Notifying data subjects

We will keep data subjects informed about how we will use their personal data. Any information we supply about the processing of personal data will be:

(a)concise, transparent, intelligible and easily accessible;

(b)written in clear and plain language; and

(c)free of charge.

4. Accurate data

We will ensure that personal data we hold is accurate and kept up to date. We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. If we are notified that personal data is inaccurate or incomplete, we will take all reasonable steps to amend inaccurate or out-of-date data.

If we have disclosed the personal data in question to others, we will contact each recipient and inform them of the rectification - unless this proves impossible or involves disproportionate effort.

5. Erasure of data

We will not keep personal data longer than is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to destroy, or erase from our systems, all personal data if:

(a)a data subject has demonstrated sufficient grounds to require such erasure (and assuming that there is no compelling reason for its continued processing); or

(b)the personal data is no longer required.

In practice, this means that once a data subject (such as a remuneration committee chairman) has been interviewed as part of a review of the Code and that year's Code review has been completed, the data subject's personal details will be removed by the person at the RCG which had contact with that individual. At the end of each review of the Code/effectiveness of the Code, the secretary will ask all directors to confirm that they have done so.

We will also contact each recipient of the personal data in question and inform them of the requirement to erase the data - unless this proves impossible or involves disproportionate effort.

6. Processing in line with data subject's rights

We will process all personal data in line with data subjects' rights, in particular their right to:

(a)request access to any data held about them by us;

(b)object to the processing of their data;

(c)restrict processing; or

(d)obtain and reuse their personal data for their own purposes.

The above data subject's rights are subject to our obligations and rights under the data protection legislation and the rights of other affected parties (e.g. data controllers, data processor, etc.)

7. Data security

We will take appropriate technical and organisational measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

In particular, all email data is encrypted (where possible) and all attachments including personal data which is transmitted by email is password protected (with the passwords sent separately to the personal data).

We have put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if it agrees to comply with those procedures and policies, or if it puts in place adequate measures.

8. Transferring personal data to a country outside the UK or EEA

We may transfer any personal data we hold to a country outside the United Kingdom or the European Economic Area (EEA), provided that one or more of the following conditions applies:

(a)the European Commission has decided that the country to which the personal data are transferred ensures an adequate level of protection for the data subjects' rights and freedoms;

(b)where the organisation receiving the personal data has provided adequate safeguards;

(c)the data subject has given his informed consent;

(d)the transfer is necessary for one of the reasons set out in the data protection legislation (including, but not limited to, the performance of a contract, or to protect the vital interests of the data subject); or

(e)the transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.

9. Disclosure of personal data

Notwithstanding the terms of this policy, we may disclose, or be required to disclose, personal data we hold (including sensitive personal data) to a third party in certain circumstances (e.g. matters of public interest, in order to comply with an order of a court or tribunal, etc.).

10. Dealing with data subject access requests

Data subjects must make a formal request in writing for information we hold about them. We will not disclose personal data as a result of a telephone enquiry unless:

(a)the caller puts their request in writing (including in electronic form addressed to the secretary at [email protected]); or

(b)we are able to verify the caller's identity to make sure that information is only given to a person who is entitled to it.

We will respond to a request as soon as possible and within at least one month of receipt.

We reserve the right to charge a reasonable fee for a data subject access request if it is manifestly unfounded or excessive.

11. Personal data breach

In the event of a personal data breach we will:

-assess the likelihood and severity of the risk to the data subject's rights and freedoms;

-notify the Information Commissioner's Office (or equivalent supervisory authority) if there is a risk to the data subject's rights and freedoms;

-inform the data subject if there is a high risk of adversely affecting the data subject's rights and freedoms; and

-keep a record of any personal data breaches.

APPENDIX: DEFINITIONS

The following expressions have the following meanings in the Data Protection Policy:

"data" is information which is stored electronically, on a computer, or in certain paper- based filing systems.

"data controllers" are the people who, or organisations which, determine the purposes for which, and the manner in which, any personal data is processed.

"data processors" include any person or organisation that is not a data user that processes personal data on our behalf and on our instructions.

"data protection legislation" means the legal obligations in respect of data protection, including the Data Protection Act 2018 and relevant sections of the General Data Protection Regulation.

"data subjects" for the purpose of this policy include all living individuals about whom we hold personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal information.

"data users" are our partners and those of our employees whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times.

"personal data" means data relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.

"personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

"processing" is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.

"sensitive personal data" includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned.