Ver 1 Data Protection and Data Security Policy Page 2 of 8

1. PURPOSE OF POLICY

LJF Powder Coating Ltd (the Employer) is committed to ensuring that all personal information handled by us will be processed accordingly to legally compliant standards of data protection and data security.

The purpose of this policy is to help us achieve our data protection and data security aims by:

• • Notifying our Employees of the types of personal information that we may hold about them and what we do with that information.
• • Ensuring Employees understand our rules and the legal standards for handling personal information relating to staff and others.
• • Clarifying the responsibilities and duties of staff in respect of data protection and data security.

This is a statement of policy only and does not form part of your contract of employment. We may amend this policy at any time, at our absolute discretion.

2. RESPONSIBLITIES

The Company is the “Data Controller” and is responsible for maintaining appropriate standards of data protection and data security is a collective task shared between the Company and Employees. This policy and the rules contained in it apply to all Employees of the Company, irrespective of seniority, tenure and working hours, including all Employees, Directors and Officers, Consultants and Contractors, casual or agency staff, trainees, homeworkers and fixed term staff and any volunteers.

The Managing Director has overall responsibility for ensuring that all personal information is handled in compliance with the law and has an appointed Data Protection Officer with day to day responsibility for data processing and data security.

All Employees have personal responsibility to ensure compliance with this policy, to handle all personal information consistently with the principles set out here and to ensure that measures are taken to protect the data security.

Managers also have a responsibility to lead by example and for monitoring and enforcing compliance.

Any breach of this policy will be taken seriously and may result in disciplinary action.

3. WHY WE PROCESS YOUR DATA

• We process your personal data primarily on the basis of legitimate interest as a business but only if necessary for the purpose we collected it for. We will also process data on the basis of contractual and transactional obligation where necessary. We may process your data for;

• Sales and marketing activities such as calls, emails and other types of communications

• Understanding how you interact with the website and social media

• Account activity such as, email, written and verbal communications and agreements Ver 1 Data Protection and Data Security Policy Page 3 of 8

• To perform obligations under a contract with you or a business you may work for

• We will only store your data, for as long as we need it to undertake any of the processes listed above.

4. HOW WE USE YOUR INFORMATION

• About you: when you use our website, send us an email or communicate with us in any way, you are voluntarily giving us information that we collect.

• That information may include either your name, email address, ip address, phone number, as well as details including occupation, location, survey responses and feedback. By giving us this information, you agree to this information being collected, used, disclosed, transferred within the eu (our main data storage centre is located in scotland) and stored by us as described in this privacy policy.

• automatically: when you browse our website we may collect usage information about your visit to our website and your web browsing. that information may include your ip address, your operating system, your browser id, your browsing activity, and other information about how you interacted with our website or service. we may collect this information as a part of log files as well as through the use of cookies or other tracking technologies. our use of cookies and other tracking technologies is discussed more below, and in more detail in our cookie policy

• Website cookies and link tracking: cookies allow us to provide important site functionality, so you don’t have to re-enter lots of information. They also allow us to remember what links and pages have been clicked or viewed during a session. If you have provided us with personal data, completing a contact form for example, we may associate this personal data with other information. This will allow us to identify and record what is most relevant to you. By using your browser controls, you are always in control of the cookies we store and access on your computer. More information on how to control cookies and limit personal data processing can be found at youronlinechoices.com/uk/five-top-tips. For comprehensive information on how to change your cookie settings in a wide variety of different web browsers, visit www.aboutcookies.org.

• Google analytics cookies: google analytics is a website monitoring tool that allows users to see volumes of website visitors, their source, and to analyse how the content of their website is viewed and navigated. This in turn allows optimisation of the content and pages and the marketing programmes that drive traffic to the website. Google analytics does not store any personal information about website visitors, but does use persistent cookies to identify repeat visitors. You may universally opt-out of all google analytics tracking used by all websites by visiting the following url – https://tools.google.com/dlpage/gaoptout

5. PERSONAL INFORMATION

This policy covers personal information: Ver 1 Data Protection and Data Security Policy Page 4 of 8

• • Which relates to a living individual who can be identified either from that information in isolation or be reading it together with other information we possess.
• • Is stored electronically or on paper in a filing system.
• • In the form of statements of opinion as well as facts.
• • Which relates to Employees (present, past or future) or to any other individual whose personal information the Business handles or controls.
• • Which the Company obtains, holds or stores, organises, discloses or transfers, amend, retrieve, use, handle, process, transport or destroy.

6. INFORMATION PROCESSED

The Company collects personal information about its Employees which:

• • the Employee provides or the Company gathers before or during the Employment or Engagement with the Company.
• • is provided by third parties, such as references or information from suppliers or another party that the Company does business with.
• • is in the public domain.

The types of personal information that the Company may collect, store and use about its Employees include records relating to the Employees:

• • Personal contact details such as name, address, date of birth, gender, marital status and dependants title, addresses, telephone numbers and personal email addresses.
• • Next of kin and emergency contact information.
• • Payroll information (including National insurance number, bank account details, payroll records and tax status).
• • Salary, annual leave, pension and benefits information.
• • Recruitment information (including copies of right to work documentation, references and other information included in a CV, application form or cover letter or as art of the application process.
• • Employment records (including job titles, work history and location, working hours, training records and professional memberships).
• • Performance, disciplinary and grievance information.
• • Documentation and professional certificates, approvals or licences where applicable.
• • Information obtained through electronic means such as swipe card records.
• • Information about your use of our information and communications systems.
• • Photographs.

The Company may also collect, store and use the following “special categories” of more sensitive personal information.

• • Information about your race or ethnicity and or sexual orientation.
• • Information about your health, including any medical conditions, health and sickness records.

By Employees providing the Company with their personal information, Employees agree to the use of their personal information (including any sensitive personal data) in accordance with this Policy. Ver 1 Data Protection and Data Security Policy Page 5 of 8

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (such as paying you or providing a benefit), or we may be prevented from complying with our legal obligations (such as health and safety of our Employees). Any failure may result in a contract with you being terminated or disciplinary action.

7. PURPOSE

The Company will use information to carry out Business, to administer Employees employment or engagement. We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances: –

• • Where we need to comply with a legal obligation.
• • Where we need to perform the contract, we have entered into with you.

In particular, the situations in which we may process your personal information are as follows: –

• • Checking you are legally entitled to work in the UK.
• • Administering the contract, we have entered into with you including identifying education, training and development requirements.
• • Paying you and deducting tax and national insurance contributions.
• • Providing benefits to you (including liaising with your pension provider).
• • Business management and planning, including accounting and auditing.
• • Dealing with legal disputes involving you, or other employees, workers, contractors or third parties, including accidents at work and complying with health and safety obligations.
• • Managing your sickness absence, ascertaining your fitness to work and communicating with our providers of private medical or other insurance cover.
• • Monitoring your use of our information and communication systems and compliance with any IT polices.
• • Equal opportunities monitoring to conduct monitoring for equal opportunities purposes and to publish anonymised aggregated information about the breakdown of the Employers workforce.
• • Disciplinary, Grievance or Legal matters: in connection with any disciplinary, grievance, legal, regulatory or compliance matters or proceedings that may involve an Employee.
• • Performance Reviews: to carry out performance reviews.
• • Dealing with the necessary due diligence in connection with any business transfer.

Some personal information needs even more careful handling “Special Categories” of particularly sensitive personal information require a higher level of protection. We need to have further justification for collecting, storing and using this type of information.

This includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life or about criminal offences. Strict conditions apply to processing this sensitive personal information and the Employee must normally have given specific and express consent to each way in which the information is used. Ver 1 Data Protection and Data Security Policy Page 6 of 8

We may process special categories of personal information in the following circumstances: –

• • In limited circumstances, with your explicit written consent.
• • Where we need to carry out our legal obligation.
• • Where it is needed in the public interest, such as for equal opportunities monitoring or in relation to our pension scheme.
• • Where is it needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.

We will only use employee’s information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If the Company needs to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

8. DATA SHARING

The Company confirms that for the purposes of the Data Protection Act 1998, the Finance Manager has been appointed as the Data Protection Officer and shall act for the Company and is responsible for the personal information in connection with the Employees employment. This means that the Company determines the purposes for which, and the manner in which Employees personal information is processed.

The Company will take all reasonable steps to ensure that Employees information is kept secure, and as described later in the Policy.

The Company. will have to share your data with third parties.

The Company will share your data with third parties where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.

Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We require third parties to respect the security of your data and to treat it in accordance with the law.

The Company may need to share your personal information to a third party for the following reasons:

• • For the administration of the Employees employment and associated benefits e.g. to the providers of the Company’s pension scheme or insurance schemes.
• • To comply with the Company’s legal obligations or assist in a criminal investigation or to seek legal or professional advice in relation to employment issues, which may involve disclosure to the Company’s lawyers, accountants or auditors and to legal and regulatory authorities such as HM Revenue and Customs.
• • To other parties which provide products or services to the Company.

9. DATA PROTECTION PRINCIPLES

Employees whose work involves using personal data relating to the Employees or others must comply with this Policy and with the eight legal Data Protection Principles which require that personal information is: Ver 1 Data Protection and Data Security Policy Page 7 of 8

• • Processed fairly and lawfully. The Company must always have a lawful basis to process personal information. In most (but not all) cases, the person to whom the information relates (the Subject) must have given consent. The Employee must be told who controls the information (the Company), the purpose(s) for which the Company is processing the information and to whom it may be disclosed.
• • Processed for limited purposes and in an appropriate way. Personal information must not be collected for one purpose and then used for another. If the Company wishes to change the way which we use personal information the Company must first advise the Employee.
• • Adequate, relevant and not excessive for the purpose.
• • Not kept longer than necessary for the purpose. Information must be destroyed or deleted when the Company no longer needs it. For guidance on how long particular information should be kept, Employees should contact the Data Protection Officer.
• • Processed in line with the Employee’s rights. Employees have a right to request access to their personal information, prevent their personal information being used for direct marketing, request the correction of inaccurate data and to prevent their personal information being used in a way likely to cause them or another person damage or distress.
• • Secure. See further information about data security below.
• • Not transferred to people of organisations situated in countries without adequate protection.

10. DATA SECURITY

The Company must protect all personal information in our possession from being accessed, lost, deleted or damaged unlawfully or without proper authorisation through the use of Data Security measures.

Maintaining Data Security means making sure that:

• • Only individuals who are authorised to use the information can access it.
• • Information is accurate and suitable for the purposes for which it is processes.
• • Information is password protected.
• • Authorised individuals can access information if they need it for authorised purposes. Personal information therefore should not be stored on individual computers but instead on the Company’s system.

By law, the Company must use procedures and technology to secure personal information through the period that the Company holds or controls it, from obtaining to destroying the information.

Personal information must not be transferred to any individual to process (eg while performing service for the Company or on the Company’s behalf), unless that individual has agreed to comply with the Company’s Data Security procedures or the Company is satisfied that other adequate measures exist.

Security procedures include:

• • Physically securing information. Any desk or cupboard containing confidential information must be kept locked. Computers should be locked and password protected or shut down when left unattended and

Ver 1 Data Protection and Data Security Policy Page 8 of 8

• discretion should be used when viewing personal information on a monitor to ensure that it is not visible to others.
• • Data on computers will be password protected.
• • Controlling access to premises. Employees should report immediately to their Line Manager or the Data Protection Officer if they see any person they do not recognise in an entry controlled area.
• • Telephone Precautions. Particular care must be taken by Employees who deal with telephone enquiries to avoid inappropriate disclosures and in particular
• • The identity of any telephone caller must be verified before any personal information is disclosed.
• • If the caller’s identity cannot be verified satisfactorily then they should be asked to put their query in writing.
• • Do not allow callers to bully the individual into disclosing information. In case of any problems or uncertainty, telephone handlers should contact the Data Protection Officer.

11. BREACH NOTIFICATION

• • Data breaches are breaches of security that lead for example to the destruction, loss, alteration or unauthorised disclosure of personal data.

• • Breaches of personal or sensitive data shall be notified immediately to the individual(s) concerned and the ICO.

• • The Company will report personal data breaches to the supervisory authority without undue delay and no later than 72 hours (if feasible) after becoming aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.

12. RETENTION

• • The Company will retain personal data for a long as is determined necessary to do so to comply with legal obligations or for employment law purposes. The information may be required for income tax and audit purposes. The Company may also refer to the Statutory Retention Periods as published.

13. METHODS OF DISPOSAL

• • Copies of personal information, whether on paper or on any physical storage device, must be physically destroyed when they are no longer needed. Paper documents should be shredded and CD’s or memory sticks or similar must be rendered permanently unreadable.

14. EMPLOYEE RIGHTS

• • Under the General Data Protection Regulation (GDPR) and The Data Protection Act 2018 (DPA) Employees have a number of rights with regard to their personal data. Employees have the right to request from the Company access to, and rectification or erasure of their personal data, the right to restrict processing, object to processing as well as in certain circumstances the right to data portability.

• • In certain circumstances, Employees have the right to withdraw that consent at any time which will not affect the lawfulness of the processing before your consent was withdrawn. If you wish to do this, you should contact the Data Protection Officer in writing.

Ver 1 Data Protection and Data Security Policy Page 9 of 8

• • Employees have the right to lodge a complaint to the Information Commissioners’ Office if you believe that we have not complied with the requirements of the GDPR or DPA 18 with regards to your personal data.

15. SUBJECT ACCESS REQUESTS

• • By law, any Employee may make a formal request for information that the Company holds about them, (data subject access request) providing that certain conditions are met. The request must be made in writing, and a Subject Request Access Form is available for this purpose. In some circumstances, it may not be possible to release the information about the Employee to them eg if it contains personal data about another individual.

• • If you want to access, verify or request erasure or your personal information object to or restrict the processing or your personal information, or request that we transfer a copy of your personal information to another party, you should contact the Data Protection Officer and you will be issued with the Subject Data Access Form for completing and returning.

• • We may need to request specific information from you to confirm your identity and ensure your right to access the information (or exercise any of your other rights). This is another appropriate security measure to ensure personal information is not disclosed to any person who has no right to receive it.

• • In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please do so in writing to the Data Protection Officer. Once your notification has been received to withdraw your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

16. YOUR RESPONSIBILITIES

• • It is your responsibility for helping the Company keep your personal data up to
• • date. You should advise us if personal information you have provided to the
• • Company changes, for example if you move house, change a telephone

number or change bank details.

• • If any Employee considers that any information held about them is inaccurate, then the Employee should advise Lucy Milne, Finance Manager or the Data Protection Officer and, if the Company agrees that the information is inaccurate then it will be corrected. If the Company does not agree with the correction, then the Company will note the Employees comments.

17. REFERENCES AND POST EMPLOYMENT

• • If the Company receives a request for a reference, in providing a reference the Company may still be processing personal data. Prior to responding to any request, the Company will seek the written consent of the individual that they agree to the Company providing the reference.

Ver 1 Data Protection and Data Security Policy Page 10 of 8

18. COOKIES

• Cookies are small text files that are placed on to your computer by websites that you visit. They are used to make websites work, to improve efficiency of websites, to improve the user’s experience and to provide usage information on websites. This information should make your website visits more productive by storing and using information on your website preferences and habits.

• Your web browser can choose whether or not to accept cookies. Most web browser software is initially set up to accept them.

• Our website uses cookies and you should ensure that your web browser is set up to not accept cookies if you do not wish to receive them. Please note that if you disable cookies, some services or website functionality may not be available. For further information about cookies and how to disable them please go to aboutcookies.org. We use the following cookies:

• Essential cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, and to use online forms.

• Analytical cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.

• Marketing cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences. These cookies also record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website, the advertising displayed on it and communications sent more relevant to your interests.

19. CHANGES TO THIS POLICY

• • We reserve the right to change this policy at any time with notice to you
• • This policy does not override any applicable national data privacy laws and regulations in countries and company operates