Data Protection Policy

1. Purpose and Scope of the Policy

1.1 Sanderson Weatherall Group entities are obliged to comply with the General Data Protection Regulations (EU) 2016/679 (GDPR) and the Data Protection Act 2018 (together the data protection legislation). This data protection policy sets out in general terms how the Sanderson Weatherall Group will comply with the data protection legislation (policy).

1.2 This policy deals with the roles and responsibilities of Sanderson Weatherall Group Limited (CN 04870380) and any of its subsidiary companies and affiliates, which, for the avoidance of doubt, includes Sanderson Weatherall LLP (OC 344770) (Sanderson Weatherall Group), with regard to the processing of personal information.

1.3 This policy applies to all personal information processed by Sanderson Weatherall Group, including hard copy and electronic records.

1.4 This policy applies to all individuals working within any entity within the Sanderson Weatherall Group, including directors, partners, employees, consultants, contractors, casual and agency workers (referred to together in this policy as personnel).

1.5 All those to whom this policy applies are referred to as you and your in this policy and references to we, us or our refer to the entity in the Sanderson Weatherall Group that controls the way the personal information is used.

1.6 Each Sanderson Weatherall Group company is responsible for ensuring that it complies with the data protection legislation. Protecting the confidentiality and integrity of personal information is a responsibility that we take seriously at all times.

1.7 This policy does not form part of any employee’s contract of employment and it may be amended at any time.

1.8 It is important that you take responsibility for ensuring that you act in accordance with this policy. Any breach of this policy by you will be taken seriously and may result in disciplinary action. It may also result in us breaching the data protection legislation or other legal requirements.

1.9 Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Data Protection Manager using the contact details referred to in the Questions section of this policy.

2. Definitions

2.1 In this policy the following words have the meanings set out below:

2.1.1 a controller means the person or organisation that determines when, why and how to process personal information. It is responsible for establishing practices and policies in line with the data protection legislation. For example, each Sanderson Weatherall Group affiliate will likely be the data controller of the personal information about its employees;

2.1.2 a processor means an organisation that processes personal information on behalf of a data controller in accordance with the data controller’s instructions. Sanderson Weatherall Group may also use a data processor to process personal information on its behalf; for example, where Sanderson Weatherall Group’s payroll is carried out by a third party, the provider would be likely to be the relevant group entity’s data processor;

2.1.3 a data subject means an individual about whom we hold personal information, for example an employee, a partner of Sanderson Weatherall LLP, a worker, a contractor, an apprentice, an intern, a job applicant, a customer, individuals employed by customers and suppliers, and professional advisers such as legal advisers;

2.1.4 personal data breach means a breach of security leading to the accidental or unlawful distribution, loss, alteration, unauthorised disclosure of, or access to, personal information transmitted, stored or otherwise processed;

2.1.5 personal information means information that is about a data subject and which identifies the data subject;

2.1.6 process(ing) means any operation or set of operations which is performed on personal information or on sets of personal information, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

2.1.7 relevant group entity means the member of the Sanderson Weatherall Group that is the controller of the personal information; and

2.1.8 special category personal data means personal information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and personal information relating to criminal offences and convictions.

3. Data Protection Principles

3.1 Anyone using personal information must do so in accordance with the principles set out in the data protection legislation. Those principles state that personal information must be:

3.1.1 processed fairly, lawfully and transparently;

3.1.2 collected for specified, explicit and legitimate purposes and not used in a manner which is incompatible with those purposes;

3.1.3 adequate, relevant and not excessive;

3.1.4 accurate and, where necessary, up to date;

3.1.5 kept for no longer than is necessary; and

3.1.6 used in a way which ensures they are kept secure.

3.2 We are responsible for ensuring that we comply with the principles set out above and we must be able to demonstrate the steps that we have taken to comply. This is known as the accountability principle under the data protection legislation.

3.3 We describe how you can help us satisfy these principles by setting out some practical examples in sections 4 to 9 below.

4. Fair, Lawful and Transparent Processing

4.1 Personal information must be processed fairly, lawfully and in a transparent manner in relation to the data subject.

4.2 You may only process personal information on the basis of one or more of the lawful bases set out in the data protection legislation. The list below identifies the lawful bases which are most likely to apply to the Sanderson Weatherall Group:

4.2.1 the data subject has given consent;

4.2.2 the processing is necessary for the performance of a contract with the data subject;

4.2.3 the processing is necessary to meet our legal obligations;

4.2.4 the processing is necessary to protect the data subject’s vital interests where the relevant data subject is physically or legally incapable of giving consent (this is intended to cover matters of life and death); or

4.2.5 the processing is necessary to pursue our legitimate interests, except where the processing prejudices the interests or fundamental rights and freedoms of the relevant data subjects.

4.3 Special category personal information must be treated more carefully by us so, where you wish to process special category personal data, you must also be able to justify the processing under a list of narrower legal bases. These include where:

4.3.1 the data subject has given explicit consent;

4.3.2 the processing is necessary for the purpose of carrying out the obligations or exercising our legal rights in the field of employment;

4.3.3 the processing is necessary to protect the vital interests of a data subject where the relevant data subject is physically or legally incapable of giving consent (this is intended to cover matters of life and death);

4.3.4 the personal information is manifestly made public; or

4.3.5 the processing is necessary for the establishment, exercise or defence of legal claims.

4.4 You must identify and document the legal ground being relied on for each processing activity. If you are in any doubt about which lawful basis applies to the processing, please contact the Data Protection Manager for further advice and guidance.

4.5 The data protection legislation requires controllers to provide detailed, specific information to data subjects. Such information must be provided through appropriate privacy notices, which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a data subject can easily understand them.

4.6 Sanderson Weatherall Group has adopted and maintains a privacy notice for its customers (privacy notice), which can be obtained from Sanderson Weatherall’s website at www.sw.co.uk and the Sanderson Weatherall Group intranet at ‘MySW’ for our own personnel. The privacy notice sets out the bases on which Sanderson Weatherall Group relies to process the personal information for the purposes identified in the privacy notice.

4.7 You should check that the way you are using personal information is covered by the purposes detailed in the relevant privacy notice. If it is not, you should refer to the Data Protection Manager whose contact details are included in the Questions section of this policy, who will then consider the processing and will take the appropriate action, which may include carrying out a Data Protection Impact Assessment (DPIA) and / or updating the privacy notice. Any changes which need to be made to Sanderson Weatherall Group’s policies or privacy notice will be made and updated versions will be added to the Sanderson Weatherall Group website and ‘MySW’.

5. Specified Purpose

5.1 Personal information must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.

5.2 You should not use personal information for new, different or incompatible purposes from those purposes disclosed when it was first obtained. If it becomes necessary for us to use or disclose the personal information for any purpose that is additional to or different from the originally specified purpose (i.e. to change the purpose for which the personal information is processed), the data subject must be informed of the new purpose before any new processing occurs. Consent may also need to be obtained from the data subject to the proposed new use of their personal information.

5.3 If you plan to use personal information for any new purposes, you should contact the Data Protection Manager whose details are included in the Questions section of this policy for further advice and guidance.

6. Data Minimisation

6.1 Personal information must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

6.2 Personal information should only be collected to the extent that it is required for the specific purpose(s) notified to the data subject. Any personal information which is not necessary for that purpose should not be collected by personnel in the first place.

6.3 You may only process personal information if and when the performance of your job duties requires it. You should not process personal information for any reason unrelated to your job duties.

7. Accuracy

7.1 Personal information must be accurate and, where necessary, kept up to date.

7.2 You will ensure that the personal information we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. You must check the accuracy of any personal information at the point of collection and at regular intervals afterwards.

7.3 Where appropriate, you should assess the accuracy of personal information at the time of collection from sources other than the individual to whom the personal information relates.

7.4 Any challenges to the accuracy of the personal information by the data subject should be processed and carefully considered in line with section 12 of this policy.

8. Kept for no Longer Than Necessary

8.1 Personal information must not be kept in an identifiable form for longer than is necessary for the purposes for which the personal information is processed.

8.2 This means you must not keep personal information in a form which permits the identification of the data subject for longer than needed for the legitimate business purpose or purposes for which it was originally collected, including for the purpose of satisfying any legal, accounting or reporting requirements.

8.3 This obligation does not apply in the following circumstances:

8.3.1 Litigation. In the event that personal information is required to be retained in order to take or defend actual, threatened, contemplated or pending legal proceedings, the personal information must be preserved until the Executive Board determines that the personal information is no longer needed. If a decision is made to retain the personal information, this decision must be re-evaluated at least every two years to determine whether it is still appropriate to retain the personal information. This exemption applies as soon as legal proceedings are contemplated or anticipated; and

8.3.2 Insurance claim data. Once a claim or potential claim is notified to our insurers, the personal information relating to the notified matter should be retained until the insurer agrees the personal information need not be retained.

9. Security

9.1 Personal information must be secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction, damage, access, use or disclosure.

9.2 Personal information held by the Sanderson Weatherall Group is held on secure servers in the UK. The Sanderson Weatherall Group has ISO 27001 standard certification in relation to its document management and security.

9.3 You are responsible for protecting the personal information we hold. You must follow the procedures we set out to protect the personal information we hold from unlawful or unauthorised processing and against the accidental loss of, destruction or damage to that personal information. You must exercise particular care in protecting special category personal data from unauthorised or unlawful processing and against accidental loss, destruction, damage, access, use or disclosure.

9.4 You must maintain data security by protecting the confidentiality, integrity and availability of the personal information, defined as follows:

9.4.1 confidentiality means that only people who have a need to know and are authorised to use the personal information can access it;

9.4.2 integrity means that personal information is accurate and suitable for the purpose for which it is processed; and

9.4.3 availability means that authorised users are able to access the personal information when they need it for authorised purposes.

9.5 You must comply with all applicable aspects of our information security policies, which are available on the MySW site. You should not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain to protect personal information.

9.6 You may only transfer or allow access to personal information to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested. Please see section 16 for further details on the relevant requirements.

9.7 All personnel who process personal information must carry out appropriate training.

10. Personal Data Breaches

10.1 The data protection legislation requires controllers to notify certain personal information breaches to the Information Commissioner’s Office and, in certain instances, the data subject. The Personal Data Breach Notification and Reporting Policy sets out the circumstances where personal data breaches need to be notified.

10.2 You must comply with the Personal Data Breach Notification and Reporting Policy (which can be obtained from the MySW site or from the Data Protection Manager) if you become aware of or suspect that a personal data breach has occurred.

11. Transfer of Personal Information Outside of the UK or the EEA

11.1 The data protection legislation restricts transfers of personal information to countries outside the UK or the EEA in order to ensure that the level of protection afforded to individuals by the data protection legislation is not undermined. You transfer personal information originating in one country across borders when you transmit, send, view or access that personal information in or to a different country.

11.2 Personal information should not be transferred outside of the UK or the EEA, including being accessed outside of the UK or the EEA, unless this has first been considered by the Data Protection Manager so that appropriate procedures can be implemented.

12. Rights of Data Subjects

12.1 Data subjects have rights when it comes to how we process their personal information.

12.2 For further information about these rights and how they should be handled, please see our Data Subject Rights Policy (which can be obtained from the MySW site).

13. Accountability

13.1 The controller is responsible for, and must be able to demonstrate, compliance with the data protection principles. In practice this means that each relevant group entity needs to be proactive and organised about its approach to data protection and evidencing the steps that have been taken to comply.

13.2 You must keep and maintain accurate corporate records reflecting our processing including records of data subjects’ consents and procedures for obtaining consents in accordance with the policies that we notify to you from time to time.

14. Privacy by Design and Data Protection Impact Assessment (DPIA)

14.1 We are required to implement privacy by design measures when processing personal information by implementing appropriate technical and organisational measures (like pseudonymisation) in an effective manner, to ensure compliance with data protection principles.

14.2 Privacy by design means that, for example, when considering new purposes for processing personal information or implementing new technology, you need to consider the impact the processing will have on data subjects for the whole lifecycle of the processing (i.e. from start to finish of the processing of the personal information).

14.3 You must assess what privacy by design measures can be implemented on all programs / systems / processes that process personal information by taking into account the following:

14.3.1 the state of the art;

14.3.2 the cost of implementation;

14.3.3 the nature, scope, context and purposes of processing; and

14.3.4 the risks of varying likelihood and severity for rights and freedoms of data subjects posed by the processing.

14.4 Controllers must also conduct DPIAs in respect of high risk processing. Some examples of high risk processing include: systematic and extensive profiling with significant effects on data subjects; processing biometric data; or data matching by combining, comparing or matching personal information obtained from multiple sources.

14.5 You should conduct (and document) a DPIA (and discuss your findings with the Data Protection Manager and the Executive Board) when implementing major systems or business change programs involving the processing of personal information including:

14.5.1 use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);

14.5.2 automated processing including profiling and automated decision making;

14.5.3 large scale processing of special category personal data;

14.5.4 processing biometric or genetic data;

14.5.5 carrying out data matching using personal information obtained from multiple sources;

14.5.6 tracking a data subject’s geolocation or behaviour, including but not limited to the online environment; and

14.5.7 large scale, systematic monitoring of a publicly accessible area.

14.6 If you believe that a DPIA should be completed in relation to any processing activity that is proposed you should contact the Data Protection Manager whose contact details are provided in the Questions section of this policy for further advice and guidance.

15. Direct Marketing

In addition to the data protection legislation there are other rules and privacy laws that apply to direct marketing. These are complex and vary depending on the method of marketing (for example, marketing by email) and the type of recipient (for example, private individuals or corporate subscribers).

16. Sharing Personal Information

16.1 Generally, we are not allowed to share personal information with third parties unless certain safeguards and contractual arrangements have been put in place.

16.2 You may only share the personal information we hold with another employee, a partner in the Sanderson Weatherall LLP partnership, agent or representative of our group (which includes our subsidiaries) if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions as detailed in section 11.

16.3 If you plan to share personal information with a third party, you are expected to have assessed whether the third party applies appropriate technical and organisational security measures to protect the personal information, prior to any sharing taking place.

16.4 In addition, before sharing any personal information with a third party please contact the Data Protection Manager whose contact details are provided in the Questions section of this policy for further advice and guidance.

17. Complaints

If you receive any complaints from any data subjects in relation to how their personal information is handled by the Sanderson Weatherall Group, you must refer these to the Data Protection Manager whose contact details are set out in the Questions section below and refer to the Sanderson Weatherall Group complaints procedure that is available on the MySW site.

18. Questions

If you have any questions regarding a request by a data subject to exercise their rights under the data protection legislation, please contact the Sanderson Weatherall Group Data Protection Manager whose details are set out in the table below.

Data Protection Manager: Martin Archer
Telephone Number: 0113 221 6000
E-mail: martin.archer@sw.co.uk
Office Address: 6th Floor Central Square, 29 Wellington Street, Leeds, LS1 4DL

19. Policy Review

19.1 The policy will be reviewed annually or more often if deemed necessary by the Sanderson Weatherall Group Limited board of directors, for example if there are any major changes in the law or practice or there are changes in the nature of our business, our clients or other changes which impact on this policy.

19.2 Any updates to this policy will be uploaded to the MySW site. It is your responsibility to check back regularly to obtain the latest copy of this policy.

20. References / Related Policies

20.1 Sanderson Weatherall Group Customer Privacy Policy;

20.2 Sanderson Weatherall Group Personal Data Breach Security Notification and Reporting Policy; and

20.3 Sanderson Weatherall Group Data Subject Access Rights Policy.