Corporate Privacy Policy

March 2023 v.10

1.  Introduction

Ready Motorsports Corporation (“Ready Motorsports” or “Company”) prioritizes the rights and privacy of its Data Subjects. As a Company that conducts business worldwide, it is imperative that we observe and follow all privacy laws that may be applicable to individuals who interact with, conduct business with, or otherwise provide data to the Company.

1.1   Purpose

The purpose of this Privacy Policy is to provide information to all internal and external Data Subjects regarding how the Company collects personal data about Data Subjects, how it may process such data, and what rights all Data Subjects have regarding their personal data.

1.2   Audience

The audience of this Policy is all Data Subjects, both internal and external, as well as all Personnel who have any responsibilities in the creation, maintenance, or execution of this Policy.

1.3   Document Scope and General Information

The information in this section is relevant to all categories of Data Subjects.

1.3.1 Who Controls Personal Data?

• Ready Motorsports is responsible for personal data

1.3.2 General Company Contact Information

• privacy@readymotorsports.com

1.3.3 Company Data Protection Officer (DPO)

• Ready Motorsports has appointed Michael LaRocca, Founder and CEO, as its DPO.
  • His email contact information is as follows: michael.larocca@readymotorsports.com

1.3.4 Company Privacy and Security Officer

• Ready Motorsports has appointed Michael LaRocca, Founder and CEO, as its Privacy and Security Officer.
  • His email contact information is as follows: michael.larocca@readymotorsports.com.

1.4   References and Sources

Refer to Appendix A: References and Sources for a complete table of all references and sources.

2.  Data Subject’s Rights

It is this Company’s commitment to ensure all Data Subjects that interact with the Company have received, understand, and can execute their rights against this Policy.

All Data Subjects have the following rights:

2.1   The Right to be Informed

Data Subjects have the right to be informed about how the Company processes personal data. Typically, the Company communicates this information through a privacy policy, such as this one.

2.2   The Right of Data Access

Data Subjects have a right to obtain a copy of the personal data the Company retains, subject to certain exceptions.

2.3   The Right of Data Rectification

Data Subjects always have a right to ask for an immediate correction of inaccurate or incomplete personal data that the Company retains related to the Data Subject.

2.4   The Right of Data Erasure

• Data Subjects have the right to request that personal data be erased when it is no longer needed, and where applicable law obliges the Company to delete the data or cease the processing of it due to its unlawfulness.
• Data Subjects may also ask the Company to erase personal data when consent has been withdrawn or a Data Subject objected to the data processing. However, this is not a general right to data erasure and there are exceptions.

2.5   The Right to Restrict Data Processing

Data Subjects have the right to restrict the processing of personal data in specific circumstances. Where that is the case, the Company may still store your information, but not use it further.

2.6   The Right to Data Portability

Data Subjects have the right to receive their personal data in a structured, machine-readable format, or to request the Company to share it with a third-party.

2.7   The Right to Object to Data Processing

Data Subjects have the right to object to the Company’s processing of their personal data based on the legitimate interests; where their data privacy rights outweigh the Company’s reasoning for legitimate interests.

2.8   Rights in Relation to Automated Decision Making and Profiling

• Data Subjects have the right to not be subjected to a decision based solely on automated processing which produces legal or similarly significant effects. This includes profiling. Currently, the Company does not perform any automated decision making or profiling.

• Data Subjects may request to enforce their data privacy rights by emailing the Company-appointed DPO at the email address provided in section 1.3.3 of this document.

• In certain circumstances, the Company may need to restrict the above rights to safeguard public interest (e.g., the prevention or detection of crime) or our business interests (e.g., the maintenance of legal privilege).

3.  General Information

As a Data Subject, you maintain certain rights that the Company has obligations to observe. The following section of this document provides a complete outline of all of the pertinent information that Data Subjects have a right to.

3.1   Consent as a Legal Basis for Processing

For some data processing, the Company uses consent as a legal basis. If a Data Subject has consented to processing by the Company, please be aware that a Data Subject has the right to withdraw this consent at any point. To withdraw consent for a particular type of data processing that the Company performs, you may contact the to the Company Contact identified in section 1.3.3 of this Policy.

3.2   Complaints to a Supervisory Authority

Data Subjects have the right to lodge a complaint with a “supervisory authority” (UK/EU) or applicable Department of Justice (U.S.) with regards to the way that the Company processes personal data. If a UK/EU Data Subject would like to submit a complaint, the Company recommends lodging a complaint with the ‘Information Commissioner’s Office (ICO)’. This is the UK’s supervisory authority and is the one which the Company is registered with. If the Data Subject is a U.S. Citizen, then that Data Subject should file a complaint with the appropriate Department of Justice relevant to the State in which they would like to cite their complaint.

3.3   How the Company Shares Your Data

The Company will not share your information with any third parties for the purposes of direct marketing, and will not sell your data.

The Company uses data processors who are third parties who provide elements of services. For those services, the Company has contracts in place with the data processors. This means that they cannot do anything with a Data Subjects personal information unless we have instructed them to do it. Third parties will not share your personal information with any organization apart from the Company, unless it has been authorized by the Company. Third parties will hold it securely and retain it for the period the Company instructs.

In some circumstances, the Company is legally obligated to share information (e.g., a court order). In a scenario such as this, the Company will document that we have a lawful/legal basis on which to share the information.

3.3.1 Transfers of Personal Data to ‘Third Countries’

The Company is an international organization with entities in the UK and the US. It is possible that over the course of business activities, that data may be transferred from the UK/EU to the US. The US is currently considered a ‘third country’ by UK GDPR standards. The Company has developed appropriate safeguards in the form of International Data Transfer Agreements to safeguard data.

3.4   How the Company Protects Your Information

The Company has implemented appropriate technical and organizational measures (TOMs) and data security controls to protect personal data that the Company retains. These controls and measures will help to sustainably mitigate unauthorized disclosure of personal data, as well as any unauthorized use, alteration, or destruction of it. Where appropriate, the Company uses encryption and other technologies that assist in securing data. It is also a requirement that our service providers comply with strict data privacy requirements where they process personal data.

3.5   How Long Will the Company Retain Personal Data?

The Company only retains personal data for as long as necessary and for the purposes described in this privacy policy; or until a Data Subject notifies the Company to cease processing data. After this time, the Company will securely delete personal data, unless there is a legitimate reason to keep it, in order to meet legal or regulatory obligations, or to resolve potential legal disputes.

3.6   Contact and Further Information

• If you have any questions about how the Company uses personal data, or if you wish to submit a complaint about how the Company handles it, you may contact the to the Company Contact identified in section 1.3.3 of this Policy.
  • If you would like to be provided with information about a specific personal data processing activity, you can request that by submitting a request to the Company Contact identified in section 1.3.3 of this Policy.

• The Company only collects personal data it needs for the purposes described above. Certain personal data collected from Data Subjects relates to your next of kin and emergency contacts. In these cases, you are requested to inform such persons about this Policy.

• If you are working at a third-party site (e.g., a Company customer location or facility), such third party may need to process personal data for their purposes acting as a data controller. In these cases, you may request a separate privacy notice/policy from the relevant data controller.

4.  Privacy Notice by Data Subject Type

In the following section of this document, the Company explicitly categorizes its Data Subjects by type to formally document the types of information we request/collect, why that information is requested/collected, what happens if the information requested is not provided, and the legal basis we rely on for the collection of that data.

4.1   Employees or Potential Employees

Standard Types of Information the Company Collects and Uses

The Company collects and uses personal data that concerns you in connection with your employment. The Company may collect the following categories of personal data:

• Personal details and identification data such as name, personal and business address, personal and business telephone number, personal and business email address or any other contact details, date, and country of birth.
• Personal data related to family and social circumstances such as gender, age, marital and family status (including the name and contact details of the next of kin).
• Employment related personal data such as: signature, employment status, national insurance numbers, insurance number, country of residence, nationality, photo, emergency contacts, passport information, work and residence permit, immigration status and travel visa information.
• Qualifications such as qualifications and certifications including current and previous positions, education and training courses, resume/CV, records of education and work achievements, in some cases: contact details of referees and results of capability assessments and interview assessment/feedback.
• Job information and work metrics such as position, title, employment contract, payroll ID, line manager, job band, performance history, employment status, leave of absence information, working time logging, training records, performance targets and development goals. In some cases, the Company may also record results of capability assessments, safety reports and incidents, and professional feedback.
• Compensation, allowances, benefits and expense related information such as salary data, payroll data, pension plan number and contributions, non-salary benefits, bonus, compensation, share options, dependents, beneficiaries or health benefit nomination, bank statements, expense claims and receipts, bank account details, credit card data, phone expenses and insurance data.
• Electronic identification data and information (where employee has access or is affected by such systems or applications) such as access logs, IT and internet usage, device identifiers (mobile device ID, PC ID etc.), registration and login credentials, IP address, tracking and analytics data, recordings (e.g., voice mail/call recordings), posts on corporate platforms (e.g., Yammer), password recovery data, information obtained via IT security tools.
• Financial and other details such as account information, credit checks, payment details and transactions, investigation information and disciplinary history.
• Other personal data (which may include special categories of information as mentioned below) namely where you or others (such as your colleagues) may register these data on or in our systems, programs and application such as business documents containing personal information (e.g., queries, questions, complaints, orders and related records; emails; reports; contracts; presentations, minutes; work products), photos, images and/or videos.

Special Categories of Personal Data

The below mentioned types of personal data are only collected and processed, if at all, in accordance with applicable local laws in your country of residence.

• Membership of religious congregations (e.g., if required for tax purposes);
• Health and medical information, including disability status, special working conditions (such as use of a standing desk) and medical devices needed on the premises, work related injury and illness information, data for travel emergency support (blood type, medical history, allergies);
• Race or ethnicity (e.g., where this is used for diversity purposes);
• In some cases: trade union membership, political opinions and sex life or sexual orientation (e.g., where this is used for investigations of non-equal treatment).
• Data about criminal convictions and offences such as criminal background information and sanction list information to the extent required for the purposes of criminal background screening and Know Your Customer and Anti Money Laundering obligations.
• To the extent necessary to fulfil our obligations, data obtained from publicly accessible sources or which are legitimately transmitted by other third parties (e.g., a credit agency) such as data in public professional social media (e.g., LinkedIn), background check data.

In case you would like to be provided with information about a specific personal data processing activity, you can request that by submitting a request to the Company Contact identified in section 1.3.3 of this Policy.

Use of Data

The company may use your personal data as listed above for the following purposes:

• Human resources management including organization and personal administration, working hours management, improving and maintaining effective staff administration, internal workforce analysis, reporting and planning;
• Staff transfer management from different affiliates and succession planning;
• Payroll, compensation and benefits management including providing staff benefits and maintaining salary, compensations including intellectual property, allowances, benefits, insurances, pensions and performance reviews;
• Talent management and acquisition including recruitment, assessing suitability and working capacity, background checks and verification of qualifications, obtaining and providing references;
• Learning and development management including certifications, training staff and performing assessments and employee satisfaction surveys;
• Processes related to joining and leaving including internal moves and terminations;
• Sickness and other leave and vacations management;
• Internal health and safety programs including health and safety and accident records or reporting and managing process quality;
• Travel and expenses management and organization of business trips including monitoring of travelers to provide support during security or medical emergencies; providing travel security, health and safety training and on a voluntary basis assistance in giving security support during emergencies;
• Carrying out the obligations and exercising specific rights in the field of employment or a collective agreement;
• Internal and external communication of the Company’s organization and representation of the Company including commercial register and assigning powers of attorney;
• Organizing Company events and documentation of such events including managing and organizing internal non-marketing related campaigns, events and meetings;
• Managing Company assets including pictures and videos depicting employees or other individuals available for download on the Company intranet, the Company website, etc.;
• Finance and shared accounting services providing record to report, order to cash and purchase to pay services;
• Reorganization, acquisition and sale of activities, business units and companies;
• Business reporting, statistics and analytics;
• Monitoring and auditing compliance of employees’ activities in the workplace with the Company’s corporate policies, contractual obligations and legal requirements including disciplinary actions;
• Carrying out audits, reviews and regulatory checks to meet obligations to regulators;
• Governance, risk and compliance, including compliance with laws, law enforcement, court and regulatory bodies’ requirements (such as for the process of verifying the identity of customers, called as Know Your Customer / Anti Money Laundering monitoring purposes), customs and global trade compliance, conflict of interest and security obligations) and prevention, detection, investigation and remediation of crime and fraud or prohibited activities or to otherwise protect legal rights and to establish, exercise or defend legal claims;
• Managing the customer relationship, processing customer orders and providing customer support, processing, evaluating and responding to requests and inquiries;
• Managing the suppliers, contractors, advisers and other professional experts including contact interaction, processing and fulfilling purchases and invoices, and contract lifecycle management;
• Making use of work performance and products and for references on documents, such as drawings, purchase orders, sales orders, invoices, reports;
• Access control system providing electronically controlled ingress and/or egress for authorized individuals to locations that have access restrictions and a registry of personnel on site in case of emergencies;
• Intrusion detection including 3rd party monitoring of duress, perimeter, internal security points and ancillary supervisory monitors for site maintenance/automated systems;
• Maintaining and protecting the security of products, facilities, services, systems, networks, computers, and information, preventing, and detecting security threats, fraud or other criminal or malicious activities, and ensuring business continuity; and
• Managing IT resources, including infrastructure management including data backup, information systems’ support and service operations for application management, end user support, testing, maintenance, security (incident response, risk, vulnerability, breach response), master data and workplace including user accounts management, software licenses assignment, security and performance testing and business continuity.

The Company only collects the personal data from you that it needs for the purposes described above. Certain personal data collected from you relates to your next of kin and emergency contacts. In these cases, you are requested to inform such persons about this Notice.

In case you are working at a third-party site (for example a Company customer location or facility), such third party may need to process your personal data for their purposes acting as a data controller. In these cases, you will receive or may request a separate privacy notice from the relevant data controller.

When an Information Request is Refused by the Data Subject

Where it concerns processing operations related to your employment (as described above), the Company will not be able to adequately employ you without certain personal data and you may not be able to exercise your employee rights if you do not provide the personal data requested. Although the Company cannot mandate you to share your personal data with us, please note that this then may have consequences which could affect your employment in a negative manner, such as not being able to exercise your statutory rights or even to continue your employment. Whenever you are asked to provide us with any personal data related to you, the Company will indicate which personal data is required, and which personal data may be provided voluntarily.

Legal Basis

For the use of your personal data for the purposes described above (in section 4), the Company relies on the following legal basis, as applicable:

• The Company processes your personal data for the fulfilment of obligations in your employment contract with us and similar collective employment agreements, or as part of pre-contractual measures to establish employment and related contracts;
• In some cases, the Company relies on our legitimate interests to process your personal data insofar as this is not overridden by your own privacy interests. Such interests may include:
  • Monitoring (for example through IT systems), investigating and ensuring compliance with legal, regulatory, standard and the Company internal requirements and policies;
  • Prevention of fraud and criminal activity including investigations of such activity, misuse of Company assets, products, and services, and as strictly necessary and proportionate for ensuring network and information security; and
  • Transmitting personal data within the Company group for internal administrative purposes as necessary, for example to provide centralized services.
• You may obtain a copy of our assessment regarding our legitimate interest to process your personal data by submitting a request to the Company Contact identified in section 1.3.3 of this Policy.
• In some cases, the Company processes your personal data on the basis of statutory requirements, for example, on the basis of labor law, allowances, tax or reporting obligations, cooperation obligations with authorities or statutory retention periods in order to carry out our contractual responsibilities as an employer;
• In exceptional circumstances the Company may ask your consent at the time of collecting the personal data, for example photos, communications materials, and events. If the Company ask you for consent in order to use your personal data for a particular purpose, the Company will remind you that you are free to withdraw your consent at any time and the Company will tell you how you can do this.

Special Categories of Personal Data

The Company will only process such data in accordance with applicable law and:

• With your explicit consent for specific activities in accordance with applicable law;
• When necessary for exercising rights based on employment, or social protection law or as authorized by collective agreement, or for preventive and occupational medicine or and evaluation of working abilities; or
• Where necessary for establishment, exercise, and defense of legal claims.

Regarding personal data concerning criminal convictions and offences, the Company will only process such data where such processing is permitted by applicable (local) law.

4.2   Contractors, Potential Contractors, or Service Contract Workers

Standard Types of Information the Company Collects and Uses

The Company collects and uses personal data that concerns you in connection with your work assignment and the services you are providing under the work assignment/statement of work directly to the Company. The Company may collect the following categories of personal data:

• Identification data and business contact information, you share with us such as first name, last name, job/position/title, employer, employer address, nationality, tax number, work permit/visa information, business email address, business address, telephone number, mobile telephone number, telefax number, private telephone number, private email address, gender, date of birth.
• Additional information you provide to us in the course of your work assignment such as data concerning the fulfilment of your work assignment, our contractual obligations and pre-contractual measures including correspondence data, offers, tenders, resume/CV, background check data, conditions, qualifications/certificates, contract and order data, invoices, payments, business partner history, records relating to queries/questions/complaints/orders, working time logging, and training and education records, vehicle license plate, insurance data.
• Expense related information such as bank statements, payment details, transactions, expense claims and receipts, bank account details, credit card data.
• Electronic identification data and information collected by the communications systems, IT applications and website browser (where contractor has access or is affected by such systems or applications and in accordance with the applicable law) such as information technology usage (system access, IT and internet usage), device identifier (mobile device ID, PC ID), registration and login credentials, IP address, login data and log files, Analytics ID, digital alias/signature, time and URL, searches, website registration and cookie data recordings (e.g., voice mail/phone recordings, Skype recordings).
• Other personal data namely where you or others (such as your colleagues) may register these data on or in our systems, programs and application such as business documents containing personal information (e.g., queries, questions, complaints, orders and related records, emails, reports, contracts, presentations, minutes, work products).
• Photos, images and/or videos.

The below mentioned types of personal data are only collected and processed, if at all, in accordance with applicable local laws in your country of residence and where relevant depending on your work assignment.

• Special categories of personal data such as data for travel emergency support (blood type, medical history, allergies).
• Data about criminal convictions and offences such as criminal background information for the purposes of criminal background screening.
• To the extent necessary to fulfil our obligations, data obtained from publicly accessible sources or which are legitimately transmitted by other third parties (e.g., a credit agency) such as data transferred to the Company by your employer or the company through which you are assigned to the Company, commercial register data, creditworthiness data.

In case you would like to be provided with information about a specific personal data processing activity, you can request that by submitting a request to the Company Contact identified in section 1.3.3 of this Policy.

Use of Data

The Company may use your personal data as described above for the following purposes:

• Human resources management as relevant to your work assignment and the services you are providing under the work assignment/statement of work directly to the Company including organization and personal administration, working hours management, improving and maintaining effective staff administration, internal workforce analysis, reporting and planning;
• Supplier and service provider management throughout the procurement, logistics and supply chain including contact interaction including tendering, engagement, processing orders, process and fulfilment of purchases, administration and management of suppliers, vendors, contractors, advisers and other professional experts including contact interaction, processing and fulfilling purchases and invoices, and contract lifecycle management;
• Staff transfer management from different affiliates and succession planning;
• Training contractors;
• Internal health and safety programs;
• Travel and expenses management and organization of business trips including monitoring of travelers to provide support during security or medical emergencies, providing travel security, health and safety training and on a voluntary basis assistance in giving security support during emergencies, insurance management;
• Finance and shared accounting services providing record to report, order to cash and purchase to pay services;
• Making use of work performance and products and for references on documents, such as drawings, purchase orders, sales orders, invoices, reports;
• Reorganization, acquisition and sale of activities, business units and companies;
• Monitoring and auditing compliance with the Company’s corporate policies, contractual obligations and legal requirements;
• Carrying out audits, reviews and regulatory checks to meet obligations to regulators;
• Maintaining and protecting the security of products, facilities, services, systems, networks, computers and information, preventing and detecting security threats, fraud or other criminal or malicious activities, and ensuring business continuity; and
• Managing IT resources, including infrastructure management including data backup, information systems’ support and service operations for application management, end user support, testing, maintenance, security (incident response, risk, vulnerability, breach response), master data and workplace including user accounts management, software licenses assignment, security and performance testing and business continuity.

The Company only collects the personal data from you that it needs for the purposes described above. For statistical purposes, improvement of our services and testing of our IT systems the Company uses as much anonymized data as reasonably possible. This means that these data can no longer (in)directly identify you or single you out as an individual.

When an Information Request is Refused by the Data Subject

Where it concerns processing operations related to your work assignment (as described above), the Company will not be able to adequately establish, conduct or terminate a business relationship with you, your employer or the company through which you are assigned to the Company and generally perform the purposes described above without certain personal data. Although the Company cannot obligate you to share your personal data with us, please note that this then may have consequences which could affect your work assignment in a negative manner, such as not being able to take requested pre-contractual measures to enter into a contract with you, your employer or the company through which you are assigned to the Company or to establish and continue your work assignment.

Legal Basis

The Company uses your personal data for the purposes described in this notice based on one of the following legal bases, as applicable:

• The Company may process your personal data for the fulfilment of contractual obligations resulting from your work assignment, or as part of pre-contractual measures the Company take;
• In some cases, the Company rely on our legitimate interests to process your personal data insofar as this is not overridden by your own privacy interests. Such interests may include:
  • Conduct, management, development and furtherance of our business in the broadest sense possible including supply of products and services, performance of agreements and order management with suppliers, process and fulfilment of purchases, process quality management and improvement of products or services, analytics and market intelligence, reduction of default risks in our procurement processes and reorganization, acquisition and sale of activities, business divisions and companies;
  • Monitor, investigate and ensure compliance with legal, regulatory, standard and the Company internal requirements and policies;
  • Prevent fraud and criminal activity including investigations of such activity, misuse of Company assets, products and services, and as strictly necessary and proportionate for ensuring network and information security; and o Transmitting personal data within the Company group for internal administrative purposes as necessary for example to provide centralized services.

You may obtain a copy of our assessment of why the Company may process your personal data for these interests by submitting a request to the Company Contact identified in section 1.3.3 of this Policy.

In some cases, the Company processes your personal data on the basis of legal obligations and statutory requirements, for example, on the basis of tax or reporting obligations, cooperation obligations with authorities, statutory retention periods or the disclosure of personal data within the scope of official or judicial measures may be required for the purposes of taking evidence, prosecution or enforcement of civil law claims.

Special Categories of Personal Data

• The Company will ask your explicit consent for specific activities in accordance with applicable law; or
• Where necessary for establishment, exercise and defense of legal claims.

With regard to personal data concerning criminal convictions and offences, the Company will only process such data where such processing is permitted by applicable (local) law.

4.3   Suppliers or Potential Suppliers

The Company collects and uses personal data that concerns you in connection with the agreements with our suppliers. The Company may collect the following categories of personal data:

• Identification data and business contact information, you share with us such as first name, last name, job/position/title, nationality, business email address, business address, telephone number, mobile telephone number, telefax number, private telephone number, gender, date of birth.
• Additional information you provide to us in the course of our business relations such as data concerning the fulfilment of our contractual obligations and precontractual measures including correspondence data, offers, tenders, resume/CV, conditions, contract and order data, invoices, payments, business partner history, records relating to queries/questions/complaints/orders.
• Electronic identification data and information collected by the communications systems, IT applications and website browser (where supplier has access or is affected by such systems or applications and in accordance with the applicable law) such as information technology usage (system access, IT and internet usage), device identifier (mobile device ID, PC ID), registration and login credentials, IP address, login data and log files, Analytics ID, time and URL, searches, website registration and cookie data, sound recordings (e.g., voice mail/phone recordings, Skype recordings).

The below mentioned types of personal data are only collected and processed, if at all, in accordance with applicable local laws in your country of residence and where relevant depending on the agreements with our suppliers.

• Data about criminal convictions and offences such as criminal background information and sanction list information to the extent required for the purposes of criminal background screening, due diligence and Anti Money Laundering obligations.
• To the extent necessary to fulfil our obligations, data obtained from publicly accessible sources or which are legitimately transmitted by other third parties (e.g., a credit agency) such as commercial register data, creditworthiness data.

Use of Data

The Company may use your personal data as described above for the following purposes:

• Supplier and service provider management throughout the supply chain including contact interaction including tendering, engagement, processing orders, process and fulfilment of purchases, administration and management of suppliers, vendors, contractors, advisers and other professional experts;
• Paying debts, supplier invoice and payment management, purchasing of direct and indirect services;
• Reporting and analytics including market intelligence and development and improvement of services or products through assessment and analysis of the information;
• Management of process quality;
• References on documents, such as tenders, purchase orders, invoices, reports;
• Contract lifecycle management;
• Payment collection and insolvency processes;
• Training suppliers;
• Finance and shared accounting services, providing record to report and purchase to pay services;
• Reorganization, acquisition and sale of activities, business units and companies;
• Monitoring and auditing compliance with the company’s corporate policies, contractual obligations and legal requirements;
• Carrying out audits, reviews and regulatory checks to meet obligations to regulators;
• Governance, risk and compliance, including due diligence and anti-money laundering obligations, customs and global trade compliance and sanctioned party list screening, security, including prevention, detection of crime and fraud;
• Maintain and protect the security of products, facilities, services, systems, networks, computers and information, preventing and detecting security threats, and fraud or other criminal or malicious activities; and
• Manage IT resources, including infrastructure management including data back-up, information systems’ support and service operations for application management, end user support, testing, maintenance, security (incident response, risk, vulnerability, breach response), user accounts management, software licenses assignment, security and performance testing and business continuity.

The Company only collects the personal data from you that it needs for the purposes described above. For statistical purposes, improvement of our services and testing of our IT systems the Company uses as much anonymized data as reasonably possible. This means that these data can no longer (in)directly identify you or single you out as an individual.

When an Information Request is Refused by the Data Subject

Where it concerns processing operations related to the agreements with our suppliers (as described above), the Company will not be able to adequately establish, conduct or terminate a business relationship with you or your company and generally perform the purposes described above without certain personal data. Although the Company cannot obligate you to share your personal data with us, please note that this then may have consequences which could affect the business relationship in a negative manner, such as not being able to take requested pre-contractual measures to enter into a contract with you or to establish and continue the business relationship you have asked for.

Legal Basis

The Company uses your personal data for the purposes described in this notice based on one of the following legal bases, as applicable:

The Company may process your personal data for the fulfilment of contractual obligations resulting from contracts with you or your company, or as part of pre-contractual measures the Company take;

In some cases, the Company rely on our legitimate interests to process your personal data insofar as this is not overridden by your own privacy interests. Such interests may include:

• Conduct, management, development and furtherance of our business in the broadest sense possible including supply of products and services, performance of agreements and order management with suppliers, process and fulfilment of purchases, process quality management and improvement of products or services, analytics and market intelligence, reduction of default risks in our procurement processes and reorganization, acquisition and sale of activities, business divisions and companies;
• Monitor, investigate and ensure compliance with legal, regulatory, standard and the Company internal requirements and policies;
• Prevent fraud and criminal activity including investigations of such activity, misuse of Company assets, products and services, and as strictly necessary and proportionate for ensuring network and information security; and
• Transmitting personal data within the Company group for internal administrative purposes as necessary for example to provide centralized services.

In some cases, the Company processes your personal data on the basis of legal obligations and statutory requirements, for example, on the basis of tax or reporting obligations, cooperation obligations with authorities, statutory retention periods or the disclosure of personal data within the scope of official or judicial measures may be required for the purposes of taking evidence, prosecution or enforcement of civil law claims.

Regarding personal data concerning criminal convictions and offences, the Company will only process such data where such processing is permitted by applicable (local) law.

4.4   Customers/Clients or Potential Customers/Clients

Standard Types of Information that the Company Collects and Uses

The Company collect the following categories of personal data:

• The business contact information you share with us: name, title, job title, email address, business address, telephone number, mobile telephone number
• Additional information you provide to us in the course of our business relations, such as: interests in the Company services or products, marketing preferences, registration information provided at events, fairs, contract or order data, invoices, payments, business partner history, etc.
• Information your browser makes available when you visit the Company website: IP address, the source of your site visit, time spent on the website or a particular page, links clicked, comments shared, browser type, date and time of visit, etc.
• To the extent necessary to fulfil our obligations, data obtained from publicly accessible sources or which are legitimately transmitted by other third parties (e.g., a credit agency): commercial register data, association register data, creditworthiness data.

Use of Data

The Company uses your personal data to:

• Process and fulfil orders and keep you informed about the status of your or your company’s order;
• Provide and administer our products and services;
• Provide customer support and process, evaluate and respond to requests and inquiries;
• Conduct and facilitate customer satisfaction surveys;
• Conduct marketing and sales activities (including generating leads, pursuing marketing prospects, performing market research, determining and managing the effectiveness of our advertising and marketing campaigns and managing our brand);
• Send you marketing communications (such as alerts, promotional materials, newsletters, etc.);
• Perform data analytics (such as market research, trend analysis, financial analysis, and customer segmentation).

The Company only collects the personal data from you that it needs for the above purposes. The Company may also anonymize your personal data, so it no longer identifies you and use it for various purposes, including the improvement of our services and testing our IT systems.

When an Information Request is Refused by the Data Subject

Certain personal data is necessary to establish, conduct or terminate a business relationship with you. The Company need you to provide us with the personal data required for the fulfilment of contractual obligations or which the Company are legally obliged to collect. Without such personal data, the Company will not be able to establish, execute or terminate a contract with you. Also, the Company will be unable to take requested pre-contractual measures to enter a contract with you or to establish and continue the business relationship you have asked for.

Legal Basis

The Company uses your personal data for the purposes described in this notice based on one of the following legal bases, as applicable:

• The Company may process your personal data for the fulfilment of contractual obligations resulting from contracts with you or your company, or as part of precontractual measures the Company have been asked to take;
• The Company may process your personal data on the basis of statutory requirements, for example, on the basis of tax or reporting obligations, cooperation obligations with authorities or statutory retention periods;
• The Company will ask your consent for the activities described in this privacy notice when required by applicable law, for example when the Company processes your data for marketing purposes where the Company don’t have an existing business relationship with you or your company; or
• The Company will rely on our legitimate interests to process your personal data within the scope of the business relationship with you or your company. Our legitimate interests to collects and uses the personal data for this purpose are management and furtherance of our business.

You may obtain a copy of our assessment of why the Company may process your personal data for these interests by submitting a request to the Company Contact identified in section 1.3.3 of this Policy.

4.5   Other Data Subject Types

Unsolicited Personal Information

If you send the Company unsolicited personal information, for example a CV, the Company reserves the right to immediately delete that information without informing you or to decide which category of data subject that you appear to be and manage your personal data within the remit of that category as described elsewhere in this Privacy Notice.

Website Users

The Company collects the following categories of personal data:

• The business contact information you share with us: name, title, job title, email address, business address, telephone number, mobile telephone number, etc.
• Information your browser makes available when you visit the Company website: IP address, the source of your site visit, time spent on the website or a particular page, links clicked, comments shared, browser type, date and time of visit, etc.

Use of Data

The Company uses your personal data to:

• Respond to your specific request that you make, for example request a demonstration, whitepapers, newsletters, or other information.
• Provide customer support and process, evaluate and respond to requests and inquiries;
• Conduct and facilitate customer satisfaction surveys;
• Conduct marketing and sales activities (including generating leads, pursuing marketing prospects, performing market research, determining and managing the effectiveness of our advertising and marketing campaigns and managing our brand);
• Send you marketing communications (such as alerts, promotional materials, newsletters, etc.);
• Perform data analytics (such as market research, trend analysis, financial analysis, and customer segmentation).

The Company only collects the personal data from you that it needs for the above purposes. The Company may also anonymize your personal data, so it no longer identifies you and use it for various purposes, including the improvement of our services and testing our IT systems.

Legal Basis

The Company uses your personal data for the purposes described in this notice based on one of the following legal bases, as applicable:

• Legitimate interest as by using our website it is understood that there is potential for you to be a potential customer, contractor, employee, or supplier.

5.  Company References and Documentation

In accordance with the legal requirements of the privacy laws, regulations, and acts that the Company follows, a comprehensive set of documentation has been created and is regularly maintained for the purposes of maintaining compliance and producing evidence of compliance. In this regard, the Company has created and maintains the following documentation alongside this Policy in order to ensure that Data Subject’s Rights are being properly managed.

5.1   Record of Processing Activities (RoPA)

Article 30 of the GDPR stipulates the need for data controllers to create and maintain a Record of Processing. This record is a document with the purpose of creating an inventory of data processing activities that can be analyzed to help the Company precisely identify:

• Controllers, Processors, and Joint Controller.
• Categories of processed data.
• Why data is being processed and what is being done with it.
• Who has access to, or are the recipients of the personal data.
• Data Retention Schedules
• TOMs, or other controls that have been implemented to protect data.
• If special category data is being processed.

For a complete list of RoPA, please make a request by contacting the Company Contact identified in section 1.3.3 of this Policy.

5.2   Record Retention and Disposal Schedule

Maintained within IMS POL-0005 Record Retention and Disposal Policy, is the Company’s Record Retention and Disposal Schedule that provides a comprehensive list of all types of records, data, and information that must be retained, and for what period of time. Please refer to Appendix B: Record Retention Schedule for a complete exhibit of the Company’s Record Retention Schedule.

Note: Where it is not practical to uniquely segregate and manage specific data types, then a blanket 7-year policy will be applied to all data with a general retention period of 6 years or less.

Appendix A: References and Sources

The following table represents a list of all publications used in the creation of this document.