Vespasian Security Ltd. is a “data controller”. This means that we are required under data protection legislation to notify you of how we will process your personal data both during the employment relationship and post termination. This notice will explain how we collect your personal data, its use, storage, transfer and security. We will also explain what rights you have in relation to how we process your personal data. It is important that you read this notice, together with any other privacy notice we may provide during your employment, so that you are aware of how and why we are processing your personal data. This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time.

We are required by law to ensure that when processing any of your personal data that it is:

• Used lawfully, fairly and in a transparent way.

• Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.

• Relevant to the purposes we have told you about and limited only to those purposes.

• Accurate and kept up to date.

• Kept in a form which permits you to be identified for only as long as necessary for the purposes we have told you about.

• Kept securely.

We collect, use and store:

• Your name, salutation, addresses, contact numbers, and personal email addresses.

• Date of birth.

• Gender.

• Next of kin and emergency contact information.

• National Insurance number.

• Bank account details, payroll records and tax status information.

• Salary, annual leave, pension and benefits information.

• Start date.

• Location of employment or workplace.

• Copy of driving licence.

• Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process).

• Employment records (including job titles, work history, working hours, training records and professional memberships).

• Compensation history.

• Performance information.

• Disciplinary and grievance information.

• CCTV footage and other information obtained through electronic means such as swipe card records.

• Information about your use of our information and communications systems.

• Photographs.

We may also collect, store and use the following “special categories” of more sensitive personal information:

• Information about your health, including any medical condition, health and sickness records.

• Information about criminal convictions and offences.

We collect your personal data by a variety of means. At recruitment stage we have already collected data through the application process directly. We may sometimes collect additional information from third parties including former employers, credit reference agencies and personal references. Whilst you are working with us periodically we may need to collect additional personal information from you not identified on the above list but before doing so we will provide you with a written notice setting out details of the purpose and the lawful basis of why we are collecting that data, its use, storage and your rights.

For the most part we will use your personal data for one of the following lawful bases:

a) Where we need to perform the contract we have entered into with you.

b) Where we need to comply with a legal obligation. There are other rare occasions where we may use your personal data, which are:

c) Where we need to protect your interests (or someone else’s interests).

d) For official purposes.

During your employment and for a short period after the relationship has ended, we will use your personal information for specific purposes. The list below describes the purpose of our processing, the personal data involved (from clause 3 above) and the lawful basis for our processing (from clause 5 above):

Determining the terms on which you work for us.

Checking your right to work in the UK.

When making payments to you to also include any necessary tax and NI deductions.

Liaising with your pension provider and making payments.

Administration related to the perf contract of employment Business management and work force planning, including accounting and auditing.

Conducting and managing reviews of performance and determining performance requirements.

Making decisions regarding promotions to include assessing qualifications for a particular role

Gathering evidence for a possible disciplinary or gathering evidence in respect of an informal complaint or grievance.

Making decisions about your continued employment or engagement.

Making arrangements for the termination of our working relationship.

Education, training and development requirements.] Dealing with legal disputes involving you or other employees, workers and contractors, including accidents at work.

Managing sickness absence, ascertaining your fitness to work.

Complying with health and safety obligations, completion of accident book and RIDDOR reporting

Monitoring use of our information and communication systems to ensure compliance with our internal procedures and prevention of security lapses and breach of data protection laws.

Gathering data analytics to assess retention and attrition rates

Equal opportunities monitoring

It’s possible that some of the grounds for processing will overlap.

We will only ask you to provide information which we believe is necessary for the performance of the contractual employment relationship (for example bank account details to pay you) or our associated legal obligations (for example giving salary information to HMRC). If you fail to provide certain information when requested we may not be able to meet our contractual obligations to you or we may not be able to fulfil our legal obligations.

We will only use your personal data for the stated purposes, unless we consider that there is a need to use it for another reason and that reason is compatible with the original purpose. However, if we consider that it is necessary and reasonable to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.

There may be circumstances where we have to process your personal data without your knowledge or consent, where this is required by law and in compliance with the above rules.

Any personal data which reveals your, ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic, biometric or health data, sex life and sexual orientations will be regarded as special categories of personal data. We will only use this data in the following ways:

• In order to comply with employment and other laws when processing and managing situations connected with absences arising in relation to your sickness or family/ dependant related leave.

• To ensure we meet our health and safety obligations towards you and other employment related obligations we will use information about your physical or mental health or disability status to assess your capability to perform your role, monitor and manage your sickness absence, provide appropriate workplace adjustments and administer health related benefits.

• Where it is needed in the public interest, for example for equal opportunity monitoring and reporting.

There may be circumstances where we need to process this type of information for legal claims or to protect your interests (or someone else’s) and you are not able capable of giving your consent or where the relevant information has already been made public.

If we are using your personal sensitive data in accordance with our written policy to perform our legal obligations or exercise specific rights connected to your employment, in these circumstances we do not need your written consent to use sensitive personal data.

However, in limited circumstances, we may request your written consent to allow us to process your sensitive personal data. For example, your written consent will be required before we instruct a medical practitioner to prepare a medical report. If, it becomes necessary to request your consent to process your sensitive personal data, we will provide you with details of the information that we require and why we need it, so that you can decide whether you wish to provide your consent. It is not a condition of your contract of employment with us that you must agree to any request for consent.

We envisage that we will hold information about criminal convictions.

We will only collect information about criminal convictions if it is appropriate given the nature of the role and duties you will perform and where we are legally entitled to do so.

We will use information about criminal convictions and offences in the following ways:

• To ascertain suitability to role

We are allowed to use your personal information in this way to carry out our obligations if requested by any statutory body

We have in place policy and safeguards which we are required by law to maintain when processing this data.

It is our intention that you will not be subject to automated decision making which will have a significant impact on you, unless we have a lawful reason for doing so and we have notified you.

In order to meet our legal obligations connected with your employment relationship it is necessary to share your personal information with certain third parties (see below). We also need to share your data when we have legitimate business reasons for doing so and also where it is necessary in order to perform your contract.

The following third-party service providers process personal information about you for the following purposes:

• Vespasian Security’s Registered Accountant (for the purpose of payroll and associated contributions (NI, PAYE etc)

• NEST Pensions (For the Purposes of Pension Provider)

• PARiM (Vespasian Security’s online booking portal)

• The Security Industry Authority (for the purposes of validation of SIA liciensing) We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business.

We may also need to share your personal information with a regulator or to otherwise comply with the law. 15. Third party service providers and data security Third party service providers are only permitted to process your personal data in accordance with our specified instructions. They are also required to take appropriate measures to protect your privacy and personal information. We do not allow your information to be used by the third parties for its own purposes and business activities.

We do not transfer personal data outside the EEA.

We take your privacy and protection of data very seriously. Consequently, we have put in place appropriate security measures to prevent unauthorised use of your personal data. Details of the measures which are in place can be obtained from Simon Hodge. We will notify you and any applicable regulator of any suspected unauthorised use of your personal data.

We will retain your personal data for as long as is necessary to fulfil the purposes for which it was collected for. Details of retention periods for specific purposes are available in our data retention policy which is available from Simon Hodge. When your employment relationship comes to an end with our business we will either retain or securely destroy your personal data in accordance with our data retention policy or other applicable laws and regulations.

In order that we can ensure that the personal data we hold in relation to you is accurate, it is important that you keep us informed of any changes to that data.

Subject to legal limitations you have the right to:

• Request access to your data: You can ask us to provide a copy of the personal data we hold about you.

• Request corrections to be made to your data: If you think that your personal data is incomplete, inaccurate you can ask us to correct it.

• Request erasure of your data: If you consider there is no lawful basis for us to continue processing your data you can ask for that data to be deleted or removed.

• Object to the processing of your data: If our lawful basis for processing your data relates to a legitimate business interest (or third party interest) you can raise an objection to that interest. You can also object to us using your information for direct marketing purposes.

• Request that processing restrictions be put in place: If you believe that your information is being processed without a lawful reason or that the information is incorrect you can request that a freeze/restricting is placed on the processing of the information until your concerns are addressed.

• Request a transfer of your personal data: You can ask us to transfer your personal data to a third party. If you wish to exercise any of the above rights please contact Simon Hodge, Company Director in writing.

You will not be expected to pay a fee to obtain your personal data unless we consider that your request for access to data is unfounded or excessive. In these circumstances we may charge you a reasonable fee or refuse to comply with your request.

Whenever you make a request for access to personal data, we may request specific information to confirm your identity. This is usually done to ensure that we are releasing personal data to the correct person.

If we have asked for your written consent to obtain information, you have the right to withdraw your consent at any time. To withdraw your consent please contact Simon Hodge (info@vespasiansecurity.co.uk or 02392 295503).

Once we receive your notice of withdrawal we will cease processing your data unless we have any other lawful basis on which to continue processing that data.

We reserve the right to amend or update this privacy notice at any time. We will provide you with a new notice when we make any updates.

To exercise all relevant rights, queries or complaints please in the first instance contact our Data Protection Officer on 02392295503. If this does not resolve your complaint to your satisfaction, you have the right to lodge a complaint with the Information Commissioners Office on 03031231113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England.