Staff Handbook UK

assessment will: describe the envisaged processing operations; the purpose of the processing; the necessity and proportionality of the processing operations; assess the risks to the rights and freedoms of individuals; and measures and safeguards to address such risks.

Data Breaches

In the case of a data breach that poses a risk to the rights and freedoms of individuals, the Company will report it to the Information Commissioner within 72 hours of having become aware of the breach. All data breaches will be documented. This will include the facts relating to the data breach, its effects and remedial action.

If the breach is likely to result in a high risk to the rights and freedoms of individuals, the Company will communicate to the data subjects that there has been a breach. In addition, the Company will provide them with appropriate information about the nature of the breach, the appropriate contact in the Company if they require more information, the likely consequences of the breach and the mitigation steps taken to address any adverse effects.

International data transfers

HR-related personal data may be transferred to group staff based in Canada where necessary to effectively undertake staff management, HR and other relevant duties. The Canada based staff are instructed only to access and process such data to the extent that it is necessary, and to ensure all such data is secure and deleted in accordance with the retention periods set out above. This transfer of data outside the EEA is necessary for the performance of the individual's contract of employment.

It may be that your personal data will be transferred outside the European Economic Area (EEA) through the use of cloud storage or similar technology. In such circumstances data will only be transferred to organisations which are covered by an adequacy decision by the EU Commission.

Individual Responsibilities

You should assist the Company to keep your personal data accurate and up to date. You should advise the Company as soon as possible if any information you have provided to the Company changes, such as personal details, a change of address or a change in bank details.

Where you have access to personal data relating to others, then you must recognise and comply with your responsibilities under Data Protection legislation. If you have access to personal data, you must:

• only access personal data you have been given authority to access;
• only access personal data for authorised purposes;
