CSL Group Holdings Limited

Third Party Data Retention and Data Breach Policy

  1. ABOUT THIS POLICY
  2. During the course of our activities we shall store and retain personal data about our customers and other third parties. This Policy explains the way in which this information must be stored and retained, and also explains the way in which data breaches must be identified, documented and responded to by CSL Group Holdings Limited (“CSL”) employees.
  3. This Data Retention and Data Breach Policy should be read together with our Data Protection Policy, which explains how certain information must be collected, handled, processed and transferred.
  4. If you have any questions about the operation of this Policy, the processing of personal data in general or any concerns that the Policy has not been followed, in particular if you are unsure about what to do in a particular situation, please immediately consult the Directors’ PA (“Key Individual”).
  5. OVERVIEW
  6. “Personal data” means any information relating to an identified or identifiable natural person (i.e. a “data subject”). Everyone has rights under the law with regard to the way in which their personal data is handled. This applies to data which may be held on paper, a computer or any other structured set of information.
  7. The correct and lawful treatment of this data will maintain confidence in the organisation and will assist in the successful running of our business. You are obliged to comply with this Policy when processing personal data on our behalf. Any breach of this Policy may result in disciplinary action.
  8. In particular, we are legally obliged to ensure the following:
  9. that we keep personal data up to date and take steps to ensure the accuracy of the personal data we hold, erasing or rectifying any inaccurate data without delay;
  10. that we keep personal data in a form which identifies an individual for no longer than is necessary;
  11. that we take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or destruction or damage to, personal data; and
  12. that we put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction.
  13. DATA RETENTION
  14. We must only collect personal data to the extent that it is required for the specific purpose notified to the data subject.
  15. We must ensure that personal data we hold is accurate and kept up to date. We shall check the accuracy of any personal data at the point of collection and at regular intervals afterwards, and in any event we should perform a review to this effect no later than the time periods specified in Schedule 1. We shall take all reasonable steps to destroy or amend inaccurate or out-of-date data whenever this comes to our attention.
  16. Personal data should not be kept for any longer than is necessary for the purpose for which it was originally collected or used, or for any other purpose for which we are subsequently authorised to process it. We shall take all reasonable steps to destroy, or erase from our systems, all data which is no longer required for the purpose for which it was originally processed. This should be done periodically and whenever it comes to our attention that we no longer require such information, and in any event we should actively consider whether we still require such information no later than the time periods specified in Schedule 1.
  17. If the purposes for which we process personal data do not or no longer require the identification of a data subject by us, we shall not be obliged to maintain, acquire or process additional information in order to identify the data subject.
  18. DATA SECURITY
  19. We shall maintain data security by testing and protecting the confidentiality, integrity, availability and resilience of the personal data, defined as follows:
  20. Testing means that we must have a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
  21. Confidentiality means that only people who are authorised to use the data can access it.
  22. Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
  23. Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on CSL’s central computer system instead of individual PCs.
  24. Resilience means that we must maintain and follow at all times an effective system for backing up data and regularly test the ability to restore data.
  25. Security procedures include:
  26. Entry controls. Any stranger seen in entry-controlled areas not accompanied by a member of CSL’s personnel should be reported.
  27. Secure lockable desks and cupboards. Desks and cupboards should be kept locked when unattended if they hold confidential information of any kind (personal information is always considered confidential).
  28. Methods of disposal. Paper documents should be shredded when no longer required. Digital storage devices should be physically destroyed when they are no longer required.
  29. Equipment. Data users must ensure that individual monitors do not show confidential information to passers-by and that they either lock or log off from their PC when it is left unattended.
  30. Other measures include the following:
  31. Passwords. Always keep your password and user name secure and do not share them.
  32. Computer programmes. Do not open email attachments from an unknown source and do not download or run any programmes or games, especially where sent by email. Do not download business data onto any laptop unless authorised by the Key Individual.
  33. Laptops. When taking a laptop with you to another country for business, ensure that it only contains the customer information you need. If your laptop is lost or stolen, contact the Key Individual immediately. Ensure that any personal data held on a laptop is encrypted.
  34. Storing emails. Please tidy your inbox, outbox and folders regularly. Do not store messages or attachments longer than necessary. Your emails, even if marked “private” or “confidential”, might also be viewed by network supervisors or management when lawful to do so.
  35. Sending emails. Do not send any email which might be construed as offensive or discriminatory and do not download offensive or inappropriate material. Consider sending confidential information by secure email. Always write your emails as if they are permanent, because even when they have been deleted they can often still be retrieved and may be disclosable to a Court or regulator.
  36. From time to time, we should consider (taking into account the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk involved) implementing further appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This may include, where appropriate, the pseudonymisation and encryption of personal data and additional measures to ensure the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
  37. DATA BREACHES – immediate steps to take
  38. A “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Examples of a breach would include:
  39. personal data accidentally being sent to someone (either internally or externally) who does not have a legitimate need to see it;
  40. databases containing personal data being compromised, for example being illegally accessed by individuals outside CSL;
  41. loss or theft of laptops, mobile devices or paper records containing personal data;
  42. staff accessing or disclosing personal data outside the requirements or authorisation of their job;
  43. being deceived by a third party into improperly releasing the personal data of another person;
  44. the loss of personal data due to unforeseen circumstances such as fire or flood; or
  45. any instance of CSL’s procedures relating to data protection not being followed.
  46. In the case of a personal data breach, you must:
  47. try to contain the breach and limit its scope and impact, for example, by telling the recipient to destroy, remove and not discuss the information; and
  48. immediately inform the Key Individual of the breach, including as much information as possible such as the date and time of the breach, when it was detected, who committed the breach, how many data subjects were involved and any measures already taken to try and contain the breach.
  49. Upon receipt of the notification above, the Key Individual shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Information Commissioner’s Office, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the Information Commissioner’s Office is not made within 72 hours, the notification must be accompanied by reasons for the delay.
  50. The notification to the Information Commissioner’s Office must, at the very least:
  51. describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  52. communicate the name and contact details of the contact point where more information can be obtained;
  53. describe the likely consequences of the personal data breach as far as possible; and
  54. describe the measures taken or proposed to be taken by CSL to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  55. We must always document any personal data breaches, fully and accurately detailing the facts relating to the personal data breach, its effects, and the remedial action taken.
  56. DATA BREACHES – WHEN TO NOTIFY THE DATA SUBJECT
  57. We are only required to notify the personal data breach to the data subject where it is likely to result in a high risk to their rights and freedoms. This must be done without undue delay, and describe in clear and plain language the nature of the breach, containing at least the following information:
  58. the name and contact details of the contact point where more information can be obtained;
  59. the likely consequences of the personal data breach as far as possible; and
  60. the measures taken or proposed to be taken by CSL to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  61. We are not required to notify the data subject of a data breach where:
  62. we applied effective, appropriate technical and organisational protection measures to the personal data affected by the breach, such as to render the data meaningless to any person who is not authorised to access it (such as encryption);
  63. we have taken subsequent measures which ensure that a material risk to the rights and freedoms of data subjects is unlikely to materialise; or
  64. this would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an effective and prompt manner.
  65. Please note that where we have decided that we do not need to notify the data subject of a data breach, the Information Commissioner’s Office may decide to require us to do so anyway.
  66. CHANGES TO THIS POLICY

We reserve the right to change this policy at any time.

Schedule 1- Data retention periods

Item No / Type of data subject / Type of data / Purpose of processing / Retention Period
Customer / Name (including name of sales contact), address, telephone number and email address / In order to open a trading account, process or fulfil an order, including:
  • managing, processing, dispatching and processing payments for orders;
  • managing customer or credit accounts and keeping adequate records of past purchases;
  • contacting the customer regarding their order, or to update them if we change the way that our products or services work;
  • in order to verify the customer’s identity and assess their creditworthiness in order to open an account with us.
/ We should retain this data for as long as necessary under the contract and for a period of 6 years from the date that the last order was placed or the account was closed.
Customer / Name (including name of sales contact), address, telephone number and email address. / In order to send marketing communications which have previously been consented to, or to existing customers in relation to similar goods or services. / Where consent has been obtained, we should obtain fresh consent from the customer every 5 years from the date on which consent was last given.
If sending marketing in relation to similar goods or services, we should delete their details 5 years from the date of last purchase.
Customer / Contracts or records of purchasing. / As a record of the agreement reached with the customer (or supplier). / Permanent if current (destroy after 10 years from last recorded contract if expired).
Supplier / Name (including sales contact), address, phone number, bank details, email address. / To place orders and to process and pay for goods or services purchased by CSL and to keep records of past purchases. / Permanent if current (destroy after 10 years from last recorded contract if expired).
Website users / Technical information about a user’s visit to our website, including: cookies, IP address, browser type, time zone, operating system/platform, URL used to access, clickstream information, products viewed or searched for, page response times, download errors, page visit duration and interaction information. / For the following purposes:
  • to improve our site so that content is presented in the most effective manner;
  • as part of our efforts to keep our site safe and secure; and
  • for troubleshooting, data analysis, testing, research, statistical and survey purposes.
/ Information will be removed after six months.
Customers, suppliers, other third-party visitors / Name, organisation, registration number. / To verify the identity of all individuals onsite, to ensure the health and safety of all persons on CSL’s premises, and in order to exercise or defend legal claims, or comply with a legal obligation, where necessary. / For as long as the visitors’ book lasts.

CW01/CW01/3616822/CSL4/1