Legal notices: Whistleblowing Privacy Notice
PRIVACY NOTICE
Your privacy is important to us. This Privacy Notice sets out how we treat and handle personal information that is collected in connection with our whistleblowing procedures and investigations ("Whistleblowing Process").
This Privacy Notice is intended to assist you in making informed decisions when using the Whistleblowing Process and in understanding how your personal information may be processed. Please take a moment to read and understand it. The application of this Privacy Notice aims to be as consistent as possible across our business and the countries in which we have a presence. However, it is possible that local laws in your country will specify certain additional or different requirements that may apply to you, depending on your particular situation. You should therefore also refer to any country-specific notices that are included in an Annex to this Privacy Notice, where applicable.
1. Information about the Data Controller
DLA Piper UK LLP is the controller of your personal data processed as part of the Whistleblowing Process. Please note that depending on the nature of the whistleblowing report, other DLA Piper entities may also be data controllers responsible for processing your data. For more information on those entities, please see www.dlapiper.com/practicingentities and https://www.dlapiper.com/en/europe/legalnoticespage/governance-service-entities/.
Safecall, the provider of the whistleblowing service, may in limited circumstances also be a data controller of certain of your personal data.
2. What Personal Data do we process
To the extent permitted by law, the Whistleblowing Process may be used without providing your personal data. You may, however, voluntarily disclose your personal data, in particular information about your identity and contact details, e.g. your first and last name, address, your country of residence, your telephone number, email address and which firm entity you work for. We do not in the ordinary course of the Whistleblowing Process collect any special category or sensitive data (such as race/ethnic origin, religion or sexual orientation); however, this data may also be processed if it is provided by you. Please only provide this type of data when it is essential to your report. We may also process personal data about other individuals that may have been provided as part of the whistleblowing report. Depending on the nature of your report, those individuals may be given the opportunity to respond to it. We will not disclose your identity unless: it is necessary to do so; you have provided your consent; or it is required under law.
In addition, we will also use your personal data for reporting and statistical purposes on an anonymous basis.
3. Our Legal Ground of Processing
We process personal data to investigate whistleblowing reports made via the Whistleblowing Process and to implement any actions and remedial measures that are considered necessary and appropriate following an investigation. We rely on the following legal bases to process your information, as applicable in your particular circumstances:
- You have given your consent to the processing of your personal data (GDPR art. 6 (1));
- It is our legal obligation to use your personal information to comply with any legal obligations imposed upon us (GDPR art. 6(1)(c)); and/or
- It is in our legitimate interest or a third party's legitimate interest to use personal information to investigate the whistleblowing reports (GDPR art. 6(1)(f)).
Our legal basis for processing any sensitive data about you that you may share with us is your explicit consent (GDPR Art. 9 (2)).
4. Technical and Organizational Measures for Protection of your Personal Data
We are committed to keeping the personal information provided to us secure and we have implemented appropriate technical and organisational measures to protect the personal information that we process from accidental or unlawful destruction, loss, alteration, unauthorised access, or use.
5. Disclosure of Personal Data
As necessary and appropriate in the circumstances of a particular whistleblowing investigation, your data will be disclosed to a restricted number of individuals in the firm with authority to investigate the whistleblowing report and to implement any remedial measures. It may also be disclosed to individuals relevant to the investigation and to other DLA Piper entities as required, as set out in paragraph 1 above.
Depending on the nature of the report, we may also need to share your data with other third parties such as:
- Our professional advisers such as lawyers and accountants;
- Government or regulatory authorities; and
- Professional indemnity or other relevant insurers.
In addition, your data will be disclosed to certain third parties to whom we outsource certain services such as, without limitation, document processing and translation services, IT Systems and software providers and document and storage providers, specifically, Safecall, the provider of the whistleblowing service. We have put in place appropriate measures with Safecall to ensure the adequate protection of your personal data.
Where disclosure of your personal data is required pursuant to a legal obligation we will notify you of this to the extent legally permitted.
6. How long do we keep your Personal Data for
We will retain personal information for as long as it is necessary to investigate the whistleblowing report. We may retain some data in relation to the investigation for at least 6 years after the report is closed in compliance with our legal and regulatory duties. Data not required any longer will be deleted and/or anonymised.
7. Transfer of your personal data
In order to investigate the whistleblowing report, we may need to transfer your personal information to locations outside of the jurisdiction in which you provide it. If you are based within the European Economic Area (EEA), please note that where necessary we will transfer personal information to countries outside the EEA.
All DLA Piper entities have signed a data sharing agreement which is based on the EU standard contractual clauses to ensure we comply with our legal and regulatory obligations in relation to the processing of personal information, including having a lawful basis for transferring personal information and putting appropriate safeguards in place to ensure an adequate level of protection for the personal information.
8. Your rights
You have the following rights in relation to the personal information we hold about you:
- Your right of access
If you ask us, we'll confirm whether we're processing your personal information and, if necessary, provide you with a copy of that personal information (along with certain other details). If you require additional copies, we may need to charge a reasonable fee.
- Your right to rectification
If the personal information we hold about you is inaccurate or incomplete, you are entitled to request to have it rectified. If you are entitled to rectification and if we've shared your personal information with others, we'll let them know about the rectification where possible. If you ask us, where possible and lawful to do so, we'll also tell you who we've shared your personal information with so that you can contact them directly.
- Your right to erasure
You can ask us to delete or remove your personal information in some circumstances such as where we no longer need it or if you withdraw your consent (where applicable). If you are entitled to erasure and if we've shared your personal information with others, we'll let them know about the erasure where possible. If you ask us, where it is possible and lawful for us to do so, we'll also tell you who we've shared your personal information with so that you can contact them directly.
- Your right to restrict processing
You can ask us to 'block' or suppress the processing of your personal information in certain circumstances, such as where you contest the accuracy of that personal information or you object to us. If you are entitled to restriction and if we've shared your personal information with others, we'll let them know about the restriction where it is possible for us to do so. If you ask us, where it is possible and lawful for us to do so, we'll also tell you who we've shared your personal information with so that you can contact them directly.
- Your right to data portability
You have the right, in certain circumstances, to obtain personal information you've provided us with (in a structured, commonly used and machine readable format) and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.
- Your right to object
You can ask us to stop processing your personal information, and we will do so, if we are relying on our own or someone else's legitimate interests to process your personal information, except if we can demonstrate compelling legal grounds for the processing.
- Your right to withdraw consent
If we rely on your consent as our legal basis for processing your personal information, you have the right to withdraw that consent at any time.
Please note that some of these rights may be limited where we have an overriding interest or legal obligation to continue to process the data or where data may be exempt from disclosure due to reasons of legal professional privilege or professional secrecy obligations.
To assert any of the above rights please contact privacyteam@dlapiper.com.
If you have a concern about any aspect of our privacy practices, including the way we’ve handled your personal information, you can report it to the relevant Supervisory Authority, in particular in the country that you are resident in.
If you have any questions regarding the processing of your personal data using the whistleblowing service, please contact the firm’s Privacy Officer, Mariette Kruger, DLA Piper UK LLP, London, directly or the firm’s Privacy Team at privacyteam@dlapiper.com.
For more information about how personal data is processed in the firm please see our Privacy Policy.