Author: Global Privacy

Version: 1.2
Privacy Policy
Location: Central Document Repository Document: Privacy Policy
INTERNAL USE ONLY
Author: Global Privacy Updated by: Global Privacy
Release Date: September 2023 Last Reviewed: September 2023
Status: Approved Owner: Global Head of Privacy
Version: 1.2 Custodian: Regional Head of Privacy

......................................................................................................................... 3
.............................................................................................................................. 3
.................................................................................. 4
..................................... 4
.................................................................................. 4
General guidelines ....................................................................................................................... 5
................... 7
Data Protection Impact Assessment ........................................................................................... 7
International data transfer .......................................................................................................... 9
Breach notification and reporting ............................................................................................... 9
.......................................................... 10
............................................................................................. 10
..................................................................... 11
................................................................................................... 13
........................................................................................... 14
Document identification............................................................................................................ 14
Referenced documents ............................................................................................................. 14
History ....................................................................................................................................... 14

Privacy policy 2
Privacy Policy
Location: Central Document Repository Document: Privacy Policy
INTERNAL USE ONLY
Author: Global Privacy Updated by: Global Privacy
Release Date: September 2023 Last Reviewed: September 2023
Status: Approved Owner: Global Head of Privacy
Version: 1.2 Custodian: Regional Head of Privacy

This is the ‘Privacy Policy’ of Foundever™ or any of its parent, sibling, subsidiaries or affiliate companies,
(“Foundever”, “We”, “Company”).

This Policy sets out the obligations when processing the Personal Data of others, including any client
customer information, in the course of your work for us. This Policy is intended to ensure that we:

• Protect individuals whose Personal Data we process;

• Maintain confidence in our organization and our business reputation; and
• Comply with our legal obligations. If our organization fails to comply with data protection laws,
this can lead to significant sanctions, including substantial fines.
• Protect the organization from risk of Personal Data breaches and breaches of data protection
laws.

Please see EverConnect for translated versions of the Policy. In the event of any difference in meaning,
the English version of this Policy shall prevail.

The main terms used are explained in the definition of terms at the end of the document.

This Policy applies to all Foundever employees, associates, workers, and contractors and any third-party
agents engaged in supporting Foundever business worldwide. It is essential that you read, understand
and comply with this policy as non-compliance may result in disciplinary action.

This Policy does not form part of your contract except to the extent that it supplements, expands, or
imposes data protection obligations on you.

This Policy is an internal, confidential document. You must not share it with third parties, clients or
regulators without prior authorization from the Data Protection Officer. We may amend this Policy at
any time and may vary it as appropriate to a particular case.

Privacy policy 3
Privacy Policy
Location: Central Document Repository Document: Privacy Policy
INTERNAL USE ONLY
Author: Global Privacy Updated by: Global Privacy
Release Date: September 2023 Last Reviewed: September 2023
Status: Approved Owner: Global Head of Privacy
Version: 1.2 Custodian: Regional Head of Privacy

We have appointed Data Protection Officers in all regions where we operate. If you have any questions
about this Policy or your data protection obligations, please contact Foundever’s global Privacy function
or your respective Regional DPO at privacy@[Link].

Foundever may act as a Data Controller (with respect to our employees personal data), or as a Data
Processor (with regard to our client’s or client’s customer’s personal data). Where we process Personal
Data as either a Data Controller or Data Processor, we adhere to the following data protection
principles. These require Personal Data to be:

• Processed lawfully, fairly and in a transparent manner (“lawfulness and fairness”);

• Collected only for specified, explicit and legitimate purposes, and processed only in line with
those purposes only (“purpose limitation”);
• Adequate, relevant and limited to the purposes for which we intend to use it (“data
minimization”);
• Accurate, and where necessary, kept up to date (“accuracy”);
• Kept only for as long as is necessary for the ongoing business purposes for which we use it or
for the period required by law, if longer (“storage limitation”);
• Processed in a way which ensures its security, using appropriate technical and organizational
measures to protect against unauthorized or unlawful processing, and against accidental loss,
destruction or damage (“integrity and confidentiality”).

Foundever is accountable for, and will demonstrate compliance with, the data protection laws and
above principles. We are always committed to protecting the privacy, rights and Personal Data of our
associates, our clients and our client’s customers.

In the course of your work for us, you must only process Personal Data in accordance with:

Privacy policy 4
Privacy Policy
Location: Central Document Repository Document: Privacy Policy
INTERNAL USE ONLY
Author: Global Privacy Updated by: Global Privacy
Release Date: September 2023 Last Reviewed: September 2023
Status: Approved Owner: Global Head of Privacy
Version: 1.2 Custodian: Regional Head of Privacy

- This Policy and our Employee Privacy Notice, as regards the Personal Data of our employees,
workers, and contractors;
- Any relevant policies, guidelines, and procedures that we, or our clients, put in place (including
the use of any technology);
- Client contractual requirements and client instructions with regards to the processing of
Personal Data.

You must ensure that you have read and understood the privacy notices and any relevant policies,
guidelines, and procedures. You must contact the DPO in your region immediately if you are unsure
whether particular processing of Personal Data is within the terms of the relevant privacy notice, policy
or contractual requirement or you are otherwise unsure as to whether we have a lawful basis for
processing particular Personal Data.

• Necessary, relevant, accurate

- You only access and process Personal Data that is necessary to perform your work.
- You only collect Personal Data that we actually need – it must be relevant, given the purpose
for its collection. Do not collect excessive Personal Data.
- As far as possible, the Personal Data you process is accurate and up to date. You must ensure
that procedures are in place to ensure high level of Personal Data accuracy, including periodic
review and audit.

• Security – General
- You do not copy, transfer or download Personal Data for personal use and you do not make
Personal Data available to unauthorized persons.
- You protect the Personal Data that you process in the course of your duties. You must handle
Personal Data in a way that guards it against accidental loss or disclosure or unintended or
unlawful processing and in a way that maintains its confidentiality. You must take particular
care in protecting Special Categories of Personal Data from loss or unauthorized access, use or
disclosure.
- You do not attempt to circumvent the safeguards we use to protect Personal Data (including
administrative, physical and technical safeguards).
- Unless our policies specifically allow you to do otherwise, you store all Personal Data in our
systems or, for paper records, on our premises, and you do not remove Personal Data from our
premises (in electronic or paper format) or store Personal Data elsewhere (for example, on a
computer, laptop or mobile phone not provided by us).
- If you have permission to remove Personal Data from our premises, when outside of our
premises, you do not leave any paperwork containing Personal Data, or any device or material
on which Personal Data is stored, unattended at any time unless it is stored securely so that it
cannot be seen or accessed by third parties, including family members.
- You keep all passwords secure and do not reveal them to anyone else.
- You only dispose of paperwork containing Personal Data in the confidential waste bins provided
on our premises or for home workers by ensuring such paperwork is properly shredded.

Privacy policy 5
Privacy Policy
Location: Central Document Repository Document: Privacy Policy
INTERNAL USE ONLY
Author: Global Privacy Updated by: Global Privacy
Release Date: September 2023 Last Reviewed: September 2023
Status: Approved Owner: Global Head of Privacy
Version: 1.2 Custodian: Regional Head of Privacy

- If you are responsible for managing tools, system and Personal Data, you regularly test the
privacy measures implemented and conduct periodic reviews and audit to assess and
demonstrate compliance and improvement efforts.

Please refer to Foundever’s Security Policy for more details about our security program.

• Security – Communications
- You check that the addresses are correct on letters, emails or other communications you are
sending that contain Personal Data and that any attachments or enclosures are correct. Take
particular care to check email addresses when using a predictive (auto-complete) email address
function, or if an email is going to multiple addresses.
- Before sending Personal Data to someone for the first time, to the best of your ability, strive to
verify that the person is who they say they are. It is critical to ensure that you have their correct
email address.
- You consider whether the means you are using to communicate Personal Data are appropriate,
taking into account the sensitivity of the content.
- You do not use your personal email address to communicate Personal Data or other private or
confidential information for work purposes.
- You do not discuss or reveal Personal Data which relates to workplace matters in a public setting
where it may be seen or overheard.

• Sharing Personal Data

- You comply with any policies, guidelines or procedures relating to the sharing of Personal Data.
- You only share Personal Data with other employees, associates or contractors, or with one of
our agents or representatives, if that person has a work-related need to know the information.
- You immediately notify the legal department if you receive any request for disclosure of
Personal Data from any foreign public authority.
- You only share Personal Data with third parties (including, for example, our service providers)
if:
• they have a need to know the Personal Data (for example, in order to provide
services to us);
• the relevant privacy notice gives notice that the Personal Data may be shared with
that third party; and
• you are satisfied that the third party will comply with the data protection principles,
in particular, that the Personal Data will be kept secure.

- When the third party is a Foundever vendor, you ensure that the vendor has been correctly
onboarded in accordance with Foundever’s Global Procurement Policy.

• Training
- You have received and participated in all mandatory privacy training and, if you are a supervisor,
that your team has received and participated in all such training. Mandatory training
completion rates are established by the board and will be reported on accordingly.

• No longer than necessary

Privacy policy 6
Privacy Policy
Location: Central Document Repository Document: Privacy Policy
INTERNAL USE ONLY
Author: Global Privacy Updated by: Global Privacy
Release Date: September 2023 Last Reviewed: September 2023
Status: Approved Owner: Global Head of Privacy
Version: 1.2 Custodian: Regional Head of Privacy

- If you are responsible for the deletion or anonymization of Personal Data, this is done in
accordance with any relevant privacy notice or policy. We must not keep Personal Data for
longer than necessary.
- You must ensure that when Personal Data is no longer needed for specified purpose, it is
deleted or anonymized in accordance with Foundever’s Data Retention Policy and Data
Retention Schedule.

• Personal Data collected indirectly (e.g. from third parties)

- If you are responsible for collecting the Personal Data of any individual indirectly (i.e. not from
the individuals themselves but, for example, from a third party or publicly available source) you
ensure that the individual receives the relevant privacy notice either:
• from the third party who collected the data initially, including notice of onward
transfer; or
• within a reasonable period after you collect the Personal Data (maximum one
month), unless this would involve a disproportionate effort; or
• if you use the Personal Data to communicate with the individual before then, when
the first communication with them takes place (at the latest); or
• if you are disclosing the Personal Data to someone else before this happens.

- You contact the Regional DPO immediately, either directly, via your line manager or by raising
an incident report in Ethics Point, if you are concerned that Personal Data provided to you by a
third party has not been collected in accordance with the data protection principles.

• Record keeping
- Depending on your role, keep accurate and up to date records of the processing activities and
types of Personal Data Foundever processes as part of your function or account in accordance
with Foundever’s Record of Processing Policy.

• Personal Data you acquire in error

- You inform the regional DPO immediately, either directly, via your line manager or by raising an
incident report in Ethics Point, if you acquire any Personal Data in error.

When Foundever processes Personal Data, such processing may be exposed to certain privacy risks. To
identify and minimize those risks, it may be necessary for the organization to carry out a Data Protection

Privacy policy 7
Privacy Policy
Location: Central Document Repository Document: Privacy Policy
INTERNAL USE ONLY
Author: Global Privacy Updated by: Global Privacy
Release Date: September 2023 Last Reviewed: September 2023
Status: Approved Owner: Global Head of Privacy
Version: 1.2 Custodian: Regional Head of Privacy

Impact Assessment (DPIA) before certain activities that involve processing of Personal Data can be
undertaken.

The key processes within Foundever where the need for a DPIA is identified are through Enterprise
Change Management (ECM) and Procurement/Vendor Management. However, any changes to existing
processing activities or introduction of new processing activities, regardless of how they are managed,
should be evaluated to determine whether a DPIA is required. Please contact your Regional DPO for
assistance.

You must not do any of the following without first notifying (as early as possible) the DPO so they can
decide whether a DPIA is required:

• Process Personal Data on a large-scale taking into account the number of individuals concerned,
the volume and range of data processed, the duration and permanence of processing and the
geographic extent of the processing activities – if you are in any doubt as to whether processing
is large-scale, contact the DPO (example: implementation of a Human Resources Information
System (HRIS) processing of data on a global scale, involving hundreds or thousands of
employees);
• Innovative use or applying technological or organizational solutions (including new or different
technology) which involve processing of Personal Data or use of biometric data for improved
access control (example: use of employee facial recognition for multi-factor authentication);
• Process sensitive data or data of highly personal nature which includes genetic data, biometric
data, data concerning health or person’s sex life or sexual orientation, political opinion, religious
belief, or racial or ethnic origin (example: voice recognition for authentication purposes or
fingerprint for access control);
• Systematic monitoring when observing, monitoring, surveilling, or controlling data subjects
(example: use of camera for home work - space monitoring);
• Process data concerning vulnerable data subjects (example: processing personal data of
children/minors);
• Any new or significantly different use of automated decision-making i.e., where a decision is
made on a solely automated basis without meaningful human involvement, and it has a
significant effect on individuals (example: performance report data which automatically
(without human involvement) decides to discipline or terminate an employee);
• Matching or combining data sets from two or more data processing operations performed for
different purposes and/or by different data controllers (example: Merging employee data from
different HRIS systems, following a company merger or acquisition);
• Evaluation or scoring – using automation including Personal Data to evaluate an individual
(example: to analyse or predict an individual’s performance at work, economic situation, health,
personal preferences, interests, reliability, behaviour, location or movements);
• Any new direct marketing activity (including electronic marketing by email, telephone, fax, or
text message).

You must comply with any directions from the regional DPO and Legal department in relation to the
above, and the terms of any DPIA. For more information regarding DPIAs, please refer to Foundever’s
DPIA Policy.

Privacy policy 8
Privacy Policy
Location: Central Document Repository Document: Privacy Policy
INTERNAL USE ONLY
Author: Global Privacy Updated by: Global Privacy
Release Date: September 2023 Last Reviewed: September 2023
Status: Approved Owner: Global Head of Privacy
Version: 1.2 Custodian: Regional Head of Privacy

As a global organization with global IT systems, and with business worldwide, you might receive a
request for transfer of Personal Data outside your area/region. In such case, you must inform the
regional DPO before any transfer of Personal Data, view or access of Personal Data in a country outside
of the country of origin of the Personal Data.

Your regional DPO will confirm if the transfer of Personal Data is in accordance with established
appropriate data transfer mechanisms, or if such is authorized under local privacy requirements and
legislation, or included in your privacy notice. If the proposed transfer is not in accordance with any of
the aforementioned established protection mechanisms, the DPO will work with you to establish an
appropriate transfer mechanism before the Personal Data is transferred.

A Personal Data breach means anything that compromises the security, confidentiality, integrity or
availability of Personal Data or the safeguards that protect it. This could include where Personal Data is
lost, or where it is accessed, disclosed or acquired without authority.

If you know or suspect that a Personal Data breach has occurred, you should immediately contact the
DPO in your region, either directly, via your line manager or by raising an incident report in Ethics Point.
You must retain all evidence relating to a personal data breach to enable Foundever to maintain a record
of such breach, as required by data protection laws.

Our procedure for dealing with suspected Personal Data breaches is set out in our Security and Ethics
Incident Management Policy.

Explanatory Note: The maximum period allowed by the Foundever Privacy Policy to notify a Supervisory
Authority or Privacy regulator of a reportable Data Breach is 72 hours from the point that the
organization becomes aware of the Data Breach.

Please note that notification to client of any suspected or actual Data Breach is subject to contractual
agreement and may be shorter than 72 hours. It is therefore vital that breaches are notified
immediately, whether within or outside business hours.

Privacy policy 9
Privacy Policy
Location: Central Document Repository Document: Privacy Policy
INTERNAL USE ONLY
Author: Global Privacy Updated by: Global Privacy
Release Date: September 2023 Last Reviewed: September 2023
Status: Approved Owner: Global Head of Privacy
Version: 1.2 Custodian: Regional Head of Privacy

Foundever is committed to ensure protection of Data Subjects’ rights under applicable laws. Individuals
may have certain rights with regards their Personal Data, including to:

• Receive certain information about our processing;

• Request access to their Personal Data that we hold (often known as a ‘Data Subject Access
Requests or DSAR);
• Request transfer, correction, deletion, restriction of processing;
• Object to processing (including where this is for direct marketing);
• Request a copy of an agreement transferring Personal Data outside of the originating (home)
territory.
• Object to decisions based solely on automated processing, including profiling;
• Be notified of a Personal Data breach concerning their data;
• Complain to the Supervisory Authority or Privacy regulator; or
• Withdraw their consent to processing (if we process their Personal Data on the basis of their
consent).

If you receive any communication that appears to relate to these rights, you must contact the DPO in
your region immediately. Do not respond to the communication or attempt to deal with it without input
from the DPO.

If you think you may have breached this Policy, please immediately speak to your supervisor and the
DPO in your region. Quick action can be crucial in mitigating the effects of Personal Data Breach and in
complying with potential regulatory reporting requirements.

Breach of this policy, including failure to report a Data Breach, may be dealt with under our Disciplinary
Action Policy, and in serious cases, may be treated as gross misconduct leading to dismissal.

Privacy policy 10
Privacy Policy
Location: Central Document Repository Document: Privacy Policy
INTERNAL USE ONLY
Author: Global Privacy Updated by: Global Privacy
Release Date: September 2023 Last Reviewed: September 2023
Status: Approved Owner: Global Head of Privacy
Version: 1.2 Custodian: Regional Head of Privacy

Foundever complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the
EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S.
Department of Commerce. Foundever has certified to the U.S. Department of Commerce that it adheres
to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) regarding the processing of
Personal Data received from the European Union in reliance on the EU-U.S. DPF and from the United
Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Foundever has certified to
the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles
(Swiss-U.S. DPF Principles) regarding the processing of Personal Data received from Switzerland in
reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Policy and the EU-U.S.
DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about
the Data Privacy Framework (DPF) program, and to view our certification, please
visit [Link]

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF,
Foundever commits to resolve DPF Principles-related complaints about our collection and use of
Personal Data. EU and UK and Swiss individuals with inquiries or complaints regarding our handling of
Personal Data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the
Swiss-U.S. DPF should first contact Foundever at: Privacy@[Link].

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF,
Foundever commits to cooperate and comply, respectively, with the advice of the panel established by
the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the
Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information
Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of Personal Data
received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

Under certain conditions, Data Subjects may be entitled to invoke binding arbitration when other
dispute resolution procedures have been exhausted.

Foundever will disclose Personal Data to law enforcement or judicial authority to comply with applicable
law, a subpoena, or other lawful requests by public authorities, including to meet national security or
law enforcement requirements.

Foundever shall ensure that any third party to whom Personal Data may be disclosed to are subject to
law providing the same level of protection as is required by the EU-U.S. DPF and the UK Extension to
the EU-U.S. DPF and the Swiss-U.S. DPF and agree in writing to provide an adequate level of privacy
protection. Foundever may be liable in cases of onward transfers to third parties.

Privacy policy 11
Privacy Policy
Location: Central Document Repository Document: Privacy Policy
INTERNAL USE ONLY
Author: Global Privacy Updated by: Global Privacy
Release Date: September 2023 Last Reviewed: September 2023
Status: Approved Owner: Global Head of Privacy
Version: 1.2 Custodian: Regional Head of Privacy

The Federal Trade Commission has jurisdiction over Foundever’s compliance with the EU-U.S. Data
Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data
Privacy Framework (Swiss-U.S. DPF).

For further information regarding the Data Privacy Framework, please visit
[Link]

Privacy policy 12
Privacy Policy
Location: Central Document Repository Document: Privacy Policy
INTERNAL USE ONLY
Author: Global Privacy Updated by: Global Privacy
Release Date: September 2023 Last Reviewed: September 2023
Status: Approved Owner: Global Head of Privacy
Version: 1.2 Custodian: Regional Head of Privacy

Data Controller: Any person (or organization) which alone or jointly with others, determines the purpose
and means of processing of Personal Data.

Data Processor: Any person or organization which processes personal data on behalf of the Data
Controller.

Data Protection Impact Assessment: An analysis that helps an organization identify, address and
minimize the risks that might result from processing activities involving personal data, while
implementing data processing systems activities, systems or tools that comply with the Foundever’s
Privacy Program. They are particularly important when introducing a new data processing process,
system or technology.

Data Subject: The individual whose Personal Data is being processed.

DPO: Data Protection Officer

Personal Data: Any information about a living individual which they can be identified (or from which
they can be identified along with other information we hold or can reasonably access). This information
can be stored in any media (e.g. paper or a computer database). Some examples are: personal contact
details, such as name, address, email or telephone number, date of birth, bank account details, opinion
about a person’s action or behaviour, for example, expressed in an email or interview notes.

Processing: any activity that involves using Personal Data. This includes collecting Personal Data,
recording it, accessing it, storing it, retrieving it, using it, amending it, disclosing it, destroying it, and
transferring it to third parties.

Special Categories of Personal Data: information about an individual’s racial or ethnic origin; political
opinions; religions our philosophical beliefs; trade union membership; health; sex life or sexual
orientation; criminal convictions, offenses or alleged offenses; genetic data; or biometric data for the
purposes of uniquely identifying an individual.

Subprocessor: Any person or organization appointed by a Data Processor to processes personal data on
behalf of a Data Controller.

Privacy policy 13
Privacy Policy
Location: Central Document Repository Document: Privacy Policy
INTERNAL USE ONLY
Author: Global Privacy Updated by: Global Privacy
Release Date: September 2023 Last Reviewed: September 2023
Status: Approved Owner: Global Head of Privacy
Version: 1.2 Custodian: Regional Head of Privacy

Title Privacy Policy

Version: 1.2 Creation Date: September 2023

Number Description

1. Employee Privacy Notice

2. Record of Processing Policy

3. DPIA Policy

4. Security Policy

5. Security and Ethics Incident Management Policy

6. Global Procurement Policy

Version Date Author Description

1.0 June 2022 Global Privacy Approved

1.1 July 2023 Global Privacy Annual review, no changes

1.2 September 2023 Global Privacy Adding Data Privacy Framework

statement

Privacy policy 14