Approved Profit Sharing Scheme (‘APSS’)

Approved Profit Sharing Scheme (‘APSS’)                                                                                  

Privacy Notice

Equiniti Share Plan Trustees Limited (‘ESPTL’) acting as Plan trustees for any released shares from the APSS that are being held in a UK Trust, handle your personal data as part of providing the APSS service. We are committed to keeping your data safe and using it in a clear and transparent way. This summary details why we hold your data, including any ways that you might not expect. Ocorian Corporate Trustee (Ireland) Limited has been appointed by us as a processor to provide Approved Profit Sharing Scheme (‘APSS’) services. Where they process your personal data as controller, please refer to their Privacy Notice at www.ocorian.com/privacy-statement.

We hold your data

• To provide you with great products and services;
• To protect the assets we hold on your behalf;
• In a way you would expect; and
• To meet legal and regulatory requirements relating to the products you use.

You have rights over the data we hold about you, further details are provided in section 9.

Things you might not know

• In order to offer you an efficient service, some of our processing is undertaken overseas – this includes the Republic of Ireland and India. When we contact you via email, one of our providers uses services based in locations outside of the UK. We always implement appropriate controls to ensure your data stays protected;
• We use auto decision making in limited circumstances to prevent and detect financial crime; and
• We use your personal data to help us provide great customer service. To do this we analyse the way that you use our products and services to help us develop what works best for you. This is called profiling.

Approved Profit Sharing Scheme Privacy Notice

We understand how important your personal data is and are committed to protecting and respecting your privacy.

‘Personal Data’ means any information relating to or which identifies you. This can include items such as your name, address, phone number, identification numbers, such as an account number or your Personal Public Service number (‘PPS’), location data or online identifiers. Personal data can be held electronically or in certain paper records. The UK General Data Protection Regulation (GDPR) regulates the processing of personal data. The UK GDPR seeks to protect your rights to your personal data by setting out, amongst other things, the conditions under which the processing of personal data is lawful, the rights of data subjects and the standards that organisations handling personal data must adopt. This Privacy Notice is issued in compliance with UK GDPR and seeks to explain:

1. Who we are;
2. Products and services covered by this Privacy Notice;
3. How we collect your personal data;
4. Why we collect your personal data;
5. How long we hold the personal data;
6. The conditions under which we can share your personal data with others;
7. Overseas processing;
8. How we keep your personal data secure;
9. Your personal data rights and how to exercise them;
10. Useful information;
11. EU GDPR, and
12. Where to find further information about this Privacy Notice.

1. Who we are (the Plan trustees)

Equiniti Share Plan Trustees Limited is one company within the Equiniti Group. Our main business is provision of Employee Share Plan services. Our registered address is Aspect House, Spencer Road, Lancing, West Sussex, BN99 6DA and our Information Commissioner’s Office (ICO) registration number is Z7941663.

The Plan trustees are the ‘Data Controllers’. This means that we are responsible for deciding how and why we hold and use personal data about you.

In this Privacy Notice, ‘we’, ‘us’ and ‘our’ will always mean ESPTL as the Data Controllers.

2. Products and services covered by this Privacy Notice

This Privacy Notice covers the Plan trustee services provided by us in relation to the APSS as set out in the Plan’s trust deed and rules.

If you have questions about your Plan and services, please contact the Employee Helpline shown in your Plan documentation.

3. How we collect your personal data

The personal information we hold may include your account number, title and name, postal address, your email address and phone number, date of birth, gender, nationality, payroll details such as salary, tax status and tax residency, your pay site code, your payroll reference, your PPS number and your salary bank account, financial information about the value of the Plan, the number of Plan shares, any Persons Discharging Managerial Responsibilities, Directors’ Interest or Closed Period indicators and elections made in connection with the running of the Plan or made as part of a Corporate Action.

This could include special personal data, if we need to record the reason why and when you are no longer an employee of the Company or temporarily not at work, for example due to injury or disability, in order to administer the Plan.

We use different kinds of personal data dependent upon the relationship you have with us, the Plan that you participate in and the products and services that you use. We collect it through a variety of different ways:

Information you provide to us

• By filling in forms via the website;
• By corresponding with us, either directly or via your employer, in writing, by phone, e-mail, live-chat or otherwise;
• Through application and registration forms, identification and legal documentation; and
• Through promotions or surveys.

Information we collect about you

• Images and voice recordings of your communications with us for quality control, training, security and regulatory purposes, but these can also capture your location e.g. use of home landline number;
• Information about the transactions and investments you make as part of the running of the Plan, including financial data and voting instructions; and
• If you contact us via social media, we will collect details from your social media account.

Information we receive from third parties

• Data from your employer as part of the set up and running of the Plan, including identification data, your contact details, information about your job, your payroll details and information about your share plan entitlement and participation;
• As part of our identity and financial crime checking procedures with credit reference agencies, fraud detection agencies and registration or stockbroking industry exchanges;
• In accordance with the Money Laundering Regulations when we require verification of your identity, we will conduct searches of databases and other credit data; and
• Market researchers.

Special types of data

The law and other regulations treat some types of personal information as special. We will only collect and use this information if the law allows us to do so:

• Criminal convictions and offences.
• Genetic and biometric data.
• Health data including gender.
• Racial or ethnic origin.
• Religious or philosophical beliefs.
• Trade union membership.

Keeping your personal data up to date

It is important to us that the information we hold about you remains accurate and up to date at all times, but we need your help in doing this. Please help us by ensuring that you review the information held about you regularly and let your employer know as soon as anything needs updating or correcting.

Other people’s personal data

The information you give us in connection with your Plan, can contain your or another person’s personal data. If you provide us with information about another person, you confirm that they have appointed you to act for them and/or they consent to you providing their personal data to us and that you have informed them of our identity and the purpose for which their personal data will be processed – as set out in this Privacy Notice.

4. Why we collect your personal data

In the table below we demonstrate why and how we use your personal data as well as providing the legal reasons which we rely upon. Under Data Protection legislation we must always have a legal reason for processing your personal data. One of the legal reasons is when we use your personal data for our legitimate interests and this is usually when we have a business reason. However, we must always ensure that we take your interests into consideration too and ensure that the use is fairly balanced. We tell you below when we rely on legitimate interests and what our legitimate interests are.

Why we use your personal data	How we use your personal data	Our legal reasons for using your personal data
Plan launch	To contact eligible employees to provide Plan information.	Our legitimate interests to alert employees to company benefits.
Profiling	In running your account we may analyse the personal data we hold about you and others to create a profile of interests and preferences in order that we can tailor our product or service offering and contact you with information that is relevant to you.	Our legitimate interests for the proper administration of our business for example: ·       Defining types of participants for new products and services; and ·       Operating efficiently.
Provision of Financial services, including the administration and management of customer records	To manage and operate your account with us to facilitate the administration of the Plan in accordance with the Plan trust deed and rules. This includes: ·       Checking individual share entitlements and/or contribution limits are not exceeded; ·       Retaining records of your instructions and keeping your Plan account up to date; ·       Notifying you about Plan events; ·       Notifying you about any Corporate Actions impacting the Plan; ·       Notifying you about changes to our service; ·       Completing transactions that you instruct us to undertake and any legal obligations we have in relation to the transactions; ·       Processing our fees, charges, and any interest due on your accounts. Enforcing or obtaining settlement of debts owed to us or in relation to investments made on your behalf; and ·       Keeping Equiniti websites and portals secure and permit you safe access to our services.   To provide you with transaction records and confirmation notices as required by the Plan.   To respond to any complaints and/or data rights that you invoke.	As part of contract preparations and obligations between us and you.   With your consent.   Legal obligations, such as in relation to Irish tax advantaged Plans.   Our legitimate interests for the proper administration of our business, for example: ·       Keeping our records up to date; ·       Seeking your consent when we need it to contact you; ·       Operating efficiently; ·       Enabling and monitoring your use of Equiniti websites, portals and services; and ·       Defining types of Plan  services to notify you about.
Prize draws, offers, marketing of our products and services	·       To allow you to participate in interactive features of our service, when you choose to do so. ·       Identifying if any of our products or services may be of interest to you and making suggestions and recommendations to you about them. ·       To provide you with the information, products and services that you request from us via your chosen channel. ·       To administer any prize draws that you are offered and elect to enter as an incentive to operate your account, for example as part of electing to receive dividends by BACS rather than by cheque. ·       To ask you if you wish to hear from other entities within the Equiniti Group of Companies that offer complimentary financial services such as foreign exchange services. ·       To share (only upon request) the surname & county of any prize draw winners. ·       We can ask you from time to time to confirm or update your choices, such as when there is a change in the law or the structure of our business. IMPORTANT You can withdraw from marketing and / or prize draw offers and the disclosure of winner surname details at any time. Please contact us if you wish to update your preferences.	·       With your consent. ·       When we have collected your personal data when applying for, or enquiring about, a product or service, provided you could “opt-out” of receiving marketing communications at the time we collected your personal data and have been advised on how to easily do this in our subsequent communications with you for example using an ‘unsubscribe’ button at the bottom of emails. ·       Our legitimate interests, namely - the proper administration of our service and business for example: o   Keeping our records up to date. o   Defining types of customers for new products and services. o   Seeking your consent when we need it, to contact you. o   Operating efficiently. o   Enabling and monitoring your use of our website and services. IMPORTANT Please also refer to the exceptions noted in the marketing section of this Privacy Notice.
Assessment and collection of taxes.	To submit returns to the relevant regulatory authorities and deduct tax and duties (such as income tax). This includes disclosing information to the Irish Revenue Commissioners.	As part of contract preparations and obligations between us and you.   With your consent.   To meet our regulatory requirements. To comply with a legal obligation to account for tax and duties.
Financial crime/auto decision making	To analyse your personal data for financial crime, money laundering and fraud risk purposes in accordance with UK regulations.   This can include making automated decisions based on the personal data that we hold about you or are permitted to collect from others.   You can ask to have one of our staff review any automated decision about you at any time – see section 9 - Your Rights.	To comply with both national and international legislation relating to financial crime. Our legitimate interests such as the proper administration of our services and business for example: ·       Keeping our records up to date; ·       Operating efficiently; and ·       Enabling and monitoring your use of company websites, portals and services. As part of contract preparations and obligations between us and you.   With your consent.   To meet our regulatory requirements.
Improving our services	To improve administration including: ·       Identifying improvements by undertaking data analysis, testing new products, using your personal data for research, statistical and survey purposes; ·       Ensuring that content from company websites and portals are presented in the most effective manner for you and for your device; ·       To develop and manage our products, brands and services; ·       How we manage and work with other companies in the delivery of your products and services; ·       Studying how you and others use our products and services; and ·       Measuring or understanding the effectiveness of Plan information packs. We can do this ourselves or appoint an agency to do this on our behalf.	Performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.   With your consent.   As part of contract preparations and obligations between us and you.   To comply with legal requirements placed upon us.   To meet our regulatory requirements.   Our legitimate interests, such as the proper administration of our service and business, for example: ·       Keeping our records up to date; ·       Defining types of anniversary, vesting and maturity services to notify you about; ·       Seeking your consent when we need it to contact you; ·       Operating efficiently; and ·       Enabling and monitoring your use of our website and services. Some of this information will be gathered by cookies that you have consented can access your computer. Please see our cookie policy for further information on how to manage cookies.

 

If you choose not to give personal information

We need to collect personal information required by law or under the terms of a contract we have with you. If you choose not to give us the personal data we need, it can mean that you will be unable to participate in the Plan or your participation will lapse. So that you know what information is optional, we make it clear at the time we collect your personal data.

5. How long we hold your personal data

Personal data will not be retained for longer than necessary for us to achieve the purpose for which we obtained your personal data. We will then either securely delete it or anonymise it so that it cannot be linked back to you. We review our retention periods for personal data on a regular basis.

We will retain personal data for the duration of the Plan and for a period of up to 8 years following the closure of the Plan, for the reasons noted below:

• To respond to enquiries and complaints;
• To demonstrate that your instructions were carried out properly; and
• To maintain records to meet rules and regulatory requirements that are applicable to the administration of the Plan.

We can keep your data for longer than 8 years if we cannot delete it for legal, regulatory or technical reasons. We can also keep it for research or statistical purposes. If we do, we will make sure that your privacy is protected and only use it for those purposes.

For full details of our retention policies, please contact us.

6. The conditions under which we can share your personal data with others

The personal data we hold about you is confidential, and we will only share your personal data to enable us to deliver our product(s) or service(s), examples are as follows.

• At your request, or with your consent or the consent of any party linked to your product or service;
• Other Equiniti Group entities who help us deliver our products and services, such as Equiniti Limited, Equiniti Financial Services Limited and Equiniti India Private Limited who help us administer the Plan records and deliver products and services (including online portals).; and
• Non Equiniti entities, such as our agents in connection with running accounts and services for you, including:
  • Banks and other payment service providers to process your entitlements, payments and manage any savings;
  • Printers in order to supply you with documentation and statements;
  • Insurance companies - where we need to provide details of your account when we make a claim;
  • Stockbrokers and market makers who execute transactions we make on your behalf;
  • Service suppliers to facilitate email, IT and administration services;
  • Our professional advisors, for example, our lawyers and technology consultants, when they need it to provide advice to us;
  • Your employer or agent(s), in accordance with any specific instructions you provide to us, or where it is required for the employer to report the information for tax purposes;
  • Third party providers such as Nominees, when either we or you have requested their services e.g. to deliver or manage Plan shares;
  • Credit reference agencies and fraud detection agencies as part of our identification procedures;
  • To the corporate issuer so that they can provide shareholder offers on the same basis as a direct shareholder;
  • Fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment;
  • Market Research Agencies to improve the service we provide to you. We can do this ourselves or appoint an agency to do this on our behalf; and
  • Your Official Receiver or appointed insolvency practitioner if we receive notice of your insolvency, bankruptcy or insolvency proceedings/arrangement.

We will only transfer your personal information to trusted third parties who provide sufficient security guarantees and who demonstrate a commitment to compliance with applicable law and this Privacy Notice. Where third parties are processing personal information on our behalf, they will be required to agree, by contractual means, to process the personal information in accordance with the applicable law. This contract will stipulate, amongst other things, that the third party and its representatives shall act only on our instructions, or as permitted by law.

We are also required to share your personal data with external third parties as follows (but not limited to):

• Regulators and supervisory authorities e.g. Irish Revenue Commissioners, domestic or foreign tax authorities, the Work and Pensions Division, Her Majesty’s Courts and Tribunals Service (the courts), Credit Industry Fraud Avoidance System (Cifas), the London Stock Exchange plc or the operator of any market on which you hold investments, as part of our legal obligations in providing the products/services;
• Where the law requires or permits disclosure, or there is a duty to the public to reveal it;
• When we need to defend or exercise our legal rights or those of a third party;
• Debt collecting, debt chasing or another agent for enforcing payment of monies owed to us;
• Efforts to trace you if we lose contact with you, e.g. to reunite you with your assets;
• Police and other law enforcement agencies for the prevention and detection of crime and where a valid permission is applicable;
• As a result of a court order or other regulatory instruction;
• Our insurers and insurance brokers where required for underwriting our risks and as part of ongoing risk assessments;
• to ‘the company or their agents’ (as defined within the products Terms and Conditions) for general business purposes such as checking if you are an existing data subject of the company, the company’s business administration purposes and to facilitate the company’s development and improvement of their products and services; and
• We can transfer your personal data to a third party as part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation. At all times, we take steps to ensure your privacy rights continue to be protected as per this Privacy Notice.

7. Overseas Processing

Personal data will be shared with members of the Equiniti Group outside of the UK, including Equiniti India Private Limited which is based in India, for the purposes described in this Privacy Notice. For these transfers we utilise Model Clauses recognised by the European Commission.

When we contact you via email, one of our service providers uses services outside of the UK. For these transfers, we utilise Model Clauses recognised by the European Commission.

If you would like to obtain a copy of the Model Clauses used to share personal data, please contact the Equiniti Data Protection Officer using the details provided in this Privacy Notice.

Please note that information protection laws do vary from country to country. In particular, the law of the country in which you are resident or domiciled may offer a higher standard of protection than the laws in the UK and/or those other countries in which we store and use the personal data we collect. Whilst we have taken measures to protect your personal data, the transfer to other countries could result in your personal data being available to governments and other authorities in those countries under their laws.

By joining the Plan, you understand this international transfer, storing and processing.

8. How we keep your personal data secure

We understand how important your personal data is to you and we take its security very seriously.

We safeguard your personal data across all our computer systems, networks, websites and offices as much as possible through appropriate procedures and technical security measures (including strict encryption, anonymisation and archiving techniques) and our Information Security policies are aligned to ISO27001, which is an internationally recognised security standard.

We also use secure ways of communicating with you such as when collecting your personal data or providing your account information:

• Online through the use of ‘‘https’’ and other security and encryption protocols. This is indicated by a lock icon on the bottom of the web browser, or the address will include the letters https in the top left-hand corner; and
• By telephone, we will always ask you security questions to confirm your identity before we discuss matters relating to your account(s).

Where you have been given (or where you have chosen) a password or unique identifier (PIN) which enables you to access your Plan details, you are responsible for keeping this password/PIN confidential, along with any username. We will never ask for your full password or PIN, and you must not divulge your full password to us or anyone else. We recommend that any password or PIN you set is not easily guessable and changed frequently (at least once a month).

Because we cannot guarantee the confidentiality of personal data sent on the internet you should never send your login details via email.

Security concerns

If you ever receive a communication from us by post, email or by phone that you are concerned is not genuine, please contact us using the contact details below.

You must immediately inform us if you become aware, or suspect, that someone else has knowledge of your account details.

If you have any concerns about the security of your own personal computers and mobile devices, we suggest you read the advice of Get Safe Online, which can be accessed at www.getsafeonline.org.

9. Your personal data rights and how to exercise them

You have rights in respect of the personal data that we hold about you. Details about all of your rights are provided below and include the right to request a copy of the information that we hold about you.

Some of these rights are conditional and depend upon why we are processing your personal data. This means that we cannot always be able to respond to your request in the way that you want. For example:

• If you ask us to erase your personal data and we are processing the information because we are required to do so because of a legal requirement, we will not be able to delete your personal data; however
• If you ask us to erase your personal data and we are processing the information because you provided us with consent (for example as part of a survey response), we will be able to consider and respond to your request.

Your rights in respect of the personal data that we hold about you	Explanatory detail
The right to be informed about how we use your personal data	This Privacy Notice provides you with the details on how we use and process your data.
The right of access to a copy of any personal data we process about you, together with certain additional information	If you request to see your personal data, your initial request will be free of charge; subsequent requests can attract an administration fee. The additional information includes details of the categories and recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data.
The right to request us to rectify or update it	This will be relevant where the personal data we hold is or has become inaccurate or incomplete, taking into account the purposes of the processing. Please explain why you consider the data inaccurate or incomplete.
The right to request us to erase your personal data in certain circumstances	The circumstances when erasure can apply include when we no longer need your personal data, to meet a lawful basis for processing unless: that basis is consent and you withdraw your consent or you object to the processing or the processing is unlawful. However, certain exclusions apply - where the processing is necessary for compliance with a legal obligation or to establish, exercise or defend legal claims.
The right to request us to restrict processing it	This request can be used to stop us processing your personal data: if you disagree over the accuracy of the personal data until we have verified the data; the reason for processing; or if you wish us to retain your personal data for longer than our retention period, e.g. to establish, exercise or defend a legal claim.
The right to request a copy of your personal data for data portability purposes	If you have provided personal data to us under contract or because you consented to the processing and use of the data by automated means, then you have the right to instruct us to transmit that personal data to you or another data controller in a machine-readable format.
The right to object to us processing your personal data	You have a right to object to us processing your data where we are processing it for the performance of a public interest task or purpose of legitimate interests.     You can also object to direct marketing communications from us about products, offers, competitions, or services and any profiling that we can perform in relation to direct marketing. You can do this at the point of data collection, through the use of any opt-out functionality on text and emails, via your preference centre or by contacting the helpline service.   You can update your marketing preferences at any time through the use of the opt-out functionality. You have the right to withdraw your consent at any time. However, this will not affect the lawfulness of processing before the withdrawal. If you would like to receive the marketing described above, please ensure you have indicated your preferences accordingly.
Rights related to decisions based solely on automated processing	Where this processing produces legal effects or significantly affects you, you can object to this processing unless the processing is necessary as part of our contract or is required by legislation.
Right to lodge a complaint with a supervisory authority	If you wish to raise a complaint on how we have handled your personal data, please contact our Data Protection team who will investigate the matter and report back to you.   If you remain unsatisfied with our response or believe we are not processing your personal data in accordance with the applicable law, you are able to contact the data protection supervisory authority in your country. In the UK, it is the Information Commissioner’s Office (ICO) who regulates Data Controllers compliance with data protection legislation. They can be contacted by email: casework@ico.org.uk, post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or by telephone: 0303 123 1113.

 

 

 

10. Useful information

Vulnerable Adults

We are committed to the privacy protection of vulnerable adults. If we are notified that you are a vulnerable adult we will liaise with your authorised representative, once we are in receipt of the appropriate permissions.

Links to other websites

The websites used for administering the Plan can contain links to other websites run by other organisations, or other Equiniti companies. When you are on another website, we encourage you to read their privacy statement as it will take precedence over this Privacy Notice. We are not responsible for the privacy policies and practices of other sites.

Social media, blogs, reviews, and similar services

Any social media posts or comments you make to us or the delivery of your Plan (e.g. through a Facebook page) will be shared under the terms of the relevant social media platform (e.g. Facebook or Twitter) on which they are made and could be made public by that platform. These platforms are controlled by other organisations, and so we are not responsible for this sharing. You should review the terms and conditions and privacy policies of the social media platforms you use to ensure you understand how they will use your information, what information relating to you they will place in the public domain and how you can stop them from doing so if you are unhappy about it.

Any blog, review or other posts or comments you make about us, our products and services on any of our blogs, reviews or user community services will be shared with all other members of that service and the public at large.

You are responsible for ensuring that any comments you make comply with any relevant policy on acceptable use of those services.

Changes to this Privacy Notice

We review our use of your personal data regularly. In doing so, we can change what personal data we collect, how we keep it and/or what we do with it. As a result, we can change this Privacy Notice from time to time to keep it relevant and up to date.

We will endeavour to alert you to these changes so that you can check you are happy with them before proceeding any further. Please look out for notices from us alerting you to these changes, via websites or other timely communications. If you see such an alert, please take a moment to ensure that you’re happy with any changes. However, we will also tell you of the changes where required by law to do so.

By continuing to use our products and services, you will be bound by this Privacy Notice.

This Privacy Notice was issued In March 2023. If you require copies of previous versions of this Privacy Notice, please contact the Equiniti Data Protection Officer using the contact details noted below.

11. EU GDPR

The European Union adopted the European General Data Protection Regulation (EU GDPR) on May 25^th 2018 and you are protected by the provisions of the EU GDPR if you are in the EU.

The information within this Privacy Notice meets the EU GDPR requirements, however, you also have the right to lodge a complaint (as per section 9 above) with your relevant data protection supervisory authority.

12. Where to find further information about this Privacy Notice

We hope that this Privacy Notice has been helpful in setting out how we handle your personal data and your rights to control it. If you have any questions that remain unanswered, please contact our Data Protection Officer:

• By email at DPO@equiniti.com,
• By post at PO Box 5243, Worthing, BN99 9FY

EU Representatives – (Based in Poland)

• +48 660 765 918
• mackowska-mortyz@kochanski.pl