Data Protection Policy

Published: 15th June 2024

1. Purpose & Scope

1.1 This policy sets out Four32’s approach to complying with laws and regulations relating to Personal Data protection and privacy, and explains how we collect, store, process, and dispose of Personal Data.

1.2 This policy applies to all Business Units and to all Employees.

1.3 Individual Business Units may adopt their own data protection policies and procedures reflecting their own operations and management structures, provided that they comply with the minimum standards set out in this policy.

2. Approval & Responsibility

2.1 This policy has been approved by the Board, which has ultimate responsibility for the policy and for ensuring it is adequately communicated to all employees.

2.2 All Employees are responsible for observing and complying with the provisions of this policy and for avoiding any activity that might lead to, result in, or suggest a breach of this policy.

3. What Are Data Protection Laws?

3.1 In this policy, “Data Protection Laws” means all applicable laws, orders, and regulations relating to Personal Data or privacy (including the privacy of electronic communications).

“Personal Data” means data relating to a living individual who can be identified from that data (or from that data combined with other information in our possession or which we can reasonably access), subject to any specific requirements of applicable Data Protection Procedures.

4. Policy Statement

4.1 Individuals have rights regarding how their Personal Data is handled. The business collects, stores, and processes Personal Data relating to its staff, customers, suppliers, and other third parties in the course of its operations and recognises the need to treat such Personal Data lawfully.

4.2 Failure to comply with Data Protection Laws may expose the business to significant fines calculated by reference to its total worldwide annual turnover, criminal sanctions, civil claims by affected third parties, and reputational damage.

4.3 It is Four32’s policy to comply with all Data Protection Laws in the countries in which it operates or which are otherwise applicable to its business.

5. Data Protection Procedures

5.1 Within the framework of this policy, all Business Units must adopt Data Protection Procedures designed to ensure compliance with applicable Data Protection Laws in the regions or countries in which they operate.

5.2 All Data Protection Procedures must be complied with by Business Units and by all Employees.

6. Data Protection Officers

6.1 Data Protection Laws may require certain companies or legal entities within the Group to appoint a Data Protection Officer (or equivalent). Any such appointment must be approved by the Directors, who otherwise act as the Data Protection Officer for the business.

7. Personal Data Breaches

7.1 A “Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data that is transmitted, stored, or otherwise processed by the business. Personal Data Breaches may result from cyber-attacks or human error.

7.2 All Personal Data Breaches must be reported to the Board immediately.

8. Reporting Concerns

8.1 Subject to paragraph 7 (Personal Data Breaches), any suspected breaches of this policy should be reported in accordance with the procedures set out in the Company’s Whistleblowing Policy.

9. Training & Awareness

9.1 The Directors must ensure that adequate and regular training is provided to relevant Employees on compliance with Data Protection Laws. Training should be proportionate to the risks faced and tailored to the requirements of each role.

9.2 The Directors must monitor and evaluate the effectiveness of training, including ensuring consistent delivery, addressing non-attendance, and reviewing training periodically to ensure it remains appropriate.

10. Recordkeeping

10.1 The Directors must ensure that sufficient records are maintained to evidence compliance with this policy, including appropriate training records.