Data Protection Policy

1. Overview And Objectives

1.1. Importance Of Data Protection

The protection of personal data and compliance with data protection laws and regulations is important to our organisation (“Tablebook Me Ltd”, “TBM”, “we”, “us”).

1.2. Purpose Of This Policy

This Policy creates a comprehensive governance structure for managing data protection risks. It and its supporting documents lay out processes and tools that deliver a consistent approach to data protection risk management across the organisation. The protection of personal data of staff and customers is fundamental to preserving trust. Using personal data responsibly can create significant business opportunities for our organisation, our partners and customers. Furthermore, failure to address data protection risk adequately and in compliance with the law can cause brand and reputational damage as well as result in legal penalties.

1.3. What This Policy Covers

This Policy: (a) sets out the principles that underpin our Data Protection Policy; (b) identifies and explains the data protection roles and responsibilities of individuals and teams within TBM; (c) establishes the Data Protection Programme; (d) identifies the internal policies, procedures and standards which support this Policy and together with this document constitute our organisation’s privacy Policy; and (e) sets out a non-exhaustive list of the requirements that all staff must comply with.

1.4. Use Of Judgement And Seeking Advice

This Policy does not provide an exhaustive list of permitted or prohibited conduct or set forth every rule. It is not a substitute for the responsibility to exercise good business judgement and proper care. Individuals should continue to seek proper advice through appropriate channels regarding any concerns and issues that are not specifically addressed in this Policy.

2. Scope And Enforcement

2.1. Who This Policy Applies To

This Policy covers all employees, officers, consultants, contractors, casual workers and agency workers with respect to all operations carried out by us around the world which involve the processing of personal data.

2.2. Compliance Obligations And Consequences

It is the responsibility of employees, officers, consultants, contractors, casual workers and agency workers throughout our organisation to comply with this Policy. Acknowledgement and understanding of this Policy is required through contracts and mandatory training. Failure to comply with this Policy may be a breach of the terms of employment and may lead to disciplinary actions up to and including termination of employment or services contracts.

2.3. Oversight And Accountability

Senior management is responsible for ensuring adherence to this Policy. The Managing Director is ultimately responsible for oversight of this Policy.

3. Data Protection Principles

3.1. Lawful, Fair And Transparent Processing

(a) We use personal data in a way that is lawful, fair and transparent. (b) We comply with data protection laws within each of the jurisdictions in which we operate and help individuals understand what information we collect, how we use it and what choices they have. We explain this in clear privacy statements that are regularly reviewed to align with internal practices.

3.2. Purpose Limitation

We only collect personal data for specified, clear and legitimate purposes and only as much personal data as we need to achieve those purposes. Though personal data is necessary to provide our services, we only use it in ways that are proportionate to clear goals.

3.3. Data Accuracy

We take steps to ensure that the personal data we hold is accurate, up to date and relevant to the purposes for which it is collected.

3.4. Data Retention

(a) We keep personal data in an identifiable form for as long as is necessary for the purposes for which we are using it. (b) We think carefully about how long we keep personal data and maintain clear guidelines on retention periods and the safe disposal of information containing personal data.

3.5. Rights Of Data Subjects

We are fully committed to addressing the privacy rights of individuals when we process their personal data in accordance with the applicable laws.

3.6. Information Security

(a) We use appropriate technical and organisational measures to keep personal data secure and ensure its integrity, confidentiality and availability across all systems at all times. (b) We have implemented appropriate security measures, regularly reviewed against best practice, and documented in the Information Security and IT Policies. (c) We require the same level of information security from our service providers to protect personal data processed on our behalf.

3.7. International Transfers Of Personal Data

TBM and its subsidiaries are a global business and we transfer information internationally. We ensure that adequate safeguards are in place to protect personal data transferred to countries without adequate data protection laws.

3.8. Data Protection Accountability

We are all responsible for upholding the Data Protection Principles and respecting individuals’ privacy rights. Everyone operating within or on behalf of our organisation must comply with our privacy policies and help TBM uphold its commitments to the protection of personal data.

4. Roles And Responsibilities

4.1. Governance Of The Privacy Management Programme

Governance bodies have been established to roll out and supervise the implementation of the Privacy Management Programme.

4.2. Managing Director

The Managing Director is the final point of escalation within TBM’s governance structure.

4.3. Data Protection Officer(s) – Oversight And Escalation

The Data Protection Officer(s) will have oversight and be the escalation point for high-risk data protection questions and will promote effective communication between departments responsible for data protection compliance.

4.4. Data Protection Officer(s) – Advisory And Regulatory Contact

The Data Protection Officer(s) inform and advise TBM on obligations under client contracts and data protection laws, monitor ongoing compliance with those laws and this Policy, and act as the point of contact for data protection authorities.

4.5. Supporting Departments And Staff Responsibilities

(a) The Training Department ensures employees are made aware of their data protection rights and responsibilities within their jurisdictions, provides relevant privacy notices and employment terms, and delivers training. (b) Any business function processing personal data manages privacy risk for its processing, including when engaging third parties; consults the Data Protection Officer(s) when required; ensures the security of personal data; and handles and escalates security incidents as required. (c) All staff must preserve confidentiality and handle personal data securely in accordance with this Policy and supporting policies, procedures and standards.

5. Data Protection Programme

5.1. Programme Overview And Objectives

The Data Protection Officer(s) operate and oversee the TBM Data Protection Programme, providing a comprehensive, coordinated approach to managing data protection risk while serving business needs and strategies. The Programme aims to ensure: (a) required data protection policies and procedures are operationalised; (b) data protection risks are identified with guidance and oversight of the risk lifecycle; (c) risks and metrics are identified and escalated via TBM governance; (d) documentation of compliance, including decisions, implementation and audit; (e) oversight of records of processing activities; (f) facilitation and oversight of data protection impact assessments (“DPIAs”); (g) oversight of third-party vendor management; (h) guidance on data protection in mergers and acquisitions; (i) data protection training and awareness; (j) development of security incident identification and response plans; (k) collaboration across the organisation; (l) data subject rights servicing.

5.2. Relevant Policies

Our organisation operates in compliance with this Policy and all internal policies, procedures and standards relating to data protection. The current related documents are as follows and may be updated, added to or replaced: (a) Data Protection Policy – comprehensive governance for managing data protection risks; (b) Incident And Breach Policy – how to respond to incidents and breaches concerning personal data and mitigate risk; (c) Data Subject Rights Policy – explains rights available to data subjects under applicable laws; (d) Employee Privacy Notice – how staff personal data is processed; (e) Data Security Policy – principles and procedures for information security including encryption, access controls and technical measures.

5.3. Documentation Of Compliance

(a) The Data Protection Officer(s), supported by relevant business functions, will create and maintain records of decisions and actions taken toward data protection risk mitigation and management in accordance with applicable laws, enabling effective collaboration with regulators if required. (b) The Data Protection Officer(s) oversee development and maintenance of additional records required to demonstrate compliance, including consent records, notices to data subjects and a register of personal data breaches.

5.4. Vendor Risk Management

(a) TBM conducts due diligence on third-party vendors prior to engagement, includes appropriate data protection clauses in agreements and monitors ongoing compliance. The Data Protection Officer(s) develop and maintain supporting processes and procedures, updated to address emerging risks. (b) Risks that cannot be mitigated where the business wishes to proceed will be escalated to the Managing Director for sign-off.

5.5. Mergers And Acquisitions

The Data Protection Officer(s) engage early in planned deals to evaluate data protection risks and recommend mitigation. They also participate in post-merger integration to ensure alignment with TBM’s Data Protection Policy.

5.6. Training And Awareness

(a) Data protection awareness training forms part of the compliance training plan and is required of all staff on a regular basis. (b) The Data Protection Officer(s) ensure content remains up to date and appropriate to TBM’s operations, monitor completion rates and provide role- or subject-specific training and relevant communications.

5.7. Security Incident Identification And Response

(a) All departments monitor operations for incidents concerning the security of personal data, capture them in a timely and consistent manner and escalate suspected incidents to the Data Protection Officer(s) without delay. (b) All staff must immediately escalate any actual or suspected security incidents according to the Incident Management Plan. (c) The Data Protection Officer(s), with IT Security, identify, evaluate and remediate security incidents and risk events, evaluate trends and escalate significant events to the Managing Director where necessary.

5.8. Appointment Of Data Protection Officer(s)

Data Protection Officer(s) have been appointed to oversee the Programme, although this is not a mandatory appointment under Article 37 UK GDPR.

5.9. Data Subject Rights Servicing

The Data Protection Officer(s) will establish a data subject rights policy covering intake, escalation, roles and responsibilities for responding, and the technical and organisational measures used to address requests.

5.10. Appropriate Use Of TBM And Subsidiaries’ Data And Equipment

(a) Use data and equipment for legitimate business purposes in accordance with policies, guidelines and instructions. (b) Do not install or use software without appropriate approval. (c) Manage business applications on computers and telecommunications devices in line with policy and the Information Security and IT Policies.

5.11. Reporting Data Security Incidents

Immediately report to the Data Protection Officer(s): (a) any suspicious activity related to a computer, network or software application; (b) any potential or actual loss, misuse, improper access or modification of personal data, including loss of mobile devices or paper records; (c) any compromise to a system or device containing personal data; (d) any access, use or disclosure of personal data in violation of policy. Once submitted, the incident will be investigated and corrective actions implemented as necessary.

5.12. Completion Of Required Training

Undertake and complete all required data protection and information security training.

5.13. Consequences Of Non-Compliance

Non-compliance with this Policy may result in disciplinary action up to and including termination of employment or business relationship, as well as legal action.

6. Amendments To The Policy

6.1. Review Cycle And Approvals

The Data Protection Officer(s) shall review this Policy no less than once every year or as soon as reasonably practicable where required and recommend appropriate changes to the Managing Director for approval.

6.2. Communication Of Changes

We will draw your attention to any changes where appropriate or required.

7. Exceptions And Escalations

7.1. Exceptions Process

Any exception to this Policy must be reviewed and approved by the Data Protection Officer(s). The Data Protection Officer(s) may escalate any non-adherence or exception request to the Managing Director as needed. All exceptions must be approved before implementation.

7.2. Escalation And Interpretation

The Data Protection Officer(s) will ensure questions about the appropriate interpretation of this Policy in light of legal and regulatory requirements are resolved, engaging the Legal function where needed. The Managing Director resolves escalated interpretation questions outside legal or regulatory matters.

8. Definitions

8.1. Data Breach Or Security Incident

Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data, for example mis-sent emails, lost or stolen paper records, or cyber-attacks.

8.2. DPIAs

Data Protection Impact Assessments.

8.3. Data Subject Or Individuals

Any living individual to whom personal data or sensitive data relates, such as staff, website visitors or customers.

8.4. Information Security Department

The TBM Information Security Department.

8.5. Internal Audit Department

The TBM Internal Audit Department.

8.6. Legal Department

The TBM Legal Department.

8.7. Marketing Department

The TBM Marketing Department.

8.8. M&A

Mergers and Acquisitions.

8.9. Personal Data

Any information relating to an individual that identifies the individual or could reasonably be used to identify the individual, regardless of medium. Examples include contact details, financial data, passwords, IP addresses, pictures, online search history and geolocation information. Unless otherwise stated, personal data includes sensitive data as defined below.

8.10. Processing

Any use of personal data by TBM or a subsidiary, or a third party on behalf of TBM, including collection, sharing and storage. Mere storage is considered processing.

8.11. RoPA

Records of Processing Activities.

8.12. Sensitive Data

Information about racial or ethnic origin; political opinions; religious or similar beliefs; trade union membership; physical or mental health or condition; sexual life; sexual orientation; genetic and biometric data such as fingerprints, facial recognition and retinal scans; and criminal offences committed or alleged to have been committed by the data subject.