This is the Data Protection policy adopted by Cambridge Detective Agency Limited (“CDA”)

1. This Policy is to protect the rights and privacy of living individuals and to ensure personal data is not processed by CDAwithout the individual’s (data subject’s) knowledge and consent, unless otherwise exempt.

2. This is a live document which is subject to revision from time to time dependant upon changes to legislation and other factors.

3. CDA is notified with the Information Commissioner’s Office – registration no. Z8714312

4. CDA complies with the requirements of the General Data Protection Regulation (GDPR) when processing personal data, including the collection, storage, transfer and disclosure of personal data, also the deletion and destruction of data.

5. CDA protects the rights and privacy of individuals (subjects of investigations and others) in accordance with GDPR.

6. .CDA needs to process certain information about its sub-contractors and other individuals it has dealings with such as clients for administrative purposes.

7. CDA’s core business activity is the provision of litigation support services, which involves miscellaneous investigation, locating individuals and process serving (delivery of legal documentation). Such activities are predominantly in connection with current or prospective legal proceedings, mainly in the Civil Law Courts. In consequence CDA may be instructed to process the personal data of individuals, identified in client instructions or during any investigation arising from instructions. The data we process originates from legally compliant, publicly available, open sources and personal data made public by the data subject. In addition, it may be provided by the Client under the lawful basis of Legitimate Interest.

8. Reasons/purposes for processing information: CDA processes personal information to enable the provision of investigatory and litigation support services, to maintain the company’s own accounts and records, also to support and manage its employees.

9. Type/classes of information processed: CDA processes information relating to the above reasons/purposes. This information may include: • Personal details • The investigation brief, results and related information • Lifestyle and social circumstances • Family details • Goods and services • Financial details • Education and employment details CDA also processes sensitive data/special categories of information that could include: • Physical or mental health details • Racial or ethnic origin • Trade union membership • Religious or other beliefs

10. Who the information is processed about: CDA processes personal information about: • Customers and clients • Witnesses • The subjects of investigations • Business contacts • Advisers and other professional experts • Suppliers Data Protection Policy • Employees

11. Who the information may be shared with: CDA sometimes needs to share the personal information it processes with the individual themselves and with other organisations. Where this is necessary CDA will comply with all aspects of the Data Protection Act (DPA) and the GDPR. What follows is a description of the types of organisations CDA may need to share some of the personal information it processes with for one or more reasons. Where necessary or required CDA shares information with: • Financial organisations • Credit reference, debt collection and tracing agencies • Police forces • Professional investigators in the private sector • Government • Business associates and other professional bodies and advisers • Suppliers • Current, past or prospective employers • Education and examining bodies • Family, associates or representatives of the person whose personal data we are processing

12. Transfer of data overseas: It may sometimes be necessary to transfer personal information overseas. When this is needed information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with all aspects of the DPA and GDPR.

13. CDA will not process personal data; • Without first having completed a Data Privacy Impact Assessment • Without the consent of the data subject, unless exempt or; • Unless there is a specific legitimate interest or; • Where such interests are overridden by the interests or fundamental rights of the data subject.

14. CDA will adhere to the Principles and Requirements of the GDPR 2018. Specifically: • Data shall be processed fairly and lawfully and shall not be processed unless specific conditions are met; • Shall be obtained for only one or more specified lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes; • Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed; • Shall be accurate and where necessary kept up to date; • Shall not be kept for longer than is necessary for that purpose or purposes; • Shall be processed in accordance with the rights of data subjects under the GDPR; • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; • Shall not be transferred to a country or territory outside the participating member countries unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

15. CDA will, through appropriate management, strict application of criteria and controls: • Observe fully conditions regarding the fair collection and use of personal data; • Meet its legal requirements to specify the purposes for which personal data is used; • Collect and process appropriate data, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements; • Ensure the quality of data used; • Apply strict checks to determine the length of time data is held; Cambridge Detective Agency Limited Data Protection Policy • Ensure that the rights of individuals about who information is held, can be exercised. To include the right of the individual to be informed that processing is being undertaken (except where exempt), the right to access one’s personal information, the right to prevent processing in certain circumstances and the right to correct, rectify, block or erase information which is proven inaccurate; • Take appropriate technical and organisation security measures to safeguard personal information; • Ensure that personal data is not transferred without suitable safeguards

16. In addition, CDA will ensure that: • Any person managing and handling personal data understands that they are contractually responsible for following good data protection practice; • Any person managing and handling personal data is appropriately trained to do so; • Any person managing or handling personal data is appropriately supervised; • Any query concerning the handling of personal data is dealt with promptly and courteously. • Methods of handling personal data are clearly described and understood; • A regular review and audit is conducted regarding the way personal data is managed and that all personal data is deleted in a timely manner.

17. CDA is the Data Processor under data protection legislation when dealing with its core business as an Investigation Agency/Litigation Support Services Supplier and the client is the Data Controller.

18. All personal data will only be accessible to those who need to use it. Personal data will be held securely: • In a locked room with controlled access, or • In a locked drawer or filing cabinet, or • If electronic, password protected, or • If kept on other digital storage devices in a locked drawer or cabinet. 19. Individual’s Rights: Under certain circumstances individuals have the right to: • Request access to their personal information. This enables them to receive a copy of the personal information that we hold about them and to check it is being lawfully processed. • Request correction of personal information we hold about them. • Request erasure of personal information. • Object to our processing of their personal information. • Request the restriction of our processing of personal information. Any individual who wishes to review, verify, correct, request erasure or object to the processing of personal information must submit a request in writing to: CDA, Windsearle House, The Street, Gazeley, Suffolk CB8 8RD. Please note that CDA is required to verify the identity of any person submitting such request. All requests must include the individual’s full name, address and contact telephone number. As an added measure the sender may also be asked to supply paper evidence of their identity. Persons making such application will not have to pay a fee. Cambridge Detective Agency Limited Data Protection Policy

19. CDA will ensure that personal data is not disclosed to unauthorised third parties which includes family members, friends, government bodies and in certain circumstances the Police, unless authorised under the terms of the prevailing data protection legislation or other statute or a Court Order, for the contractual duty of CDA or if otherwise exempt.

20. CDA does not use any personal information it secures for marketing purposes.

21. CDA undertakes services in accordance with the Association of British Investigators (ABI) Data Protection good practice policies and guides.

22. Data minimisation and retention: CDAwill retain the minimum data necessary for operational and legal obligations. The company has a policy of retaining data from its investigation and litigation service activities for 18 months, unless a client specifically requests longer retention, or the company is legally compelled to retain data for longer. In any event data specifically originating from CDA’s investigation and litigation support activities will not be retained for longer than 6 years.

23. Lawful Basis for processing: CDA processes all personal data, also sensitive/special categories data lawfully, fairly and in a transparent manner. For most of the services it supplies CDA will be processing data without the consent of the data subject, having first established that there is an applicable exemption in each case which can be justified. The exemptions listed under the GDPR for processing without a data subject’s consent are: ➢ Necessary for the purposes of legitimate interests pursued by the controller or a third party. ➢ Processing is necessary for compliance with a legal obligation. ➢ Processing relates to personal data which are manifestly made public by the data. ➢ Processing is necessary for the establishment, exercise or defence of legal claims or wherever courts are acting in their judicial capacity. In each case an assessment will be conducted to ensure that CDA has a lawful basis to process data.

Our Terms & Conditions Document is available on request.