Goodbusiness
Date reviewed: January 2024
DATA PROTECTION POLICY - ANTHOS CARBON TRACKER TOOL
1. INTRODUCTION
Good Business needs to gather and use certain information for the Anthos Carbon Tracker Tool.
Good Business is committed to being transparent about how it collects and uses the personal data of its workforce, and to meeting its data protection obligations. This policy sets out our commitment to data protection, and individual rights and obligations in relation to personal data.
It describes how this personal data must be collected, handled and stored to meet our data protection standards — and to comply with the law.
2. POLICY SCOPE
This policy applies to all of our employees, as well as any contractors, suppliers and other people who work on our behalf.
It applies to all data that the company holds relating to identifiable individuals, including:
- Contact information (name, email).
- Country of residence and holiday homes.
- Household composition.
- General data concerning their homes, travels, food and shopping habits.
- Clients can provide percentages and types of outside investments.
3. DEFINITIONS
"Personal data" is any information that relates to an individual who can be identified from that information. "Processing" is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.
"Special categories of Personal Data": Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation within the meaning of Article 9 of the GDPR. This also includes personal data relating to criminal convictions and offences within the meaning of Article 10 of the GDPR and national identification numbers.
"GDPR": Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
4. DATA PROTECTION LAW AND PRINCIPLES
The General Data Protection Regulation (“GDPR”) describes how organisations must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
Good Business processes personal data in accordance with the following data protection principles set out in the GDPR:
- Processing personal data lawfully, fairly and in a transparent manner.
- Collecting personal data only for specified, explicit and legitimate purposes.
- Processing personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
- Keeping accurate personal data and taking all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
- Keeping personal data only for the period necessary for processing.
- Adopting appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.
Good Business tells individuals the reasons for processing their personal data, how it uses such data and the legal basis for processing in its privacy notices. It will not process personal data of individuals for other reasons.
Where Good Business processes special categories of personal data this is done in accordance with a policy on special categories of data.
Good Business keeps a record of its processing activities in respect of personal data in accordance with the requirements of the GDPR.
5. DATA PROCESSING OPERATIONS
Description of the nature of the Data Processing Operation
- Collection, recording, organisation, analysis and reporting on data associated with personal carbon footprints and consultation with data subjects on this issue.
- Due to the SK Carbon Pledge, the individual SK client data will be used to create the yearly SK Carbon Pledge group report.
Purposes of the Data Processing Operation
- To allow Good Business to calculate individual carbon footprints, communicate with the Data Subjects and provide advice and guidance and to report to Anthos on the individual and aggregated results of this analysis as part of a contract to deliver these services to Anthos.
Categories of Data Subjects
- SKs.
- Family members.
- Anthos employees.
(Categories of) Personal Data
- Contact information (name, email).
- Country of residence and holiday homes.
- Household composition.
- General data concerning their homes, travels, food and shopping habits.
- Clients can provide percentages and types of outside investments.
Retention period for the Personal Data, or the criteria used to establish the retention period
- We retain the information we collect no longer than is reasonably necessary to fulfil the purposes for which such data was originally collected, in accordance with our internal data retention policies, or to comply with our legal and regulatory obligations. Data collected will be held for as long as is necessary to allow us to make comparisons over time and to assess trends, both at an aggregated level and an individual level.
6. INDIVIDUAL RIGHTS
Those about whom we hold and process personal data, including employees, have a number of rights in relation to their personal data.
Subject access requests
Individuals have the right to make a subject access request. If you make a subject access request, Good Business will tell you:
- whether or not your data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from you;
- to whom your data is or may be disclosed;
- for how long your personal data is stored;
- your rights to rectification or erasure of data, or to restrict or object to processing;
- your right to complain to the Information Commissioner if you think Good Business has failed to comply with your data protection rights; and
- whether or not Good Business carries out automated decision-making and the logic involved in any such decision-making.
We will also provide you with a copy of the personal data undergoing processing.
To make a subject access request, you should send the request to david@good.business. We will usually ask for proof of identification before the request can be processed.
We will normally respond to a request within a period of two weeks from the date it is received, and if this is not possible (for example if the request is particularly complex) we will notify you.
If a subject access request is manifestly unfounded or excessive, for example is a repeat of a previous request, we are not obliged to comply with it. Alternatively, we can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request.
Other rights
You have a number of other rights in relation to your personal data. You can require Good Business to:
- rectify inaccurate data;
- stop processing or erase data that is no longer necessary for the purposes of processing;
- stop processing or erase data if your interests override our legitimate grounds for processing data (where we rely on legitimate interests as a reason for processing data);
- stop processing or erase data if processing is unlawful; and
- stop processing data for a period if data is inaccurate or if there is a dispute about whether or not the individual's interests override our legitimate grounds for processing data.
To ask Good Business to take any of these steps, you should send the request to david@good.business.
Disclosing data for other reasons
In certain circumstances, the law allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances we will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.
6. INTERNATIONAL DATA TRANSFERS
Good Business will not transfer personal data to countries outside the EEA.
7. RESPONSIBILITIES
Everyone who works for or with us has some responsibility for ensuring data is collected, stored and handled appropriately.
Specific responsibilities
In addition to the individual responsibilities set out above, the following people have key areas of responsibility in respect of data protection:
- Giles Gibbons, as our CEO, is ultimately responsible for ensuring that we meet our legal obligations.
- The Managing Partner, David Lourie, is responsible for:
  - Keeping the board of directors updated about data protection responsibilities, risks and issues.
  - Reviewing all data protection procedures and related policies, in line with an agreed schedule.
  - Arranging data protection training and advice for the people covered by this policy.
  - Handling data protection questions from staff and anyone else covered by this policy.
  - Dealing with requests from individuals to see the data we hold about them (also called ‘subject access requests’).
  - Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
  - Approving any data protection statements attached to communications such as emails and letters.
  - Addressing any data protection queries from journalists or media outlets like newspapers.
  - Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
- Fluid IT (our IT partner) are responsible for (in relation to all Good Business IT provision):
  - Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
  - Performing regular checks and scans to ensure security hardware and software is functioning properly.
  - Evaluating any third-party services the company is considering using to store or process data, for instance cloud computing services.
- Creative Folks are responsible for (in relation to all Anthos Carbon Tracker Tool hosting provision):
  - Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
  - Performing regular checks and scans to ensure security hardware and software is functioning properly.
  - Evaluating any third-party services the company is considering using to store or process data, for instance cloud computing services.
8. DATA SECURITY
Good Business takes the security of personal data seriously. We have internal policies and controls in place (set out below) to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties.
Where we engage third parties to process personal data on our behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
If Good Business discovers that there has been a breach of personal data that poses a risk to the rights and freedoms of individuals, we will report it to the Information Commissioner within 72 hours of discovery. We will record all data breaches regardless of their effect.
25 Gerrard Street, London, W1D 6JL | +44 (0)20 7494 0565 | www.good.business
Registered Company Number 356 1306