Standard Chartered Group Non Employed Workers Privacy Statement This Group Non Employed Workers ("NEW") Privacy Statement relates to the collection, use and disclosure of Personal Data about any NEW ("“you", “your") by any member of the Standard Chartered Group ("SCB", Swe", “our'), Capitalised terms are defined at the end of this Statement. Nothing in this privacy statement should be taken to imply a relationship of employer/employee between us and you. Purposes for which we may Process your Personal Data ‘The Personal Data (including Sensitive Personal Data) we Process in relation to you is provided by you, third parties, collected through publicly available sources, or generated during your application for, and throughout, your contract/engagement with us, through any media. The controller of your personal data is the SCB entity who has a contractual relationship with your ‘employer/entity through which you are retained, and Group Human Resources. The processing of your personal data is necessary to comply with any legal right or obligations to which we are subject in relation to your contract/engagement. The purposes for which your Personal Data may be processed include, but are not limited to the following: Recruitment; Pre-and post assignment/contract verification screening including searches with a credit reference agency, sanctions screening checks and criminal record checks, where allowed by law; Health and safety matters; Diversity (our commitment to a diverse and inclusive workforce/equal opportunities monitoring); Training: Business travel and the payment of expenses; Contingency planning and emergency contact; Internal transfers: Maintaining a record of your work history; The provision of references to third parties; The Speaking Up programme; To monitor and manage Conduct risk; To monitor compliance with all internal policies and procedures, including but not limited to outside business interests, gifts and entertainment, close financial relationships, usage of electronic equipment, and where necessary, for related investigative purposes; * For the prevention and detection of crime including, but not limited to, fraud and other financialcrime; Management of any action, including disciplinary action, considered, instigated or taken as a result of your conduct or performance; To comply with legal and regulatory requirements; ‘system and equipment access, access rights and usag Global communications (i.e. email); Surveillance cameras for security and protection of employees, premises and Bank assets; and Badge entry system access. Netto dete sift 27 |Standard @ Chartered i ‘To whom we may disclose your Personal Data Your Personal Data will be Processed by your line management and Group functions such as Human Resources, Audit, Compliance, Legal and Shared Investigative Services for the purposes outlined above. In addition, we may also disclose your Personal Data to: ‘* professional advisors, third party providers, agents or independent contractors and other Group companies providing services to SCB; ‘+ your employer/recruit ment agency/entity through which you are contracted/sub-contracted; ‘* any person in connection with litigation or other legal proceedings, to obtain legal advice or for establishing, exercising or defending legal rights; any person to whom disclosure Is allowed ore required by Law and/or Regulation; ‘© any court, tribunal, Regulatory Authority or Governmental Entity; ‘© any criminal records bureau, credit bureau or credit reference agency when conducting background checks when we are allowed by law or regulation to do so; and ‘+ third parties to whom we may transfer our rights and/or obligations under any agreement, including but not limited to a potential merger or acquisition of all or part of the Group's business. Retaining your Personal Data Your Personal Data is retained in line with Law, Regulation and business operational requirements and the Group Records Management Policy. Records retention schedules are included in the Group Records Management Policy. When you leave the Group, the purposes for which we will retain your Personal Data include the following: maintaining historical records; statistical and analysis; for the provision of references to third parties at your request or with yourconsent; in connection with any investigation (internal or otherwise) or litigation or regulatory enquiries or proceedings where you have been involved in the business undertying the investigation, enquiries or proceedings and/or may have relevant information; and ‘other purposes allowed required by Law and/or Regulatior in any jurisdiction. ‘The monitoring of electronic communications The monitoring of electronic communications is governed by the Notice on the Monitoring of Staff Electronic ‘Communications and Use of Group Applications and Systems which can be accessed on the RiskPod here. ‘We use internet blocking software to block access to certain sites. Reports are generated detailing who has tried to access a potentially blocked site and when. These reports may be reviewed when itis suspected that there may be in breach of internal rule or policy, Law and/or Regulation. ‘Accessing your Personal Data Most if not all of the Personal Data Processed in relation to you is accessible to you through the NEW Portal here. If you wish to access Personal Data you believe to be Processed in relation to you which is not accessible on the NEW Portal please email AskHR ([email protected]).. neque ell 1o9[ 2024Standard Chartered 8 ‘Correcting to your Personal Data Please ensure your Personal Data is up to date at all times. You can directly update some Personal Data through the NEW Portal, otherwise please email AskHR concerning deletions, updates or corrections. Your right to erasure ‘You may have the right in some circumstances to ask for some of your Personal Data to be deleted, for ‘example when there is no longer a valid reason to process it. This is not an absolute right to have any personal data deleted that you wish. Your right to object to or restrict the processing of your personal data |n some circumstances you may have the right to object to how we process your Personal Data or restrict its processing but this does not mean you can decide or choose how we process your Personal Data. If you have any concerns about how we process your Personal Data, please email AskHR ([email protected]). Automated decision making and profiling If we undertake any profiling that will result in an automated decision relating to you, we will do so on the basis that we think it is necessary in relation to your assignment/contract with us or with your consent; we ill let you know and you will have the right to discuss the decision. How we protect your Personal Data All Staff must comply with the Group Information Security Policy which imposes technical and organisational security measures to safeguard Group data assets including your Personal Data. When using external service providers, we require that they adhere to security standards mandated by the SCB. Personal Data may be transferred to, or stored at, a location outside of your country of assignment/contract Where the law may not afford the same level of protection as your country of assignment/contract. Regardless of where Personal Data is transferred, when under our control we take all steps reasonably necessary to ensure that Personal Data is kept securely. If your country of assignment/contract is in the European Union ("EU") and your personal data is processed in a country outside of the EU, we will put in place contractual clauses approved by the EU Commission as providing an adequate level of protection. Global Business Services in India, Malaysia, China and Europe may process your personal data. Third parties who may be a controller of your personal data In some circumstances, we may provide your personal data to a third party who will determine how and why ‘your personal data will be processed, for example SCB external auditors. In addition, in the course of your assignment/contract, you may as part of your role interact with corporate clients and third parties such as counterparties and service providers. Such companies may collect your Personal Data, including but not limited to, your name and contact details. In these situations, the ‘organisation concerned is directly responsible for how they Process your Personal Data and SCB will have limited rights in this regard. If you have concerns about how such organisations Process your Personal Data you should contact the organisation direct.Standard © Chartered 8 Complaints If you have a complaint in relation to the processing of your Personal Data and you are not happy with the way we deal with it, please raise through AskHR, your line manager or contact the Global Head of Privacy. You also have the right to complain to the data protection authority, if one exists, in the country where you are employed or the UK Information Commissioner. Details can be obtained from the Global Head of Privacy. Changes to the Group Non Employed Workers Privacy Statement This Privacy Statement may be updated from time to time and you should revisit this site regularly to check for any changes. ‘Your professional responsibilities Most of us process Personal Data in the work we do every day, whether it relates to a Retail or Private Banking Client, the individuals we deal with at our Corporate Clients, third party vendor personnel or Staff. ‘There are laws and regulations that govern every aspect of how we process personal data, from the point of collection through to destruction, the key obligations of which are set out in the Group Privacy Policy. In your role, you must process personal data in line with the Group Privacy Policy and the Group Code of ‘Conduct. Sanctions for a breach of any aspect of privacy law can be severe, potentially leading to regulatory action being taken against SCB and/or the NEW responsible. In some circumstances, a breach may be a criminal offence or lead to other sanctions such as a fine, public censure or a cease and desist order. A breach may also result in disciplinary action, including terminating your assignment/contract. In some countries in which the Group operates, there is an obligation to report personal data breaches to the ‘supervisory authority. It is important therefore you understand the Group Privacy Principles and, in particular, comply with the following: ‘= When recording free text comments only record the minimum amount of Personal Data necessaryand wherever possible ensure comments are objective rather than subjective ‘= Ensure Personal Data recorded can be justified (in court if necessary) as being in the interest of the Bank = Remember any or all records might have to be disclosed to a Client, regulators or a court, including emails * Do not create or maintain unnecessary paper notes/memos/records that include Personal Data * Do not access any Personal Data you are not authorised to access, for example having access to a client database does not authorise you to access a particular client record unless you have a specific authorised business reason to do so. * Do not access any Personal Data out of curiosity or for personal gain - Personal Data can only be accessed if you have a specific business reason for doing so * Do not send Personal Data to any private or personal email accounts (other than your own Personal Data) ¢ Only disclose Personal Data to a third party if you are expressly authorised and instructed to do so as part of your role, ensuring the data is encrypted and password protected with the password sent by a different channel © If you are processing Personal Data in a public space make sure you cannot be overseen by any person or video camera ¢ Donot discuss Personal Data where you can be overheard by people not authorised to hearit ¢ Always dispose of paper records that include Personal Data in a confidential or shredding bin ‘* Lock away paper records including Personal Data when not in use , Naleda Lhoule 2\) 0 22}Standard © Chartered 8 ‘Complaints: If you have a complaint in relation to the processing of your Personal Data and you are not happy with the way we deal with it, please raise through AskHR, your line manager or contact the Global Head of Privacy. You also have the right to complain to the data protection authority, if one exists, in the country where you are employed or the UK Information Commissioner. Details can be obtained from the Global Head of Privacy. Changes to the Group Non Employed Workers Privacy Statement This Privacy Statement may be updated from time to time and you should revisit this site regularly to check for any changes. ‘Your professional responsibilities Most of us process Personal Data in the work we do every day, whether it relates to a Retail or Private Banking Client, the individuals we deal with at our Corporate Clients, third party vendor personnel or Staff. ‘There are laws and regulations that govern every aspect of how we process personal data, from the point of collection through to destruction, the key obligations of which are set out in the Group Privacy Policy. In your role, you must process personal data in line with the Group Privacy Policy and the Group Code of ‘Conduct. Sanctions for a breach of any aspect of privacy law can be severe, potentially leading to regulatory action being taken against SCB and/or the NEW responsible. In some circumstances, a breach may be a criminal offence or lead to other sanctions such as a fine, public censure or a cease and desist order. A breach may also result in disciplinary action, including terminating your assignment/contract. In some countries in which the Group operates, there is an obligation to report personal data breaches to the ‘supervisory authority. It is important therefore you understand the Group Privacy Principles and, in particular, comply with the following: ‘= When recording free text comments only record the minimum amount of Personal Data necessaryand wherever possible ensure comments are objective rather than subjective ‘= Ensure Personal Data recorded can be justified (in court if necessary) as being in the interest of the Bank = Remember any or all records might have to be disclosed to a Client, regulators or a court, including emails * Do not create or maintain unnecessary paper notes/memos/records that include Personal Data * Do not access any Personal Data you are not authorised to access, for example having access to a client database does not authorise you to access a particular client record unless you have a specific authorised business reason to do so. * Do not access any Personal Data out of curiosity or for personal gain - Personal Data can only be accessed if you have a specific business reason for doing so * Do not send Personal Data to any private or personal email account/s (other than your own Personal Data) + Only disclose Personal Data to a third party ifyou are expressly authorised and instructed to do so as part of your role, ensuring the data is encrypted and password protected with the Password sent by a different channel © Ifyou are processing Personal Data in a public space make sure you cannot be overseen by any person or video camera ¢ Donot discuss Personal Data where you can be overheard by people not authorised to hearit © Always dispose of paper records that include Personal Data in a confidential or shreddingbin ‘© Lock away paper records including Personal Data when not inuge , Naira loi aye 2)Standard & Chartered SQ ‘* Comply with the Records Management Policy by deleting, disposing of or destroying Personal Data in line with the records retention schedules Maintain a clear desk policy and lock your screen when you are away from your desk Be careful when answering unsolicited telephone enquiries requesting Personal Data Do not leave documents including Personal Data unattended on printers, Remove any Personal Data from whiteboards and flipcharts when you exit a meeting room Log off and power down your laptop when in transi Notify the loss or theft of a laptop or mobile device immediately Do not procure the disclosure of personal data from a third party not authorised to provide .e. travelling from the office to yourhome) for ‘example, do not ask a job applicant to provide personal data of clients of another organisation they ‘might introduce to the Bank if successful in their application ‘© Donot forward emails which contain personal data that the recipient is not authorised tosee ‘© Donot allow anyone to use your unique user identifier or password to access Personal Data, © Comply with the requirements of the Information and Cyber Security Policy and Standards. Definitions Governmental Entity Means any government, government department or governmental, quasi-governmental, supranational, statutory, regulatory or investigative body, authority, agency, bureau, board, commission, court, association, institution, department, tribunal or instrumentality thereof in any applicable jurisdiction. Processing Law and/or Regulation Means any operation or set of operations which is performed upon Personal Data, and includes, collection, obtaining, recording, storing, retaining; the collection, organisation, adaption, alteration, retrieval, consultation, use, losure, transmission, dissemination, combination, blocking, erasure or destruction of Personal Data. The terms Processed and Processes shall be construed accordingly. Means: ~ _ all applicable laws, regulations or ordinances; or = _ any binding decisions, directions, instructions, pronouncements, requirements or rules, of an applicable Governmental Entity or Regulatory Authority which is = _ either binding on international bank doing business in the applicable jurisdiction; or - of a type with which an international bank doing business in the applicable jurisdiction would customarily comply, and “law and regulation” means any one of them. Personal Data Means information relating to an Individual, including current, past and potential Clients, Staff, suppliers, vendors or shareholders, as well as visitors to the Group's Aaja loeads ghalio ay) re)