GDPR

Table of Contents

1. Introduction

2. Scope

3. Definitions

4. Policy

4.1 Governance

4.1.1 Office of Data Protection

4.1.2 Policy Dissemination & Enforcement

4.1.3 Data Protection by Design

4.1.4 Compliance Monitoring

4.2 Data Protection Principles

4.3 Data Collection

4.3.1 Data Sources

4.3.2 Data Subject Consent

4.3.3 Data Subject Notification

4.3.4 External Privacy Notices

4.4 Data Use

4.4.1 Data Processing

4.4.2 Special Categories of Data

4.4.3 Data Quality

4.4.4 Profiling & Automated Decision-Making

4.4.5 Direct Marketing

4.5 Data Retention

4.6 Data Protection

4.7 Data Subject Requests

4.8 Law Enforcement Requests & Disclosures

4.9 Data Protection Training

4.10 Data Transfers

4.10.1 Transfers between Axon Outsourcing Entities

4.11 Complaints Handling

4.12 Breach Reporting

5. Policy Maintenance

5.1 Publication

5.2 Effective Date

5.3 Revisions

Appendix A - Information Notification to Data Subjects

Appendix B - Adequacy for Personal Data Transfers

1. Introduction

Axon Outsourcing Pvt. Ltd. (“Axon Outsourcing”) is committed to conducting its business in accordance with all applicable Data Protection laws and regulations and in line with the highest standards of ethical conduct. This policy sets forth the expected behaviors of Axon Outsourcing Employees and Third Parties in relation to the collection, use, retention, transfer, disclosure and destruction of any Personal Data belonging to an Axon Outsourcing Contact (i.e. the Data Subject).

Personal Data is any information (including opinions and intentions) which relates to an identified or Identifiable Natural Person. Personal Data is subject to certain legal safeguards and other regulations, which impose restrictions on how organizations may process Personal Data. An organization that handles Personal Data and makes decisions about its use is known as a Data Controller. Axon Outsourcing, as a Data Controller, is responsible for ensuring compliance with the Data Protection requirements outlined in this policy. Non-compliance may expose Axon Outsourcing to complaints, regulatory action, fines and/or reputational damage.

Axon Outsourcing’s leadership is fully committed to ensuring continued and effective implementation of this policy and expects all Axon Outsourcing Employees and Third Parties to share in this commitment. Any breach of this policy will be taken seriously and may result in disciplinary action or business sanction.

This policy has been approved by Axon Outsourcing’s Chief Executive Officer, Mr. Rohit Garg.

2. Scope

This policy applies to all Axon Outsourcing Entities where a Data Subject’s Personal Data is processed:

• In the context of the business activities of the Axon Outsourcing Entities.
• For the provision or offer of goods or services to individuals (including those provided or offered free-of-charge) by an Axon Outsourcing Entity.
• To actively monitor the behaviour of individuals.
• Monitoring the behaviour of individuals includes using data processing techniques such as persistent web browser cookies or dynamic IP address tracking to profile an individual with a view to:
    • Taking a decision about them.
    • Analyzing or predicting their personal preferences, behaviour and attitudes.

This policy applies to all Processing of Personal Data in electronic form (including electronic mail and documents created with word processing software) or where it is held in manual files that are structured in a way that allows ready access to information about individuals.

This policy has been designed to establish a worldwide baseline standard for the Processing and protection of Personal Data by all Axon Outsourcing Entities. Where national law imposes a requirement that is stricter than that imposed by this policy, the requirements in national law must be followed. Furthermore, where national law imposes a requirement that is not addressed in this policy, the relevant national law must be adhered to.

The protection of Personal Data belonging to Axon Outsourcing Employees is not within the scope of this policy. It is covered in the Axon Outsourcing ‘Data Protection for Employee Data’ policy.

3. Definitions

Employee

An individual who works part-time or full-time for Axon Outsourcing under a contract of employment, whether oral or written, express or implied, and has recognized rights and duties. Includes temporary employees and independent contractors.

Personal Data

Any information (including opinions and intentions) which relates to an identified or Identifiable Natural Person.

Contact

Any past, current or prospective Axon Outsourcing client.

Identifiable Natural Person

Anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data Subject

The identified or Identifiable Natural Person to which the data refers.

Data Controller

A natural or legal person, Public Authority, Agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

Data Processors

A natural or legal person, Public Authority, Agency or other body which Processes Personal Data on behalf of a Data Controller.

Axon Outsourcing Entity

An Axon Outsourcing establishment, including subsidiaries and joint ventures over which Axon Outsourcing exercises management control.

Process, Processed, Processing

Any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means. Operations performed may include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Protection

The process of safeguarding Personal Data from unauthorized or unlawful disclosure, access, alteration, Processing, transfer or destruction.

Data Protection Authority

An independent Public Authority responsible for monitoring the application of the relevant Data Protection regulation set forth in national law.

Data Protection Officer

A natural or legal person who oversees the compliance of the Data Controller and Data Processor, including creating awareness among employees, training, audits, cooperating with Data Protection Authorities, and acting as a point of contact.

Consent

Any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.

Special Categories of Data

Personal Data pertaining to or revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.

Third Country

Any country not recognized as having an adequate level of legal protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.

Profiling

Any form of automated processing of Personal Data where Personal Data is used to evaluate specific or general characteristics relating to an Identifiable Natural Person. In particular, to analyze or predict certain aspects concerning that natural person’s performance at work, economic situations, health, personal preferences, interests, reliability, behaviour, location or movement.

Binding Corporate Rules

The Personal Data protection policies used for the transfer of Personal Data to one or more Third Countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.

Personal Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

Encryption

The process of converting information or data into binary code, to prevent unauthorized access.

Pseudonymisation

Data amended in such a way that no individuals can be identified from the data (whether directly or indirectly) without a “key” that allows the data to be re-identified.

Anonymisation

Data amended in such a way that no individuals can be identified from the data (whether directly or indirectly) by any means or by any person.

4. Policy

4.1 Governance

4.1.1 Data Protection Officer

To demonstrate our commitment to Data Protection, and to enhance the effectiveness of our compliance efforts, Axon Outsourcing has established a Data Protection Officer (DPO). The DPO operates with independence and is staffed by suitably skilled individuals granted all necessary authority. The Data Protection Officer reports to Axon Outsourcing’s Chief Operating Officer, who has direct access to the Axon Outsourcing Board of Directors. The duties of the Data Protection Officer (DPO) include:

• Informing and advising Axon Outsourcing and its Employees who carry out Processing pursuant to Data Protection regulations, national law or Union based Data Protection provisions;
• Ensuring the alignment of this policy with Data Protection regulations, national law or Union based Data Protection provisions;
• Providing guidance with regards to carrying out Data Protection Impact Assessments (DPIAs);
• Acting as a point of contact for and cooperating with Data Protection Authorities (DPAs);
• Determining the need for notifications to one or more DPAs as a result of Axon Outsourcing’s current or intended Personal Data processing activities;
• Making and keeping current notifications to one or more DPAs as a result of Axon Outsourcing’s current or intended Personal Data processing activities;
• The establishment and operation of a system providing prompt and appropriate responses to Data Subject requests;
• Informing senior managers, officers, and directors of Axon Outsourcing of any potential corporate, civil and criminal penalties which may be levied against Axon Outsourcing and/or its Employees for violation of applicable Data Protection laws;
• Ensuring establishment of procedures and standard contractual provisions for obtaining compliance with this Policy by any Third Party who:
    • provides Personal Data to an Axon Outsourcing Entity;
    • receives Personal Data from an Axon Outsourcing Entity;
    • has access to Personal Data collected or processed by an Axon Outsourcing Entity.

4.1.2 Policy Dissemination & Enforcement

The management team of each Axon Outsourcing Entity must ensure that all Axon Outsourcing Employees responsible for the Processing of Personal Data are aware of and comply with the contents of this policy.

In addition, each Axon Outsourcing Entity will make sure all employees engaged to Process Personal Data on their behalf (i.e. their Data Processors) are aware of and comply with the contents of this policy.

Assurance of such compliance must be obtained from all Employees, whether companies or individuals, prior to granting them access to Personal Data controlled by Axon Outsourcing.

4.1.3 Data Protection by Design

To ensure that all Data Protection requirements are identified and addressed when designing new systems or processes and/or when reviewing or expanding existing systems or processes, each of them must go through an approval process before continuing.

Each Axon Outsourcing Entity must ensure that a Data Protection Impact Assessment (DPIA) is conducted, in cooperation with the Data Protection Officer, for all new and/or revised systems or processes for which it has responsibility. The subsequent findings of the DPIA must then be submitted to the Chief Operating Officer for review and approval. Where applicable, the Information Technology (IT) department, as part of its IT system and application design review process, will cooperate with the Data Protection Officer to assess the impact of any new technology uses on the security of Personal Data.

4.1.4 Compliance Monitoring

To confirm that an adequate level of compliance is being achieved by all Axon Outsourcing Entities in relation to this policy, the Data Protection Officer will carry out an annual Data Protection compliance audit for all such Entities. Each audit will, as a minimum, assess:

• Compliance with Policy in relation to the protection of Personal Data, including:
    • The assignment of responsibilities.
    • Raising awareness.
    • Training of Employees.
• The effectiveness of Data Protection related operational practices, including:
    • Data Subject rights.
    • Personal Data transfers.
    • Personal Data incident management.
    • Personal Data complaints handling.
• The level of understanding of Data Protection policies and Privacy Notices.
• The currency of Data Protection policies and Privacy Notices.
• The accuracy of Personal Data being stored.
• The conformity of Data Processor activities.
• The adequacy of procedures for redressing poor compliance and Personal Data Breaches.

The Data Protection Officer, in cooperation with key business stakeholders from each Axon Outsourcing Entity, will devise a plan with a schedule for correcting any identified deficiencies within a defined and reasonable time frame. Any major deficiencies identified will be reported to and monitored by the Axon Outsourcing Executive Management team.

4.2 Data Protection Principles

Axon Outsourcing has adopted the following principles to govern its collection, use, retention, transfer, disclosure and destruction of Personal Data:

• Principle 1: Lawfulness, Fairness and Transparency

Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject. This means Axon Outsourcing must tell the Data Subject what Processing will occur (transparency), the Processing must match the description given to the Data Subject (fairness), and it must be for one of the purposes specified in the applicable Data Protection regulation (lawfulness).

• Principle 2: Purpose Limitation

Personal Data shall be collected for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes. This means Axon Outsourcing must specify exactly what the Personal Data collected will be used for and limit the Processing of that Personal Data to only what is necessary to meet the specified purpose.

• Principle 3: Data Minimization

Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed. This means Axon Outsourcing must not store any Personal Data beyond what is strictly required.

• Principle 4: Accuracy

Personal Data shall be accurate and kept up to date. This means Axon Outsourcing must have in place processes for identifying and addressing out-of-date, incorrect and redundant Personal Data.

• Principle 5: Storage Limitation

Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is Processed. This means Axon Outsourcing must, wherever possible, store Personal Data in a way that limits or prevents identification of the Data Subject.

• Principle 6: Integrity & Confidentiality

Personal Data shall be Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful Processing, and against accidental loss, destruction or damage. Axon Outsourcing must use appropriate technical and organizational measures to ensure the integrity and confidentiality of Personal Data is maintained at all times.

• Principle 7: Accountability

The Data Controller shall be responsible for and be able to demonstrate compliance. This means Axon Outsourcing must demonstrate that the six Data Protection Principles (outlined above) are met for all Personal Data for which it is responsible.

4.3 Data Collection

4.3.1 Data Sources

Personal Data should be collected only from the Data Subject unless one of the following applies:

• The nature of the business purpose necessitates collection of the Personal Data from other persons or bodies.
• The collection must be carried out under emergency circumstances in order to protect the vital interests of the Data Subject or to prevent serious loss or injury to another person.

If Personal Data is collected from someone other than the Data Subject, the Data Subject must be informed of the collection unless one of the following applies:

• The Data Subject has received the required information by other means.
• The information must remain confidential due to a professional secrecy obligation.
• A national law expressly provides for the collection, Processing or transfer of the Personal Data.

Where it has been determined that notification to a Data Subject is required, notification should occur promptly, but in no case later than:

• One calendar month from the first collection or recording of the Personal Data.
• At the time of first communication, if used for communication with the Data Subject.
• At the time of disclosure, if disclosed to another recipient.

4.3.2 Data Subject Consent

Each Axon Outsourcing Entity will obtain Personal Data only by lawful and fair means and, where appropriate, with the knowledge and Consent of the individual concerned. Where a need exists to request and receive the Consent of an individual prior to the collection, use or disclosure of their Personal Data, Axon Outsourcing is committed to seeking such Consent.

The Data Protection Officer, in cooperation with the Chief Executive Officer, the Chief Operating Officer and other relevant business representatives, shall establish a system for obtaining and documenting Data Subject Consent for the collection, Processing, and/or transfer of their Personal Data. The system must include provisions for:

• Determining what disclosures should be made in order to obtain valid Consent.
• Ensuring the request for Consent is presented in a manner which is clearly distinguishable from any other matters, is made in an intelligible and easily accessible form, and uses clear and plain language.
• Ensuring the Consent is freely given (i.e. is not based on a contract that is conditional on the Processing of Personal Data that is unnecessary for the performance of that contract).
• Documenting the date, method and content of the disclosures made, as well as the validity, scope, and volition of the Consents given.
• Providing a simple method for a Data Subject to withdraw their Consent at any time.

4.3.3 Data Subject Notification

Each Axon Outsourcing Entity will, when required by applicable law, contract, or where it considers that it is reasonably appropriate to do so, provide Data Subjects with information as to the purpose of the Processing of their Personal Data. When the Data Subject is asked to give Consent to the Processing of Personal Data and when any Personal Data is collected from the Data Subject, all appropriate disclosures[1] will be made, in a manner that draws attention to them, unless one of the following applies:

• The Data Subject already has the information.[2]
• A legal exemption applies to the requirements for disclosure and/or Consent.

The disclosures may be given orally, electronically or in writing. If given orally, the person making the disclosures should use a suitable script or form approved in advance by the Data Protection Officer. The associated receipt or form should be retained, along with a record of the facts, date, content, and method of disclosure.

4.3.4 External Privacy Notices

Each external website provided by an Axon Outsourcing Entity will include an online ‘Privacy Notice’ and an online ‘Cookie Notice’ fulfilling the requirements of applicable law. Refer to Axon Outsourcing’s ‘Internet Privacy Notice’ and ‘Internet Cookie Notice’ standard templates for guidance. All Privacy and Cookie Notices must be approved by the Data Protection Officer prior to publication on any Axon Outsourcing external website.

[1] A list of the disclosures that need to be made available to the Data Subject is provided in Appendix A.

[2] The Axon Outsourcing Entity collecting the information, in cooperation with the Office of Data Protection, must establish means for documenting the fact that the Data Subject already has the information and how it has been obtained.

4.4 Data Use

4.4.1 Data Processing

Axon Outsourcing uses the Personal Data of its Clients’ Clients for the following broad purposes:

To provide services to Axon Outsourcing clients, viz.:

• Bookkeeping and Accounting
• Bi-Monthly VAT preparation
• Monthly Management Accounting
• Year-end Accounts preparation
• Preparation of Working Papers, Control Accounts, Lead schedules and Financial Statements
• Preparation of Management Letters, FRSE102/105 and SCAPS/PQAs
• Preparation of Form 11 and CT1 Tax Returns
• ROS Management for payments, including extracting reports like P2C, PAYE, VAT, etc.

The use of a Client’s information should always be considered from their perspective and whether the use will be within their expectations or if they are likely to object. For example, it would clearly be within a Client’s expectations that their Clients’ details will be used by Axon Outsourcing to respond to a Client request for information about the services on offer.

Each Axon Outsourcing Entity will process Personal Data in accordance with all applicable laws and applicable contractual obligations. More specifically, Axon Outsourcing will not Process Personal Data unless at least one of the following requirements is met:

• The Data Subject has given Consent to the Processing of their Personal Data for one or more specific purposes.
• Processing is necessary for the performance of a contract to which the Data Subject is party or to take steps at the request of the Data Subject prior to entering into a contract.
• Processing is necessary for compliance with a legal obligation to which the Data Controller is subject.
• Processing is necessary to protect the vital interests of the Data Subject or of another natural person.
• Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.
• Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller.

There are some circumstances in which Personal Data may be further processed for purposes that go beyond the original purpose for which the Personal Data was collected. When deciding on the compatibility of the new reason for Processing, guidance and approval must be obtained from the Data Protection Officer before any such Processing may commence.

In any circumstance where Consent has not been gained for the specific Processing in question, Axon Outsourcing will address the following additional conditions to determine the fairness and transparency of any Processing beyond the original purpose for which the Personal Data was collected:

• Any link between the purpose for which the Personal Data was collected and the reasons for intended further Processing.
• The context in which the Personal Data has been collected, regarding the relationship between the Data Subject and the Data Controller.
• The nature of the Personal Data, whether Special Categories of Data are being Processed, or whether Personal Data related to criminal convictions and offences are being Processed.
• The possible consequences of the intended further Processing for the Data Subject.
• The existence of appropriate safeguards pertaining to further Processing, which may include Encryption, Anonymisation or Pseudonymisation.

4.4.2 Special Categories of Data

Axon Outsourcing will only Process Special Categories of Data (also known as sensitive data) where the Data Subject expressly consents to such Processing or where one of the following conditions applies:

• The Processing relates to Personal Data which has already been made public by the Data Subject.
• The Processing is necessary for the establishment, exercise or defense of legal claims.
• The Processing is specifically authorized or required by law.
• The Processing is necessary to protect the vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving consent.
• Further conditions, including limitations, based upon national law related to the Processing of genetic data, biometric data or data concerning health.

In any situation where Special Categories of Data are to be Processed, prior approval must be obtained from the Data Protection Officer and the basis for the Processing clearly recorded with the Personal Data in question.

Where Special Categories of Data are being Processed, Axon Outsourcing will adopt additional protection measures. Each Axon Outsourcing Entity may also adopt additional measures to address local custom or social expectation over the Processing of Special Categories of Data.

4.4.3 Data Quality

Each Axon Outsourcing Entity will adopt all necessary measures to ensure that the Personal Data it collects and Processes is complete and accurate in the first instance and is updated to reflect the current situation of the Data Subject.

The measures adopted by Axon Outsourcing to ensure data quality include:

• Correcting[3] Personal Data known to be incorrect, inaccurate, incomplete, ambiguous, misleading or outdated, with prior consent of the Data Subject.
• Keeping Personal Data only for the period necessary to satisfy the permitted uses or applicable statutory retention period.
• The removal of Personal Data if in violation of any of the Data Protection principles or if the Personal Data is no longer required.
• Restriction, rather than deletion, of Personal Data, insofar as:
    • a law prohibits erasure.
    • erasure would impair legitimate interests of the Data Subject.
    • the Data Subject disputes that their Personal Data is correct, and it cannot be clearly ascertained whether their information is correct or incorrect.

4.4.4 Profiling & Automated Decision-Making

Axon Outsourcing will only engage in Profiling and automated decision-making where it is necessary to enter into, or to perform, a contract with the Data Subject or where it is authorized by law.

Where any Axon Outsourcing Entity utilizes Profiling and automated decision-making, this will be disclosed to the relevant Data Subjects. In such cases the Data Subject will be given the opportunity to:

• Express their point of view.
• Obtain an explanation for the automated decision.
• Review the logic used by the automated system.
• Supplement the automated system with additional data.
• Have a human carry out a review of the automated decision.
• Contest the automated decision.
• Object to the automated decision-making being carried out.

Axon Outsourcing must also ensure that all Profiling and automated decision-making relating to a Data Subject is based on accurate data. Correction may include data erasure and replacement with corrected or supplemented data.

[3] Correction may include data erasure and replacement with corrected or supplemented data.

4.4.5 Digital Marketing

As a general rule Axon Outsourcing will not send promotional or direct marketing material to an Axon Outsourcing Contact through digital channels such as mobile phones, email and the Internet without first obtaining their Consent. Any Axon Outsourcing Entity wishing to carry out a digital marketing campaign without obtaining prior Consent from the Data Subject must first have it approved by the Data Protection Officer.

Where Personal Data Processing is approved for digital marketing purposes, the Data Subject must be informed at the point of first contact that they have the right to object, at any stage, to having their data Processed for such purposes. If the Data Subject puts forward an objection, digital marketing related Processing of their Personal Data must cease immediately, and their details should be kept on a suppression list with a record of their opt-out decision, rather than being completely deleted. It should be noted that where digital marketing is carried out in a ‘business to business’ context, there is no legal requirement to obtain an indication of Consent to carry out digital marketing to individuals, provided that they are given the opportunity to opt out.

4.5 Data Retention

To ensure fair Processing, Personal Data will not be retained by Axon Outsourcing for longer than necessary in relation to the purposes for which it was originally collected, or for which it was further Processed. The length of time for which Axon Outsourcing Entities need to retain Personal Data is set out in the Axon Outsourcing ‘Personal Data Retention Schedule’. This considers the legal and contractual requirements, both minimum and maximum, that influence the retention periods set forth in the schedule. All Personal Data should be deleted or destroyed as soon as possible where it has been confirmed that there is no longer a need to retain it.

4.6 Data Protection

Each Axon Outsourcing Entity will adopt physical, technical, and organizational measures to ensure the security of Personal Data. This includes the prevention of loss or damage, unauthorized alteration, access or Processing, and other risks to which it may be exposed by human action or the physical or natural environment.

The minimum set of security measures to be adopted by each Axon Outsourcing Entity is provided in the Axon Outsourcing ‘Information Security Policy’. A summary of the Personal Data related security measures is provided below:

• Prevent unauthorized persons from gaining access to data processing systems in which Personal Data are Processed.
• Prevent persons entitled to use a data processing system from accessing Personal Data beyond their needs and authorizations.
• Ensure that Personal Data during electronic transmission or transport cannot be read, copied, modified or removed without authorization.
• Ensure that access logs are in place to establish whether, and by whom, the Personal Data was entered into, modified on or removed from a data processing system.
• Ensure that in the case where Processing is carried out by a Data Processor, the data can be Processed only in accordance with the instructions of the Data Controller.
• Ensure that Personal Data is protected against undesired destruction or loss.
• Ensure that Personal Data collected for different purposes can be and is Processed separately.
• Ensure that Personal Data is not kept longer than necessary.

4.7 Data Subject Requests

The Data Protection Officer will establish a system to enable and facilitate the exercise of Data Subject rights related to:

• Information access.
• Objection to Processing.
• Objection to automated decision-making and profiling.
• Restriction of Processing.
• Data portability.
• Data rectification.
• Data erasure.

If an individual makes a request relating to any of the rights listed above, Axon Outsourcing will consider each such request in accordance with all applicable Data Protection laws and regulations. No administration fee will be charged for considering and/or complying with such a request unless the request is deemed to be unnecessary or excessive in nature.

Data Subjects are entitled to obtain, based upon a request made in writing to the Data Protection Officer and upon successful verification of their identity, the following information about their own Personal Data:

• The purposes of the collection, Processing, use and storage of their Personal Data.
• The source(s) of the Personal Data, if it was not obtained from the Data Subject.
• The categories of Personal Data stored for the Data Subject.
• The recipients or categories of recipients to whom the Personal Data has been or may be transmitted, along with the location of those recipients.
• The envisaged period of storage for the Personal Data or the rationale for determining the storage period.
• The use of any automated decision-making, including Profiling.
• The right of the Data Subject to:
  • object to Processing of their Personal Data.
  • lodge a complaint with the Data Protection Authority.
  • request rectification or erasure of their Personal Data.
  • request restriction of Processing of their Personal Data.

All requests received for access to or rectification of Personal Data must be directed to the Data Protection Officer, who will log each request as it is received. A response to each request will be provided within 30 days of the receipt of the written request from the Data Subject. Appropriate verification must confirm that the requestor is the Data Subject or their authorized legal representative. Data Subjects shall have the right to require Axon Outsourcing to correct or supplement erroneous, misleading, outdated, or incomplete Personal Data.

If Axon Outsourcing cannot respond fully to the request within 30 days, the Data Protection Officer shall nevertheless provide the following information to the Data Subject, or their authorized legal representative, within the specified time:

• An acknowledgement of receipt of the request.
• Any information located to date.
• Details of any requested information or modifications which will not be provided to the Data Subject, the reason(s) for the refusal, and any procedures available for appealing the decision.
• An estimated date by which any remaining responses will be provided.
• An estimate of any costs to be paid by the Data Subject (e.g. where the request is excessive in nature).
• The name and contact information of the Axon Outsourcing individual whom the Data Subject should contact for follow-up.

It should be noted that situations may arise where providing the information requested by a Data Subject would disclose Personal Data about another individual. In such cases, information must be redacted or withheld as may be necessary or appropriate to protect that person’s rights.

Detailed guidance for dealing with requests from Data Subjects can be found in the Axon Outsourcing ‘Data Subject Request Handling Procedures’ document.

4.8 Law Enforcement Requests & Disclosures

In certain circumstances, it is permitted that Personal Data be shared without the knowledge or Consent of a Data Subject. This is the case where the disclosure of the Personal Data is necessary for any of the following purposes:

• The prevention or detection of crime.
• The apprehension or prosecution of offenders.
• The assessment or collection of a tax or duty.
• By the order of a court or by any rule of law.

If any Axon Outsourcing Entity processes Personal Data for one of these purposes, then it may apply an exception to the Processing rules outlined in this policy, but only to the extent that not doing so would be likely to prejudice the case in question. If any Axon Outsourcing Entity receives a request from a court or any regulatory or law enforcement authority for information relating to an Axon Outsourcing Contact, you must immediately notify the Data Protection Officer, who will provide comprehensive guidance and assistance.

4.9 Data Protection Training

All Axon Outsourcing Employees that have access to Personal Data will have their responsibilities under this policy outlined to them as part of their staff induction training. In addition, each Axon Outsourcing Entity will provide regular Data Protection training and procedural guidance for their staff.

The training and procedural guidance set forth will consist of, at a minimum, the following elements:

• The Data Protection Principles set forth in Section 4.2 above.
• Each Employee’s duty to use and permit the use of Personal Data only by authorized persons and for authorized purposes.
• The need for, and proper use of, the forms and procedures adopted to implement this policy.
• The correct use of passwords, security tokens and other access mechanisms.
• The importance of limiting access to Personal Data, such as by using password-protected screen savers and logging out when systems are not being attended by an authorized person.
• Securely storing manual files, printouts and electronic storage media.
• The need to obtain appropriate authorization and utilize appropriate safeguards for all transfers of Personal Data outside of the internal network and physical office premises.
• Proper disposal of Personal Data by using secure shredding facilities.
• Any special risks associated with departmental activities or duties.

4.10 Data Transfers

Axon Outsourcing Entities may transfer Personal Data to internal or Third Party recipients located in another country where that country is recognized as having an adequate level of legal protection⁴ for the rights and freedoms of the relevant Data Subjects. Where transfers need to be made to countries lacking an adequate level of legal protection (i.e. Third Countries), they must be made in compliance with an approved transfer mechanism⁵.

Axon Outsourcing Entities may only transfer Personal Data where one of the transfer scenarios listed below applies:

• The Data Subject has given Consent to the proposed transfer.
• The transfer is necessary for the performance of a contract with the Data Subject.
• The transfer is necessary for the implementation of pre-contractual measures taken in response to the Data Subject’s request.
• The transfer is necessary for the conclusion or performance of a contract in the interest of the Data Subject.
• The transfer is legally required on important public interest grounds.
• The transfer is necessary for the establishment, exercise or defense of legal claims.
• The transfer is necessary in order to protect the vital interests of the Data Subject.

⁴ For a list of countries recognized as having an adequate level of legal protection, see Appendix B.
⁵ For a list of Third Country transfer mechanisms recognized as providing adequate protection, see Appendix B.

4.10.1 Transfers between Axon Outsourcing Entities

For Axon Outsourcing to carry out its operations effectively across its various Axon Outsourcing Entities, there may be occasions when it is necessary to transfer Personal Data from one Axon Outsourcing Entity to another, or to allow access to the Personal Data from an overseas location. Should this occur, the Axon Outsourcing Entity sending the Personal Data remains responsible for ensuring protection for that Personal Data.

Axon Outsourcing handles the transfer of Personal Data between Axon Outsourcing Entities, where the location of the recipient is a Third Country, using the Binding Corporate Rules transfer mechanism. Binding Corporate Rules provide legally binding, enforceable rights on Data Subjects about the Processing of their Personal Data and must be enforced by each approved Axon Outsourcing Entity, including their Employees.

When transferring Personal Data to another Axon Outsourcing Entity located in a Third Country, you must:

• Ensure that the recipient Axon Outsourcing Entity is included on the approved list of Axon Outsourcing Entities subject to the Axon Outsourcing ‘Binding Corporate Rules Agreement’. The approved list is held and maintained by the Data Protection Officer.
• Only transfer the minimum amount of Personal Data necessary for the transfer (for example, to fulfil a transaction or carry out a service).
• Ensure adequate security measures are used to protect the Personal Data during the transfer (including password-protection and Encryption, where necessary).

4.11 Complaints Handling

Data Subjects with a complaint about the Processing of their Personal Data should put forward the matter in writing to the Data Protection Officer. An investigation of the complaint will be carried out to the extent that is appropriate based on the merits of the specific case. The Data Protection Officer will inform the Data Subject of the progress and the outcome of the complaint within a reasonable period.

If the issue cannot be resolved through consultation between the Data Subject and the Data Protection Officer, then the Data Subject may, at their option, seek redress through mediation, binding arbitration, litigation, or via complaint to the Data Protection Authority within the applicable jurisdiction.

4.12 Breach Reporting

Any individual who suspects that a Personal Data Breach has occurred due to the theft or exposure of Personal Data must immediately notify the Data Protection Officer, providing a description of what occurred.

The Data Protection Officer will investigate all reported incidents to confirm whether a Personal Data Breach has occurred. If a Personal Data Breach is confirmed, the Data Protection Officer will follow the relevant authorized procedure based on the criticality and quantity of the Personal Data involved, within 72 hours of becoming aware of the breach, where feasible.

5. Policy Maintenance

All inquiries about this policy, including requests for exceptions or changes, should be directed to the Data Protection Officer.

5.1 Publication

This policy shall be available to all Axon Outsourcing Employees via means deemed appropriate by the Data Protection Officer.

5.2 Effective Date

This policy is effective as of 1st May 2018.

5.3 Revisions

The Data Protection Officer is responsible for the maintenance and accuracy of this policy. Notice of significant revisions shall be provided to Axon Outsourcing Employees through the Human Resources department.

Listed below are documents that relate to and are referenced by this policy.

• Internet Privacy Notice template
• Internet Cookie Notice template
• Information Security Policy
• Data Subject Request Handling Procedure
• Data Protection Policy for Employee Data
• Personal Data Retention Schedule
• Standard Data Processing Agreement
• Standard Provisions for Outsourcing Agreement
• Binding Corporate Rules Agreement

Appendix A - Information Notification to Data Subjects

The table below outlines the various information elements that must be provided by the Data Controller to the Data Subject, depending upon whether or not Consent has been obtained from the Data Subject.

Appendix B - Adequacy for Personal Data Transfers

The following is a list of countries recognized as having an adequate level of legal protection for the rights and freedoms of Data Subjects in relation to the Processing of their Personal Data.

• EU Countries (Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK)
• Iceland
• Liechtenstein
• Norway
• Andorra
• Argentina
• Canada (commercial organizations)
• Faeroe Islands
• Guernsey
• Israel
• Isle of Man
• Jersey
• New Zealand
• Switzerland
• Uruguay
• United States (Privacy Shield certified organizations)

The following is a list of Third Country transfer mechanisms that can provide adequate protection when transfers are made to countries lacking an adequate level of legal protection.

Appropriate Safeguards

• Model Clauses
• Binding Corporate Rules
• Codes of Conduct
• Certification Mechanisms

Derogations

• Explicit Consent
• Compelling Legitimate Interests
• Important reasons of Public Interest
• Transfers in response to a foreign legal requirement
• DPA approved contracts between Data Controllers and Data Processors