Privacy Policy

1) Aim and scope of policy

This policy applies to the processing of personal data in manual and electronic records kept by the Organisation. The Organisation is aware of its obligations under the General Data Protection Regulation (GDPR) and current data protection legislation, and is committed to processing your data securely and transparently.

This policy sets out how we use that information, how long we keep it for and other relevant information about your data and applies to the personal data of job applicants, existing and former employees, apprentices, volunteers, placement students, workers, self-employed contractors, stakeholders and customers. These are referred to in this policy as relevant individuals.

The Organisation makes a commitment to ensuring that personal data, including special categories
of personal data and criminal offence data (where appropriate) is processed in line with GDPR and
domestic laws and all its employees and contractors conduct themselves in line with this, and other
related, policies. Where third parties process data on behalf of the Organisation, the Organisation
will ensure that the third party takes such measures in order to maintain the Organisation’s
commitment to protecting data. In line with current data protection legislation, the Organisation
understands that it will be accountable for the processing, management and regulation, and storage
and retention of all personal data held in the form of manual records and on computers.

2) Definitions

“Personal data” is information that relates to an identifiable person who can be directly or indirectly
identified from that information, for example, a person’s name, identification number, location,
online identifier. It can also include pseudonymised data.

“Special categories of personal data” is data which relates to an individual’s health, sex life, sexual
orientation, race, ethnic origin, political opinion, religion, and trade union membership. It also
includes genetic and biometric data (where used for ID purposes).

“Criminal offence data” is data which relates to an individual’s criminal convictions and offences.

“Data processing” is any operation or set of operations which is performed on personal data or on
sets of personal data, whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination, restriction,
erasure or destruction.

3) Data protection principles

All personal data obtained and held by the Organisation will:

• be processed fairly, lawfully and in a transparent manner
• be collected for specific, explicit, and legitimate purposes
• be adequate, relevant and limited to what is necessary for the purposes of processing
• be kept accurate and up to date. Every reasonable effort will be made to ensure that
  inaccurate data is rectified or erased without delay
• not be kept for longer than is necessary for its given purpose
• be processed in a manner that ensures appropriate security of personal data including
• protection against unauthorised or unlawful processing, accidental loss, destruction or
• damage by using appropriate technical or organisational measures
• comply with the relevant data protection procedures for international transferring of
  personal data.

In addition, personal data will be processed in recognition of an individuals’ data protection rights, as
follows:

• the right to be informed
• the right of access
• the right for any inaccuracies to be corrected (rectification)
• the right to have information deleted (erasure)
• the right to restrict the processing of the data
• the right to portability
• the right to object to the inclusion of any information
• the right to regulate any automated decision-making and profiling of personal data.

4) Types of data held

The following types of data may be held by the Organisation, as appropriate, on relevant individuals:

• name, address, phone numbers – for individual and, if relevant, next of kin
• CVs and other information gathered during recruitment
• references from former employers
• National Insurance numbers
• job title, job descriptions and pay grades
• conduct issues such as letters of concern, disciplinary proceedings
• holiday records
• internal performance information
• medical or health information
• sickness absence records
• tax codes
• terms and conditions of employment
• training details
• CCTV footage

5) How We Collect Your Data

We collect data about you in a variety of ways and this will usually start when we undertake to enter into any form of contract or working relationship with you where we will collect the data from you directly, for example, your name, address and other personal details. Further information will be collected directly from you once your engagement begins, for example, your bank details.

In some cases, we will collect data about you from third parties, such as intermediaries who may act
as an introducer.

Personal data is kept in personnel files or within the Company’s HR and IT systems.

6) Why We Process Your Data

Privacy Policy – 2025 – Ventas Sales (Europe) Ltd
The law on data protection allows us to process your data for certain reasons only:

• in order to perform the contract that we are party to
• in order to carry out legally required duties
• in order for us to carry out our legitimate interests
• to protect your interests
• where something is done in the public interest and
• where we have obtained your consent.

All of the processing carried out by us falls into one of the permitted reasons. Generally, we will rely on the first three reasons set out above to process your data. For example, we need to collect your personal data in order to carry out the work or contract that we have entered into with you.

We also collect data so that we can carry out activities which are in the legitimate interests of the Company. We have set these out below:

• making decisions about who to enter into a contract with
• dealing with legal claims made against us
• preventing fraud
• ensuring our administrative and IT systems are secure and robust against unauthorised
  access

7) Sharing Your Data

Your data will be shared with employees and contractors within the Company where it is necessary
for them to undertake their duties.

We may also share your data with third parties as part of a Company sale or restructure, or for other
reasons to comply with a legal obligation upon us.

We do not share your data with bodies outside of the European Economic Area.

8) Protecting your data

We are aware of the requirement to ensure your data is protected against accidental loss or disclosure, destruction and abuse. We have implemented processes to guard against such. Where we share your data with third parties, we provide written instructions to them to ensure that your data are held securely and in line with current data protection requirements. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.

9) How long we keep your data for

In line with data protection principles, we only keep your data for as long as we need it, which will be at least for the duration of your engagement with us though in some cases we will keep your data for a period after your engagement has ended.

10) Automated decision making

No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.

11) International Transfers

The Organisation may be required to transfer personal data to a country/countries outside of the
EEA. We may need to share personal data with our business partners or suppliers who are based
outside the EEA because, for example, we are advertising or placing a vacancy that operates outside
of the EEA.

The GDPR contains specific provisions for such transfers. With these provisions, the GDPR aims to
guarantee an equivalent level of protection to personal data being transferred to the one they enjoy
within the EEA.

Where this occurs, we will only transfer data on the basis of an adequacy decision and, as such will
only transfer necessary data to those who have been declared adequate.

12) Access to data

Relevant individuals have a right to be informed whether the Organisation processes personal data
relating to them and to access the data that the Organisation holds about them.

Requests for access to this data will be dealt with under the following summary guidelines:

• a form on which to make a subject access request is available from Ventas Sales (Europe). The request should be made to Data@ventassales.com.
• the Organisation will not charge for the supply of data unless the request is manifestly unfounded, excessive or repetitive, or unless a request is made for duplicate copies to be provided to parties other than the person making the request
• the Organisation will respond to a request without delay. Access to data will be provided, subject to legally permitted exemptions, within one month as a maximum. This may be extended by a further two months where requests are complex or numerous.

Relevant individuals must inform the Organisation immediately if they believe that the data is inaccurate, either as a result of a subject access request or otherwise. The Organisation will take immediate steps to rectify the information.

For further information on making a subject access request, employees should refer to our subject access request policy, available from Data@ventassales.com.

If you wish to exercise any of the rights explained above, please contact Data@ventassales.com.

13) Procedures

The Organisation has taken the following steps to protect the personal data of relevant individuals,
which it holds or to which it has access, and it appoints or employs employees with specific
responsibilities for:

• the processing and controlling of data
• the comprehensive reviewing and auditing of its data protection systems and procedures
• overviewing the effectiveness and integrity of all the data that must be protected.

There are clear lines of responsibility and accountability for these different roles.

it provides information on data protection rights, how it uses their personal
data, and how it protects it. The information includes the actions relevant
individuals can take if they think that their data has been compromised in any
way

• it provides its employees with information and training to make them aware of
  the importance of protecting data, to teach them how to do this, and to
  understand how to treat information confidentially
• it can account for all personal data it holds, where it comes from, who it is
  shared with and also who it might be shared with
• it carries out risk assessments as part of its reviewing activities to identify any
  vulnerabilities in its personal data handling and processing, and to take
  measures to reduce the risks of mishandling and potential breaches of data
  security. The procedure includes an assessment of the impact of both use and
  potential misuse of personal data in and by the Organisation
• it recognises the importance of seeking individuals’ consent for obtaining,
  recording, using, sharing, storing and retaining their personal data, and regularly
  reviews its procedures for doing so, including the audit trails that are needed
  and are followed for all consent decisions. The Organisation understands that
  consent must be freely given, specific, informed and unambiguous. The
  Organisation will seek consent on a specific and individual basis where
  appropriate. Full information will be given regarding the activities about which
  consent is sought. Relevant individuals have the absolute and unimpeded right
  to withdraw that consent at any time
• it has the appropriate mechanisms for detecting, reporting and investigating
  suspected or actual personal data breaches, including security breaches. It is
  aware of its duty to report significant breaches that cause significant harm to
  the affected individuals to the Information Commissioner, and is aware of the
  possible consequences
• it is aware of the implications of international transfer of personal data.

14) Data security

The Organisation adopts procedures designed to maintain the security of data when it is stored and transported.

Employees and those working with the Organisation must:

• ensure that all files or written information of a confidential nature are stored in a secure
  manner and are only accessed by people who have a need and a right to access them
• ensure that all files or written information of a confidential nature are not left where
  they can be read by unauthorised people
• refrain from sending emails containing sensitive work related information to their
  personal email address
• check regularly on the accuracy of data being entered into computers
• always use the passwords provided to access the computer system and not abuse them
  by passing them on to people who should not have them
• use computer screen blanking to ensure that personal data is not left on screen when
  not in use.

Personal data should not be kept or transported on personal laptops, USB sticks, or similar devices, unless expressly authorised by the Director. Where personal data is recorded on any such device it should be protected by:

• ensuring that data is recorded on such devices only where absolutely necessary
• using an encrypted system — a folder should be created to store the files that need
  extra protection and all files created or moved to this folder should be automatically
  encrypted
• ensuring that laptops or USB drives are not left lying around where they can be stolen.

15) What are cookies?

Cookies are text files placed on your computer to collect standard Internet Log information and visitor behaviour information. When you visit our website, we may collect information on you automatically through cookies or similar technology.

For further information, visit allaboutcookies.org

How do we use cookies?

Our company uses cookies in a range of ways to improve your experience on our website, including:

• Keeping you signed in
• Understanding how you use our website

What types of cookies do we use?

There are a number of different types of cookies, however our website uses:

Functionality – Our Organisation uses these cookies so that we recognise you on our website and
remember your previously selected preferences. These could include what language you prefer and
location you are in. A mix of first-party and third-party cookies are used.

Advertising – Our Organisation uses these cookies to collect information about your visit to our
website, the content you viewed, the linked you followed and information about your browser,
device and IP address. Our Organisation sometimes shares some limited aspecys of this data with
third parties for advertising purposes. We may also share online data collected through cookies with
our advertising partners. This means that when you visit another website, you may be shown
advertising based on your browsing patterns on our website.

How to manage cookies

You can set your browser not to accept cookies, and the above website tells you how to remove cookies from your browser. However, in some cases, some of our website features may not function as a result.

16) Privacy policies of other websites

Our company website contains links to other websites. Our privacy policy applies only to our website, so if you click on a link to another website, you should read their privacy policy.

17) Making a complaint

The supervisory authority in the UK for data protection matters is the Information Commissioner’s Office (ICO). If you think your data protection rights have been breached in any way by us, you are able to make a complaint to the ICO.