RPS ('we', 'us', 'organisation') is the Data Controller for the information you provide to us. If you have any questions about the process, please contact us at:

RPS, 20 Milton Park, Abingdon, Oxfordshire OX14 4SH (FAO: Data Controller)

dataprotection@rpsgroup.com

RPS is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.

The organisation may collect and process a range of information about you, for services that we may offer through numerous divisions. Data may include:

• Your name
• Contact details including email address and telephone numbers
• Line manager and Business Segment information
• Geolocation data

The organisation will only seek information from third parties with your consent.

Data protection laws require us to explain what legal grounds justify our processing of your personal information (this includes sharing it with other organisations). For some processing, more than one legal ground may be relevant (except where we rely on a consent). We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

• Where it is necessary for the performance of a contract
• Where we have your consent to process the information
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We may also use your personal information in the following situations, which are likely to be rare:

• Where we need to protect your interests (or someone else’s interests)
• Where it is needed in the public interest [or for official purposes].

Your information may be shared for the purposes of processing on specific service(s) you have entered into with the organisation. Information may be shared with the following parties, including (but not limited to):

• Managers & project team members across the organisation
• Third parties to whom we choose to sell, transfer, or merge parts of our business or our assets
• third party clients to us, on whose projects your services are to be provided

More information can be found for the specific services we offer, at the point of collection from the organisation’s websites.

IT staff may also be required to access your data, if it is necessary for the performance of their roles, routine administration and in the management of our internal IT systems.

RPS will not share your data with third parties, unless there is a requirement to do so.

We keep your personal data for the period necessary to fulfil the purposes for which it has been collected and to comply with our legal obligations.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once this data is no longer required, we will retain and securely destroy your personal information in accordance with applicable laws and regulations.

Here is a list of the rights that all individuals have under data protection laws. They do not apply in all circumstances. If you wish to exercise any of them, we will explain at that time if they are engaged or not.

• The right to be informed about your processing of your personal information
• The right to have your personal information corrected if it is inaccurate and to have incomplete personal information completed
• The right to object to processing of your personal information
• The right to restrict processing of your personal information
• The right to have your personal information erased (the right to be forgotten)
• The right to request access to your personal information and to obtain information about how we process it (see below for further details)
• The right to move, copy or transfer your personal information (data portability)
• Rights in relation to automated decision making which has a legal effect or otherwise significantly affects you

You have the right to complain to the department which enforces your local data protection laws:

• UK - Information Commissioners Office: https://ico.org.uk
• Dublin - Data Protection Commission: https://www.dataprotection.ie/
• Netherlands - Autoriteit Persoonsgegevens: https://www.autoriteitpersoonsgegevens.nl/nl

In the first instance, you should make any request for access to your data via dataprotection@rpsgroup.com

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, and in exceptional circumstances only, we may refuse to comply with the request in such circumstances.

You are under no statutory or contractual obligation to provide data to RPS. However, if you do not provide the information necessary, then the organisation may not be able to provide the necessary services to fulfil any contractual duties we engage in.

The organisation takes the security of your data seriously. The organisation has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties.

Where the organisation engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

Data will be stored on a designated server within the organisation's IT system. All data deemed personal information is encrypted to ensure security of data.

Your personal information may be transferred outside the UK or the European Economic Area. If it is processed within the UK, Europe or other parts of the European Economic Area (EEA), then it is protected by both UK and European data protection standards. Some countries outside the UK and EEA also have adequate protection for personal information under laws that apply to us. We will make sure that suitable safeguards are in place before we transfer your personal information to countries outside the UK or EEA that do not have adequate protection under laws that apply to us, except in cases where what are called ‘derogations’ apply.

We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.

Any changes we may make to our privacy notice in the future will be representative of the effective date confirmed above.

For more information please see our Cookies Policy.

If you have any queries about this privacy notice or in general about the personal data which we may hold about you, please contact: - dataprotection@rpsgroup.com