Privacy Policy

Revision: 1 Date: 26-02-2019WellPerform's duties and scopeWellPerform is required to process relevant personal data regarding employees, consultants, applicants and customers (Data Subjects) as part of operation and shall take all reasonable steps to do so in accordance with this Policy. WellPerform has appointed the Directors of WellPerform as the Data Protection Controller (DPC) who will endeavor to ensure that all personal data is processed in compliance with this Policy and the principles of the relevant legislation. WellPerform recognizes the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) adopted 27 April2016, the two-year transition period and the application date of 25 May 2018.The PrinciplesWellPerform shall, so far as is reasonably practicable, comply with the Data Protection Principles (the Principles) contained in the Data Protection Act to ensure personal data is

- Fairly and lawfully processed
- Processed for a lawful purpose
- Adequate, relevantand not excessive
- Accurate and up to date
- Not kept for longer than necessary
- Processed in accordance with the Data Subject's rights
- Kept secure
- Not transferred without adequate protection and approvalsPersonal dataPersonal data covers both facts and opinionsabout an individual where that data identifies an individual. For example, itincludes information necessary for employment. Examples of data of employeeare: name, address, email, photo, passport, personal registration number, phonenumber, test results, health information, family relations, education, salary,etc.Processing of personal dataConsent may be required for the processing of data for personnel unless processing is necessary for the performance of the contract of employment. Any information which falls under the definition of personal data and is not otherwise exempt, will remain confidential and will only be disclosed to third parties with appropriate consent. Data Subjects have the right of access to information held by WellPerform, subject to the provisions of the Data Protection Act. Any Data Subject wishing to access their personal data should put their request inwriting to WellPerform management. The information will be imparted to the data subject as soon as is reasonably possible after it has come to WellPerform's attention and in compliance with the relevant Acts.Data accuracyWellPerform will endeavour to ensure that all personal data held in relation to all Data Subjects is accurate. Data Subjects must notify WellPerform management of any changes to information held about them.EnforcementIf Data Subjects believe that WellPerform has not complied with this Policy or acted otherwise than in accordance with the Data Protection Act, the Data Subject should notify management.Data securityWellPerform will take appropriate technical and organisational steps to ensure the security of personal data. All employees will be made aware of this policy and their duties under the relevant Data Protection Act. WellPerform employees are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are taken against unlawful or unauthorized processing of personal data, and against the accidental loss of, or damage to all personal data. An appropriate level of data security must be deployed for the type of data and the data processing being performed. In mostcases, personal data must be stored in appropriate systems and be encrypted, or password protected when used outside WellPerform. Other personal data may be for publication or limited publication within WellPerform, therefore having a lower requirement for data security. Attention is also drawn to WellPerform's IT Policy and IT Security Procedures, which provides more specific information on digital data protection and best practice guides. WellPerform must ensure that data processed byexternal processors, for example, service providers, cloud services including storage, web sites etc. are compliant with this policy and the relevant legislation.Secure destructionWhen data held in accordance with this policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction.Retention of dataWellPerform may retain data for differing periods of time for different purposes as required by legislation /statute obligations. Other legal processes and enquiries may also necessitate the retention of certain data.