ALPHA CRM PRIVACY STATEMENT

Personal Data – Privacy Statement

This Privacy Statement lays out how Alpha treats client personal data (where ‘client’ refers to all of the following; client organisation, TPA or Vendor, or third party such as recruitment agencies and industry bodies), and what rights Alpha’s clients have in relation to this information.

In respect of the processing of your personal data in line with this Privacy Statement, Alpha Financial Markets Consulting PLC and certain other local Alpha entities act as a controller for the personal data they process and comply with the associated requirements as laid out under the General Data Protection Regulation (GDPR) and other data protection laws and regulations. The controlling entities will be Alpha Financial Markets PLC and the local office in your region. Further detail on relevant Alpha offices is provided in section 1.10.

1.1. Categories of personal data

When we refer to “personal data” we mean any data relating to an identified or identifiable individual. This could include information that could identify an individual, directly or indirectly, in particular, by reference to an identifier such as a name, ID number, location data or online identifier. It also includes factors specific to an individual’s characteristics.

Alpha collects limited personal data on its clients; and this primarily encompasses the following types of information:

• contact and organisation related material such as an individual’s work email and business role;

• business communications, such as email exchanges or in-person meetings.

1.2. Sources of personal data

We collect your personal data during the course of your dealings with us. For example, when you engage with us in respect of a project we are undertaking for your organisation. Otherwise, we gather information about you when you provide it to us, for example when you correspond with your contacts within Alpha.

We may also receive information about you from other sources, such as directly from your organisation or via online resources including LinkedIn and other publicly available sources. We combine information about you from various sources, including the information that you have provided to us directly.

1.3. Purposes of processing

Alpha collects client personal data for the following purposes:

• to manage past, current and future business engagements;

• to send information such as engagement related proposals and materials, industry relevant information (such as regulatory digest newsletters), event invitations;

• direct marketing communications; and.

• to comply with our legal and regulatory obligations.

1.4. Lawful basis for processing

Alpha collects, uses, processes and discloses personal data in accordance with applicable data protection and privacy laws. We process personal data on the following bases:

• for legitimate business purposes, including ensuring that Alpha (i) is able to maintain its relationships with existing clients, (ii) is able to manage past, current and future client engagements and(iii) to promote its services and products;

• for the performance of a contract that we have entered into with our client;

• consent, where required by law (including marketing to individuals in a personal capacity by email or SMS).

1.5. Data recipients

Your personal data may be shared with Alpha’s affiliates throughout the world, and with certain third parties such as:

• service providers that provide services on our behalf, including IT service providers;

• legal and other professional advisors and auditors; and

• regulators and law enforcement agencies.

Where third parties are given access to your personal data, Alpha will take the required contractual, technical and organisational measures to ensure that your personal data is only processed to the extent necessary.

1.6. Third country transfers

Alpha may transfer personal data outside of the EEA, where data protection laws may not offer the same level of protection available in your home country. Personal data may be transferred to third countries outside of the EEA (almost exclusively to the US) due to the data hosting locations of Alpha’s IT infrastructure. Where we use third parties to provide data hosting solutions, these transfers comply with relevant equivalent programmes, such as the EU-US Privacy Shield (frameworks developed to enable organisations to comply with data protection requirements when transferring personal data from the European Union to third countries). When we transfer your personal data to any Alpha affiliates based outside the EEA or any country considered “adequate” by the European Commission, we rely on an intra-group transfer agreement that incorporates EU Standard Contractual Clauses designed to protect your personal data. You may obtain information and a copy of the relevant mechanism relied on for the transfer of your personal data by contacting us via the details set out in the “Contact us” section below. You may also find a copy of the EU Standard Contractual Clauses and related information at the Europa website (https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en)

1.7. Retention period

Alpha will only hold your personal data for as long as required to undertake the purposes of our processing, plus a prescribed period of time as required by national laws in your jurisdiction.

We hold personal data about our clients for the following periods:

• Data relating to prospective clients will be retained for up to five years, after which the record will be deleted if there is no recorded contact between Alpha and the prospective client or the prospective client has asked to be deleted within this period;

• Data relating to clients will be retained for the duration of the client relationship plus a further period to comply with certain obligations, legal requirements and best practices.

We will also retain your personal data for as long as necessary in connection with legal action or any investigations involving Alpha.

1.8. Individual data rights

Individuals may have certain statutory rights in relation to their personal data. Subject to any exemptions provided by law, if your personal data is processed by Alpha in respect of our client relationship activities, you may have the following rights:

• to receive confirmation from Alpha as to whether we process your personal data, and where we do, access to that personal data and certain other information;

• to request the rectification of any inaccurate personal data that we hold about you;

• to request the erasure of your personal data in certain circumstances;

• to request the restriction of our processing of your personal data in certain other circumstances, for example in certain scenarios where we are unable to comply with a request to erase your personal data;

• to receive a copy of the personal data that you have provided to Alpha in a structured, machine-readable and commonly-used format and/or, where possible, to request we transmit that personal data to another organisation;

• to object to certain processing of your personal data and to automated decision making and where our processing is based on your consent, you have the right to withdraw consent at any time by contacting us.

Where you are given the option to share your personal data with us, you can always choose not to do so. If you object to the processing of your personal data, we will respect that choice in accordance with its legal obligations. This could mean that we are unable to perform the actions necessary to achieve the purposes of processing described in the Purposes of Processing section above

1.9. Right to lodge a complaint with a supervisory authority

Under the GDPR, individuals have the right to lodge a complaint with their local data protection authority or the Information Commissioner’s Office, which is Alpha’s Lead Supervisory Authority in the European Union. Information about reporting a complaint to the ICO can be found at https://ico.org.uk/concerns/.

A list of EEA data protection authorities by jurisdiction is available at http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm

1.10. Relevant Alpha entities

The list below details the Alpha entities which may act as a controller for your data in conjunction with Alpha Financial Markets Consulting PLC:

1. Alpha Financial Markets Consulting Limited;

2. Alpha Technology Services Consulting Limited;

3. Glass Client Programs Limited;

4. Alpha Financial Markets Consulting (Luxembourg) S.A.;

5. Alpha Financial Markets Consulting Netherlands BV;

6. Alpha Financial Markets Consulting France S.A.S.;

7. Track Two GmbH

8. Alpha Financial Markets Consulting Inc.

9. Alpha Financial Markets Consulting Singapore Pte Ltd

10. Alpha Financial Markets Consulting Switzerland S.A.

1.11. Contact us

Please feel free to contact Alpha if you have any questions about this Privacy Statement or any of Alpha’s practices in relation to your personal data. Clients should direct requests to their primary contact at Alpha in the first instance, whether this is to seek further information or to exercise any of your statutory rights.

You can contact us by emailing privacy@alphafmc.com