Data Protection Policy

PREAMBLE 
A.     The SEN Expert Ltd is a special education consultancy whose services include mentoring, support and related consulting services to individuals who have special educational needs and their families.
B.     The SEN Expert Ltd also provides bespoke support packages to businesses’ employees who have children with special educational needs as part of an employee wellness offering.

1.           Interpretation

1.1         Definitions:

               Automated Decision-Making (ADM): when a decision is made which is based solely on Automated Processing (including profiling) which produces legal effects or significantly affects an individual. The UK GDPR prohibits Automated Decision-Making (unless certain conditions are met) but not Automated Processing.

               Automated Processing: any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of Automated Processing, as are many uses of artificial intelligence (AI) where they involve the processing of Personal Data.

               Company name: SEN Expert Ltd incorporated and registered in England and Wales with company number 13523478 whose registered office is at 36 Oaklands Grove, London, England, W12 0JA.

               Company Personnel: all employees, workers, contractors, agency workers, consultants, directors, members and others.

               Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject's wishes by which they, by a statement or by a clear positive action, signify agreement to the Processing of Personal Data relating to them.

               Controller: the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the UK GDPR. We are the Controller of all Personal Data relating to our Company Personnel and Personal Data used in our business for our own commercial purposes.

               Criminal Convictions Data: personal data relating to criminal convictions and offences, including personal data relating to criminal allegations and proceedings.

               Data Subject: a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.

               Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programmes involving the Processing of Personal Data.

               Data Protection Officer (DPO): either of the following:

a)        the person required to be appointed in specific circumstances under the UK GDPR; or

b)        where a mandatory DPO has not been appointed, a data privacy manager or other voluntary appointment of a DPO or the Company data privacy team with responsibility for data protection compliance.

               Explicit Consent: consent which requires a very clear and specific statement (that is, not just action).

               UK GDPR: the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) as defined in the Data Protection Act 2018. Personal Data is subject to the legal safeguards specified in the UK GDPR.

               Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Special Categories of Personal Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour.

               Personal Data Breach: any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.

               Privacy by Design: implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the UK GDPR.

               Privacy Notices (also referred to as Fair Processing Notices) or Privacy Policies: separate notices setting out information that may be provided to Data Subjects when the Company collects information about them. These notices may take the form of:

a)        general privacy statements applicable to a specific group of individuals (for example, employee privacy notices, clauses in agreements with clients or the website privacy policy); or

b)        stand-alone, one-time privacy statements covering Processing related to a specific purpose.

               Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.

               Pseudonymisation or Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person to whom the data relates cannot be identified without the use of additional information which is meant to be kept separately and secure.

               Special Categories of Personal Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.

2.           Introduction

2.1         This Data Protection Policy sets out how the Company ("we", "our", "us", "the Company") handles the Personal Data of our clients, prospective clients, suppliers, employees, workers, business contacts and other third parties.

2.2         This Data Protection Policy applies to all Personal Data we Process regardless of the media on which that data is stored or whether it relates to past or present employees, workers, clients, client or supplier contacts, shareholders, website users, or any other Data Subject.

2.3         This Data Protection Policy applies to all Company Personnel ("you", "your"). You must read, understand and comply with this Data Protection Policy when Processing Personal Data on our behalf and attend training on its requirements. Data protection is the responsibility of everyone within the Company and this Data Protection Policy sets out what we expect from you when handling Personal Data to enable the Company to comply with applicable law. Your compliance with this Data Protection Policy is mandatory. Any breach of this Data Protection Policy may result in disciplinary action.

2.4         This Data Protection Policy is an internal document and cannot be shared with third parties, clients or regulators without prior authorisation from the DPO.

3.           Scope of Policy and when to seek advice on data protection compliance

3.1         We recognise that the correct and lawful treatment of Personal Data will maintain trust and confidence in the organisation and will provide for successful business operations. Protecting the confidentiality and integrity of Personal Data is a critical responsibility that we take seriously at all times. The Company is exposed to potential fines of up to £17.5 million or 4% of total worldwide annual turnover, whichever is higher and depending on the breach, for failure to comply with the UK GDPR.

3.2         The CEO is responsible for ensuring all Company Personnel comply with this Data Protection Policy and needs to implement appropriate practices, processes, controls and training to ensure that compliance.

3.3         The DPO is responsible for overseeing this Data Protection Policy. That post is held by Claire Whalley, and they can be reached at [TELEPHONE NUMBER] and claire@thesenexpert.co.uk.

3.4         Please contact the DPO with any questions about the operation of this Data Protection Policy or the UK GDPR or if you have any concerns that this Data Protection Policy is not being or has not been followed. In particular, you must always contact the DPO in the following circumstances:

(a)       if you are unsure of the lawful basis on which you are relying to process Personal Data (including the legitimate interests used by the Company) (see paragraph 5.1);

(b)       if you need to rely on Consent or need to capture Explicit Consent (see paragraph 6);

(c)       if you need to draft Privacy Notices (see paragraph 7);

(d)       if you are unsure about the retention period for the Personal Data being Processed (see paragraph 11);

(e)       if you are unsure what security or other measures you need to implement to protect Personal Data (see paragraph 12.1);

(f)       if there has been a Personal Data Breach (paragraph 13);

(g)       if you are unsure on what basis to transfer Personal Data outside the UK (see paragraph 14);

(h)       if you need any assistance dealing with any rights invoked by a Data Subject or complaints (see paragraph 15);

(i)        whenever you are engaging in a significant new, or change in, Processing activity which is likely to require a DPIA (see paragraph 19) or plan to use Personal Data for purposes other than for which it was collected (see paragraph 8);

(j)        if you plan to undertake any activities involving Automated Processing including profiling or Automated Decision-Making (see paragraph 20);

(k)       if you need help complying with applicable law when carrying out direct marketing activities (see paragraph 21); or

(l)        if you need help with any contracts or other areas in relation to sharing Personal Data with third parties (including our vendors) (see paragraph 22).

4.           Personal data protection principles

4.1         We adhere to the principles relating to Processing of Personal Data set out in the UK GDPR which require Personal Data to be:

(a)       Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency);

(b)       collected only for specified, explicit and legitimate purposes (purpose limitation);

(c)       adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (data minimisation);

(d)       accurate and where necessary kept up to date (accuracy);

(e)       not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (storage limitation);

(f)       Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (security, integrity and confidentiality);

(g)       not transferred to another country without appropriate safeguards in place (transfer limitation); and

(h)       made available to Data Subjects and allow Data Subjects to exercise certain rights in relation to their Personal Data (data subject's rights and requests).

4.2         We are responsible for and must be able to demonstrate compliance with the data protection principles listed above (accountability).

5.           Lawfulness, fairness and transparency

5.1         Personal data must be Processed lawfully, fairly and in a transparent manner in relation to the Data Subject.

5.2         You may only collect, Process and share Personal Data fairly and lawfully and for specified purposes. The UK GDPR restricts our actions regarding Personal Data to specified lawful purposes. These restrictions are not intended to prevent Processing but ensure that we Process Personal Data fairly and without adversely affecting the Data Subject.

5.3         The UK GDPR allows Processing for specific purposes, some of which are set out below:

(a)       the Data Subject has given their Consent;

(b)       the Processing is necessary for the performance of a contract with the Data Subject;

(c)       to meet our legal compliance obligations;

(d)       to protect the Data Subject's vital interests; or

(e)       to pursue our legitimate interests (or those of a third party) for purposes where they are not overridden because the Processing prejudices the interests or fundamental rights and freedoms of Data Subjects. The purposes for which we process Personal Data for legitimate interests need to be set out in applicable Privacy Notices.

5.4         You must identify and document the legal ground being relied on for each Processing activity.

6.           Consent

6.1         A Controller must only process Personal Data on one or more of the lawful bases set out in the UK GDPR, which include Consent.

6.2         A Data Subject consents to Processing of their Personal Data if they clearly indicate agreement to the Processing. Consent requires affirmative action, so silence, pre-ticked boxes or inactivity will not be sufficient to indicate consent. If Consent is given in a document which deals with other matters, then the Consent must be kept separate from those other matters.

6.3         A Data Subject must be easily able to withdraw Consent to Processing at any time and withdrawal must be promptly honoured. Consent may need to be refreshed if you intend to Process Personal Data for a different and incompatible purpose which was not disclosed when the Data Subject first consented.

6.4         When processing Special Category Data or Criminal Convictions Data, we will usually rely on a legal basis for processing other than Explicit Consent or Consent if possible. Where Explicit Consent is relied on, you must issue a Privacy Notice to the Data Subject to capture Explicit Consent.

6.5         You will need to evidence Consent captured and keep records of all Consents, so that the Company can demonstrate compliance with Consent requirements.

7.           Transparency (notifying Data Subjects)

7.1         The UK GDPR requires a Controller to provide detailed, specific information to a Data Subject depending on whether the information was collected directly from the Data Subject or from elsewhere. The information must be provided through an appropriate Privacy Notice which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand it.

7.2         Whenever we collect Personal Data directly from a Data Subject, including for HR or employment purposes, we must provide the Data Subject with all the information required by the UK GDPR including the identity of the Controller and DPO, and how and why we will use, Process, disclose, protect and retain that Personal Data through a Privacy Notice which must be presented when the Data Subject first provides the Personal Data.

7.3         When Personal Data is collected indirectly (for example, from a third party or publicly available source), we must provide the Data Subject with all the information required by the UK GDPR as soon as possible after collecting or receiving the data. We must also check that the Personal Data was collected by the third party in accordance with the UK GDPR and on a basis which contemplates our proposed Processing of that Personal Data.

7.4         If you are collecting Personal Data from a Data Subject, directly or indirectly, then you must provide the Data Subject with a Privacy Notice.

8.           Purpose limitation

8.1         Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes.

8.2         You cannot use Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained unless you have informed the Data Subject of the new purposes and they have Consented where necessary.

8.3         If you want to use Personal Data for a new or different purpose from that for which it was obtained, you must first contact the DPO for advice on how to do this in compliance with both the law and this Data Protection Policy.

9.           Data minimisation

9.1         Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.

9.2         You may only Process Personal Data when performing your job duties requires it. You cannot Process Personal Data for any reason unrelated to your job duties.

9.3         You may only collect Personal Data that you require for your job duties: do not collect excessive data. Ensure any Personal Data collected is adequate and relevant for the intended purposes.

9.4         You must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the Company's data retention guidelines.

10.         Accuracy

10.1       Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.

10.2       You must ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. You must check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. You must take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.

11.         Storage limitation

11.1       Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.

11.2       The Company will maintain retention policies and procedures to ensure Personal Data is deleted after an appropriate time, unless a law requires that data to be kept for a minimum time.

11.3       You must not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purpose or purposes for which we originally collected it including for the purpose of satisfying any legal, accounting or reporting requirements.

11.4       You will take all reasonable steps to destroy or erase from our systems all Personal Data that we no longer require in accordance with all the Company's applicable records retention schedules and policies. This includes requiring third parties to delete that data where applicable.

11.5       You will ensure Data Subjects are provided with information about the period for which data is stored and how that period is determined in any applicable Privacy Notice.

12.         Security, integrity and confidentiality

12.1       Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful Processing, and against accidental loss, destruction or damage.

12.2       We will develop, implement and maintain safeguards appropriate to our size, scope and business, our available resources, the amount of Personal Data that we own or obtain on behalf of others, and identified risks (including use of encryption and Pseudonymisation where applicable). We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our Processing of Personal Data. You are responsible for protecting the Personal Data we hold. You must implement reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of, or damage to, Personal Data. You must exercise particular care in protecting Special Categories of Personal Data and Criminal Convictions Data from loss and unauthorised access, use or disclosure.

12.3       You must follow all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction. You may only transfer Personal Data to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested.

12.4       You must maintain data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:

(a)       Confidentiality: only people who have a need to know and are authorised to use the Personal Data can access it;

(b)       Integrity: Personal Data is accurate and suitable for the purpose for which it is processed; and

(c)       Availability: authorised users are able to access the Personal Data when they need it for authorised purposes.

12.5       You must comply with and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with the UK GDPR and relevant standards to protect Personal Data.

13.         Reporting a Personal Data Breach

13.1       The UK GDPR requires Controllers to notify any Personal Data Breach to the Information Commissioner and, in certain instances, the Data Subject.

13.2       We have put in place procedures to deal with any suspected Personal Data Breach and will notify the Data Subject or any applicable regulator where we are legally required to do so.

13.3       If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. Immediately contact the DPO. You should preserve all evidence relating to the potential Personal Data Breach.

14.         Transfer limitation

14.1       The UK GDPR restricts data transfers to countries outside the UK to ensure that the level of data protection afforded to individuals by the UK GDPR is not undermined. You transfer Personal Data originating in one country across borders when you transmit, send, view or access that data in or to a different country.

14.2       You must comply with the Company's guidelines on cross-border data transfers.

14.3       You may only transfer Personal Data outside the UK if one of the following conditions applies:

(a)       the UK has issued regulations confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the Data Subject's rights and freedoms;

(b)       appropriate safeguards are in place such as binding corporate rules, standard contractual clauses approved for use in the UK, an approved code of conduct or a certification mechanism, a copy of which can be obtained from the DPO;

(c)       the Data Subject has provided Explicit Consent to the proposed transfer after being informed of any potential risks; or

(d)       the transfer is necessary for one of the other reasons set out in the UK GDPR including:

(i)        the performance of a contract between us and the Data Subject;

(ii)       reasons of public interest;

(iii)      to establish, exercise or defend legal claims;

(iv)      to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving Consent; and

(v)       in some limited cases, for our legitimate interest.

15.         Data Subject's rights and requests

15.1       A Data Subject has rights when it comes to how we handle their Personal Data. These include rights to:

(a)       withdraw Consent to Processing at any time;

(b)       receive certain information about the Controller's Processing activities;

(c)       request access to their Personal Data that we hold (including receiving a copy of their Personal Data);

(d)       prevent our use of their Personal Data for direct marketing purposes;

(e)       ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate data or to complete incomplete data;

(f)       restrict Processing in specific circumstances;

(g)       object to Processing which has been justified on the basis of our legitimate interests or in the public interest;

(h)       request a copy of an agreement under which Personal Data is transferred outside of the UK;

(i)        object to decisions based solely on Automated Processing, including profiling (ADM);

(j)        prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;

(k)       be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;

(l)        make a complaint to us and subsequently to the supervisory authority; and

(m)      in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format.

15.2       You must verify the identity of an individual requesting data under any of the rights listed above (do not allow third parties to persuade you into disclosing Personal Data without proper authorisation).

15.3       You must immediately forward any Data Subject request or complaint you receive to the DPO.

16.         Accountability

16.1       The Controller must implement appropriate technical and organisational measures in an effective manner to ensure compliance with data protection principles. The Controller is responsible for, and must be able to demonstrate, compliance with the data protection principles.

16.2       The Company must have adequate resources and controls in place to ensure and to document UK GDPR compliance including:

(a)       appointing a suitably qualified DPO (where necessary) and an executive accountable for data privacy;

(b)       implementing Privacy by Design when Processing Personal Data and completing DPIAs where Processing presents a high risk to rights and freedoms of Data Subjects;

(c)       integrating data protection into internal documents including this Data Protection Policy;

(d)       regularly training Company Personnel on the UK GDPR, this Data Protection Policy, and data protection matters including, for example, a Data Subject's rights, Consent, legal basis, DPIA and Personal Data Breaches. The Company must maintain a record of training attendance by Company Personnel; and

(e)       regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.

17.         Record keeping

17.1       The UK GDPR requires us to keep full and accurate records of all our data Processing activities.

17.2       You must keep and maintain accurate corporate records reflecting our Processing including records of Data Subjects' Consents and procedures for obtaining Consents.

17.3       These records should include, at a minimum:

(a)       the name and contact details of the Controller and the DPO; and

(b)       clear descriptions of:

(i)        the Personal Data types;

(ii)       the Data Subject types;

(iii)      the Processing activities;

(iv)      the Processing purposes;

(v)       the third-party recipients of the Personal Data;

(vi)      the Personal Data storage locations;

(vii)     the Personal Data transfers;

(viii)    the Personal Data's retention period; and

(ix)      the security measures in place.

17.4       To create the records, data maps should be created which should include the detail set out above together with appropriate data flows.

18.         Training and audit

18.1       We are required to ensure all Company Personnel have undergone adequate training to enable them to comply with data privacy laws. We must also regularly test our systems and processes to assess compliance.

18.2       You must undergo all mandatory data privacy-related training and ensure your team undergoes similar mandatory training.

18.3       You must regularly review all the systems and processes under your control to ensure they comply with this Data Protection Policy and check that adequate governance controls and resources are in place to ensure proper use and protection of Personal Data.

19.         Privacy by Design and Data Protection Impact Assessment (DPIA)

19.1       We are required to implement Privacy by Design measures when Processing Personal Data by implementing appropriate technical and organisational measures (like Pseudonymisation) in an effective manner, to ensure compliance with data privacy principles.

19.2       You must assess what Privacy by Design measures can be implemented on all programmes, systems or processes that Process Personal Data by taking into account the following:

(a)       The state of the art.

(b)       The cost of implementation.

(c)       The nature, scope, context and purposes of Processing.

(d)       The risks of varying likelihood and severity for rights and freedoms of the Data Subject posed by the Processing.

19.3       The Controller must also conduct a DPIA in respect to high-risk Processing.

19.4       You should conduct a DPIA (and discuss your findings with the DPO) when implementing major system or business change programs involving the Processing of Personal Data including the use of new technologies (programs, systems or processes, including the use of AI), or changing technologies (programs, systems or processes).

19.5       A DPIA must include:

(a)       A description of the Processing, its purposes and the Controller's legitimate interests if appropriate.

(b)       An assessment of the necessity and proportionality of the Processing in relation to its purpose.

(c)       An assessment of the risk to individuals.

(d)       The risk mitigation measures in place and demonstration of compliance.

20.         Direct marketing

20.1       We are subject to certain rules and privacy laws when engaging in direct marketing to our clients and prospective clients (for example when sending marketing emails or making telephone sales calls).

20.2       For example, in a business to consumer context, a Data Subject's prior consent is generally required for electronic direct marketing (for example, by email, text or automated calls). The limited exception for existing clients known as "soft opt-in" allows an organisation to send marketing texts or emails without consent if it:

(a)       Has obtained contact details in the course of a sale to that person.

(b)       Is marketing similar products or services.

(c)       Gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent marketing message.

20.3       The right to object to direct marketing must be explicitly offered to the Data Subject in an intelligible manner so that it is clearly distinguishable from other information.

20.4       A Data Subject's objection to direct marketing must always be promptly honoured. If a customer opts out of marketing at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.

21.         Sharing Personal Data

21.1       Generally, we are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place.

21.2       You may only share the Personal Data we hold with another employee, agent, consultant or sub-contractor if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions.

21.3       You may only share the Personal Data we hold with third parties, such as our service providers, if:

(a)       they have a need to know the information for the purposes of providing the contracted services;

(b)       sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject's Consent has been obtained;

(c)       the third party has agreed to comply with the required data security standards, policies and procedures, and put adequate security measures in place;

(d)       the transfer complies with any applicable cross-border transfer restrictions; and

(e)       a fully executed written contract that contains UK GDPR-compliant third party clauses has been obtained.

22.         Changes to this Data Protection Policy

22.1       We keep this Data Protection Policy under regular review. This version was last updated on 01 October 2025. Historic versions are available from the DPO.

22.2       This Data Protection Policy does not override any applicable national data privacy laws and regulations in countries where the Company operates.

23.         Acknowledgement of receipt and review

I, [NAME], acknowledge that on [DATE], I received and read a copy of The SEN Expert Limited's Data Protection Policy and understand that I am responsible for knowing and abiding by its terms. I understand that this Data Protection Policy does not set terms or conditions of employment or form part of an employment contract.


The SEN Expert is a company registered in England and Wales with company number 13523478.