Data Protection Policy

This Policy sets out how Rayner handles the Personal Data of our customers, suppliers, employees, workers and other third parties. For the purpose of this Policy ‘Rayner’ refers to the Rayner entity processing Personal Data which may be any, or all, of Rayner Surgical Group Limited, Rayner Intraocular Lenses Limited, Rayner Pharmaceuticals Limited, Rayner Surgical Inc., Rayner Surgical GmbH, Rayner Surgical S.A, or Rayner Italia Srl.

This Policy applies to all employees, workers, contractors, agency workers, consultants and directors. You must read, understand and comply with this Policy when processing Personal Data on our behalf and, where requested, attend training on its requirements. This Policy sets out what we expect from you in order for Rayner to comply with applicable law. Your compliance with this Policy is mandatory and any breach of it may result in disciplinary action.

1. PERSONAL DATA PROTECTION PRINCIPLES

1.1 Rayner adheres to the principles relating to Processing of Personal Data set out in the General Data Protection Regulation (“GDPR”), namely:

(a) Lawfulness, Fairness and Transparency – Personal Data must be Processed lawfully, fairly and in a transparent manner.

(b) Purpose Limitation – Personal Data must be collected only for specified, explicit and legitimate purposes.

(c) Data Minimisation – Personal Data collection must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.

(d) Accuracy – Personal Data must be accurate and where necessary kept up to date.

(e) Storage Limitation – Personal Data must not be kept in a form which permits identification of Data Subjects for any longer than is necessary for the purposes for which the data is processed.

(f) Security, Integrity and Confidentiality – Personal Data must be Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage.

(g) Transfer Limitation – Personal Data must not be transferred to another country without appropriate safeguards being in place.

(h) Data Subject Rights and Requests – Personal Data must be made available to Data Subjects and Data Subjects are allowed to exercise certain rights in relation to their Personal Data.

Rayner is committed to meeting and being able to demonstrate compliance with the data protection principles listed above.

1.2 Key Terms

Data Controller: the person or organisation that determines when, why and how to Process Personal Data. Rayner is the Data Controller of all Personal Data relating to our staff and Personal Data used in our business for our own commercial purposes.

Data Subject: a living, identified or identifiable individual about whom we hold Personal Data.

Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone, or in combination with other identifiers we possess, or can reasonably access. Personal Data includes Sensitive Personal Data and pseudo- anonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal Data can be factual (for example, a name, email address, photograph, location or date of birth) or an opinion about that person’s actions or behaviour.

Privacy Notice(s): separate notices setting out information that may be provided to Data Subjects when Rayner collects information about them.

Processing/Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.

Sensitive Personal Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.

2. SCOPE

The Rayner Group Board is responsible for ensuring all Rayner personnel comply with this Policy and for the implementation of appropriate practices, processes, controls and training to ensure such compliance. The senior officer responsible for overseeing this Policy is the Legal Director. Please contact the Legal Director with any questions about the operation of this Policy or the GDPR, or if you have any concerns that this Policy is not being or has not been followed.

3. LAWFULNESS, FAIRNESS, TRANSPARENCY

3.1 Lawfulness and Fairness

Personal Data must be Processed lawfully, fairly and in a transparent manner in relation to the Data Subject. Personal Data may only be collected, Processed and shared fairly and lawfully and for specified purposes. The GDPR allows Processing for specific purposes, some of which are set out below:

(a) where the Data Subject has given his or her consent;

(b) where the Processing is necessary for the performance of a contract with the Data Subject;

(c) to comply with legal obligations;

(d) to pursue legitimate interests for purposes where they are not overridden because the Processing prejudices the interests or fundamental rights and freedoms of Data Subjects. The purposes for which Rayner Processes Personal Data for legitimate interests are described in our Privacy Notices.

3.2 Transparency

The GDPR requires Data Controllers to provide detailed, specific information to Data Subjects depending on whether the information was collected directly from Data Subjects or from elsewhere. Such detailed information is provided in our Privacy Notices.

4. PURPOSE LIMITATION

Personal Data must be collected by us only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.

Personal Data cannot be used by us for new, different or incompatible purposes from that disclosed when it was first obtained, unless the Data Subject has been informed of the new purposes and they have consented where necessary.

5. DATA MINIMISATION

Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. You may only process Personal Data at Rayner when the performance of your job- related duties requires it. You cannot process Personal Data for any reason unrelated to your job duties and you must not collect excessive data. You must ensure that any Personal Data collected by you is adequate and relevant for the intended purposes.

You must ensure that when Personal Data you hold is no longer needed for specified purposes, it is deleted or anonymised. If you have shared the Personal Data with anyone else within Rayner you must ensure that they too are advised of the need to delete or anonymise the data.

6. ACCURACY

Personal Data held by Rayner must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.

We must ensure that the Personal Data we each use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. The accuracy of any Personal Data must be checked at the point of collection and at regular intervals afterwards. All reasonable steps must be taken to destroy or amend inaccurate or out-of-date Personal Data.

7. STORAGE LIMITATION

Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed. You should familiarise yourself with our Retention Policy which is available on the R:Drive or from the Legal Department, to ensure Personal Data is deleted after a reasonable time for the purposes for which it was being held, unless there is a legal requirement that such data be kept for a minimum time. You must comply with our Retention Policy and all Rayner guidance on data retention.

All reasonable steps must be taken to destroy or erase from our systems all Personal Data that we no longer require in accordance with our Retention Policy. This may include requiring third parties to delete such data where applicable.

8. SECURITY, INTEGRITY AND CONFIDENTIALITY

8.1 Protecting Personal Data

Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage. You must follow all procedures and technologies we already have or put in place in Rayner to maintain the security of all Personal Data from the point of collection to the point of destruction. You must comply with all applicable aspects of this Data Protection Policy and Rayner’s IS Policy. You must not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with the GDPR, and relevant applicable standards, to protect Personal Data.

Security procedures with which you should comply include (but are not limited to):

(a) Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. Personal Data is always considered confidential.

(b) Methods of disposal. Paper documents containing Personal Data should be shredded. Digital storage devices should be physically destroyed when they are no longer required.

(c) Equipment. Rayner personnel must ensure that individual monitors do not show confidential information to passers-by and that they lock screens when computers are left unattended. Personal Data should not be held on individual PCs but in a restricted access folder on the R:Drive.

8.2 Reporting a Personal Data Breach

The GDPR requires Data Controllers to notify any Personal Data breach to the applicable Regulator and, in certain instances, the Data Subject.

If you know, or suspect, that a Personal Data breach has occurred, do not attempt to investigate the matter yourself. Immediately contact the Legal Director and the Head of IS. You should preserve all evidence relating to the potential Personal Data breach.

9. TRANSFER LIMITATION

The GDPR restricts data transfers to countries outside the EEA (the 28 countries currently in the EU, and Iceland, Liechtenstein and Norway) in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined. Personal Data originating in one country is transferred across borders when it is transmitted, sent, viewed or accessed in or to a different country.

You may only transfer Personal Data outside the EEA in certain controlled circumstances. You should liaise with the Legal Department if such a transfer is proposed or considered.

10. DATA SUBJECTS RIGHTS AND REQUESTS

Data Subjects have rights when it comes to how we handle their Personal Data. These include rights to:

(a) withdraw consent to Processing at any time;

(b) receive certain information about the Data Controller’s Processing activities;

(c) request access to their Personal Data that we hold;

(d) prevent our use of their Personal Data for direct marketing purposes or to restrict Processing in specific circumstances;

(e) ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed, or to rectify inaccurate data or to complete incomplete data;

prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else; and

(f) make a complaint to the supervisory authority (in the UK, the Information Commissioner).

The identity of an individual requesting data under any of the rights listed above must be verified – you must immediately forward any Data Subject request you receive to the Legal Director. Do not allow third parties to persuade you into disclosing Personal Data without proper authorisation.

11. ACCOUNTABILITY

11.1 Technical and Organisational Measures

To comply with GDPR, Rayner, as a Data Controller, must implement appropriate technical and organisational measures in an effective manner, to ensure compliance with data protection principles. The Data Controller is responsible for, and must be able to demonstrate, compliance with the data protection principles.

Rayner is committed to having adequate resources and controls in place to ensure and to document GDPR compliance including:

(a) a senior executive who is accountable for data privacy, in this case the Legal Director;

(b) ‘privacy by design’ when Processing Personal Data and completing ‘data protection impact assessments’ (DPIAs) where Processing presents a high risk to the rights and freedoms of Data Subjects;

(c) the integration of data protection into internal documents including this Policy, Privacy Notices, related policies and standard operating procedures;

(d) training of relevant personnel on the requirements of GDPR, data privacy, this Policy, related policies and data protection matters; and

(e) the testing of the privacy measures implemented and the conduct of periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.

11.2 Training and Audit

All relevant Rayner personnel must undergo adequate training to enable them to comply with data privacy laws. All staff must read, acknowledge and comply with this Policy. Certain members of staff  will be required to take part in additional data privacy related training. If you are requested to do so, this is mandatory.

You must regularly review all the systems and processes under your control to ensure they comply with this Policy and check that adequate governance controls and resources are in place to ensure proper use and protection of Personal Data.

11.3 Privacy By Design and Data Protection Impact Assessments (DPIA)

GDPR requires the implementation of ‘privacy by design’ measures when processing Personal Data. To comply Rayner is committed to the implementation of appropriate technical and organisational measures in an effective manner, to ensure our compliance with data privacy principles.

Data Controllers must also conduct data protection impact assessments (DPIAs) in respect of high risk processing, for example, when implementing major system or business change programs involving the processing of Personal Data. We are committed to conducting DPIAs as our circumstances require.

11.4 Direct Marketing

We must comply with privacy law when marketing to our customers. The majority of Rayner’s customer base is pre-existing and our contact database is built on information obtained in the course of previous sales or upon performance of a contract. We can rely, therefore, on a “soft opt-in” based on our own legitimate interests, subject to some important controls. Marketing by us must be conducted only on identical, similar or complementary products, contact should be in a business-to-business context and the right to object to direct marketing should be explicitly offered to the Data Subject.

A Data Subject’s objection to direct marketing must be promptly honoured. You are expected to comply immediately if informed that a Data Subject has objected and to advise Legal. If a customer opts out at any time, their details should be suppressed in our systems as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.

11.5 Sharing Personal Data

In most circumstances, we are not permitted to share Personal Data with third parties unless certain safeguards and contractual arrangements area in place.

You may only share the Personal Data we hold with another employee, agent or representative of Rayner if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions.

You may only share the Personal Data we hold with third parties, such as our service providers if:

(a) they have a need to know the information for the purposes of providing the contracted services (our payroll provider would be one example);

(b) sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject’s consent has been obtained;

(c) the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place; and

(d) the transfer complies with any applicable cross border transfer restrictions.

12. CHANGES TO THIS POLICY

We reserve the right to change this Policy at any time without notice to you, we will advise you on any changes and the latest version of the Policy will be available on our system or from Legal or HR. We last revised this Policy in May 2018 and it was approved by the Rayner Group Board on 22 May 2018.