Privacy policy

This document includes the Privacy Policy, CCTV policy and the Acceptable Use policy

About us We are Plexal (City) Limited (referred to in this Privacy Policy as “we”, “us” or “our”) based at 14 East Bay Lane, The Press Centre, Here East, Queen Elizabeth Olympic Park, Stratford, London E15 2GW. We administer an innovation centre for technology companies to accelerate innovation based at Here East, Queen Elizabeth Olympic Park, Stratford, London E15 2GW (“Plexal”) and we provide various services and facilities to our members and their users of Plexal (“Services and Facilities”) and a website for visitors and our members’ users receiving our Services and Facilities available at https://www.plexal.com/ (our “Website”), which includes our private members area which we refer to as our “Intranet”. References to “you” or “your” in this Privacy Policy means a member’s user of our Services and Facilities, or our Website, or an individual assisting us in providing our Services and Facilities, or our Website (as applicable, depending on the context). This privacy policy (“Privacy Policy”) sets out how we collect and use your personal data and who we may share it with for the purposes of providing Services and Facilities, and our Website to you. We will be the controller of the personal data you provide to us and/or that we receive on your behalf for the purposes of providing the Services to you. This means that we decide the purposes and means of the processing of your personal data. Please read the following carefully to understand how we will use your personal data.

What personal data do we collect? We may collect and process one or more of the following categories of personal data about you or the company you represent (which is our member): • Accelerator Application Data: your position at the company you represent, work experience (including name of organisation, position held at the company, length of employment and a description of the responsibilities held and your achievements); • Accelerator Company Data: company name, number of employees at the company, founding year, names of company founders and details of the company (including product descriptions, business models and assessments of market opportunities); • Access Card Data: your name. the company you represent and your location; • CCTV Data: visual images/footage of you at Plexal; • Cohort Application Data: your ethnicity and gender (depending on the cohort you are applying for); • Cohort Company Data: company name, companies house registration number, number of employees at the company and year of incorporation of the company; • Contact Data: your name, address, phone number and email address; • Correspondence Data: the contents of the messages you send to us, or receive from us; • Event Attendance Data: your name and email address; • Innovation Workshop Data: name, phone number, email address and job title; • Intranet Community Group Data: the contents of the messages you post to other users of the community group you participate in on our Intranet; • Intranet Directory Data: name, email address, position at the company you represent, company name and any additional information that you include under the “about me” section of your profile; • Intranet Message Data: the contents of the messages you send to, and receive from, other users of the Intranet; • Member Company Data: company name and company address; • Member Payment Data: bank details (including sort code and account number) of the member; • Member Representative Registration Data: name, email address, photograph and company name; • Member Representative Contact Data: name, email address and company name; • Promotional Data: photographs of you; • Supplier Company Data: one or more of the following; company name, company address, company VAT registration number, company bank details (including sort code and account number), company financial statements, company insurance details, company organisational chart, details of fraud, litigation or other legal and/or regulatory claims, product and service information, and pricing information; • Survey and Feedback Data: your responses to our surveys and any feedback you provide to us; • Technical Data: IP address, device data (for example, iPhone X, Samsung S9), MAC address, browser version and type, and time zone setting; • Third Party Source Data: we may obtain personal data about you from third party websites such as Facebook, Twitter, Google (including YouTube), LinkedIn, other social network websites and aggregator websites, this is limited to knowing that you have clicked on one of our adverts displayed on such third party websites; • Testimonial Data: your name, the company you represent, job title and the contents of your testimonial; and • Visitor Data: name, email address and company name of the visitor you invite to attend Plexal.

Why do we collect personal data, what do we do with it and what is our lawful basis of processing? We use some or all of your personal data for one or more of the following purposes: Purpose: Lawful basis of processing: If you use our Services and Facilities: • if you enquire about your company participating in one of our cohort programmes, you will be required to fill in an expression of interest form on behalf of the company you represent. As part of this form, we will ask for your Contact Data and Cohort Company Data in order for us to respond to you and follow up on your request. If you proceed to apply to join a cohort we will also require your Cohort Application Data, which we will review along with your Contact Data and Cohort Company Data and respond to you on your application; We have a legitimate interest to process such personal data for the purposes of responding to your request for information, or application to join, a cohort programme. • If you apply to join a cohort programme in your professional capacity, but as an individual and not as part of a company, you will be required to fill in an application form, which requires you to provide your Contact Data and Cohort Application Data in order for us to review our application and respond to you on your application; We have a legitimate interest to process such personal data to review and respond to your application to join a cohort programme. • if you apply to join one of our accelerators, you will be required to fill in an application form on behalf of the company you represent. As part of this form, we will ask for your Contact Data, Accelerator Application Data and Accelerator Company Data in order for us to respond to you and follow up on your request; We have a legitimate interest to process such personal data to review and respond to your application to join an accelerator. • If you express an interest in an innovation workshop or attend an innovation workshop, we will process your Innovation Workshop Data for the purposes of keeping you up to date about our innovation workshops, or if you attend, to identify you during the innovation workshop and communicate with you in respect of such workshop; We have a legitimate interest to process such personal data for the purposes of delivering our workshop to you. • we will use your Contact Data and Member Company Data for the administration of your membership and/or use of our Services and Facilities; We have a legitimate interest to process such personal data to provide you with your membership as part of our obligation to the company you represent with whom we have a contract to provide the Services and Facilities. • to process payments from our members, we process your Member Representative Contact Data, Member Company Data (if the member is a company, and not a sole trader, for example) and Member Payment Data; We have a legitimate interest to process such personal data to process payments for our Services and Facilities from the member you represent. • when we onboard a company to use our Services and Facilities, we are required to process your Member Representative Contact Data and Member Company Data to carry out our onboarding process; We have a legitimate interest to process such personal data to on board the member you represent in order to provide our Services and Facilities to the member. • if you respond to one of our adverts on a third party website we will process your Third Party Source Data to help us to assess the effectiveness of our marketing strategies on these third party websites; We rely on your consent to process such personal data for marketing purposes. • from time to time, we create promotional materials to promote our Services and Facilities, and Plexal more generally, and as part of this, we take photographs of various locations of Plexal, and activities and events undertaken at Plexal. We will process your Promotional Data where we have obtained your consent to do so. We rely on your consent to process such personal data for promotional purposes. • to notify you about changes to our policies and/or our Services and Facilities we process your Contact Data; We have a legitimate interest to process such personal data to provide service messages to you (these are not marketing messages). If you attend Plexal: • if you are one of our members’ users of the Services and Facilities, we will process your Access Card Data and Member Representative Contact Data to allow you to access Plexal and to know who is our premises; We have a legitimate interest to process such personal data when you access Plexal for security purposes and for health and safety reasons or in case of emergency. • if you invite a visitor to attend Plexal, we will process your Member Representative Contact Data and your visitor’s Visitor Contact Data to allow the visitor to access Plexal and meet with you; We have a legitimate interest to process such personal data to allow your visitor to access Plexal and for security purposes. • if you attend an event held at Plexal, we will process your Event Attendance Data for the purposes of your registration at the event and to allow you to access Plexal; We process such personal data for the performance of the contract we have with you to enable you to attend the event and for security purposes. • anyone attending Plexal may be captured on our closed-circuit television (CCTV) and we will process your CCTV Data while you are in and around Plexal. You can request a copy of our CCTV policy from our reception; We have a legitimate interest to process such personal data for security purposes and crime prevention. • if you provided us with feedback or respond to a survey, we will process your Survey and Feedback Data to enable us to improve our Services and Facilities, and our Website. We sometimes seek feedback in the form of NPS scores (which are not connected to you as an individual and are anonymous). We rely on your consent to process such personal data for feedback purposes. If you use our Website: • we will use your Contact Data to provide you with marketing information where you have signed up to receive marketing via our Website; In some instances, we rely on your consent to process such personal data for marketing purposes where you have specifically requested communications from us. In other circumstances, we rely on legitimate interests if we think the communication will be of interest to you. • if you use our Intranet, you will be required to register any account and provide us with your Member Representative Registration Data to enable us to set up your account and to enable you to interact with other users of our Intranet; We process such personal data for the performance of the contract we have with you in order to enable you to access and use the features of our Intranet. • as part of our Intranet, you can use a variety of services, and we process your personal data depending on the services you use as follows: o if you book a meeting room, we process your Member Representative Contact Data in order to secure the meeting room on your behalf and provide you with access to it; o if you raise a query with our help desk on our Intranet, we will process your Member Representative Contact Data in order to respond to your query and find a resolution; o you have the option to upload your Intranet Directory Data, which is encouraged to enable you to connect and network with other users of our Intranet; o you can message other users of our Intranet via the messaging facility as part of our Intranet and if you do, we will process your Member Representative Registration Data and Intranet Message Data in order to facilitate the transmission of messages between users of our Intranet; o you may participate in community groups on our Intranet and if you do, we will process your Member Representative Registration Data and Intranet Community Group Data in order to facilitate these community groups and to allow users to connect and network; We process such personal data for the performance of the contract we have with you in order to enable you to access and use the features of our Intranet. • If you visit our Website, we will process your Technical Data for the purposes of optimising our Website for your device and, in the case of time zone settings, to enable you to see the times of our webinars and events according to the time zone you are based in; We have a legitimate interest to process such personal in order to provide our Website to you in a format that is appropriate for you needs. • if you visit our Website, we use cookies for a variety of purposes. We explain this in further in the section Do we use cookies? below. We rely on your consent to process such personal data for our use of cookies. If you assist us in providing our Services and Facilities, or our Website: • if you represent one of our suppliers who assists us in providing our Services and Facilities, or our Website, to our users, and you are the primary contact for the supplier, we will process your Contact Data along with the relevant Supplier Company Data. We have a legitimate interest to process such personal data for the purposes of receiving services from our suppliers. Marketing: • we will use your Contact Data to provide you with marketing information about our Services and Facilities (or similar services related to our Services and Facilities). This includes if you have subscribed to our newsletter via our Website or via the iPads displayed in various locations in Plexal. We usually send our marketing by email, but other methods may be used (such as by mail or phone); and In some instances, we rely on your consent to process such personal data for marketing purposes where you have specifically requested communications from us. In other circumstances, we rely on legitimate interests if we think the communication will be of interest to you. Promoting Plexal: • if you use our Services and Facilities, you may be asked to provide a testimonial to help us to promote Plexal, if you agree to provide a testimonial we will process your Testimonial Data and use it for promotional purpose. We rely on your consent to process such personal data for marketing and promotional purposes.

Do we use cookies? We use the following categories of cookies on our Website: • Strictly Necessary Cookies: these cookies are essential in order to enable you to move around our Website and use its features or to enable us to provide the Website features to you, including to ensure the security of our Website and prevent misuse of our Website. Without these cookies, services you have asked for such as remembering your login details cannot be provided and we will not be protect our Website from cyber attacks. • Performance Cookies: these cookies collect anonymous information on how you use our Website. For example, we use Google Analytics cookies to help us understand how visitors to our Website navigate the Website and to highlight areas where we can make improvements. The data stored by these cookies does not show personal details from which your individual identity can be established. You may opt out of these cookies using your browser settings but it may affect the performance of our Website. • Targeting Cookies or Advertising Cookies: these cookies collect information about your browsing habits in order to make advertising more relevant to you and your interests. They are also used to limit the number of times you see an advert as well as help measure the effectiveness of an advertising campaign. These cookies also help us to measure the success of the campaigns we run by recording the number of visitors we have to particular pages of our Website and also the effectiveness of our Website by recording the time spent on a page of our Website (these particular cookies are anonymised). The cookies are usually placed by third party advertising networks. They remember the websites you visit and that information is shared with other parties such as advertisers. For example, we use third party companies to provide you with more personalised adverts when visiting other websites. • Social Media Cookies: these cookies allow you to share what you’ve been doing on our Website on social media such as Facebook and Twitter. These cookies are not within our control. Please refer to the respective privacy policies for how their cookies work. If you want to delete any cookies that are already on your computer, please refer to the help and support area on your Internet browser for instructions on how to locate the file or directory that stores cookies. Information on deleting or controlling cookies is available at www.aboutcookies.org. By deleting our cookies or disabling future cookies you may not be able to access certain areas or features of our Website. To opt out of Google Analytics cookies across all websites, please visit: Google Analytics Opt-out Browser Add-on and for other third party cookies relating to behavioural advertising, please go to www.youronlinechoices.eu. Opting out does not mean you will no longer receive online advertising. It does mean that the company or companies from which you opted out will no longer deliver adverts tailored to your web preferences and usage patterns, so you may see a greater number of adverts that are irrelevant to you and your preferences. By continuing to use our website you are agreeing to our use of cookies.

How long do we keep your personal data? We will only retain your personal data for as long as is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal or regulatory requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Disclosure of your information We may disclose your personal data to selected third parties in the circumstances set out below: • Third party service providers for business purposes: in order to run our business, we rely on a number of carefully selected third parties to provide us with services and products. These include our payment processor, anti-fraud and credit check providers to keep us and you secure, analytics and email marketing companies to enable our marketing, client relationship management tools to manage our members and you, research companies to help us carry out surveys, information and/or technology providers to support, maintain and provide our technology and IT infrastructure, including to ensure the security of our Website and Intranet, and other carefully selected third parties. We permit these companies to use your personal data only to the extent necessary to provide us with their services and products; we do not allow these third parties to disclose or use your personal data for any other purposes. We have high expectations in their handling of your personal data, as you do in ours, and we hold them to these; • Advertisers for marketing purposes: we may provide your personal data to our advertising and social media partners (including Facebook and Twitter, where you choose to use these social media partners in connection with our Intranet) where they require your personal data to select and serve relevant adverts about our Services and Facilities to you and others; • Cohort sponsors: we share your Cohort Application Data, Cohort Company Data and Contact Data with our cohort sponsors for the purposes of allowing them to assess applications to join a cohort. Our cohorts will not use your personal data for marketing or sales purposes unless they have obtained your consent to do so. • Other users of our Intranet: if you choose to engage with other users of our Intranet by posting comments in our community groups or sending private messages to other users, the other users of the community group or the recipient of your private message will see the personal data that you share with them; • Third parties where we are considering a corporate transaction: in the event that we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets; and • To comply with legal requests: if we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation, or in order to enforce or protect our rights, the rights of our trusted partners and the rights of our members or other users of our facilities and services.

Your rights You have the following rights regarding your information: • to access personal data held about you; • to request us to make any changes to your personal data if it is inaccurate or incomplete; • to request your personal data is erased where we do not have a compelling reason to continue to process such data in certain circumstances; • to receive your personal data provided to us as a data controller in a structured, commonly used and machine-readable format where our processing of the data is based on: (i) your consent; (ii) our necessity for performance of a contract to which you are a party to; or (iii) steps taken at your request prior to entering into a contract with us and the processing is carried out by automated means; • to object to, or restrict, our processing of your personal data in certain circumstances; • if we use your personal data for direct marketing, you can ask us to stop and we will comply with your request; • if we use your personal data on the basis of having a legitimate interest, you can object to our use of it for those purposes, giving an explanation of your particular situation, and we will consider your objection; • to object to, and not be subject to a decision which is based solely on, automated processing (including profiling), which produces legal effects or could significantly affect you; and • to lodge a complaint with a data protection supervisory body, which is the Information Commissioner’s Office. To exercise any of your rights set out above, including to withdraw your consent where we have stated we are processing your personal data based on your consent, please contact us at connect@plexal.com.

How do I make a complaint? If you are unhappy with how we’ve handled your information, please contact Brandon Hucq at Brandon@plexal.com, for data protection related complaints. If you’re not satisfied with our response to your complaint or believe our processing of your personal data does not comply with data protection law, you can make a complaint to the Information Commissioner’s Office (ICO) at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Tel: 0303 123 1113 or via its website at www.ico.gov.uk.

External Links Our Website and Intranet may, from time to time, contain links to and from the websites of third parties, or plug-ins and other applications. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Changes to Our Privacy Policy Any changes we may make to our Privacy Policy in the future will be posted on this page and, where the changes are material, the changes will be notified to you by email. This Privacy Policy was last updated on 25 May 2018. If you would like to receive a copy of a previous version of this Privacy Policy, please get in touch using the contact details below.

Contact Please email us at connect@plexal.com if you are unsure about any of the information listed above or have further questions or comments regarding this Privacy Policy.

CCTV Policy At Plexal we believe that CCTV plays a legitimate role in helping to maintain a safe and secure environment for all our staff and visitors. Images recorded by CCTV are Personal Data and as such must be processed in accordance with data protection laws. We are committed to complying with our legal obligations in order to appropriately handle and protect Personal Data and ensure that the legal rights of staff, relating to their Personal Data, are recognised and respected. This policy is intended to enable staff and visitors to understand how Plexal uses CCTV, those responsible for CCTV use (Nikhil Patel (IT Manager) and John Herbert (Facilties Manager)), the rights individuals may have in relation to CCTV, who has access to CCTV images and how individuals can raise any queries or concerns they may have. 1. DEFINITIONS 1.1 For the purposes of this policy, the following terms have the following meanings: CCTV: means cameras, devices or systems including fixed CCTV and any other systems that capture information of identifiable individuals or information relating to identifiable individuals. CCTV Data: means any Data in respect of CCTV, e.g. video images, static pictures, etc. Data means any information which is stored electronically or in paper-based filing systems. Data Subject means any individuals who can be identified directly or indirectly from CCTV Data (or other Data in our possession). Data Controller: is the organisation or authority which, determines how and for what purpose the Personal Data are processed. When operating CCTV, Plexal is the relevant Data Controller and is responsible for ensuring compliance with the Data Protection Laws. CCTV users: are those of our employees (or employees of any Data Processors which we appoint) whose work involves processing CCTV. This will include those whose duties are to operate CCTV to record, monitor, store, retrieve and delete images. Data users must protect the CCTV Data they handle in accordance with this policy. Service Provider: is any organisation that is not a CCTV user (or other employee of a Data Controller) that processes CCTV Data or Personal Data on our behalf and in accordance with our instructions (for example, Firelek). Data Protection Laws: means: a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”) and any equivalent or implementing legislation; b) all other applicable laws, regulations or court judgements relating to the processing of personal data, data privacy, electronic communications, marketing and/or data security; and c) any and all legally binding guidelines, recommendations, best practice, opinions, directions, decisions, or codes issued, adopted or approved by the European Commission, the Article 29 Working Party, the European Data Protection Board, the UK’s Information Commissioner’s Office and/or any other supervisory authority or data protection authority from time to time in relation to the processing of personal data, data privacy, electronic communications, marketing and/or data security; in each case as from time to time in force and as from time to time amended, extended, consolidated, re-enacted, replaced, superseded or in any other way incorporated into law and all orders, regulations, statutes, instruments and/or other subordinate legislation (including the Data Protection Bill 2017 when in force) made under any of the above in any jurisdiction from time to time. Processing: is any activity which involves the use of CCTV Data, whether or not by automated means. It includes collecting, obtaining, recording or holding CCTV Data, or carrying out any operation or set of operations on the CCTV Data including organising, structuring, amending, retrieving, using, disclosing or erasing or destroying it. Processing also includes transferring CCTV Data to third parties. Site: means the Plexal premises at Here East, Queen Elizabeth Olympic Park, Stratford, London, E15 2GW. 2. ABOUT THIS POLICY 2.1 We currently use CCTV to view and record individuals at our Site, 24 hours per day, 7 days per week. This policy sets out why we use CCTV, how we will use CCTV and how we will process any CCTV Data recorded by CCTV to ensure that we are compliant with Data Protection Law. 2.2 The images of individuals recorded by CCTV in the workplace are Personal Data and therefore subject to the Data Protection Laws. Plexal is the Data Controller of all CCTV Data captured at our Site. 2.3 This policy covers all employees, directors, officers, consultants, contractors and workers and may also be relevant to members of the public visiting the Site. 3. STAFF RESPONSIBLE John Herbert (Facilities Manager) and Nikhil Patel (IT Manager) have overall responsibility for ensuring compliance with Data Protection Laws and the effective operation of this policy. Day-to-day operational responsibility for CCTV and the storage of CCTV Data recorded is the responsibility of Nikhil Patel (IT Manager) and John Herbert (Facilities Manager). Should you have any queries on the use of CCTV or surveillance systems by us please contact John Herbert (Facilities Manager) and Nikhil Patel (IT Manager). 4. WHY WE USE CCTV 4.1 We currently use CCTV around our Site as outlined below. We believe that such use is necessary for the following legitimate business purposes: (a) to prevent or detect crime and protect buildings and assets from damage, disruption, theft, vandalism and other crime; (b) for the personal safety of staff, visitors and other members of the public and to act as a deterrent against crime; and (c) to support law enforcement bodies in the prevention, detection and prosecution of crime. We may implement or use CCTV for purposes other than those specified above which we will notify you of from time to time. 5. MONITORING 5.1 The locations of the CCTV are chosen to minimise the viewing of spaces/individuals which are not relevant to the legitimate purpose of the monitoring as specified above. 5.2 Currently, none of our CCTV records sound. 5.3 Images are reviewed once a week or when necessary, A live feed from the CCTV is not monitored continuously. 5.4 Any staff using CCTV will be given training to ensure that they understand and observe the legal requirements relating to the processing of any Data gathered. 6. HOW WE OPERATE CCTV 6.1 Where CCTV is in use at our Site, we will ensure that signs are displayed at the entrance of the surveillance zone to alert employees and visitors that their image may be recorded. The signs will contain details of the organisation operating the system and who to contact for further information. 6.2 We will ensure that live feeds from the CCTV are only viewed by appropriately authorised members of staff or third-party service providers whose role requires them to have access to such CCTV Data. Recorded images will only ever be viewed in restricted areas such as designated, secure offices and via login by John Herbet (the Facilities Manager) and Nikhil Patel (the IT Manager). 7. HOW WE USE THE DATA 7.1 In order to ensure that the rights of individuals recorded by our CCTV are protected, we will ensure that CCTV Data gathered from such systems is stored in a way that maintains its integrity and security. 7.2 We will ensure that any CCTV Data is only used for the purposes specified in section 4.1 above. We will not use CCTV Data for another purpose unless permitted by Data Protection Laws. 7.3 Where we engage Data Processors to process Data on our behalf, we will ensure contractual safeguards are in place to protect the security and integrity of the Data. 8. RETENTION AND ERASURE OF DATA 8.1 Data recorded by our CCTV will be stored locally on servers at our Site and there will be back-ups stored using our cloud service provider. We will not retain this Data indefinitely but will permanently delete it once there is no reason to retain the recorded information. Exactly how long the Data will be retained for will vary according to the purpose for which it was recorded. For example, where images are being recorded for crime prevention purposes, CCTV Data will be kept only for as long as it takes to establish that a crime has been committed. In all other cases, recorded images will be kept for no longer than 30 days. 8.2 At the end of its useful life, all Data stored in whatever format will be erased permanently and securely. Any physical matter such as tapes or discs or hard copy photographs will be promptly disposed of as confidential waste. 9. ONGOING REVIEW OF OUR USE OF CCTV 9.1 We will periodically review our ongoing use of existing CCTV at our Site to ensure that its use remains necessary and appropriate and in compliance with Data Protection Laws. 9.2 We will also carry out checks to ensure that this policy is being followed by all staff. 10. RIGHTS OF DATA SUBJECTS 10.1 As CCTV Data will identify individuals, it will be considered Personal Data under applicable Data Protection Laws. Under Data Protection Laws, Data Subjects have certain rights in relation to the Personal Data concerning them. These are as follows: (a) the right to access a copy of that Personal Data and the following information (this may include CCTV Data captured by our CCTV): (i) the purpose of the processing; (ii) the types of Personal Data concerned; (iii) to whom the Personal Data has or will be disclosed; and (iv) the envisaged period that the Personal Data will be stored, or if not possible, the criteria used to decide that period; (b) the right to request any inaccurate Personal Data that we hold concerning them is rectified, this includes having incomplete Personal Data completed; (c) the right to request the Personal Data we hold concerning them is erased without undue delay, where it is no longer necessary for us to retain it in relation to the purposes it was collected; (d) the right to request restriction of our processing of Personal Data in certain circumstances; and (e) the right to lodge a complaint with the Information Commissioner’s Office, if the Data Subject considers that our processing of the Personal Data relating to him or her infringes Data Protection Laws. 11. REQUESTS OF DISCLOSURE BY THIRD PARTIES 11.1 No images from our CCTV cameras will be disclosed to any third party (other than our third-party CCTV provider Firelec without express permission being given by John Herbert (Facilties Manager) or Nikhil Patel (IT Manager). Data will only be disclosed to a third party in accordance with Data Protection Laws. 11.2 In other appropriate circumstances, we may allow law enforcement agencies to view or remove CCTV footage where this is required in the detection or prosecution of crime. 12. COMPLAINTS 12.1 If any member of staff has questions about this policy or any concerns about our use of CCTV, then they should speak to John Herbert (Facilties Manager) or Nikhil Patel (IT Manager) in the first instance. 12.2 Where this is not appropriate or matters cannot be resolved informally, employees should use our formal grievance procedure.

Acceptable Use Policy This website (http://www.plexal.com) is operated by Plexal (City) Limited. This is our acceptable use policy for our website and it tells you about what you can and can’t do when using our website. When we talk about “using our website” we mean as we have described this term in our Website Terms and Conditions (available at insert link). Please read this policy carefully before you start using our website. We recommend that you print a copy of this policy, so that you can look at it later. By using our website, you agree to abide by this policy, together with our Website Terms and Conditions available at the link above. If you do not agree to this policy or our Website Terms and Conditions, you must stop using our website.

What’s in this policy? Please use the links below to find out more about this policy: • Who is Plexal (City) Limited and how can you contact us? • What can’t you do when using our website? • What do you need to know if you use Nexuedus?/can we use generic • What are our content standards? • What can we do if you don’t follow the rules? • Can we make changes to this policy?

Who is Plexal (City) Limited and how can you contact us? We are a private limited company registered in England under company number 10012478, and our registered office is at 6th Floor Lansdowne House, Berkeley Square, London, United Kingdom, W1J 6ER . We are located at Plexal. You can write to us at the registered office address above, [or email us at connect@plexal.cominsert email address].

What can’t you do when using our website? You must not use our website: • in any way that is unlawful and breaches the laws of England; • in any way that is fraudulent, or has any fraudulent purpose or effect; • to harm or attempt to harm children in any way (which means anyone under the age of 18 years of age); • to transmit or send any advertising or promotional material that would reasonably be considered as unsolicited, and when we talk about “unsolicited”, we mean material which is spam, unwanted by the recipient, or has been sent to someone without being asked for; and • to knowingly transmit any data, send or upload any material that contains viruses, Trojan horses, worms, logic or time-bombs, keystroke loggers, spyware, adware, malware or ransomware, or other material which is malicious or technologically harmful. You also agree: • not to reproduce, duplicate, copy or re-sell any part of our website, because to do so would breach the section titled: What can you do with the content of our website? in our Website Terms and Conditions (available by clicking on the link above); and • not to access without our permission, or cause any damage or disruption to: o any part of our website; o any equipment or network on which our website is stored or hosted; o any software used to provide our website; or o any equipment or network or software owned or used by any third party.

[What d o you need to know if you use Nexudus ? We may from time to time provide you with the ability to interact with us and other users of our website through Nexudus. If we do, you will be required to register an account to use Nexudus. We will do our best to assess any possible risks to you from third parties when you use Nexudus, and we will decide whether it is appropriate to moderate the use of Nexudus in the light of those risks. However, we are under no obligation to oversee, monitor or moderate Nexudus, and we expressly exclude our liability for any loss or damage arising from the use of Nexudus by a user in contravention of this policy and our content standards, whether Nexudus is moderated or not. If we choose to moderate Nexudus, we will provide you with a way of contacting the moderator where possible, should a concern or difficulty arise.

What a re the content standards? These content standards are guidelines you must follow if you post, upload or contribute any material to our website (including Nexudus), or use Nexudus in any way. You must comply with the spirit and the letter of the following content standards. Contributions must: • be accurate (where they state facts); • be genuinely held (where they state opinions); and • comply with English law and/or apply with the laws of any country from which they are posted or uploaded. Contributions must not: • contain any material which is defamatory of any person; • contain any material which is obscene, offensive, hateful or inflammatory; • promote sexually explicit material; • promote violence; • promote discrimination based on race, sex, religion, nationality, disability, sexual orientation or age; • infringe any copyright, database right or trade mark of any other person; • be likely to deceive any person; • be made in breach of any legal duty owed to a third party, such as a contractual duty or a duty of confidence; • promote any illegal activity; • be threatening, abuse or invade another’s privacy, or cause annoyance, inconvenience or needless anxiety; • be likely to harass, bully, intimidate, upset, embarrass, alarm or annoy any other person; • be used to impersonate any person, or to misrepresent your identity or affiliation or connection with any person; • give the impression that they originate from us, if this is not the case; and • advocate, promote or assist any unlawful act such as (by way of example only) copyright infringement or computer misuse.

What can we do if you don’t follow the rules? We will decide, atin our discretion, whether you have breached this policy through your use of our website (including Nexudus). When a breach of this policy has occurred, we may take any action that we think is appropriate.
Failure to comply with this policy is a material breach of the Website Terms and Conditions (available by clicking the link above), which give you the right to use our website. If you fail to comply with this policy we may: • immediately, temporarily or permanently take away your right to use our website or our blog; • immediately, temporarily or permanently remove or delete any posting or material uploaded by you to our intranet website (Nexudus) or our blog; • issue a warning to you; • issue legal proceedings against you to recover all of our costs on an indemnity basis (including, but not limited to, reasonable administrative and legal costs) resulting from your breach, and when we talk about on an “indemnity basis” we mean a full reimbursement by you of any costs we incur; • take any further legal action against you that we choose; and/or • disclose any information to law enforcement authorities as we reasonably feel is necessary.

Can we make changes to this policy? We may change this policy from time to time, so we encourage you to check this policy each time you use our website to check that you understand this policy and still agree with it. This policy was first published on our website on 25/05/2018.