Introduction

This Data Protection Policy (the "Data Protection Policy") is the overarching policy for data security and protection for Aureus (the "Company" or "we"), designated to set forth the requirements for data processing at the Company. The purpose of the Data Protection Policy is to support the requirements of the UK GDPR, the Data Protection Act 2018, and all other relevant legislation. We recognise data protection as a fundamental right and embrace the principles of data protection by design and by default.

1. Definitions

In this Data Protection Policy, the following terms, either in uppercase or lowercase, shall have the following meanings:

• Company: Aureus
• Data Controller or Controller: The natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of the processing of data.
• Data Processing or Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• Data Processor or Processor: The natural or legal person, public authority, agency, or other body which processes data on behalf of the data controller.
• Data Protection Impact Assessment or DPIA: Tools and assessments used to identify and reduce risks of a data processing activity as required by Article 35 of the UK GDPR. DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programmes involving the processing of personal data.
• Data Subject: An identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
• Staff or Staff Member: Employees of the Company and other staff members, for example, self-employed persons (e.g., service providers) who provide services to the Company and whose status is in essence equivalent to employees.
• UK GDPR: The retained EU law version of the General Data Protection Regulation (EU) 2016/679 (UK GDPR), tailored by the Data Protection Act 2018.
• Laws: All applicable laws on data protection, including the UK GDPR, the Data Protection Act 2018, and other national or international legal acts applicable to the Company.
• Personal Data or Data: Any information relating to an identified or identifiable natural person (i.e., data subject).
• Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed.
• Privacy by Design: Implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the UK GDPR.
• Recipient: A natural or legal person, public authority, agency, or another body to which the personal data is disclosed, whether a third party or not.
• Responsible Person: Person responsible for handling matters related to data protection at the Company, i.e., Data Protection Officer and IT Manager (it@auruescoin.co.uk).
• Supervisory Authority: An independent public authority established by the United Kingdom. In the UK, this is the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

2. Data Processing Principles

Personal data shall be processed at the Company following the Laws and other standards that regulate data protection, data processing, and information security. At the Company, personal data shall be:

• Processed lawfully, fairly, and in a transparent manner in relation to the data subject ("lawfulness, fairness, and transparency");
• Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes ("purpose limitation");
• Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed ("data minimisation");
• Accurate and, where necessary, kept up to date ("accuracy");
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed ("storage limitation");
• Processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures ("integrity and confidentiality").

The Company shall be responsible for, and be able to demonstrate compliance with, the above principles ("accountability").

If the Company violates at least one of the above data processing principles, such processing may be considered as non-compliant.

If any Staff Member has any doubts about the implementation of the above principles, they must immediately address them to the Responsible Person or line manager.

2.1 Lawfulness, Fairness, and Transparency

Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. The Company may only collect, process, and share personal data fairly and lawfully and for specified purposes. The UK GDPR allows data processing in the presence of applicable legal bases for the processing, such as:

• The data subject has given consent;
• The processing is necessary for the performance of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
• To comply with legal obligations of the Company;
• To protect the data subject's vital interests;
• To perform a task carried out in the public interest or in the exercise of official authority vested in the Company;
• To pursue legitimate interests of the Company where they are not overridden because the processing prejudices the interests or fundamental rights and freedoms of data subjects.

The Company may also process special category data if any of the abovementioned legal bases as well as any of the exceptions listed in Article 9 of the UK GDPR are applicable. The Company must identify and document the legal ground being relied on for each processing activity.

Furthermore, the UK GDPR requires the Company to provide detailed, specific information to data subjects depending on whether the information was collected directly from data subjects or from elsewhere. The information provided must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a data subject can easily understand it. The full list of information to be provided to the data subjects is established in Articles 13-14 of the UK GDPR, and the Company shall comply with this obligation.

In the event of (a) new processing activities, (b) changes in processing activities already carried out, or (c) termination of any processing activities, such changes shall be communicated to the Responsible Person and coordinated in advance (if this is not possible, as soon as it becomes possible).

The Company shall assess the processing activities and make sure that the proper legal ground is being relied on for each processing activity.

If Staff Members have any doubts about the implementation of the above principle, they must immediately address them to the Responsible Person or line manager.

Where the Company seeks to process personal data on the basis of consent, it shall be freely given, specific, informed, and unambiguously given in order to make the processing of personal data legitimate. Data subject consents to the processing of his/her personal data if he/she indicates such position clearly, either by a statement or positive action. Consent requires affirmative action, so silence, pre-ticked boxes, or inactivity are insufficient. If consent is given in a document which deals with other matters, then the consent must be kept separate from those other matters. Data subjects must be able to easily withdraw consent at any time, and withdrawal must be promptly honoured.

Consent may need to be refreshed if the Company intends to process personal data for a different and incompatible purpose which was not disclosed when the data subject first consented.

The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. The Company needs to keep records of all consents and have sufficient evidence thereof so that the Company can demonstrate its compliance with requirements on consent.

If personal data is processed on the basis of consent, the Company and its Staff Members must make sure that the consent has been obtained before performing any related processing activities. Any processing activities on such basis are strictly prohibited until it is ascertained that the Company has obtained the consent that meets the abovementioned requirements.

2.2 Purpose Limitation

Personal data must be collected only for specified, explicit, and legitimate purposes. It must not be further processed in any manner incompatible with those purposes. The Company cannot use personal data for new, different, or incompatible purposes from that disclosed to data subjects when it was first obtained unless it has informed the data subjects of the new purposes and they have consented where necessary.

The Company and its Staff Members must make sure that the personal data collected for specified, explicit, and legitimate purposes is not further processed in a manner that is incompatible with those purposes. For instance, if personal data is collected in order to obtain services from a person, it may not be used to send marketing material to such person without a separate legal basis.

2.3 Data Minimisation

Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. Staff Members may only process personal data when and to the extent the performance of their job duties requires it. They cannot process personal data for any reason unrelated to their particular job duties. Staff Members may only collect personal data that they require for their job duties and business operations of the Company. Collecting excessive personal data is strictly prohibited. The Company and its Staff shall ensure any personal data collected is adequate and relevant for the intended purposes. The Company and its Staff must ensure that when personal data is no longer needed for specified purposes, it is deleted or anonymised.

2.4 Data Accuracy

Personal data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccuracies are discovered. The Company must ensure that the personal data it uses and holds is accurate, complete, kept up to date, and relevant to the purpose for which the Company collected it. The Company must check the accuracy of any personal data at the point of collection and at regular intervals afterwards. Also, the Company must take all reasonable steps to destroy or amend inaccurate or out-of-date personal data.

2.5 Storage Limitation

Personal data must not be kept for longer than is necessary for the purposes for which the personal data is processed. The Company shall ensure that personal data is deleted after a reasonable time when its necessity for respective purposes expires, unless the Laws require that personal data to be kept for a longer period. The Company must not keep personal data in a form which permits the identification of the data subject for longer than needed for the legitimate business purpose or purposes for which the Company originally collected it, including for the purpose of satisfying any legal, accounting, or reporting requirements. The Company shall take all reasonable steps to destroy or erase from its systems and all mediums all personal data that it no longer requires in accordance with the Data Protection Policy and Laws. This includes requiring third parties to delete that personal data where applicable. The Company, when acting as a data controller, shall also ensure data subjects are informed of the period for which personal data is stored.

2.6 Integrity and Confidentiality

Personal data must be secured by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction, or damage. The Company shall develop, implement, and maintain safeguards appropriate to its size, scope, and business, its available resources, the amount of personal data that it owns or maintains on behalf of others, and identified risks (including the use of encryption and pseudonymisation where applicable). Requirements for Staff Members related to such safeguards are further listed in Section 6 of this Data Protection Policy. The Company shall regularly evaluate and test the effectiveness of those safeguards to ensure the security of its processing. The Company may only transfer personal data to third-party service providers who agree to comply with the required policies and procedures and agree to put adequate measures in place as requested. The Company shall maintain the security of personal data by protecting the confidentiality, integrity, and availability of the personal data defined as follows:

• Confidentiality means that only people on a need-to-know principle are authorised to use the personal data and can access it.
• Integrity means that personal data is accurate and suitable for the purpose for which it is processed.
• Availability means that authorised users should be able to access the personal data when they need it for authorised purposes.

3. Data Processors

The Company may authorise data processors—providers of technological and electronic communication services, advisers, auditors, consultants, and other individuals that process personal data in the possession of the Company for the purposes identified by the Company and in line with its instructions—to process the personal data that the Company controls. If the Company authorises a data processor to process personal data, the Company shall select the processor that will guarantee the required technical and organisational data protection measures and ensure that such measures will be enforced. The Company and data processors shall always enter into written contracts (data processing agreements) that stipulate that data processors shall only process the personal data on the basis of instructions from the Company. Such contracts shall include all requirements imposed by the UK GDPR and the Laws.

Staff Members must ensure that the data processors are in compliance with the above requirements prior to the processing. All related doubts shall be immediately addressed to the Responsible Person or line manager.

4. Rights of Data Subjects

Data subjects have the following rights:

• Right of access (Article 15 of the UK GDPR)
• Right to rectification of personal data (Article 16 of the UK GDPR)
• Right to erasure of personal data ("right to be forgotten") (Article 17 of the UK GDPR)
• Right to restriction of processing (Article 18 of the UK GDPR)
• Right to data portability (Article 20 of the UK GDPR)
• Right to object to processing (Article 21 of the UK GDPR)
• Right to lodge a complaint with a supervisory authority (Article 77 of the UK GDPR).

When the Company acts as a data controller, the Company will be responsible for compliance with the data subject rights.

4.1 Right to Access

The right to access encompasses two different aspects. First, upon a request, confirmation shall be given to the data subject that the personal data relating to him or her is being processed. Second, access to the following information shall be granted:

• The purposes of processing
• The categories of personal data concerned
• The recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations
• The period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period
• The existence of the right to request access to and rectification or erasure or restriction of processing or a right to object to processing, as well as the right to data portability
• The existence of a right to lodge a complaint with a Supervisory Authority
• Where the personal data is not collected from the data subject, any available information as to its source
• The existence of automated decision-making, including profiling, and at least in those cases meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject (if necessary).

Where personal data is transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer. Upon a request of the data subject, the Company shall provide him/her with a copy of the personal data undergoing the processing free of charge and in compliance with the rights of third parties. The provision of copies should not, for example, breach any business confidentiality or intellectual property rights (e.g., copyright, trademarks). Should the data subject want several copies, a reasonable fee may be charged for this based on administrative costs. Where the request is made by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

4.2 Right to Rectification of Personal Data

At the request of the data subject, inaccurate personal data must be rectified immediately, and incomplete personal data shall be supplemented. All recipients of personal data that has been rectified shall be informed of the rectification unless this is impossible or can only be carried out at disproportionate expense. At the request of the data subject, he/she shall be informed of the recipients.