D&S Group Data Protection Policy 2025
DAVIS & SHIRTLIFF LIMITED
GROUP DATA PROTECTION POLICY
CONTENTS
1. INTRODUCTION
2. DEFINITIONS
3. INFORMATION WE COLLECT
4. PRINCIPLES FOR DATA PROTECTION
5. LAWFUL BASIS OF PROCESSING PERSONAL DATA
6. RIGHTS OF THE DATA SUBJECTS
7. DATA PROTECTION OFFICER
8. COLLECTION OF DATA
9. MINIMIZATION OF COLLECTION OF DATA
10. PROCESSING SENSITIVE PERSONAL DATA
11. PROCESSING DATA RELATING TO VULNERABLE GROUPS
12. RESTRICTIONS ON PROCESSING
13. RECTIFICATION OF PERSONAL DATA
14. RETENTION OF PERSONAL DATA
15. CROSS-BORDER TRANSFERS OF PERSONAL DATA
16. DISCLOSURE OF PERSONAL DATA
17. COMMERCIAL USE OF DATA
18. DATA PROTECTION IMPACT ASSESSMENT
19. SAFEGUARDS AND SECURITY OF DATA
20. PRIVACY BY DESIGN AND DEFAULT
21. HANDLING OF NON-COMPLIANCE
23. TRAINING AND AWARENESS
24. COMPLAINT HANDLING MECHANISMS
25. REVIEW OF THIS POLICY
1. INTRODUCTION
D&S Group, including its subsidiaries and associate companies (“the Group”), recognizes and
upholds the fundamental rights of all individuals whose personal data it collects, holds, or
processes. The Group is committed to protecting personal data in compliance with
international best practices, including the General Data Protection Regulation (GDPR) and
the Data Protection Laws and Regulations across the jurisdictions in which it operates. In line
with these requirements, the Group is duly registered as both a Data Controller and Data
Processor with the relevant supervisory authorities in its jurisdictions of operation.
This Policy provides guidance on how the Group will handle personal data to ensure
compliance with the law, safeguard the rights and freedoms of data subjects, and mitigate
risks associated with data breaches or misuse of information. It sets out the principles,
standards, and responsibilities that all employees, contractors, and partners of the Group
must adhere to when processing personal data.
This Policy does not exhaustively define or cover every possible situation relating to data
protection and privacy compliance. Some jurisdictions may impose stricter requirements or
higher standards of compliance than those outlined herein. In such cases, employees are
expected to comply with the higher standard. Where uncertainty arises, employees must seek
guidance from their line executive, the Group Data Protection Officer, or other designated
authority before proceeding.
2. DEFINITIONS
For purposes of this Policy, the following terms shall have the meanings assigned below:
a) Consent – means a freely given, specific, informed and unambiguous indication of the
data subject’s wishes, signified by a statement or a clear affirmative action, by which the
data subject agrees to the processing of their personal data.
b) Data Controller – means a natural or legal person, public authority, agency, or other body
which, alone or jointly with others, determines the purposes and means of processing
personal data.
c) Data Processor – means a natural or legal person, public authority, agency, or other body
which processes personal data on behalf of the data controller.
d) Data Subject – means an identified or identifiable natural person who is the subject of
personal data.
e) Personal Data – means any information relating to an identified or identifiable natural
person, whether directly or indirectly, by reference to an identifier such as a name,
identification number, location data, online identifier, or one or more factors specific to the
physical, physiological, genetic, mental, economic, cultural, or social identity of that
person.
f) Processing – means any operation or set of operations performed on personal data,
whether or not by automated means, including collection, recording, organisation, storage,
adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment,
combination, restriction, erasure, or destruction.
g) Sensitive Personal Data – means personal data that reveals or relates to an individual’s
racial or ethnic origin, health status, genetic or biometric data, religious or philosophical
beliefs, political opinions, trade union membership, sex life, or any other category of data
prescribed as sensitive under applicable laws.
h) Personal Data Breach – means a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to, personal data
transmitted, stored, or otherwise processed.
3. INFORMATION WE COLLECT
The Group collects and processes personal data only where necessary for legitimate business
purposes, in compliance with applicable laws, and in a manner that respects the rights of data
subjects. The type of information collected will depend on the relationship between the data
subject and the Group, and may include the following:
a) Employees and Job Applicants: We collect personal details such as name,
national ID or passport number, contact information, next of kin, curriculum vitae,
academic and professional qualifications, employment history, bank account
details, performance records, and disciplinary records. This information is
necessary for recruitment, onboarding, payroll administration, benefits
management, performance evaluation, and compliance with labour and tax laws.
b) Customers and Clients: We collect identification details, contact information,
financial and payment details, account records, service history, and
correspondence. This data enables us to provide services, manage billing and
payments, deliver customer support, and fulfill contractual and legal obligations.
c) Suppliers, Contractors, and Business Partners: We collect company
registration details, contact information, contracts, bank details, and relevant
correspondence. Such information is used for supplier management, due
diligence, contract execution, and processing of payments.
d) Visitors to Premises: We maintain a visitor register that may capture details such
as name, company or institution, contact information, vehicle registration, and
national ID or passport details. In addition, CCTV surveillance is in place at
strategic locations. This data is collected and processed for security, access
control, health and safety, and incident management.
e) Users of ICT Systems and Networks: We collect login credentials, access logs,
call and email records, device identifiers, and network traffic data. This information
is used to facilitate ICT administration, enhance cybersecurity, prevent fraud, and
improve service delivery.
f) Marketing and Communication: Where permitted by law, we may collect contact
details, marketing preferences, responses to campaigns, and feedback. This data
supports customer engagement, targeted marketing, service updates, and
promotional activities, subject to the consent of the data subject where required.
g) Legal and Regulatory Requirements: We may collect identification details,
compliance-related data, financial records, and correspondence with regulators.
Such data is processed strictly for purposes of statutory reporting, regulatory
compliance, dispute resolution, and enforcement of legal rights. This includes
forwarding debtors' details to Private Debt Collectors (PDC).
h) Application and Website Users: When using our applications or website, we may
collect account information such as username, password, email address, and
phone number. We may also collect device data including IP address, operating
system, browser type, geolocation (if enabled), as well as cookies and analytics
data. This data supports account access, authentication, personalization, service
optimization, fraud prevention, and user experience improvements.
4. PRINCIPLES FOR DATA PROTECTION
The Group shall ensure that all collection, processing, storage, and use of personal data is
guided by the following principles:
a) Lawfulness, Fairness, and Transparency: Personal data shall be collected and
processed lawfully, fairly, and in a transparent manner, ensuring that data subjects
are aware of how their data is being used.
b) Purpose Limitation: Personal data shall only be collected for specified, explicit,
and legitimate purposes and shall not be further processed in a manner
incompatible with those purposes.
c) Data Minimization: The Group shall only collect and process personal data that
is adequate, relevant, and limited to what is necessary in relation to the purposes
for which it is processed.
d) Accuracy: The Group shall take all reasonable steps to ensure that personal data
is accurate and, where necessary, kept up to date. Inaccurate data shall be
corrected or erased without delay.
e) Storage Limitation: Personal data shall not be kept for longer than is necessary
for the purposes for which it was collected, unless retention is required by law,
regulation, or for legitimate business purposes.
f) Integrity and Confidentiality: Personal data shall be processed in a manner that
ensures appropriate security, including protection against unauthorized or unlawful
processing, accidental loss, destruction, or damage, through the use of technical
and organizational measures.
g) Accountability: The Group shall be responsible for and be able to demonstrate
compliance with these principles, including maintaining appropriate
documentation, policies, and safeguards.
5. LAWFUL BASIS OF PROCESSING PERSONAL DATA
5.1 The Group shall only collect and process personal data where there is a clear and lawful
basis in accordance with applicable data protection laws. Processing shall not be undertaken
arbitrarily, and all data subjects shall be informed of the lawful basis relied upon at the point
of collection. The lawful bases include:
a) Consent – where the data subject has freely given, specific, informed, and
unambiguous consent to the processing of their personal data. Consent may be
withdrawn at any time without affecting the lawfulness of prior processing.
b) Performance of a Contract – where processing is necessary for the performance
of a contract to which the data subject is a party, or in order to take steps at the
data subject’s request prior to entering into a contract.
c) Compliance with Legal Obligations – where processing is required to meet
obligations imposed on the Group under any applicable law or regulatory
requirement.
d) Legitimate Interests – where processing is necessary for the legitimate interests
of the Group or a third party, provided that such interests do not override the
fundamental rights and freedoms of the data subject.
e) Vital Interests – where processing is necessary to protect the life, health, or safety
of the data subject or another individual.
f) Public Interest/Exercise of Official Authority – where processing is necessary
for the performance of a task carried out in the public interest or in the exercise of
official authority vested in the Group under law.
5.2 The Group shall document and maintain records of the lawful basis relied upon for each
category of processing activity and ensure that such basis is consistently applied across all
jurisdictions of operation.
6. RIGHTS OF THE DATA SUBJECTS
6.1 The Group recognizes and upholds the fundamental rights of all individuals whose
personal data it collects, holds, or processes. These rights are derived from applicable data
protection and privacy laws in the countries in which the Group operates, and they shall be
respected and facilitated consistently across the Group.
6.2 A data subject has the following rights:
a) Right to be Informed – To be notified, in clear terms, about the collection, use,
and sharing of their personal data, including cross-border transfers.
b) Right of Access – To know whether the Group holds their data and to obtain a
copy of it without undue delay.
c) Right to Rectification – To request correction of inaccurate, incomplete, or
outdated personal data.
d) Right to Erasure – To request deletion of personal data where it is no longer
necessary, was unlawfully processed, or where consent has been withdrawn.
e) Right to Object – To object to processing, including for direct marketing, profiling,
or automated decision-making that significantly affects them.
f) Right to Restrict Processing – To request limitation of processing, for example,
while a dispute on accuracy or lawfulness is resolved.
g) Right to Withdraw Consent – To withdraw consent at any time, without affecting
the lawfulness of prior processing.
h) Right to Data Portability – To receive their personal data in a structured,
machine-readable format and request its transfer to another controller where
technically feasible.
i) Right to Remedies – To seek compensation for damages from unlawful
processing and to lodge complaints with the Group’s Data Protection Officer (DPO)
or relevant regulator.
7. DATA PROTECTION OFFICER
7.1 The Group has appointed a Data Protection Officer (DPO) in line with applicable data
protection laws across its jurisdictions. The DPO shall serve as the central point of contact for
all data protection matters within the Group. The responsibilities of the DPO include:
a) Advising the Group on its obligations under relevant data protection laws and
regulations.
b) Monitoring and ensuring compliance with data protection requirements across all
subsidiaries and affiliates.
c) Facilitating training, awareness, and capacity building for staff involved in personal
data processing activities.
d) Acting as a liaison between the Group and supervisory authorities, including Data
Commissioners, and cooperating with external regulators on matters relating to data
protection.
e) Providing guidance on Data Protection Impact Assessments (DPIAs) and ensuring
appropriate safeguards are implemented for high-risk processing activities.
The Data Protection Officer’s details are as follows:
Name:
Postal Address:
Telephone Contact Details:
Email:
7.2 The above details have been published on the Group’s official website and formally
communicated to the Office of the Data Commissioner and other relevant supervisory
authorities within the jurisdictions in which the Group operates.
8. COLLECTION OF DATA
8.1 The Group shall ensure that the Personal Data it collects and processes is accurate and
up to date. All relevant records must be updated should the Group be notified of inaccuracies
by a Data Subject.
8.2 The Group shall, before collecting Personal Data, inform the Data Subject of:
a) the fact that personal data is being collected;
b) the purpose for which the personal data is being collected;
c) the third parties to whom personal data has been or will be transferred, including
details of safeguards adopted;
d) a description of the technical and organizational security measures taken to ensure
the integrity and confidentiality of the data;
e) the data being collected pursuant to any law and whether such collection is
voluntary or mandatory; and
f) the consequences if any, where the Data Subject fails to provide all or any part of
the requested data.
8.3 Where necessary, the Group will maintain adequate records to show that Consent was
obtained before processing Data.
8.4 The Group shall collect, store, or use Personal Data for a purpose which is lawful, specific,
and explicitly defined.
8.5 Personal Data may be collected indirectly where:
a) the Data is contained in a public record;
b) the Data Subject has deliberately made the data public;
c) the Data Subject has consented to the collection from another source;
d) where the Data Subject has an incapacity, the guardian appointed has consented to the
collection from another source; and
e) the collection from another source would not prejudice the interests of the Data
Subject.
8.6 Collection of data from another source is necessary:
a) for the prevention, detection, investigation, prosecution, and punishment of crime;
and
b) for the enforcement of a law which imposes a pecuniary penalty, or for the
protection of the interests of the data subject or another person.
8.7 A Data Subject shall have the right to withdraw consent at any time and Data will not be
processed after the withdrawal of consent by a Data Subject. The withdrawal of Consent shall
not affect the lawfulness of processing based on prior Consent before its withdrawal.
9. MINIMIZATION OF COLLECTION OF DATA
The Group shall collect and process only personal data that is adequate, relevant, and limited to
what is necessary for the defined and lawful purpose, and shall avoid collecting or retaining data
that is excessive, speculative, or unrelated to the legitimate business needs of the Group.
10. PROCESSING SENSITIVE PERSONAL DATA
10.1 The Group shall not process sensitive personal data—including but not limited to data
relating to race, ethnic origin, political opinions, religious or philosophical beliefs, trade union
membership, health status, sex life, genetic data, biometric data, or criminal records—unless
the Data Subject has given prior, informed, and written consent, or the processing is expressly
permitted by law. Such consent may be withdrawn at any time, without explanation and at no
cost to the Data Subject.
10.2 Sensitive personal data may be processed without consent only where strictly necessary
and subject to appropriate safeguards, including:
a) compliance with a legal obligation;
b) protection of the vital interests of the Data Subject or another person, particularly
where the Data Subject is incapable of giving consent;
c) the establishment, exercise, or defense of a legal claim;
d) for reasons of substantial public interest, national security, or public health, as
authorized under applicable law;
e) provision of health or social care, occupational medicine, or medical diagnosis by
a health professional bound by confidentiality obligations;
f) scientific or historical research, subject to safeguards prescribed by law; or
g) where the data has been manifestly made public by the Data Subject.
10.3 The Group shall apply strict technical and organizational measures to safeguard the
rights and freedoms of Data Subjects whenever sensitive personal data is collected,
processed, or stored, and shall maintain records to demonstrate compliance with this
obligation.
11. PROCESSING DATA RELATING TO VULNERABLE GROUPS
The Group shall only process the personal data of children or vulnerable persons with verified
consent from a parent, guardian, or other lawful representative, or where required or permitted by
law. Such processing shall always safeguard the best interests of the child or vulnerable person,
with appropriate mechanisms for age verification, consent, and confidentiality, and limited
exceptions where processing is necessary for vital interests, education, health, counselling, social
care, research, or legal proceedings.
12. RESTRICTIONS ON PROCESSING
12.1 The Group shall, at the request of a Data Subject, restrict the processing of personal
data where:
a) Accuracy of the personal data is contested by the Data Subject, for a period
enabling the Group to verify the accuracy of the Data.
b) Personal data is no longer required for the purpose of the processing, unless the
Group requires the personal data for the establishment, exercise, or defense of a
legal claim.
c) Processing is unlawful and the Data Subject opposes the erasure of the personal
data and requests the restriction of their use instead; or
d) Data Subject has objected to the processing, pending verification as to whether
the legitimate interests of the Group override those of the Data Subject.
12.2 Where personal data is restricted, it shall, unless merely stored, only be processed:
a) with the data subject’s consent;
b) for the establishment, exercise, or defence of legal claims;
c) for the protection of the rights of another person; or
d) for reasons of public interest.
12.3 The Group shall implement mechanisms to ensure that time limits established for the
rectification, erasure or restriction of processing of personal data, or for a periodic review of
the need for the storage of the personal data, are observed.
13. RECTIFICATION OF PERSONAL DATA
13.1 A Data Subject may request the Group through the Data Protection Officer to rectify
without undue delay personal data in its possession or under its control that is inaccurate,
outdated, incomplete or misleading; or to erase or destroy without undue delay personal data
that the Group is no longer authorized to retain, or that is irrelevant, excessive, or obtained unlawfully.
13.2 Where the Group has shared the personal data with a third party for processing
purposes, the Group shall take all reasonable steps to inform third parties processing such
data that the Data Subject has requested the rectification of such personal data in their
possession or under their control.
13.3 Where the Group is required to rectify or erase personal data, but the personal data is
required for the purposes of evidence, the Group shall, instead of erasing or rectifying, restrict
its processing and inform the Data Subject within a reasonable time.
14. RETENTION OF PERSONAL DATA
14.1 The Group shall retain personal data only for as long as is reasonably necessary to fulfill
the purposes for which the data was collected and processed. Once personal data is no longer
required for these purposes, it shall be securely deleted, anonymized, or pseudonymized in a
manner that prevents its reconstruction or unauthorized use.
14.2 Personal data may be retained for longer periods only under the following circumstances:
a) Where retention is required or authorized by applicable law or regulation;
b) Where retention is necessary to fulfill contractual obligations;
c) Where personal data relates to functions or activities for which it was collected or
processed;
d) Where retention is necessary for the prevention, detection, investigation,
prosecution, or punishment of an offense or breach of law;
e) Where retention is necessary to protect national security;
f) Where retention is required to enforce a court order or legislation related to public
revenue collection;
g) Where retention is necessary for proceedings before a court or tribunal;
h) Where retention is necessary for historical, statistical, research, or journalistic
purposes, provided that the personal data is appropriately anonymized or
pseudonymized; or
i) Where the data subject has provided consent for longer retention.
14.3 The Group shall maintain records of the retention periods, the purpose for which the
personal data was collected, and any third parties to whom the data has been disclosed. At
the expiry of the retention period, the Group shall ensure that personal data is destroyed or
de-identified in a secure manner to prevent reconstruction or misuse.
15. CROSS-BORDER TRANSFERS OF PERSONAL DATA
15.1 The Group operates across multiple jurisdictions and may, from time to time, transfer
personal data across national borders. Such transfers shall be carried out in strict compliance
with the applicable data protection laws of the country of origin, and in a manner that ensures
the continued protection of data subjects’ rights.
15.2 Personal data may only be transferred outside the Republic where one or more of the
following conditions are satisfied:
a) The recipient country, organisation, or sector has been determined to provide an
adequate level of protection.
b) The transfer is subject to standard contractual clauses, binding corporate rules, or
intra-group schemes that have been approved by the relevant supervisory
authority.
c) The data subject has given explicit, informed consent to the transfer, having been
advised of potential risks.
d) The transfer is necessary for the performance of a contract with the data subject,
or for the implementation of pre-contractual measures at the data subject’s
request.
e) The transfer is necessary for the conclusion or performance of a contract in the
interest of the data subject between the Group and a third party.
f) The transfer is required for reasons of public interest, establishment or defence of
legal claims, protection of vital interests, or other lawful grounds recognised under
applicable data protection laws.
15.3 The Group shall notify or seek approval from the relevant supervisory authority, where
required by law, before undertaking cross-border transfers.
15.4 The Group shall implement technical, organisational, and legal safeguards, maintain
records of transfers, and ensure transferees uphold equivalent protection standards.
16. DISCLOSURE OF PERSONAL DATA
16.1 The Group shall only disclose personal data in accordance with applicable data
protection laws and regulations. All disclosures shall be lawful, necessary, and proportionate
to the purpose for which the data was collected. The Group will assess each request for
information and reserves the right to decline any request that does not meet the required legal
or regulatory standards.
16.2 The Group may disclose personal data to:
a) Law enforcement agencies, regulatory authorities, courts, or other statutory bodies,
where disclosure is required or authorised by law and the request complies with
applicable procedures.
b) Subsidiaries, associate companies, service providers, professional advisers, business
partners, or agents engaged in providing products, services, or support to the Group,
subject to appropriate confidentiality and data protection obligations.
c) Fraud prevention, anti-money laundering, credit reference, and other agencies where
disclosure is necessary to comply with legal or regulatory obligations.
d) Third-party vendors, contractors, or consultants involved in system support, IT
services, application/website maintenance, or business continuity.
e) Debt collection agencies or other entities engaged in recovery of amounts lawfully due
to the Group.
f) Emergency service providers or other authorised persons where disclosure is
necessary to protect the vital interests, health, or safety of a data subject or another
person.
g) Any other person or entity where the data subject has provided consent, or where
disclosure is otherwise permitted by law.
16.3 The Group will not release personal data to any person or entity acting outside its legal
or contractual mandate and will always seek the express consent of data subjects before
sharing personal data with third parties for direct marketing purposes.
17. COMMERCIAL USE OF DATA
The Group shall not use personal data for commercial purposes, such as marketing or
promotions, unless the data subject has given express consent or such use is permitted by
law and communicated at the point of collection. Wherever possible, personal data used
commercially shall be anonymised to prevent identification, and data subjects shall always
have the right to opt out of such use.
18. DATA PROTECTION IMPACT ASSESSMENT
18.1 The Group recognizes that certain processing operations may pose a high risk to the
rights and freedoms of data subjects, particularly where new technologies, large-scale
processing of sensitive data, or systematic monitoring activities are involved. In such cases,
and in accordance with applicable data protection laws in our jurisdictions of operation, the
Group shall conduct a Data Protection Impact Assessment (DPIA) prior to commencing the
processing activity.
18.2 A DPIA shall include:
a) A systematic description of the envisaged processing operations and their
purposes, including where applicable the legitimate interests pursued;
b) An assessment of the necessity and proportionality of the processing in relation to
its stated purpose;
c) An evaluation of the risks posed to the rights and freedoms of data subjects; and
d) The measures, safeguards, and security mechanisms envisaged to address
identified risks, ensure compliance with applicable laws, and protect data subjects.
18.3 Where a DPIA indicates that the processing is likely to result in high residual risks, the
Group shall consult the relevant Data Protection Authority prior to undertaking such
processing, as may be required by law. DPIAs shall be reviewed periodically and updated
where there is a material change in the nature, scope, or risks of the processing activity.
18.4 The Group shall maintain adequate records of all DPIAs conducted and ensure that its
employees, contractors, and service providers involved in high-risk processing activities are
aware of, and comply with, the findings and mitigation measures identified in the DPIA.
19. SAFEGUARDS AND SECURITY OF DATA
19.1 The Group shall implement appropriate technical and organizational measures to protect
personal data against accidental, unlawful, or unauthorized destruction, loss, alteration,
disclosure, access, or other forms of processing that may compromise its confidentiality,
integrity, or availability. Such safeguards shall be commensurate with the nature of the data
and the risks associated with the processing activities.
19.2 The Group’s security measures shall include, but are not limited to:
a) Technical Controls – use of encryption, access controls, firewalls, intrusion detection
systems, secure servers, and regular system monitoring to prevent unauthorized
access or breaches.
b) Organizational Controls – clear policies and procedures, role-based access
restrictions, staff vetting, and confidentiality undertakings for employees, contractors,
and third-party service providers.
c) Physical Controls – secure office premises, controlled access to facilities,
surveillance where necessary, and secure storage of paper-based records.
d) Procedural Controls – regular risk assessments, vulnerability testing, data protection
impact assessments, and business continuity and disaster recovery measures.
19.3 All employees, contractors, and agents of the Group are responsible for safeguarding
personal data in their possession or under their control and must strictly comply with this Policy
and applicable data protection laws. Any suspected or actual data breach must be reported
immediately to the Group Data Protection Officer for investigation and response in accordance
with established breach management procedures.
20. PRIVACY BY DESIGN AND DEFAULT
The Group shall embed data protection principles into all systems, processes, products, and
services from the earliest stages of design and throughout their lifecycle. This includes
implementing measures that ensure personal data is processed only where necessary, limited
to the minimum required for the intended purpose, and accessible only to authorized persons.
By default, the highest levels of privacy and security settings shall apply to all processing
activities, unless the data subject chooses otherwise. The Group shall regularly review and
update its systems and practices to ensure compliance with evolving data protection
requirements and to safeguard the rights and freedoms of data subjects.
21. HANDLING OF NON-COMPLIANCE
21.1 The Group takes compliance with data protection laws and this Policy seriously. Any
actual, suspected, or potential non-compliance must be promptly reported to the Group Data
Protection Officer (DPO) or other designated authority. All reports will be investigated fairly,
confidentially, and in a timely manner, with appropriate corrective or disciplinary action taken
where necessary.
21.2 Non-compliance may lead to measures such as retraining, suspension of data
processing activities, or disciplinary action up to and including termination of employment or
contract. Where required, the Group will also fulfil its legal obligations to notify supervisory
authorities and affected data subjects. Employees are encouraged to raise concerns without
fear of retaliation.
22. REPORTING AND NOTIFICATION OF DATA BREACHES
The Group shall ensure that all personal data breaches are reported to the relevant
supervisory authority and, where required, to affected data subjects within the timelines
prescribed by applicable laws in each jurisdiction. Where multiple timelines may apply, the
Group shall adopt the shortest notification period to ensure compliance across all operations.
Notifications shall include sufficient details of the breach, the remedial measures taken, and
guidance to affected individuals, where required.
23. TRAINING AND AWARENESS
The Group shall ensure that all employees are trained on their data protection responsibilities
and the implementation of this Policy to promote a culture of data protection and compliance
across the Group.
24. COMPLAINT HANDLING MECHANISMS
The Group is committed to ensuring that all Data Subjects can raise concerns or complaints
regarding the processing of their personal data in a fair, transparent, and accessible manner.
Data Subjects may lodge complaints directly with the Group through designated channels,
including written correspondence, email, or any other official platform communicated by the
Group. All complaints shall be acknowledged promptly, investigated objectively, and resolved
within a reasonable timeframe. Where appropriate, the Data Protection Officer (DPO) shall
oversee the process, ensure compliance with applicable laws, and provide feedback to the
complainant. If a Data Subject is dissatisfied with the outcome, they retain the right to escalate
the matter to the relevant Data Protection Authority in their jurisdiction. The Group shall
maintain records of complaints and their resolution to demonstrate accountability and
continuous improvement in data protection practices.
25. REVIEW OF THIS POLICY
This Policy will be subject to annual review by the management to ensure the policy remains
current and compliant with evolving laws.