OXFORD BIOLABS' Code of Conduct on DATA PRIVACY and DATA PROTECTION

Introduction

The Oxford Biolabs Code of Conduct on Data Privacy and Data Protection (the 'Privacy Policy') expresses Oxford Biolabs' commitment to strive to protect the personal data of Oxford Biolabs' Customers, Suppliers and Business Partners. This Privacy Policy applies to all employees of the Oxford Biolabs Group of Companies in their roles as follows:

i) Oxford Biolabs Ltd, Oxford Biolabs Deutschland GmbH and Oxford Biolabs USA LLC as data controllers, and

ii) Oxford Biolabs Ukraine LLC and Keilwert Services LLC as a data processors for the data controllers.

This Privacy Policy indicates how this commitment shall be implemented.

Both Oxford Biolabs Ukraine LLC and Keilwert Services LLC are located in a country, Ukraine, that is categorised by the EU Commission as being a Country with Absence of Adequacy. This Privacy Policy also provides for the safeguards at a similar level of data privacy and data protection to those countries that are regarded as having adequate safeguards.

Article 1 – Scope, Applicability and Implementation Scope

1.1 This Privacy Policy addresses the worldwide processing of personal data of Oxford Biolabs Customers, Suppliers and Business Partners

1.2 This Privacy Policy does not address the processing of personal data of Oxford Biolabs employees.

1.3 This Privacy Policy applies to the processing of personal data by electronic means and in systematically accessible paper-based filing systems.

1.4 Individuals (also known as Data Subjects) keep any rights and remedies they may have under applicable local law. Where this Privacy Policy provides more protection than applicable local law or provide additional safeguards, rights or remedies for individuals, this Privacy Policy shall apply.

1.5 Oxford Biolabs may supplement this Privacy Policy through sub-policies and notices that are consistent with this Privacy Policy.

1.6 This Privacy Policy is binding on Oxford Biolabs. Oxford Biolabs employees must comply with this Privacy Policy and, for all those controlling or processing personal data, shall deposit a signed copy of the Privacy Policy on their employee file, to acknowledge their understanding and commitment to keeping to this Privacy Policy.

1.7 This Privacy Policy enters into force as of May 25th, 2018, and replaces any previous codes of conduct on Data Privacy and Data Protection. They are published on the Oxford Biolabs intranet and all Oxford Biolabs websites.

1.8 Where there is a question as to the applicability of this Privacy Policy, employees shall seek the advice of the Data Protection Officer prior to the relevant processing.

Article 2 – Purposes for processing personal data

Legitimate Business Purposes

2.1 Personal data shall be collected, used, transferred or otherwise processed for one or more of the following legitimate business purposes (“Business Purpose”):

(i) Purposes necessary to conduct Oxford Biolabs business.

This addresses processing necessary for activities such as:

(a) conclusion and execution of agreements with Customers, Suppliers and Business Partners;

(b) to record and financially settle delivered services, products and materials to and from Oxford Biolabs;

(c) marketing, sales, and promotions;

(d) account management;

(e) customer service;

(f) finance and accounting;

(g) research and development;

(h) purchasing;

(i) internal management and control;

(j) external communications;

(k) government and legal affairs;

(l) alliances, ventures, mergers, acquisitions, and divestitures; or

(m) intellectual property and standards management

However, Oxford Biolabs does not store payment card numbers on its servers. Payment card numbers are submitted to payment card authorisation services, which provide Oxford Biolabs with validation information only. Oxford Biolabs does not have access to your personal financial data.

(ii) Business process execution and internal management.

This addresses processing necessary for activities such as managing company assets, conducting internal audits and investigations, and implementing business controls;

(iii) Health, safety and security.

This addresses processing necessary for activities such as those involving health and safety, the protection of Oxford Biolabs and employee assets, and the authentication of Customer, Supplier or Business Partner status and access rights;

(iv) Compliance with legal obligations.

This addresses processing necessary for compliance with a legal obligation to which Oxford Biolabs is subject; or

(v) Vital interests.

This addresses processing necessary to protect a vital interest of an individual.

Consent

2.2 If none of the criteria listed in Article 2.1 applies, or if consent is required by applicable local law, Oxford Biolabs shall obtain explicit consent from the individual before processing their personal data. When seeking consent, Oxford Biolabs shall inform the individual of:

(i) the purposes of the processing for which consent is requested; and

(ii) any other relevant details to seek to ensure fair processing.

Oxford Biolabs shall record each consent provided by individuals and acknowledge the consent through e-mail.

However, if the processing is reasonably necessary to address a direct request of the individual, the individual’s consent shall be implied.

Denial or withdrawal of consent

2.3 The individual may deny or withdraw consent at any time. Processing will be discontinued unless Oxford Biolabs has taken action that relies upon the previously provided consent. In such case Oxford Biolabs will discontinue processing as soon as reasonably practical.

Children

2.4 Oxford Biolabs does not seek to nor knowingly form relationships with minors (individuals under 18 years old). When seeking explicit consent from an individual, this consent shall include acknowledgement that the individual is 18 years old or over. In the event that Oxford Biolabs subsequently learns that an individual in its databases are under 18, any consent provided by that individual will be deemed to have been withdrawn, personal data deleted to the maximum extent allowed under applicable law, and a block placed on that individual from any further trading relationship.

Article 3 – Processing of personal data for supplementary purposes

3.1 Generally, and unless explicit consent has been provided by an individual, personal data shall be initially processed only for the purposes for which it was originally collected. However, personal data may further be processed for a legitimate Business Purpose (Article 2.1 above) of Oxford Biolabs for the following supplementary processes:

(i) transferring the personal data to an archive, under statutory documentation retention requirements;

(ii) conducting internal audits or investigations;

(iii) implementing business controls;

(iv) conducting statistical, historical or scientific research as required for the business operations of Oxford Biolabs;

(v) preparing for or engaging in dispute resolution;

(vi) in pursuit of a legal case requiring the use of relevant personal data;

(vii) managing insurance issues;

(viii) any other legitimate purpose established from time to time by the operation of law, which shall be then updated within this Privacy Policy.

3.2 If an employee is in any doubt whether a process is a supplementary process, they shall consult the Data Protection Officer.

Article 4 – Purposes for processing Sensitive Data

Purposes for processing Sensitive Data

4.1 Oxford Biolabs shall process Sensitive Data only to the extent necessary to serve an applicable Business Purpose. Sensitive Data may be processed under one or more of the following circumstances:

(i) where the individual has explicitly consented to the processing, unless the consent may not be relied upon under applicable local law;

(ii) where processing Sensitive Data is a necessary part of providing services to the individual;

(iii) where Sensitive Data is processed in connection with, and as a necessary part of, the purchase or use by an individual of a Oxford Biolabs product or service;

(iv) where the individual is voluntarily participating in a research project or product test;

(v) as required by or allowed under applicable local law;

(vi) to establish, exercise or defend a legal claim;

(vii) only in respect of racial or ethnic data: for the authentication of Customer, Supplier or Business Partner. Oxford Biolabs may process photos and video images (in some countries photo and video images of individuals qualify as racial or ethnic data);

(vii) to prevent, detect or prosecute (including cooperating with public authorities) suspected fraud, contract breaches, violations of law, or other breaches of the terms of access to Oxford Biolabs sites or assets;

(ix) to protect a vital interest of an individual, but only where it is impossible to obtain the individual’s consent first; or

(x) where necessary to comply with an obligation of international public law (e.g. treaties).

Denial or withdrawal of consent

4.2 The information requirements of Article 2.2 and Article 2.3 also apply to the granting, denial or withdrawal of consent.

Prior Authorisation of Data Protection Officer

4.3 Where Sensitive Data is processed based on a requirement of law other than the local law applicable to the processing, or based on the consent of the individual, the processing requires the prior approval of the Data Protection Officer.

Use of Sensitive Data for supplementary purposes

4.4 Sensitive Data may be processed for supplementary purposes only in accordance with Article 3.

Article 5 – Quantity and Quality of personal data

No excessive data

5.1 Oxford Biolabs shall restrict the processing of personal data to that data which is reasonably adequate for and relevant to the applicable Business Purpose. Oxford Biolabs shall take reasonable steps to securely delete or destroy personal data that is not required for the applicable Business Purpose.

Retention period

5.2 Oxford Biolabs generally shall retain personal data only:

(i) for the period required to serve the applicable Business Purpose;

(ii) to the extent reasonably necessary to comply with an applicable legal requirement; or (iii) as part of documentation required under statutory Documentation Retention requirements

Oxford Biolabs may specify (e.g., in a sub-policy, notice or records retention schedule) a time period for which certain categories of personal data will be kept.

End of retention period

5.3 Promptly after the applicable retention period has ended, the Data Protection Officer shall direct that the personal data be:

(i) securely deleted or destroyed;

(ii) de-identified; or

(iii) transferred to an archive (unless this is prohibited by applicable local law or an applicable records retention schedule).

Quality of personal data

5.4 Personal data should be accurate, complete and kept up-to-date to the extent reasonably necessary for the applicable Business Purpose.

Informing Oxford Biolabs

5.5 Oxford Biolabs will undertake reasonable efforts to ensure that personal data is accurate, complete and up-to-date. However, it is the final responsibility of the individual to inform Oxford Biolabs if their personal data is inaccurate, incomplete or outdated and Oxford Biolabs shall rectify the data in accordance with Article 7.

Article 6 – Informing the individual Information to the individual for each processing

6.1 Oxford Biolabs shall inform the individual concerning:

(i) the Business Purposes for which personal data is processed;

(ii) which member of the Oxford Biolabs Group of Companies is responsible for the processing (as data controller); and

(iii) other relevant information (e.g., the nature and categories of the processed personal data, the categories of Third Parties to which the personal data are disclosed, if any, and how the individual can exercise their rights).

(i) the contact details of the Oxford Biolabs, as data controller, its customer service department and the Data Protection Officer

(ii) the Business Purpose of the processing for which the personal data is intended and the consequences of having incomplete personal data

(iii) the period for which the personal data will be stored or the criteria used to determine that period

(iv) the existence of the individual’s rights (see Article 7 below)

(v) the right to lodge a complaint (see Article 17 below)

(viii) the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

(ix) the existence of this Privacy Policy, published on Oxford Biolabs websites, as providing adequate safeguards for the transfer of data to a member of the Oxford Biolabs Group of Companies that is located in a Country with Absence of Adequacy.

(x) a statement that personal data will not be transferred, sold, leased or rented to a Third Party data controller, except as required under applicable law.

Personal data not obtained from the individual

6.2 To the extent required by applicable law, where personal data has not been obtained directly from the individual, Oxford Biolabs shall provide the individual with information as required by Article 6.1, as well as:

(i) which Oxford Biolabs company was in receipt of this data;

(ii) the source of that personal data, including if publicly accessible;

(iii) the categories of personal data concerned;

This communication shall occur no later than the time the personal data is recorded in a Oxford Biolabs database.

Exceptions

6.3 The requirements of Article 6.2 may be set aside if:

(i) it is impossible or would involve a disproportionate effort to inform the individual; or (ii) such provision of information would result in disproportionate cost.

Article 7 – Rights of individuals

Rights of individuals

7.1 Individuals have the right to request an overview (Right of Access) of their personal data processed by or on behalf of Oxford Biolabs. Where reasonably possible, the overview shall contain information regarding the source (if reasonably available), type, purpose and categories of recipients of the relevant personal data. If the personal data is incorrect, incomplete or not processed in compliance with applicable law or this Privacy Policy, the individual has the right, as appropriate, to have their personal data rectified (Right of Rectification), deleted (Right of Erasure) or blocked (Right to withdraw consent). The individual has the right to object to the processing of her personal data on the basis of compelling grounds related to her particular situation (Right of Restriction of Processing). The Individual also has the right for their personal data to be received by them or transferred to a Third Party using a commonly-used electronic format (Right of Data Portability).

Procedure

7.2 To access, rectify, delete, or block personal data or to object to the processing, the individual should send their request or objection to the contact person or contact point indicated in the relevant communication. If no contact person or contact point is indicated, the individual may send their request or objection to Oxford Biolabs through the contact section of the relevant Oxford Biolabs website, or they may contact the Data Protection Officer. Prior to fulfilling the request of the individual, Oxford Biolabs may require the individual to:

(i) specify the type of personal data in question;

(ii) specify, to the extent reasonably possible, the data system in which the personal data likely is stored;

(iii) specify the circumstances in which Oxford Biolabs obtained the personal data;

(iv) show proof of their identity; and

(v) in the case of rectification, deletion, or blockage, specify the reasons why the personal data is incorrect, incomplete or not processed in accordance with applicable law or the Privacy Policy.

Response period

7.3 Without undue delay, and in any case within four weeks of Oxford Biolabs receiving the request or the objection, the Data Protection Officer shall inform the individual in writing either:

(i) of Oxford Biolabs position with regard to the request or the objection and any action Oxford Biolabs has taken or will take in response, or

(ii) the ultimate date on which they will be informed of Oxford Biolabs position, which date shall be no later than eight weeks thereafter.

Complaint

7.4 An individual may file a complaint in accordance with Article 17 if:

(i) the response to the request or the objection is unsatisfactory to the individual (e.g., the request is denied); or

(ii) the individual has not received a response as required by Article 7.3.

Denial of requests

7.5 Oxford Biolabs may deny an individual’s request or objection if:

(i) the request or objection does not meet the requirements of Articles 7.1 and 7.2;

(ii) the request or objection is not sufficiently specific;

(iii) the identity of the relevant individual cannot be established by reasonable means; or (iv) the request or objection is made within an unreasonable time interval of a prior request or objection or otherwise; or constitutes an abuse of rights, for instance because of its repetitive character. A time interval between requests of six months or less shall generally be deemed to be an unreasonable time interval. Before denying a request or objection, employees shall seek the advice of the Data Protection Officer.

Article 8 – Security Requirements

Data security

8.1 Oxford Biolabs shall take appropriate commercially reasonable technical, physical and organisational measures to protect personal data from misuse or accidental, unlawful or unauthorised destruction, loss, alteration, disclosure, acquisition or access.

Employee access

8.2 Employees shall be provided access to personal data only to the extent necessary to serve the applicable Business Purpose and to perform their job.

Confidentiality obligations

8.3 Employees who access personal data shall meet their confidentiality obligations as specified by their contract of employment, and other Oxford Biolabs policies and procedures.

Article 9 – Direct Marketing

Explicit consent for direct marketing

9.1 To the extent required by applicable law, when processing personal data for the purpose of making direct marketing communications, Oxford Biolabs will obtain their explicit consent of the targeted individual. In every subsequent direct marketing communication that is made to the individual, the individual shall be offered the opportunity to withdraw their consent (opt-out) of further marketing communication.

Objection to marketing

9.2 If the individual objects to receiving marketing communications from Oxford Biolabs, or withdraws their consent to receive such materials, Oxford Biolabs will take steps to refrain from sending further marketing materials, and any other material not connected with a Business Purpose, as specifically requested by the individual. Oxford Biolabs will do so within the time period required by applicable law.

Article 10 – Automated Decision Making

Automated decisions

10.1 Automated tools may be used to make decisions about individuals but decisions may not be based solely on the results provided by the automated tool. This restriction does not apply if:

(i) explicit consent has been provided by the individual to the contrary;

(i) the use of automated tools is required or authorised by law; or

(ii) the decision is made by Oxford Biolabs for purposes of entering into or performing a contract provided that:

(a) the underlying request leading to a decision by Oxford Biolabs was made by the individual (e.g., where automated tools are used to qualify contest entries or process requests from Customers); or

(b) suitable measures are taken to safeguard the legitimate interests of the individual (e.g., the individual has been provided with an opportunity to express their point of view).

Article 11 – Transfer of personal data to Third Parties

Transfer to Third Parties

11.1 This Article sets forth requirements concerning the transfer of personal data from Oxford Biolabs to a Third Party. Note that a transfer of personal data includes situations in which:

(i) Oxford Biolabs discloses personal data to Third Parties (e.g., in the context of corporate due diligence); or

(ii) Oxford Biolabs provides remote access to personal data to a Third Party.

Third Party Data Controllers and Third Party Data Processors

11.2 There are two categories of Third Parties:

(i) Third Party Data Processors: these are Third Parties that process personal data solely on behalf of Oxford Biolabs and at its direction (e.g., providers that host accounting software, order management software, customer relationship management software, payment software); and

(ii) Third Party Data Controllers: these are Third Parties that process personal data and determine the purposes and means of the processing.

Transfer for applicable Business Purposes only

11.3 Oxford Biolabs shall transfer personal data to a Third Party only as necessary to serve the Business Purpose for which the personal data is processed (including supplementary purposes as per Article 3 or purposes for which the individual has provided consent in accordance with Article 2).

Third Party Data Controllers

11.4 Oxford Biolabs shall not transfer, sell, lease, or rent personal data to a Third Party data controller except as required under applicable law.

Third Party Data Processors

11.5 Third Party data processors may process personal data only if the third party data processor has a written contract with Oxford Biolabs. The contract shall include provisions addressing the following:

(i) the Third Party data processor shall process personal data only in accordance with Oxford Biolabs instructions and for the purposes authorised by Oxford Biolabs;

(ii) the Third Party data processor shall keep the personal data confidential;

(iii) the Third Party data processor shall take appropriate technical, physical and organizational security measures to protect the personal data; and

(iv) the Third Party data processor shall not permit subcontractors to Process personal data in connection with its obligations to Oxford Biolabs without the prior written consent of Oxford Biolabs. Furthermore, contracts with Third Party data processors shall include, as appropriate, provisions addressing the following:

(v) Oxford Biolabs has the right to review the security measures taken by the Third Party data processor and the third party data processor shall submit its relevant data processing facilities to audits and inspections by Oxford Biolabs or any relevant government authority; and

(vi) the Third Party data processor shall promptly inform Oxford Biolabs of any Data Breach involving personal data, without undue delay.

All such contracts shall be drafted in consultation with the Data Protection Officer.

Transfer of personal data to a Country with Absence of Adequacy

11.6 This Article sets forth additional rules for the transfer of personal data to a Third Party located in a country that is not considered by the EU Commission to provide an ‘adequate level of protection’ for personal data (Country with Absence of Adequacy). Personal data may be transferred to a Third Party located in a Country with Absence of Adequacy only if:

(i) a contract has been concluded between Oxford Biolabs and the relevant Third Party that provides for safeguards at a similar level of protection as that provided by this Privacy Policy; the contract shall conform to any model contract required under applicable local law (if any);

(ii) the Third Party has implemented binding corporate rules or a similar transfer control mechanism which provide adequate safeguards as required under applicable law;

(iii) the transfer is necessary for the performance of a contract with the Customer, Supplier or Business Partner or to take necessary steps at the request of the Customer, Supplier or Business Partner prior to entering into a contract;

(iv) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between Oxford Biolabs and a Third Party (e.g. in case of recalls);

(v) the transfer is necessary to protect a vital interest of the individual;

(vi) the transfer is necessary for the establishment, exercise or defense of a legal claim;

(vii) the transfer is required by any applicable law to which the relevant Oxford Biolabs Group Company is subject; or

(viii) the individual has consented to such transfer.

To the extent permitted by law, items (vii) and (viii) above require the prior approval of the Data Protection Officer.

Consent for transfer

11.7 When seeking consent pursuant to Article 11.6 (viii), the individual shall be first provided with the following information:

(i) the purpose of the transfer;

(ii) the identity of the transferring member of the Oxford Biolabs Group of Companies;

(iii) the identity or categories of Third Parties to which the personal data will be transferred;

(iv) the categories of personal data that will be transferred;

(v) the country to which the personal data will be transferred; and

(vi) the fact that the personal data will be transferred to a Country with Absence of Adequacy.

Transfers between NonAdequate Countries

11.8 This Article sets forth rules for transfers of personal data that was collected in connection with the activities of a member of the Oxford Biolabs Group of Companies located in a Country with Absence of Adequacy to a Third Party also located in a Country with Absence of Adequacy. In addition to the grounds listed in Article 11.6, these transfers are permitted if they are:

(i) necessary for compliance with a legal obligation to which the relevant member of the Oxford Biolabs Group of Companies is subject;

(ii) necessary to serve the public interest; or

(iii) necessary to satisfy a Business Purpose of Oxford Biolabs.

Article 12 – Overriding Interests

Overriding Interests

12.1 Some of the obligations of Oxford Biolabs or rights of individuals under this Privacy Policy may be overridden if, under the specific circumstances at issue, a pressing legitimate need exists that outweighs the interest of the individual (Overriding Interest). An Overriding Interest exists if there is a need to:

(i) protect the legitimate business interests of Oxford Biolabs including:

(a) the health, security or safety of individuals;

(b) Oxford Biolabs intellectual property rights, trade secrets or reputation;

(c) the continuity of Oxford Biolabs business operations;

(d) the preservation of confidentiality in a proposed sale, merger or acquisition of a business; or

(e) the involvement of trusted advisors or consultants for business, legal, tax, or insurance purposes.

(ii) prevent or investigate suspected or actual violations of:

(a) law (including cooperating with law enforcement);

(b) contracts; or

(c) or Oxford Biolabs policies; or

(iii) otherwise protect or defend the rights or freedoms of Oxford Biolabs, its employees or other persons.

Exceptions in the event of Overriding Interests

12.2 If an Overriding Interest exists, one or more of the following obligations of Oxford Biolabs or rights of the individual may be set aside:

(i) Article 3.1 (Use of personal data for a supplementary purpose);

(ii) Article 6.1 (Information to the individual);

(iii) Article 7.1 (Rights of individuals);

(iv) Article 8 (Data Security); and

(v) Articles 11.4, 11.5 and 11.6 (i) (Third Party data controller contracts, Third Party data processor contracts, Transfer of personal data to a Country with Absence of Adequacy).

Sensitive Data

12.3 The requirements of Article 4.1 (Sensitive Data) may be set aside only for the Overriding Interests listed in this Article 12.1(i)(a), (c) and (e), (ii) and (iii).

Consultation with the Data Protection Officer

12.4 Setting aside obligations of Oxford Biolabs or rights of individuals based on an Overriding Interest requires the prior consultation of the Data Protection Officer.

Information to the individual

12.5 Upon request of the individual, Oxford Biolabs shall inform the individual of the Overriding Interest that led to the setting aside of Oxford Biolabs obligations or the rights of the individual, unless the particular Overriding Interest sets aside the requirements of Articles 6.2 or 7.2, in which case the request shall be denied.

Article 13 – Supervision and compliance

Data Protection Officer

13.1 Oxford Biolabs shall appoint a Data Protection Officer who is responsible for:

(i) supervising compliance with this Privacy Policy;

(ii) providing weekly updates to the Managing Director of Oxford Biolabs Ltd and quarterly reports to the Board of Directors of Oxford Biolabs Ltd on data protection risks and compliance issues; and

(iii) coordinating official investigations or inquiries into the processing of personal data by a public authority.

(iv) the development of the policies, procedures and system information (as required by Article 14);

(vi) planning training and awareness programmes (Article 15);

(vii) monitoring and reporting on compliance with this Privacy Policy;

(viii) collecting, investigating and resolving privacy inquiries, concerns and complaints; and

(ix) determining and updating appropriate sanctions for violations of This Privacy Policy (e.g., disciplinary standards).

(x) informing the individual in writing (as required by Article 7.4);

(xi) directing that personal data is securely deleted or destroyed, de-identified or transferred to an Archive promptly after the end of the retention period (as required by Article 5.3);

(xii) determining how to comply with the Privacy Policy when there is a conflict with applicable law (as required by Article 20.2);

(xiii) undertaking Data Protection Impact Assessments; and

(ix) informing the Board of Directors of any new legal requirement that may interfere with Oxford Biolabs ability to comply with this Privacy Policy (as required by Article 20.3).

The contact details of the Data Protection Officer shall be published on each Oxford Biolabs internet website.

Default Data Protection Officer

13.5 If no Data Protection Officer has been designated, the Managing Director of Oxford Biolabs is responsible for supervising compliance with the Privacy Policy.

Article 14 – Policies and procedures

Policies and procedures

14.1 Oxford Biolabs shall develop and implement policies and procedures to comply with this Privacy Policy.

System information

14.2 Oxford Biolabs shall maintain readily available information regarding the structure and functioning of all systems and processes that process personal data (e.g. inventory of systems and processes, privacy impact assessments).

Article 15 – Training

Employee training

15.1 Oxford Biolabs shall provide training on this Privacy Policy and other privacy and data security obligations to employees who have access to or responsibilities associated with managing personal data.

Article 16 – Monitoring compliance

Audits

16.1 Oxford Biolabs shall periodically arrange an audit of business processes and procedures that involve the processing of personal data for compliance with this Privacy Policy at the request of the Data Protection Officer.

Applicable professional standards of independence, integrity and confidentiality shall be observed when conducting an audit. The results of any audit shall in all cases be presented to the Board of Directors at the following Board Meeting.

Annual Report

16.2 The Data Protection Officer shall produce an annual Customer, Supplier and Business Partner privacy report for consideration at the Board Meeting immediately following the 31st January each year.

Article 17 – Complaint procedure

Complaint to Data Protection Officer

17.1 Individuals may file a complaint regarding compliance with this Privacy Policy with the Data Protection Officer, who shall initiate an investigation and:

(a) when necessary, advise the organization on the appropriate measures for compliance; and

(b) when measures are undertaken, monitor the steps designed to achieve compliance until all compliance measures are completed.

The Data Protection Officer may consult with any government authority having jurisdiction over a particular matter about the measures to be taken.

Reply to the individual

17.2 Within four weeks of Oxford Biolabs receiving a complaint, the Data Protection Officer shall inform the individual in writing either:

(i) of Oxford Biolabs position with regard to the complaint and any action Oxford Biolabs has taken or will take in response; or

(ii) the ultimate date on which she will be informed of Oxford Biolabs position, which date shall be no later than twelve weeks thereafter.

Complaint to the Managing Director of Oxford Biolabs Ltd

17.3 An individual may file a complaint with the Managing Director of Oxford Biolabs if:

(i) the resolution of the complaint by the Data Protection Officer is unsatisfactory to the individual (e.g., the complaint is rejected);

(ii) the individual has not received a response as required by Article 17.2; or

(iii) the time period provided to the individual pursuant to Article 17.2 is, in light of the relevant circumstances, unreasonably long and the individual has objected but has not been provided with a shorter, more reasonable time period in which they will receive a response.

Statutory rights

17.4 The operation of the Complaints procedure outlined in this Article shall not effect the statutory rights of the individual, including the right of complaint to the relevant supervisory authority.

Article 18 – Legal issues

Local law and jurisdiction

18.1 Any processing by Oxford Biolabs of personal data shall remain to be governed by applicable local law. Individuals keep any rights and remedies they may have under applicable local law. Local public authorities having jurisdiction over the relevant matters maintain their authority.

Specific provision when Data Protection Authorities in EEA have jurisdiction under local law

18.2 If a Data Protection Authority of one of the EEA countries has jurisdiction under its applicable data protection law to evaluate data transfers by an Oxford Biolabs company established in its country, such Data Protection Authority may evaluate these data transfers also against this Privacy Policy.

Protection provided by the Privacy Policy

18.3 Where this Privacy Policy provides more protection than applicable local law or provide additional safeguards, rights or remedies for individuals, this Privacy Policy shall apply.

Supervisory Authority for enforcement of this Privacy Policy

18.4 Except in the case of jurisdiction of a Data Protection Authority of one of the EEA countries pursuant to Article 18.2, compliance with this Privacy Policy shall be exclusively supervised by the Information Commissioners Office in the United Kindgom.

Available remedies and burden of proof

18.7 Under this Privacy Policy, individuals shall only be entitled to remedies available to individuals under the United Kingdom Data Protection legislation. Regarding the burden of proof in respect of damages, it will be for the individual to demonstrate that they have suffered damage and to establish facts which show it is plausible that the damage has occurred because of a violation of this Privacy Policy.

Article 19 – Sanctions for non-compliance

Non-compliance

19.1 Non-compliance of Oxford Biolabs employees with this Privacy Policy may result in disciplinary action up to and including termination of employment.

Article 20– Changes to the Privacy Policy

20.1 Any changes to this Privacy Policy require the prior approval of the Managing Director of Oxford Biolabs Ltd.

20.2 Any amendment shall enter into force after it has been approved and published on the Oxford Biolabs intranet.

20.3 Any request, complaint or claim of an individual involving this Privacy Policy shall be judged against the version of this Privacy Policy that is in force at the time the request, complaint or claim is made.

ANNEX 1 Definitions

ARCHIVE shall mean a collection of personal data that is no longer necessary to achieve the purposes for which the personal data originally were collected or that are no longer used for general business activities, but are used only for historical, scientific or statistical purposes, dispute resolution, investigations or general archiving purposes. An archive includes any data set that is subject to appropriately enhanced security and has restricted access.

BUSINESS CONTACT INFORMATION shall mean personal information typically found on a business card that is used by an individual in the conduct of her employment.

BUSINESS PARTNER shall mean any (a) individual or (b) individual associated with an entity, other than a Customer or Supplier, which has a business relationship or strategic alliance with Oxford Biolabs (such as a joint marketing partner, joint venture or joint development partner).

BUSINESS PURPOSE shall mean a purpose for processing personal data as specified in Article 2 or 3 or for processing Sensitive Data as specified in Article 4. .

COUNTRY shall mean each country in which a group company is established.

COUNTRY WITH ABSENCE OF ADEQUACY shall mean a country that is deemed not to provide an “adequate” level of data protection, under the determination of the EU Commission.

CUSTOMER shall mean any (a) individual or (b) individual associated with an entity, which purchases or may purchase a Oxford Biolabs product or service.

DATA BREACH shall mean any actual or suspected theft, or unauthorized processing, loss, use, disclosure, or acquisition of, or access to, any data.

DATA CONTROLLER shall mean the entity or natural person which alone or jointly with others determines the purposes and means of the processing of personal data.

DATA PROCESSOR shall mean the entity or natural person which Processes personal data on behalf of the Data Controller.

EEA (or European Economic Area) shall mean all Member States of the European Union, plus Norway, Iceland and Liechtenstein.

EMPLOYEE shall mean an employee, job applicant or former employee of Oxford Biolabs.

GENERAL DATA PROTECTION REGULATION shall mean the Regulation 2016/679 of the European Commission on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

OVERRIDING INTEREST shall mean a pressing legitimate need that under specific circumstances outweighs the interest of the individual. personal data personal data shall mean any information relating to an identified or identifiable individual where the individual is associated with a Oxford Biolabs Customer, Supplier or Business Partner.

OXFORD BIOLABS shall mean the Oxford Biolabs Group of Companies.

OXFORD BIOLABS GROUP OF COMPANIES shall mean Oxford Biolabs Ltd, Oxford Biolabs Deutschland GmbH, Oxford Biolabs USA LLC, Oxford Biolabs Ukraine LLC, Keilwert Services LLC, and any company or legal entity of which one of these companies, directly or indirectly owns more than 50% of the issued share capital, has 50% or more of the voting power at general meetings of shareholders, has the power to appoint a majority of the directors, or otherwise directs the activities of such other legal entity;

SENSITIVE DATA shall mean personal data that reveals an individual’s racial or ethnic origin, political opinions, or membership in political parties or similar organisations, religious or philosophical beliefs, membership in a professional or trade organisation or union, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning physical or mental health or mental health including any opinion thereof, addictions, criminal offences, criminal records, proceedings with regard to criminal or unlawful behaviour, social security numbers issued by the government or similar identifying references, or data concerning a natural person’s sex life or sexual orientation.

SUPPLIER shall mean any (a) individual or (b) individual associated with an entity, which provides goods or services to Oxford Biolabs (such as an agent, consultant or vendor).

THIRD PARTY shall mean any person or entity (e.g., an organisations or government authority) that is not a member of the Oxford Biolabs Group of Companies.

X