CEGA GROUP PRIVACY POLICY
24 May 2018

1. Introduction, Aims and Scope

1.1. This policy applies to all Charles Taylor Group companies who operate as part of the CEGA Group. The companies making up the CEGA Group are:

1.1.1. CEGA Group Services Limited;
1.1.2. CEGA Holdings Limited;
1.1.3. CEGA Solutions Limited;
1.1.4. CEGA Air Ambulance UK Limited.

1.2. The CEGA Group companies are a group of undertakings in the definition of Article 4(19) GDPR, each of which is incorporated in England & Wales and registered with Companies House at the following address: the Minster Building, 21 Mincing Lane, London, EC3R 7AG. As a matter of European Union law, each is domiciled in the United Kingdom and established in the European Union. The CEGA Group is part of the Charles Taylor Group of companies.

1.3. As part of the Charles Taylor Group of companies, the companies in the CEGA Group are committed to conducting their businesses in a manner that protects and values each individual's personal data, and processes said personal data fairly, lawfully, and ethically. The lawful and proper processing of personal data by Charles Taylor Group is integral to the success of its businesses, is required by law under the new General Data Protection Regulation ("GDPR"), and is expected by our customers, clients, partners & employees.

1.4. Further to the various policies and processes operated by Charles Taylor Group, the CEGA Group has developed and customised its own policies around data protection to account for the specific challenges of its business, including their global scope (including territories outside of the European Economic Area), the scale of their operations and the sensitive nature of the personal data they often process.

1.5. This document is the CEGA Privacy Policy. It governs the way in which the various data controllers in the CEGA Group (for which, see the CEGA Group Governance & Registration Policy) will comply with data protection law in the UK, gives summary information as to the way in which CEGA Group processes personal data and how data subjects can exercise their rights in respect of personal data held by CEGA.

1.6. This Privacy Policy is one of six core CEGA Group policies, which provide the framework for the processing of personal data by CEGA Group. They should be read together, and any apparent inconsistencies will be resolved upon request by the CEGA Group Data Protection Officer. The other policies are:

1.6.1. CEGA Group Governance & Registration Policy;
1.6.2. CEGA Group Data Subject Rights Policy;
1.6.3. CEGA Group Data Retention Policy;
1.6.4. CEGA Group Data Incident Policy;
1.6.5. CEGA Group Data Transfer Policy; as well as
1.6.6. The CEGA Information Security & Data Privacy Policy; and
1.6.7. all Charles Taylor Group data protection policies insofar as applicable to CEGA.

1.7. The aim of these policies is to support the management of data protection across CEGA Group by providing this agreed set of standards. All CEGA Group employees and contractors in all relevant territories and businesses must familiarise themselves with the processes and procedures set out herein and comply with them at all times.

1.8. This Policy applies to all CEGA Group entities which process (whether electronically or otherwise) Personal Data (including Special Category Personal Data). Subject to the CEGA Group Data Transfer Policy (which shall take precedence in all matters of territoriality), CEGA Group shall treat data concerning any living natural person as being personal data, irrespective of their nationality, citizenship, or residence.

1.9. For operational purposes, there may be occasions where deviations to this Policy or any linked Policies are required. Where this in necessary and justified, the deviations shall be recorded by the CEGA Group Data Protection Officer in the CEGA Information Security and Data Privacy Policy and the CEGA Data Privacy Policy and, where appropriate, notified to the Information Commissioner's Office ("ICO").

2. Definitions

2.1. The Policy, unless indicated otherwise below, adopts the definitions contained in Article 4 GDPR (or, prior to 25 May 2018, the Data Protection Act 1998 ("DPA")). Specifically, this Policy relies on the below definitions.

2.1.1. Personal Data means:
"any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

2.1.2. Special Category Personal Data means:
"personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation."

2.1.3. Processing means:
"any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction."

2.1.4. Data Controller means:
"the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data."

2.1.5. Data Processor means:
"a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."

2.1.6. Data Subject means:
"an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

2.1.7. Third Party means:
"a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data."

2.1.8. Consent means:
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

2.1.9. Data Breach means:
"a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."

2.2. This policy also relies on the following defined terms:

2.2.1. Archiving means the removal of Data from active systems (including, but not limited to, IT systems) and placing the Data into secure storage (whether hard copy or electronic) where the Data is still capable of being accessed by arrangement.

2.2.2. Data Privacy Officer or DPO means the individual designated by the CEGA Group under Article 37(2) GDPR to inform and advise the CEGA Group on the Applicable Data Protection Law and Applicable Guidance, and monitor the CEGA Group's compliance with the Applicable Data Protection Law and Applicable Guidance.

2.2.3. Privacy Office means the Office consisting of the CEGA Group Data Privacy Officer, CEGA Data Privacy Managers and staff reporting to them directly or indirectly on matters concerning data protection.

2.2.4. Data Privacy Manager means individuals within CEGA who are responsible for managing compliance with the Applicable Data Protection Law and Applicable Guidance and assisting the CEGA Group Data Privacy Officer.

2.2.5. General Data Protection Regulation or GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

2.2.6. Applicable Data Protection Law (on or after 25 May 2018) means:

2.2.6.1. the Data Protection Act 1998 and subsidiary legislation or orders (but only for as long as they remain in force);
2.2.6.2. the Data Protection Act 2018 (if and insofar as enacted) ("DPA2018"), and subsidiary legislation and orders made pursuant to the DPA2018;
2.2.6.3. the GDPR (but only for as long as the UK remains a Member State of the European Union, and/or the GDPR continues to apply as a matter of domestic law of the UK);
2.2.6.4. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector ("the PEC Directive"), the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"), and any subsequent EU instrument ("the ePrivacy Regulation") which either amends or replaces these legal instruments (but only for so long as the UK remains a Member State of the European Union); and
2.2.6.5. any other domestic data protection laws as shall be in force in the UK from time to time, to give effect to the rights of citizens concerning data protection (including replacements for PECR, whether or not implementing or retaining the EU ePrivacy Regulation).

2.2.7. Applicable Guidance means guidance and/or codes of practice and/or outcomes of any enforcement action issued and/or published by the ICO, the Article 29 Working Party and the European Data Protection Board, or any successor bodies to these organisations, in relation to any Applicable Data Protection Law.

3. The Principles underpinning this policy

3.1. CEGA Group will at all times comply with Applicable Data Protection Law and Applicable Guidance. Insofar as they are able within the law and within the terms of contracts with external parties, CEGA Group companies will seek to make all decisions through the prism of acting in the best interests of the Data Subject.

3.2. Article 5 GDPR provides for the core principles of Applicable Data Protection Law:

3.2.1. We shall process personal data fairly, lawfully and transparently;
3.2.2. We shall only be processing for specified, explicit purposes, or collateral purposes that are not incompatible with the processing for which the data was obtained;
3.2.3. We will limit processing of personal data to what is adequate, relevant & necessary
3.2.4. We will keep personal data accurate and up-to-date;
3.2.5. When we no longer need to keep personal data in a way that identifies the data subject, we will either delete it, or render data subjects non-identifiable;
3.2.6. We will take appropriate technological and organisational measures to keep personal data secure, and protect it against accidental or malicious unlawful or unauthorised processing.

3.3. CEGA Group has, as part of its compliance with the Applicable Data Protection Law from 25 May 2018, prepared a full Data Inventory, conducted a Data Mapping Exercise, and Gap Analysis. These show the extent to which CEGA Group's current data protection policies and processes under the Data Protection Act 1998 meet GDPR compliance requirements, and in what areas CEGA Group needs to update its policies and processes in order to achieve compliance.

3.4. CEGA Group (including all data co-controllers with CEGA Group) shall, pursuant to Article 24(2) GDPR, endeavour to adhere to all ICO-approved codes of conduct (pursuant to Article 40 GDPR), and shall, in the future, aim to achieve certification of compliance (pursuant to Article 42 GDPR) from a certification body approved by the ICO or other supervisory authority, when such a certification scheme is implemented.

3.5. Under Article 29 GDPR, any processor engaged on behalf of a CEGA Group company as a controller, or a sub-processor on behalf of a CEGA Group company as a processor, shall process personal data only on the CEGA Group company's instructions. Where the CEGA Group is a controller, and it is reasonably practicable to do so (or necessary), CEGA Group will seek to ensure that the relationship between a processor and the CEGA Group company engaging them is a contractual one, compliant with Article 28 GDPR.

4. Processing personal data Fairly, Lawfully and Transparently

4.1. CEGA Group will keep and maintain a Data Inventory, listing the categories of all the Personal Data that it processes, including specifying the Special Category Personal Data.

4.2. CEGA Group will keep and maintain a Fair Processing Notice (set out at Appendix A to this Privacy Policy) which shall be displayed publicly on all CEGA Group websites & made available to data subjects according to Applicable Data Protection Law.

4.3. CEGA Group will conduct a general Privacy Impact Assessment upon the implementation of GDPR on 25 May 2018, and shall thereafter conduct Privacy Impact Assessments upon developing new procedures or processes, or entering into new forms of business which involve the processing of personal data. The CEGA Group DPO shall be responsible for any prior consultation with the ICO within the meaning of Article 36 GDPR. In particular, any new reliance on automated decision-making (including profiling) under Article 22 GDPR shall be referred to the ICO for prior consultation.

4.4. CEGA Group will act in accordance with all its legal and ethical obligations in respect of personal data, including (but not limited to) Applicable Data Protection Law.

4.5. CEGA Group will give effect to Articles 12-14 GDPR and the Right to Information.

4.6. Any contracts in which both CEGA Group and another entity are both Data Controllers shall where possible specify the division of responsibilities in a manner that maximises the transparency of approach to data subjects, especially with respect to their Data Subject Rights. The CEGA Data Subject Rights Policy details the process by which allocation of responsibility for decision-making in relation to data subject Requests shall be made.

5. Processing personal data for Specified Purposes only

5.1. The CEGA Group DPO will maintain the Data Inventory, which shall include:

5.1.1. as against every type and category of Personal Data the lawful basis (or bases) for its processing, according to Article 6 GDPR;

5.1.2. as against every type and category of Special Category Personal Data, the exemption (or exemptions) relied upon under Article 9(2) GDPR from the prohibition in Article 9(1) GDPR;

5.1.3. as against every type and category of personal data relating to criminal convictions and the like (Article 10 GDPR), the provision of Applicable Data Protection Law which permits such processing (this type of personal data will normally only be processed if CEGA Group are advised of, or discover, fraudulent conduct);

5.1.4. a full record of any circumstances in which CEGA Group as a data controller relies on its own legitimate interests, and consideration of the extent (if at all) to which this infringes upon the principles of the Applicable Data Protection Law.

5.1.5. Where the processing of personal data is for different purposes than the original purposes for which the personal data was obtained, the CEGA Group DPO shall ensure that the new, different, purposes are recorded and rendered distinctive in the Data Inventory, and that a PIA is conducted to ensure compliance with Article 6(4) GDPR as to the compatibility of the new purposes with the original purposes.

6. Data Minimisation

6.1. CEGA Group will only process Personal Data insofar as is reasonably necessary to do so.

6.2. CEGA Group will review its Data Inventory on a periodical basis, no less than once per annum, and the CEGA Group DPO shall certify (no less than annually) that no types or categories of personal data are excessive, or inadequate, or not relevant to the purposes for which that personal data is processed.

7. Data Integrity

7.1. CEGA Group shall ensure, where reasonably practicable, that all personal data it processes shall be accurate and up-to-date.

7.2. The CEGA Data Subject Rights Policy provides for the Right to Rectification, which shall be effected without undue delay on receipt of a written Request from, or on behalf of, a data subject seeking to rectify (including seeking to amplify) their Personal Data.

8. Data Retention

8.1. The CEGA Group Data Retention Policy provides details as to the period for which types and categories of personal data shall be retained, and the lawful basis for that retention.

8.2. In the absence of any justification under the Data Retention Policy, personal data shall be deleted without undue delay, unless paragraph 8.3 applies.

8.3. In limited circumstances, to be recorded in the Data Inventory and the CEGA Retention Policy, and approved in each case in advance by the CEGA Group DPO (who shall report all such approvals to the Board) personal data may be retained beyond the date provided for in the Data Retention Policy, but only if the data subjects are rendered non-identifiable from such data, and in such circumstances Article 11 GDPR shall apply.

9. Appropriate Technical & Organisational Measures

9.1. CEGA Group shall take all appropriate technical and organisational measures to keep Personal Data secure and processed only for the authorised purposes.

9.2. All staff (whether employees, or contractors, or others) must comply with this CEGA Group Privacy Policy and all of the policies mentioned at paragraph 1.6. CEGA Group will incorporate such obligations into all contracts of employment.

9.3. Further provisions as to this principle of Applicable Data Protection Law can be found in the CEGA Group Data Incident Policy and, where relevant, in the Information Security and Data Privacy Policy.

10. Audit and Review

10.1. This Policy shall be reviewed on an annual basis by the CEGA Group DPO and the Boards of each of the CEGA Group Companies and the Senior Leadership Team.

---

APPENDIX A - FAIR PROCESSING NOTICE

This Fair Processing Notice tells you about processing of "personal data" by the CEGA Group .

We may hold and process your personal data in order to provide services relating to the insurance industry. Our activities ('the Services) include claims handling, medical screening, risk assessment, and performing contracts of insurance which can include providing medical assistance abroad. We also provide non-insurance related medical assistance including repatriation, and other services related to our core businesses. When providing the services we are usually "data processors" of your personal data, and the "data controller" is the company with whom you (or your employer or family member) has an insurance policy. Sometimes, though, we may be a joint data controller with the insurance company. If you don't know who is the proper data controller for your personal data, then you can contact us below, and we will check for you.

We are committed to processing all personal data fairly, lawfully, and transparently. To make things simpler, CEGA Group have nominated one data controller, CEGA Group Services Limited, to handle all requests or queries you might have about our processing of your personal data. We have, alongside a number of Charles Taylor Group entities, jointly appointed a CEGA Group Data Protection Officer ("DPO") to oversee compliance with data protection law. Their contact details are: Gordon Bon; The Minster Building, 21 Mincing Lane, London, EC3R 7AG; +44 20 7680 5665, gordon.bon@ctplc.com .

You have various legal rights in your personal data including the right of: information and access to your data, including a "portable" copy of your data; erasure and rectification of your data; and rights to restrict or object to processing of your personal data. Where we rely on your consent to process your personal data you can withdraw that consent at any time. To exercise these data subject rights please contact the following email address: data.protection@cegagroup.com .

The data we generally hold and process includes names, contact details, dates of birth, insurance policies or claims in which you may have been involved. This may include special category personal data including, potentially, information about your medical history, race, ethnicity, sexual orientation, religious beliefs, trade union membership, genetic and biometric data, political opinions, and any other physical or mental health details. This personal data is held only for the purposes of performing the Services.

CEGA Group will almost always obtain your data from its clients who are insurance companies or their clients, who in turn will have obtained it from you or your employer or family member in relation to an insurance policy or employee policy. Alternatively this may have been provided to us by a company in connection with the provision of medical assistance to you.

Our lawful bases for processing personal data include:

• where you have given us your consent, we rely on that consent, including your explicit consent to process special category personal data;
• where you are party to a contract, and that contract requires your personal data to be processed;
• where we may have legal obligations that mean we have to process personal data, including anti-money laundering obligations, checking criminal convictions, checking international sanctions registers and fraud investigation and recovery.
• some aspects of processing personal data in insurance may fall within the "public interest" lawful basis.

In all circumstances, however, we also rely on our legitimate interests, and those of our insurance industry clients or other clients, to ensure that you and the other people who are named under your insurance policy are properly protected by the provision of adequate insurance against the risk of misfortune, or, if the processing is unrelated to an insurance policy, to ensure that medical evidence can be effectively provided to individuals. Where we rely on our legitimate interests, we will always balance them against the rights and freedoms of the people whose personal data we process. Where their rights override our legitimate interests we will cease to process personal data.

From time to time, we may need to disclose personal data to third parties. Sometimes, these will be companies who process on our behalf and only act upon our instructions. Sometimes, these will be individuals and companies who are needed to provide services such as: doctors, clinics and hospitals, air ambulances, taxi services, or other services which may be covered under your insurance policy or company scheme.

From time to time we will need to transfer your personal data outside the European Union. We will, save for exceptional circumstances, only do so:

• to a county in the European Economic Area or that the European Commission has certified as having adequate data protection law;
• under Binding Corporate Rules within our group of companies;
• with your consent, to protect your vital interests, for important reasons of public interest, to perform a contract in your interests, for the defence of legal claims.

We will always keep records of where your data has been sent outside of the EU and you can have access to these records if you wish. We will generally keep personal data for as long as we have a lawful basis (including the legitimate interest basis), or where that lawful basis comes to an end, we may retain it for six years and one year afterwards, for the purposes of litigation. Any data kept after this time will be pseudonymised so that you are no longer identifiable from such data.

There are some very limited circumstances where we, on behalf of our clients, use computer questionnaires to give you a quick decision on whether or not they can provide you with insurance cover, and in some cases to generate a quote based on your individual circumstances, including things which may involve your Special Category Personal Data (like your health data). This is a form of 'automated decision-making', because it compares your answers against our insurance client's criteria, and makes a 'decision' about whether to provide cover and, at times, how much that might cost.

We will not use automatic decision making without either (a) your explicit consent; or (b) with a view to your entering into a contract of insurance with our insurance company client; or (c) in the public interest, according to the UK Data Protection Act 2018. However, if you are not happy with the result of an automated decision, you can request human intervention, express your own views, and/or contest the automated decision by writing to data.protection@cegagroup.com (but please put 'Automated Decision-Making' in the email Subject line).

Further details can be found in our privacy policies.
The CEGA Privacy Policy is accessible online via this link.
CEGA's other data protection policies are available upon request.