1E Privacy Standards

This document outlines the standards that apply to the processing of Personal Data (as defined below) within 1E (the “Standards”).

• “Applicable Law” means the law in the jurisdiction where a 1E is situated, and any other law to which a 1E is subject.
• “Data Protection Authority” or “DPA” means the supervisory authority responsible for monitoring and enforcing compliance with data protection laws in a specific country.
• “Personal Data” refers to personal data of:
  • 1E Staff or Contractors
  • Customers
  • Vendors
  • Job Applicants
• “Personal Data” means information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.

These Standards apply to the processing of Personal Data by 1E.

At 1E, personal data is processed in accordance with the 1E Privacy Policy and complies with the following principles:

• Personal Data will be processed transparently, fairly, and lawfully. Data subjects will be informed of the purposes for which their personal data may be processed, the legal basis for processing, and other relevant information required by applicable Privacy Laws. This information will also include details of the rights available to data subjects under applicable Privacy Laws.
• Personal Data will be collected for legitimate business purposes and will not be further processed in any way that is incompatible with those purposes.
• Sensitive Personal Information will be processed only when strictly necessary for the firm’s business purposes and in accordance with the requirements of applicable Privacy Laws.
• Appropriate steps will be taken to ensure that Personal Data collected and processed is adequate but not excessive, relevant, accurate, and, where necessary, kept up to date.
• Personal Data will be retained only as long as necessary to fulfill the purposes for which it was collected, unless otherwise required by applicable law.

• Taking into account the state of the art and the cost of implementation, 1E will take appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, damage, unauthorized disclosure or access, and against all other unlawful forms of processing. These measures will ensure a level of security appropriate to the risks represented by the processing and the nature of the Personal Data to be protected, ensuring that sensitive personal data and other highly confidential information receive enhanced protection.
• 1E will ensure the reliability of 1E staff and contractors with access to or responsibility for Personal Data, including processing Personal Data in accordance with 1E’s instructions.

• When 1E engages a Vendor to process Personal Data on its behalf, 1E will select a Vendor that provides appropriate assurances regarding the security level employed for the Personal Data to be processed. 1E will ensure that a contract is entered into with the Vendor that addresses relevant requirements of applicable Privacy Laws.
• For cross-border transfers, 1E will ensure such transfers comply with the requirements of applicable Privacy Laws. Where required by law, 1E will establish safeguards to protect Personal Data and the rights of individuals. These safeguards may include contracts, contractual clauses, multiparty data transfer agreements, or intragroup agreements.

1E maintains privacy and security awareness training, focusing on educating all staff and contractors about privacy, security, and best practices.

All 1E personnel are required to comply with these Standards and must indicate their acceptance of these Standards upon joining the firm.

1E commits to implementing measures to assess and verify compliance with these Standards and applicable data protection legislation.

1E acknowledges that data subjects have the following rights concerning their data:

• Right of Access: Data subjects may request access to their personal information, including requesting a copy thereof.
• Right to Rectification: Data subjects may request to update or correct any inadequate, incomplete, or inaccurate personal information.
• Right to Erasure: Data subjects may request erasure of their personal information if it is no longer necessary for the purposes it was collected, it is being processed unlawfully, or they have withdrawn their consent to such processing (where processing is based on their consent).
• Right to Restrict Processing: Data subjects may request that further processing of their personal information cease.
• Right to Data Portability: Data subjects may request their personal information in a structured, commonly used, and machine-readable format for their use or transfer.
• Right to Object: Data subjects may object to 1E’s processing of their personal information for direct marketing purposes.
• Right to Withdraw Consent: Where 1E processes data subjects’ personal information based on their consent, data subjects have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• Right to Lodge a Complaint: Data subjects have the right to lodge a complaint with a supervisory authority if they believe 1E’s processing of their personal information violates data protection regulations.

1E acknowledges that data subjects are entitled to enforce the following rights against 1E regarding their Personal Data:

• The right to obtain a copy of these Standards upon request.
• The right to receive a response within a reasonable time, and no later than one month after the request is made.
• The right to make a complaint and obtain appropriate redress for a breach of these Standards by 1E.
• The right to lodge a complaint with a Data Protection Authority in the European Economic Area in the country of habitual residence, place of work, or location of the alleged infringement of these Standards.

Data subjects wishing to enforce their rights should contact DPO@1E.com or fill out the request form.