Dash Global Limited

DATA PROTECTION POLICY

CONTENTS 

CLAUSE 

1. Interpretation
2. Introduction
3. Scope
4. Personal data protection principles
5. Lawfulness, fairness, transparency
6. Purpose limitation
7. Data minimisation
8. Accuracy
9. Storage limitation
10. Security integrity and confidentiality
11. Transfer limitation
12. Data Subject's rights and requests
13. Accountability
14. Changes to this Privacy Policy
15. Acknowledgement of receipt and review

1. Interpretation 

1.1 Definitions: 

Consent: agreement which must be freely given, specific, informed and be an  unambiguous indication of the Data Subject's wishes by which he or she, by a  statement or by a clear positive action, signifies agreement to the Processing of  Personal Data relating to them. 

Data Controller: the person or organisation that determines when, why and how  to process Personal Data. It is responsible for establishing practices and policies in  line with the GDPR. We are the Data Controller of all Personal Data which we hold  and use. 

Data Subject: a living, identified or identifiable individual including children about  whom we hold Personal Data. Data Subjects may be nationals or residents of any  country and may have legal rights regarding their Personal Data. 

Data Privacy Impact Assessment (DPIA): tools and assessments used to  identify and reduce risks of a data processing activity. DPIA should be conducted  for all major system or business change programmes involving the Processing of  Personal Data. 

Data Protection Officer (DPO): the person required to be appointed in specific  circumstances under the GDPR. Where a mandatory DPO has not been appointed,  this term means a data protection manager or other voluntary appointment of a  DPO or refers to a data privacy team with responsibility for data protection  compliance. That post is held by Louise Marshall of Dragon Argent who can be  reached at dpo@dash-global.com 

EEA: the 28 countries in the EU, and Iceland, Liechtenstein and Norway. 

Experts: The real world evidence specialists and technologists/CTO who deliver  the disease companions in collaboration with advocacy partners. The director /  senior positions are held by Andrew Turner and Lee Wemyss of Dash Global Limited  who can be reached at info@dash-global.com 

Explicit Consent: consent which requires a very clear and specific statement (that  is, not just action). Explicit Consent is required for the Processing of Special  Categories of Data. 

General Data Protection Regulation (GDPR): the General Data Protection  Regulation (Regulation (EU) 2016/679). Personal Data is subject to the legal  safeguards specified in the GDPR. 

Personal Data: any information identifying a Data Subject or information relating  to a Data Subject that we can identify (directly or indirectly) from that data alone  or in combination with other identifiers we possess or can reasonably access.  Personal Data includes Special Categories of Data and Pseudonymised Personal  Data but excludes anonymous data or data that has had the identity of an individual 

permanently removed. Personal data can be factual (for example, a name, email  address, location or date of birth) or an opinion about that person's actions or  behaviour.  

Personal Data Breach: any act or omission that compromises the security,  confidentiality, integrity or availability of Personal Data or the physical, technical,  administrative or organisational safeguards that we or our third-party service  providers put in place to protect it. The loss, or unauthorised access, disclosure or  acquisition, of Personal Data is a Personal Data Breach. 

Privacy Notices (also referred to as Fair Processing Notices): separate  notices setting out information that may be provided to Data Subjects when Dash  Global Ltd collects information about them. These notices may take the form of  general privacy statements applicable to a specific group of individuals (for  example, Employee Privacy Notice, Expert Privacy Notice or Member Privacy  Notice) or they may be stand-alone, one-time privacy statements covering  Processing related to a specific purpose. 

Processing or Process: any activity that involves the use of Personal Data. It  includes obtaining, recording or holding the data, or carrying out any operation or  set of operations on the data including organising, amending, retrieving, using,  disclosing, erasing or destroying it. Processing also includes transmitting or  transferring Personal Data to third parties. 

Pseudonymisation or Pseudonymised: replacing information that directly or  indirectly identifies an individual with one or more artificial identifiers or  pseudonyms so that the person, to whom the data relates, cannot be identified  without the use of additional information which is meant to be kept separately and  secure. 

Related Policies: Dash Global Ltd’s policies, operating procedures or processes  related to this Privacy Policy and designed to protect Personal Data, for example  Data Subject Access Request Form and Data Breach Notification Procedure. 

Special Categories of Data: sensitive personal information revealing racial or  ethnic origin, political opinions, religious or similar beliefs, trade union membership,  physical or mental health conditions, sexual life, sexual orientation, biometric or  genetic data, and Personal Data relating to criminal offences and convictions.  

2. Introduction 

This Privacy Policy sets out how the Dash Global Limited ("we", "our", "us", "Dash Global")  handle the Personal Data of our Members, Experts and employees and any other Data  Subjects.  

This Privacy Policy applies to all Personal Data we Process regardless of the media on  which that data is stored or whether it relates to past or present Members, Experts  employees and any other Data Subjects. 

All Dash Global Ltd employees and Experts ("you", "your") must comply with this Privacy  Policy. You must read, understand and adhere to this Privacy Policy when Processing  Personal Data on our behalf and attend training on its requirements. This Privacy Policy  sets out what we expect from you in order for Dash Global Ltd to comply with applicable  law. Your compliance with this Privacy Policy is mandatory. Related Policies are available  to help you interpret and act in accordance with this Privacy Policy. You must also comply  with all such Related Policies and guidelines.  

This Privacy Policy (together with Related Policies) is an internal document and cannot be  shared with third parties, clients or regulators without prior authorisation from the CTO or DPO. 

3. Scope 

Protecting the confidentiality and integrity of Personal Data is a critical responsibility that  we take seriously at all times. Dash Global is accountable for compliance with the  provisions of the GDPR. 

All at Dash Global, including: [the CEO, the CTO and other senior staff] are responsible for  ensuring all personnel comply with this Privacy Policy and need to implement appropriate  practices, processes, controls and training to ensure such compliance.  

The DPO is responsible for overseeing this Privacy Policy and, as applicable, developing  Related Policies and guidelines. 

Please contact the DPO with any questions about the operation of this Privacy Policy or  the GDPR or if you have any concerns that this Privacy Policy is not being or has not been  followed.  

4. Personal data protection principles 

We adhere to the principles relating to Processing of Personal Data set out in the GDPR  which require Personal Data to be: 

(a) Processed lawfully, fairly and in a transparent manner (Lawfulness,  Fairness and Transparency).  

(b) Collected only for specified, explicit and legitimate purposes (Purpose  Limitation). 

(c) Adequate, relevant and limited to what is necessary in relation to the  purposes for which it is Processed (Data Minimisation).  

(d) Accurate and where necessary kept up to date (Accuracy). 

(e) Not kept in a form which permits identification of Data Subjects for longer  than is necessary for the purposes for which the data is Processed (Storage  Limitation).

(f) Processed in a manner that ensures its security using appropriate technical  and organisational measures to protect against unauthorised or unlawful  Processing and against accidental loss, destruction or damage (Security,  Integrity and Confidentiality). 

(g) Not transferred to another country without appropriate safeguards being  in place (Transfer Limitation). 

(h) Made available to Data Subjects on request (Data Subject's Rights and  Requests). 

We are responsible for and must be able to demonstrate compliance with the data  protection principles listed above (Accountability). 

5. Lawfulness, fairness, transparency 

5.1 Lawfulness and fairness 

Personal data must be Processed lawfully, fairly and in a transparent manner in relation  to the Data Subject. This means that you may only collect, process and share Personal  Data for a specified purpose or purposes (for example, undertaking research projects  for/with NHS Trusts, universities, charities and industry) based on a specified legal basis  (or ground) for Processing.  

Under the GDPR there are only six legal grounds for Processing of Personal Data available  set out below: 

(a) Consent (see section 5.2 below for the new GDPR requirements for  consent); 

(b) Entering into or performing a contract with the Data Subject; 

(c) Compliance with a legal obligation to which we are subject;  

(d) Protection of the vital interests of the individual or another person; 

(e) Necessary for the purposes of Dash Global’s own (or any third party’s)  legitimate interests except where these interests are overridden by the  interests or fundamental rights and freedoms of Data Subjects. Before  using legitimate interests as a legal basis for any Processing, you must  contact the DPO; or 

(f) Necessary for the performance of a task carried out in the public interest  or in the exercise of official authority. 

You must determine the legal basis being relied on for each new Processing activity and  the purpose(s) before you start Processing Personal Data.  

If you want to use Personal Data for a new or different purpose not compatible with the  original purpose(s) you will need to consider a new lawful basis for Processing and notify  the relevant Data Subjects with an updated privacy notice.

5.2 Consent 

Consent is one of the lawful bases for Processing Personal Data under the GDPR. 

The GDPR sets a new higher standard to obtain Consent from a Data Subject. It must be  freely given, specific, informed and unambiguous and easily withdrawn. To make sure your  Processing based on Consent meets the GDPR requirements, it must be: 

Unbundled: request for Consent must be separate from other terms and  conditions. Consent should not be a precondition of signing up to a service  unless necessary for that service; 

Active opt-in: Consent requires affirmative action, so pre-ticked opt-in  boxes are invalid, use unticked opt-in boxes or similar active opt-in methods  (e.g. a binary choice given equal prominence); 

Granular: you must give separate options to consent for different types (or  purposes) of Processing wherever appropriate; 

Named: you must name Dash Global and any third parties who will be  relying on Consent; even precisely defined categories of third-party  organisations are not acceptable under the GDPR; 

Documented: you must keep records to demonstrate what the Data  Subject has consented to, including what they were told, and when and how  they consented; 

Easy to withdraw: Data Subjects must be able to withdraw Consent to  Processing at any time and withdrawal must be promptly honoured. It must  be as easy to withdraw as it was to give Consent. This means you must  have simple and effective withdrawal mechanisms in place; 

No imbalance in the relationship: Consent will not be freely given if there  is imbalance in the relationship between the Data Subject and the Data  Controller (e.g. employee vs. employer). 

In addition, Consent may need to be refreshed or renewed if you intend to Process Personal  Data for a different and incompatible purpose which was not disclosed at the time when  the Data Subject first gave his or her Consent. 

Explicit Consent is usually required for Processing Special Categories of Personal Data, for  Automated Decision-Making and for cross border data transfers. Usually we will be relying  on another legal basis (and not require Explicit Consent) to Process most types of Special  Categories of Data. Where Explicit Consent is required, you must issue a separate Fair  Processing Notice to the Data Subject to capture Explicit Consent.

You will need to evidence Consent obtained and keep records of all individual Consents so  that Dash Global can demonstrate its compliance with Consent requirements. 

To review existing Consent or to seek a new Data Subject’s Consent under the GDPR, refer  to the latest version of the Consent Checklist set out in the ICO’s GDPR Consent Guidance  on: https://ico.org.uk/  

5.3 Transparency (notifying data subjects) 

The GDPR requires Data Controllers to provide detailed, specific information to Data  Subjects depending on whether the information was collected directly from Data Subjects  or from elsewhere. Such information must be provided through appropriate Privacy Notices  or Fair Processing Notices which must be concise, transparent, intelligible, easily  accessible, and in clear and plain language so that a Data Subject can easily understand  them. 

Whenever we collect Personal Data directly from Data Subjects, including for human  resources or employment purposes, we must provide the Data Subject with all the  information required by the GDPR including the identity of the Data Controller and DPO,  how and why we will use, Process, disclose, protect and retain that Personal Data through  a Fair Processing Notice which must be presented when the Data Subject first provides the  Personal Data to us. 

When Personal Data is collected indirectly (for example, from a third party or publicly  available source), you must provide the Data Subject with all the information required by  the GDPR as soon as possible but no later than within a month after collecting/receiving  the data. You must also check that the Personal Data was collected by the third party in  accordance with the GDPR and on a basis which contemplates our proposed Processing of  that Personal Data.  

6. Purpose limitation  

Personal Data must be collected only for a specified, explicit and legitimate purpose. It  must not be further Processed in any manner incompatible with the original purpose.  

You cannot use Personal Data for new, different or incompatible purposes from that  disclosed to the Data Subject when it was first obtained from them unless you have  informed him or her of the new purposes and they have consented where necessary. 

7. Data minimisation 

Personal Data must be adequate, relevant and limited to what is necessary in relation to  the purpose for which it was first collected. 

You may only collect and Process Personal Data that you require for your job duties: do  not collect excessive data and do not Process Personal Data for any reasons unrelated to 

your job duties. Ensure any Personal Data collected is adequate and relevant for the  intended purposes. 

You must ensure that when Personal Data is no longer needed for specified purposes, it is  deleted or anonymised in accordance with the Caldicott principles and NHS digital security  and data protection guidelines. 

8. Accuracy 

Personal Data must be accurate and, where necessary, kept up to date. It must be  corrected or deleted without delay when inaccurate. 

You must ensure that the Personal Data we use and hold is accurate, complete, kept up  to date and relevant to the purpose for which we collected it. You must check the accuracy  of any Personal Data at the point of collection and at regular intervals afterwards. You  must take all reasonable steps to destroy or amend inaccurate or out-of-date Personal  Data. 

9. Storage limitation 

Personal Data must not be kept in an identifiable form for longer than is necessary for the  purposes for which the data was collected and is processed. 

You must not keep Personal Data in a form which permits the identification of the Data  Subject for longer than needed for the legitimate business purpose or purposes for which  we originally collected it including for the purpose of satisfying any legal, accounting,  clinical or reporting requirements.  

Dash Global maintains a Records Retention Schedule to ensure Personal Data is deleted  where it is no longer required for the purpose it was originally collected, unless a law  requires such data to be kept for a certain amount of time. Please refer to Dash Global’s Records Retention Schedule to identify the relevant retention periods. 

You must take all reasonable steps to destroy or erase from our systems (electronic and  paper) all Personal Data that we no longer require in accordance with the Advocacy  Partners’ Records Retention Schedule. This includes requiring third parties to delete such  data where applicable. 

You must ensure Data Subjects are informed of the period for which data is stored and  how that period is determined in any applicable Privacy Notice or Fair Processing Notice.  

10. Security integrity and confidentiality 

10.1 Protecting Personal Data

Personal Data must be secured by appropriate technical and organisational measures  against unauthorised or unlawful Processing, and against accidental loss, destruction or  damage. 

Dash Global is responsible for protecting the Personal Data it holds. Dash Global has and  will continue to develop, implement and maintain safeguards appropriate to our size, scope  and business, our available resources, the amount of Personal Data that we own or  maintain on behalf of others and identified risks (including use of encryption and  Pseudonymisation where applicable). We regularly evaluate and test the effectiveness of  those safeguards to ensure security of our Processing of Personal Data. You must  implement reasonable and appropriate security measures against unlawful or  unauthorised Processing of Personal Data and against the accidental loss of, or damage  to, Personal Data. You must exercise particular care in protecting Special Categories of  Personal Data from loss and unauthorised access, use or disclosure. 

You must follow all procedures and technologies we put in place to maintain the security  of all Personal Data from the point of collection to the point of destruction. You may only  transfer Personal Data to third-party service providers who agree to comply with the  required policies and procedures and who agree to put adequate measures in place, as  requested. 

You must maintain data security by protecting the confidentiality, integrity, availability  and resilience of the Personal Data, defined as follows: 

(a) Confidentiality means that only people who have a need to know and are  authorised to use the Personal Data can access it. 

(b) Integrity means that Personal Data is accurate and suitable for the  purpose for which it is processed. 

(c) Availability means that authorised users are able to access the Personal  Data when they need it for authorised purposes.  

(d) Resilience means that Personal Data is able to withstand and recover from  threats. 

You must comply with all applicable aspects of our INFORMATION SECURITY POLICY and  not attempt to circumvent the administrative, physical and technical safeguards we  implement and maintain in accordance with the GDPR and relevant standards to protect  Personal Data.  

10.2 Reporting a Personal Data Breach 

The GDPR requires Data Controllers to notify any Personal Data Breach to the applicable  supervisory authority and, in certain instances, the Data Subject. Dash Global’s lead  supervisory authority is the UK’s Information Commissioner’s Office (ICO).

We have put in place procedures to deal with any suspected Personal Data Breach and will  notify Data Subjects or the ICO where we are legally required to do so. 

If you know or suspect that a Personal Data Breach has occurred, do not attempt to  investigate the matter yourself. Immediately contact the DPO and the CEO and CTO and  follow the Data Breach Notification Procedure. You should preserve all evidence relating to  the potential Personal Data Breach. 

11. Transfer limitation 

The GDPR restricts data transfers to countries outside the EEA unless the adequate level  of data protection afforded to individuals under the GDPR is ensured.  

Our servers are based in the UK and we do not transfer the personal information we collect  outside the EEA.  

12. Data Subject's rights and requests 

Data Subjects have rights when it comes to how we handle their Personal Data.  These include rights to: 

(a) Request access to the personal information (commonly known as a “data  subject access request”). This enables an individual to receive a copy of  the personal information we hold about them and to check that we are  lawfully processing it. 

(b) Request correction of the personal information that we hold about an  individual. This enables a Data Subject to have any incomplete or  inaccurate information we hold about them corrected. 

(c) Request erasure of the personal information. This enables an individual  to ask us to delete or remove personal information where there is no good  reason for us continuing to process it. Data Subjects also have the right to  ask us to delete or remove their personal information where they have  exercised their right to object to processing (see below). 

(d) Object to processing of the personal information where we are relying  on legitimate interests (or those of a third party) and there is something  about Data Subject’s particular situation which makes them want to object  to processing on this ground. Individuals also have the right to object  where we are processing their personal information for direct marketing  purposes. 

(e) Request the restriction of processing of the personal information. This  enables individuals to ask us to suspend the processing of personal  information about them, for example if they want us to establish its  accuracy or the reason for processing it. 

(f) Request the transfer of the personal information to another party. This  is also called the right of portability of personal data. Individuals can 

10 

request transfer of their data to a third party in a structured, commonly  used and machine readable format in limited circumstances only. This right  is unlikely to apply to personal data Processed by us. 

You must verify the identity of an individual requesting data under any of the rights listed  above (do not allow third parties to persuade you into disclosing Personal Data without  proper authorisation).  

You must immediately forward any Data Subject request you receive to the DPO, CEO and  CTO and comply with Dash Global’s Data Subject Request Procedure. 

13. Accountability 

13.1 Dash Global as the Data Controller must implement appropriate technical and  organisational measures in an effective manner, to be able to demonstrate our compliance with data protection principles under the GDPR. The adequate  resources and controls include: 

(a) appointing a suitably qualified DPO or an executive accountable for data  privacy;  

(b) completing DPIAs where Processing presents a high risk to rights and  freedoms of Data Subjects;  

(c) integrating data protection into internal documents including this Privacy  Policy, Related Policies, guidelines, Privacy Notices or Fair Processing  Notices; 

(d) regularly training Dash Global employees and Experts on the GDPR, this  Privacy Policy, Related Policies and guidelines and data protection matters  including, for example, Data Subject's rights, Consent, legal basis, DPIA  and Personal Data Breaches. Dash Global must maintain a record of  training attendance by Dash Global employees and Experts; and  

(e) regularly testing the privacy measures implemented and conducting  periodic reviews and audits to assess compliance and security of data,  including using results of testing to demonstrate improvement efforts. 

13.2 Record keeping 

The GDPR requires us to keep full and accurate records of all our data Processing activities.  

In order to manage our compliance with the record keeping requirement under the GDPR,  all our data Processing activities are recorded in our DG Information Asset Register required by Article 30 of the GDPR. You must keep and maintain accurate corporate  records reflecting data Processing activities under your control including records of Data  Subjects' Consents and procedures for obtaining Consents. 

These records should include, at a minimum, the name and contact details of the Data  Controller and the DPO, clear descriptions of the Personal Data categories, Personal Data 

11 

types, Processing activities, Processing purposes, third-party recipients of the Personal  Data (if any), Personal Data storage locations, Personal Data transfers, retention periods  and a description of the security measures in place.  

13.3 Training and audit 

We are required to ensure all Dash Global employees and Experts have undergone  adequate training to enable them to comply with data privacy laws. We must also regularly  test our systems and processes to assess compliance.  

You must regularly review all the systems and processes under your control to ensure they  comply with this Privacy Policy and check that adequate governance controls and resources  are in place to ensure proper use and protection of Personal Data.  

13.4 Data Protection Impact Assessment (DPIA) 

Data controllers must conduct DPIAs in respect to high-risk Processing.  

You should conduct a DPIA (and discuss your findings with the DPO) when implementing  major system or business change programmes involving the Processing of Personal Data  including: 

(a) use of new technologies (programmes, systems or processes), or changing  technologies (programmes, systems or processes); 

(b) large scale, systematic monitoring of a publicly accessible area. 

A DPIA must include: 

(c) a description of the Processing, its purposes and the Data Controller's  legitimate interests if appropriate;  

(d) an assessment of the necessity and proportionality of the Processing in  relation to its purpose;  

(e) an assessment of the risk to individuals; and  

(f) the risk mitigation measures in place and demonstration of compliance. 13.5 Direct marketing  

We are subject to certain rules and privacy laws when promoting Dash Global.  

For example, a Data Subject's prior consent is required for electronic direct marketing (for  example, by email, text or automated calls). The limited exception for existing customers  known as "soft opt in" allows organisations to send marketing texts or emails if they have  obtained contact details in the course of a sale to that person, they are marketing similar 

12 

products or services, and they gave the person an opportunity to opt out of marketing  when first collecting the details and in every subsequent message.  

A Data Subject's objection to direct marketing must be promptly honoured. If a Data  Subject opts out at any time, their details should be suppressed as soon as possible.  

13.6 Sharing Personal Data with third parties 

Generally we are not allowed to share Personal Data with third parties unless certain  safeguards and contractual arrangements have been put in place.  

You may only share the Personal Data we hold with another employee, Expert or  representative of Dash Global if the recipient has a job-related need to know the  information and the transfer complies with cross-border transfer restrictions as described  in clause 11 above. 

You may only share the Personal Data we hold with third parties, such as our service  providers if: 

(a) they have a need to know the information for the purposes of providing  the contracted services;  

(b) sharing the Personal Data complies with the Privacy Notice provided to the  Data Subject and, if required, the Data Subject's Consent has been  obtained; 

(c) the third party has agreed to comply with the required data security  standards, policies and procedures and put adequate security measures in  place; 

(d) the transfer complies with any applicable cross border transfer restrictions;  and  

(e) a fully executed written contract that contains GDPR approved third party  clauses has been obtained. 

14. Changes to this Privacy Policy  

We reserve the right to change this Privacy Policy at any time. We will notify you of any  changes and provide you with the updated copy of this Privacy Policy. 

13 

15. Acknowledgement of receipt and review 

I, Lee Wemyss), acknowledge that on 31 January 2021I received and read a copy  of the Dash Global Privacy Policy, dated 31 January 2021 and understand that I am  responsible for knowing and abiding by its terms. I understand that the information  in this Privacy Policy is intended to help Dash Global employees and Experts work  together effectively on assigned job responsibilities and assist in the use and  protection of Personal Data. This Privacy Policy does not set terms or conditions of  employment or form part of an employment contract.

Name Lee Andrew Wemyss
Date 31 January 2021