Privacy policy

Privacy Notice

Last Updated 12^th November 2025

Contents

Scope of this Privacy Notice: Who is Williams Lea?
Who Are You?
What is a Privacy Notice?
General Interactions With Us
How We Protect Your Data
How We Keep On Top of Privacy
The Laws We Follow
How We May Share Your Personal Data
When We Transfer Personal Data
Internationally
Your Rights as a Data Subject and How to Access
Them
Web Visitor Tracking – Use of Cookies
Changes to the Privacy Notice
How Can We Help You? – Contacting Williams Lea

Scope of this Privacy Notice: Who is Williams Lea?

This Privacy Notice applies to Williams Lea Limited, Williams Lea LLC, and their
global subsidiaries or related entities under common ownership (collectively
referred to as “WL Group” or “WL”). WL is part of the R.R. Donnelley group of
companies. Throughout this notice, “WL” refers to all covered entities.

For the purposes of this notice “Services” do NOT include:

WL products or services for which a separate privacy notice is provided (if
any); or
Third Party Products. These are third party products or services that you may
choose to integrate with WL products or services, such as third-party add-ons,
plugins or any separate software or other services whatsoever. You should always
review the policies of third-party products and services to make sure you are
comfortable with the ways in which they collect and use your information.
The business activities of our parent company R.R Donnelley and Sons

Unless otherwise stated, our SaaS Products and our other Products and Services are
treated the same for the purposes of this Privacy Notice.

Please note that The Stationery Office Ltd (TSO), although a subsidiary of WL,
operates its own services and websites and maintains separate privacy notices
tailored to those offerings. If you are engaging specifically with TSO, please
review its dedicated privacy notices, which can be accessed via TSO’s websites or
using the links below:

The Stationery Office

TSO Shop

Who Are You?

WL Client Employee
(your
employer is our client and buys services from us)

Controller or Processor

WL may act as either a Controller or a Processor of your personal
data, depending on the context in which it is processed.

We act as a Controller when we process your personal data to manage our
business relationship with your employer — for example, for service oversight,
billing, or account management. In these cases, WL determines the purposes and means
of processing. We may also process your personal data as a Controller for marketing
purposes, such as sending you information about WL services, events, or updates that
may be relevant to your role or organization, where permitted by law. You can opt
out of such communications at any time by following the instructions provided in the
communication or by contacting us directly.

We act as a Processor when we process your personal data solely on behalf of
your employer, and in accordance with their instructions — for example, when
delivering contracted services such as reception or facilities management, or when
providing access to WL SaaS Products that your employer has elected to use, or other
systems or tools used in the provision of those services to your employer. The rest
of this section covers WL processing of your data as a Controller.

This section does not apply to personal data of your employer’s customers that you
may pass to WL for processing. For information on how WL handles customer data on
behalf of clients, please refer to the section titled Customer of a WL Client.

The data we collect, hold or process

We collect, store and use your business contact details, such as name, work address,
telephone numbers, mobile numbers and email addresses.

We also hold letters, emails, voicemails (if you leave one for us) and other typical
business documents (e.g. spreadsheets and documents) relating to our business
interactions. Some of these business documents may hold details about you. We also
use customer relationship management systems, like Salesforce, to store details of
our interactions with you as your suppliers.

If you are visiting one of our locations or offices we may record CCTV images of you
– CCTV is one of security mechanisms to prevent and detect any unauthorized access
to our sites and secure areas.

As part of our billing process we may also hold financial information relating to
your organization which may include account holder details.

Special categories of data

We do not hold any personal data relating to your racial or ethnic origin, political
opinions, religious or philosophical beliefs, trade union membership, genetic or
biometric data for the purposes of uniquely identifying you, data concerning your
health, sex life or sexual orientation.

We do not hold any information related to your children.

Why we collect, hold or process your personal data

This data is collected as part of general business interactions we have with you
including the pre-sales, sales and post-sales activity between our organizations.
For example, the daily interactions between our client-facing teams and your
business, or as part of the account management processes between our account
directors and your organization’s employees that manage the relationship between us.

Why we are permitted to collect, hold or process your personal data

We are performing a service for you or your organization as part of a contract or we
have a legitimate business purpose to hold the personal data about you and
potentially your colleagues at our client so we can carry out usual business
operations with you.

Purpose of Processing	Legal Basis
To deliver services to you or your organization	Performance of a contract
To maintain business operations and communications, including marketing services and technologies relevant to your employer with you	Legitimate interests – to manage client relationships and deliver services effectively

What would happen if we cannot hold your data?

It would not be possible to continue operating the services we provide to your
organization if we were not able to hold and process this data.

If you are no longer working for a client of WL then as a result of our regular data
reviews and refreshes, your data will be deleted in line with our retention
policies, unless we are required to keep it for legal, regulatory, or operational
reasons. For example, we may retain email instructions of communications that form
part of audit trail or are necessary to evidence work undertaken.

If you are no longer working for one of our clients but have chosen to share your new
contact details with WL these contact details may be held for future pre-sales
activity between us.

How long we keep your data for

Our default position is only to keep personal data for as long as is necessary for us
to perform the service for you, unless there is a legal requirement for us to hold
the data for a longer period of time e.g. for tax purposes we may need to keep
copies of invoices which could hold the personal data of a former client’s employee
or a current client’s ex-employee.

If we do need to keep data for legal purposes we will not use that data for any other
purposes and we will protect it from loss, alteration or unauthorized access.

Automated decision making or profiling of you

We do not use your personal data to profile you or to make any automated decisions
about you.

Suppliers we use

We use a number of suppliers to help us maintain business interactions with you.

If one of our suppliers has access to and processes your personal data we will check
that the supplier keeps your data confidential, has the processes and technology in
place to keep your personal data secure and does not use your data for any reason
other than in accordance with the set of processing instructions we have agreed with
them.

We also make sure that the supplier does not transfer your data internationally
without the required permission and legal frameworks in place.

All the necessary privacy requirements will be put in place through the contracts
between us and our suppliers to allow them to hold and process your personal data.

Other countries your data may be transferred to

We are a global organization and this means some of our systems and offices are
located around the world.

As not every country has the same rules and regulations about the privacy of your
data we make sure that when we transfer your personal details outside of the
European Union (or wider European Economic Area) we protect your data appropriately.

If we transfer your personal data to another country outside of the EU we first check
whether the EU Commission has made a finding of adequacy in respect to their privacy
laws prior to any transfer occurring. Failing that, we put in
place Standard Contractual Clauses (also called Model
Clauses or Data Transfer Agreements) between ourselves (WL) and the organization or
business that is to receive that data.

For other countries with specific international transfer requirements, we take into
account and comply with the relevant local laws governing cross-border data
transfers.

Other useful information

Please review the main body of this Privacy Notice for information about

How to contact WL
Your rights related to your personal data as a client employee of WL

WL Supplier Employee
(you
or
your employer provide us with a service)

Controller or Processor

We are considered Controllers of your personal data that you share
with us. This is because we decide the reasons for collecting, holding and using
your data. We also decide the ways in which we process your data.

The data we collect, hold or process

We collect, store and use your business contact details, such as name, work address,
telephone numbers, mobile numbers and email addresses.

If you are visiting one of our WL sites we may record CCTV images of you – CCTV is
one of security mechanisms to prevent and detect any unauthorized access to our
sites and secure areas.

As part of our payment processes we may also hold financial information relating to
your company which may include account holder details.

Special categories of data

We do not hold any information related to your children.

Why we collect, hold or process your personal data

This data is collected as part of the pre-engagement and ongoing supplier
relationship activity between our organizations. For example the daily interactions
between your WL-facing teams and our business, or as part of the account management
processes between our account directors and your organization’s employees that are
part of the business relationship between us.

Why we are permitted to collect, hold or process your personal data

You are performing a service for us as part of a contract and we need to hold the
personal data about you and potentially your colleagues at our supplier so we can
carry out usual business operations with you.

Purpose of Processing	Legal Basis
To receive services from your organization	Performance of a contract
To maintain business operations and communications with you	Legitimate interests – to manage supplier relationships and ensure service delivery

What would happen if we cannot hold your data

It would not be possible to continue operating the business relationship between our
organizations if we were not able to hold and process this data.

If you are no longer working for a supplier of WL as a result of our regular data
reviews and refreshes, your data will be deleted in line with our retention policy,
unless we are required to keep it for legal, regulatory, or operational reasons. For
example, we may retain email instructions of communications that form part of audit
trail or are necessary to evidence work undertaken.

How long we keep your data for

Our default position is to only keep personal data for as long as is necessary i.e.
the duration of our business relationship, unless there is a legal requirement for
us to hold the data for a longer period of time e.g. for tax purposes we may need to
keep copies of your invoices which could hold the personal data of a former employee
of yours.

If we do need to keep data for legal purposes, we will not use that data for any
other purposes and we will protect it from loss, alteration or unauthorized access.

Automated decision making or profiling of you

We do not use your personal data to profile you or to make any automated decisions
about you.

Suppliers we use

We use a number of suppliers to help us maintain business interactions with you.

We also make sure that the supplier does not transfer your data internationally
without the required permission and legal frameworks in place.

All the necessary privacy requirements will be put in place through the contracts
between us and our suppliers to allow them to hold and process your personal data.

Other countries your data may be transferred to

We are a global organization and this means some of our systems and offices are
located around the world.

For other countries with specific international transfer requirements, we take into
account and comply with the relevant local laws governing cross-border data
transfers.

Other useful information

Please review the main body of this Privacy Notice for information about

How to contact WL
Your rights related to your personal data as a supplier employee to WL

Customer of a WL
Client
(we
received your personal data from one of our Clients)

Controller or Processor

We are considered Processors of your personal data that our client
has shared with us.

This is because we do not decide the reasons for collecting, holding and using your
data, instead we have received specific instructions from our client to process your
data – and you are a customer of our client.

Our client collected your data (or you shared it with them) and they have told us how
to hold and process your data. In this relationship our client is considered the
Controller of your personal data.

The data we collect, hold or process

We do not collect any of your personal data, it is passed to us by our client and we
handle it and process it by following an agreed set of processes or instructions
from our client.

The nature of the data we may process about you will vary, depending on the services
we perform for our client.

To identify the personal data our client holds about you please contact them
directly. They are required to have a Privacy Notice (like this one) available for
their customers – and their Privacy Notice should give you these details.

Special categories of data

Only if our client has strictly instructed us to, it is possible that we might
process personal data relating to your racial or ethnic origin, political opinions,
religious or philosophical beliefs, trade union membership, genetic or biometric
data for the purposes of uniquely identifying you, data concerning your health, sex
life or sexual orientation.

Similarly we might also process information related to your children.

Why we collect, hold or process your personal data

As we said above, we do not collect any of your personal data, it is passed to us by
our client because we have entered into a legal contract with them which requires us
to process your personal data.

Your data is processed by following an agreed set of processes or instructions from
our client.

For example, our client could be from the banking or legal sector. WL may provide
document production services, or mailroom services to our client. In providing
these services we may interact with documents or correspondence in which your data
is contained in relation to services you access as a customer of the client.

Why we are permitted to collect, hold or process your personal data

We are performing a service for our client as part of a contract and we need to
process your personal data so we can carry out the instructions of our client.

Purpose of Processing	Legal Basis	Controller Responsibility
To deliver services to our client in accordance with their instructions	Determined by the data controller	The client (data controller) is responsible for identifying and communicating the legal basis

What would happen if we cannot hold your data?

It would not be possible to continue operating the service we are providing to our
client if we were not able to process your data.

How long we keep your data for

We only retain your personal data for as long as we are instructed to by our clients,
so if you stop being a customer of our client your data will be deleted when that
retention time ends.

For some of the services we provide we might only hold or process your data for a
matter of hours or days (such as when we handle incoming or outgoing mail for our
clients). For other services we might hold your data for a longer period (such as at
the request of our client who may have a regulatory requirement to retain and
archive a document that contains your personal data).

If you wish to know the exact retention periods of your personal data that we process
for our client you will need to ask our client that you are a customer of. Our
client should have a Privacy Notice like this available for their customers that
sets this information out for you.

Automated decision making or profiling of you

We do not use your personal data to profile you or to make any automated decisions
about you. Our client may instruct us to perform analytics on your data and details
of these activities will be available in the Privacy Notice of our client you have a
business relationship with.

Suppliers we use

The suppliers we use to help us fulfil our service to our clients are many, depending
on the nature of the service we provide for that client.

If our supplier will process your personal data we make sure that our client has
agreed that we can use this supplier and we check that the supplier keeps your data
confidential, has the processes and technology in place to keep your personal data
secure and does not use your data for any reason other than through the set of
processing instructions we have agreed with them.

We also make sure that the supplier does not transfer your data internationally
without the required permission and legal frameworks in place.

All the necessary privacy requirements will be put in place through the contracts
between us and our suppliers to allow them to hold and process your personal data.

The information relating to the suppliers used to process your personal data is
available from our client that you are a customer of.

Other countries your data may be transferred to

We are a global organization and this means some of our systems and offices are
located around the world. We do not move your data outside of the European Union (or
wider European Economic Area, EEA) without the knowledge and permission of our
client who instructed us to process your personal data.

For other countries with specific international transfer requirements, we take into
account and comply with the relevant local laws governing cross-border data
transfers. We do not move your data to another country without the knowledge and
permission of our client who instructed us to process your personal data.

Other useful information

Please review the main body of this Privacy Notice for information about

How to contact WL
Your rights related to your personal data as the customer of our client can be
found on the Privacy Notice at our client.

Current WL employee or
Non Agency
Contractor

For security reasons these Privacy Notices are classified as ‘INTERNAL’ and are
hosted on the global WL intranet: Front Door for our employees’ use.

Current Agency
Employee,
Consultant or Contractor Working for Williams Lea

The following information relates to agency workers who are working as an agency
employee, consultant or contractor at WL through a recruitment agency.

With some limited exceptions due to governmental regulations or industry regulations
required by our clients, we will not hold other pre-employment screening data about
you (such as screening records or criminal record checks) after the recruitment
process is complete. If you are working for us through a recruitment agency, we will
only hold a confirmation that you passed screening checks and you should review the
Privacy Notice of the recruitment agency for their employment practices to learn
more about what pre-employment screening data about you they may retain.

Controller or Processor

We are considered Controllers of your personal data that you share
with us or that is provided to us by the employment agency to facilitate you
undertaking work for us. This is because we decide the reasons for collecting,
holding and using your data. We also decide the ways in which we process your data.

The data we collect, hold or process

We collect, store and use your personal details, such as name, home address,
telephone numbers, mobile numbers and email addresses.

We also hold letters, emails, voicemails and other typical business documents (e.g.
spreadsheets and documents) relating to business interactions as our temporary
employee. Some of these business documents may hold details about you.

If you are working in one of our WL sites we may record CCTV images of you – CCTV is
one of security mechanisms to prevent and detect any unauthorized access to our
sites and secure areas.

To pay your salary and as part of your benefits package we may also hold information
such as your national insurance number and bank account details.

When you originally applied for agency work for WL we may also have asked for copies
of documents for proof of identity and address, such as your passport or household
bills.

Special categories of data

Depending on the country and business unit you are working for we may have collected
data about your racial or ethnic origin as part of our equality monitoring program.

We might also have conducted a background check on you as part of our employee
screening process. This may have included a check on criminal convictions.

Prior to employment and during the course of your employment we might have collected
data about your personal health situation e.g. as part of sickness reporting.

We do not use your genetic or biometric data for uniquely identifying you and we do
not collect information on your political, religious or philosophical beliefs, or
trade union membership, sexual orientation or sex life information.

If you voluntarily disclose any of the above types of data during your employment
(e.g. trade union membership or sexual orientation), we will not record or retain
this information unless there is a lawful basis and a clear business need to do so,
which will be communicated to you at the time.

We are committed to ensuring that any special category data we do process is handled
with the highest level of care and in accordance with applicable data protection
laws.

Why we collect, hold or process your personal data

This data is collected as part of the pre-employment and ongoing employment process.
We need this data to discharge various legal obligations, such as checking your
right to work for us and we are also contractually bound in some business units and
countries to screen our employees prior to employment.

We also need this data to pay your salary and provide you with any benefits, such as
pension contributions, to compensate you for working for us.

Why we are permitted to collect, hold or process your personal data

We are both performing services for each other as part of the contract of employment
that we have both entered into.

Purpose of Processing	Legal Basis for Processing
To manage the employment relationship with the agency worker (e.g. onboarding, payroll)	Performance of a contract
To comply with legal obligations (e.g. right to work checks, tax reporting, safeguarding)	Compliance with a legal obligation
To fulfil contractual obligations with our clients, where agency workers process client data	Legitimate interests – to deliver services to clients effectively
To assess suitability for the role (e.g. background checks, qualifications)	Legitimate interests and/or legal obligation depending on the nature of checks
To process special category data (e.g. health data for workplace adjustments)	Employment obligations or explicit consent where required

What would happen if we cannot hold your data

It would not be possible for us to compensate you for your employment with us and
satisfy the legal requirements related to your employment, such as payment of taxes.

If you are no longer working for WL then as a result of our regular data reviews and
refreshes, your data will be deleted in line with our data retention policy unless
we are required to keep it for legal, regulatory or operational reasons.

How long we keep your data for

Our default position is to only keep personal data for as long as you are employed by
WL, unless there is a legal, regulatory or operational requirement for us to hold
the data for a longer period of time e.g. for tax purposes.

If we do need to keep data we will not use that data for any other purposes and we
will protect it from loss, alteration or unauthorized access.

Automated decision making or profiling of you

Depending on the country and business unit we may use your personal data as part of a
pre-employment screening process which might include an automated credit check. We
do not carry out these checks without your knowledge or permission.

Suppliers we use

We use a number of suppliers to help us satisfy our obligations to you as a temporary
employer.

If our supplier will process your personal data we make sure that we check the
supplier keeps your data confidential, has the processes and technology in place to
keep your personal data secure and does not use your data for any reason other than
through the set of processing instructions we have agreed with them.

We also make sure that the supplier does not transfer your data internationally
without the required permission and legal frameworks in place.

There is a special contract in place between us and our suppliers that covers all the
necessary privacy requirements to allow them to hold and process your personal data.

Other reasons we might share your data

If the purpose of your temporary employment with WL is to support in providing
services to our client, either at their business location, remotely or from a WL
location, we may be required to share your name, address, contact information and
sometimes a passport and/or divers licence in order for the client to validate your
identity for giving access to their sites or systems. We will make you aware of this
if this applies to you in the context of your temporary employment.

Other countries your data may be transferred to

We are a global organization and this means some of our systems and offices are
located around the world.

For other countries with specific international transfer requirements, we take into
account and comply with the relevant local laws governing cross-border data
transfers.

Potential WL
Employee (you
are looking to work for us)

Controller or Processor

The data we collect, hold or process

We collect, store and use your personal details, such as name, job title, home
address, telephone numbers, mobile numbers and email addresses.

We also hold letters, emails, voicemails and other typical business documents (e.g.
spreadsheets and documents) relating to your interactions with us as a potential
employee. Some of these business documents may hold details about you.

If you visited one of our locations or offices we may have recorded CCTV images of
you – CCTV is one of the security mechanisms to prevent and detect any unauthorized
access to our sites and secure areas.

When you applied to work for WL we may also have asked for copies of documents for
proof of nationality, residence status, right to work status, identity and address,
such as your passport or household bills. We will also hold any data that you chose
to include in a CV or cover letter as part of the application process. We may also
collect data about you from any employment agencies or background check providers
that we use to support us during the recruitment process.

Special categories of data

Depending on the country and business unit you have applied to work for we may have
collected data about your racial or ethnic origin as part of our equality monitoring
program.

Depending on the country and business unit you have applied to work for we might also
have conducted a background check on you as part of our employee screening process.
This may have included a check on any criminal convictions.

We might have collected data about your personal health situation e.g. as part of a
pre-employment health check.

We do not collect or use your genetic or biometric data for uniquely identifying you
and we do not collect information on your political, religious or philosophical
beliefs, or trade union membership, sexual orientation or sex life information.

We are committed to ensuring that any special category data we do process is handled
with the highest level of care and in accordance with applicable data protection
laws.

Why we collect, hold or process your personal data

This data was collected as part of the pre-employment process. We needed this data to
discharge various legal obligations, such as checking your right to work for us, and
for some roles in some countries we might also have been contractually bound to
screen our employees as a requirement to perform services on behalf of our clients.

Why we are permitted to collect, hold or process your personal data

We collect and process your personal data as part of our recruitment process, which
is necessary in order to take steps at your request prior to entering into a
potential employment contract. We may also process certain data based on our
legitimate interests, such as improving our recruitment practices or defending legal
claims.

Purpose of Processing	Legal Basis for Processing
To assess your application and suitability for employment	Taking steps prior to entering into a contract
To improve recruitment practices and candidate experience	Legitimate interests – to enhance hiring processes
To fulfil contractual obligations with our clients, where a successful applicant will process client data	Legitimate interests – to deliver services to clients effectively
To defend against legal claims (e.g. discrimination, unfair recruitment practices)	Legitimate interests – to protect the organization legally
To conduct background checks, verify right to work, and comply with employment law	Compliance with a legal obligation
To process special category data (e.g. health data for reasonable adjustments, diversity monitoring)	Employment obligations or explicit consent where required

What would happen if we could not hold your data

If we were unable to collect, hold, or process your personal data during the
recruitment process, we would not be able to progress your application or consider
you for employment at WL. This is because we require certain information to verify
your identity, assess your suitability for the role, and comply with legal
obligations such as right to work checks and pre-employment screening. Without
access to this data, we would be unable to communicate with you about your
application, arrange interviews, or complete necessary background checks. As a
result, your application could not proceed and you would not be able to join WL as
an employee.

How long we keep your data for

If you are not successful in your application to work for WL then your personal data
will be deleted as a result of our regular data reviews and refreshes, unless we are
required to keep it for legal reasons.

If you are successful in your application to work for WL then we will continue to
hold your data as part of the employee data we hold and process as part of the
employment contract between us.

Automated decision making or profiling of you

We do not use your personal data to profile you or to make any automated decisions
without human oversight about you without your permission.

Suppliers we use

We use a number of suppliers to help us satisfy our obligations when considering your
application to work for WL.

If our supplier holds your personal data we make sure that we check that the supplier
keeps your data confidential, has the processes and technology in place to keep your
personal data secure and does not use your data for any reason other than strictly
in accordance with the set of processing instructions we have agreed with them.

We also make sure that the supplier does not transfer your data internationally
without the required permission and legal frameworks in place.

All the necessary privacy requirements will be put in place through the contracts
between us and our suppliers to allow them to hold and process your personal data.

Other countries your data may be transferred to

We are a global organization and this means some of our systems and offices are
located around the world.

For other countries with specific international transfer requirements, we take into
account and comply with the relevant local laws governing cross-border data
transfers.

Other useful information

Please review the main body of this Privacy Notice for information about

How to contact WL
Your rights related to your personal data as a potential employee of WL

Former WL Employee
(you
used
to work for us)

Controller or Processor

We are considered Controllers of your personal data that you
shared with us. This is because we decide the reasons for collecting, holding and
using your data. We also decide the ways in which we process your data.

The data we collect, hold or process

We collect, store and use your personal details, such as name, home address,
telephone numbers, mobile numbers and email addresses.

We also hold letters, emails, voicemails and other typical business documents (e.g.
spreadsheets and documents) relating to your interactions with us as our employee.
Some of these business documents may hold details about you.

If you worked in one of our locations or offices we may have recorded CCTV images of
you – CCTV is one of the security mechanisms to prevent and detect any unauthorized
access to our sites and secure areas.

To pay your salary and as part of your benefits package we may also have held
information such as your national insurance number and bank account details.

When you originally applied to work for WL we may also have asked for copies of
documents for proof of nationality, residence status, identity and address, such as
your passport or household bills.

Special categories of data

During your original recruitment and depending on the country and business unit you
worked for we may have collected data about your racial or ethnic origin as part of
our equality monitoring program.

Depending on the country and business unit you worked for we might also have
conducted a background check on you as part of our employee screening process. This
may have included a check on any criminal convictions.

Prior to employment and during the course of your employment we might have collected
data about your personal health situation, e.g., as part of sickness reporting.

Certain employee benefits might also have required you to pass information on your
health to us, e.g., if we offered you private medical health insurance.

We do not use or hold your genetic or biometric data for uniquely identifying you and
we do not collect information on your political, religious or philosophical beliefs,
or trade union membership, sexual orientation or sex life information.

It is possible we might hold information related to your children should they have
been given to us as next-of-kin in the event of your death in service, or you may
have extended an employee benefit, such as private health care insurance, to include
your children.

We are committed to ensuring that any special category data we do process is handled
with the highest level of care and in accordance with applicable data protection
laws.

Why we collect, hold or process your personal data

This data was collected as part of the pre-employment and ongoing employment process.
We needed this data to discharge various legal obligations, such as checking your
right to work for us and we might also have been contractually bound to screen our
employees as part of our services to our clients.

We also needed this data to pay your salary and to provide you with the benefits
package to compensate you for working for us.

Why we are permitted to collect, hold or process your personal data

We were both performing services for each other as part of the contract of employment
we have both entered into.

When your employment with WL ends, we may need to retain certain personal data for
legal, regulatory, or operational reasons. For example, we are required by law to
keep records related to payroll, tax, and employment for specified periods. We may
also need to retain information to evidence work undertaken, respond to audit
requests, or address any claims or disputes that arise after your employment ends.
Where data is retained, it will be protected and only used for these specific
purposes. Once the relevant retention period has passed, your data will be securely
deleted in line with our data retention policy.

Purpose of Processing	Legal Basis for Processing
To fulfil obligations under the employment contract (e.g. final pay, references)	Performance of a contract
To comply with legal and regulatory requirements (e.g. payroll, tax, right to work records)	Compliance with a legal obligation
To retain records for audit, operational continuity, or evidencing work undertaken	Legitimate interests – o support business operations and client obligations
To respond to legal claims, disputes, or investigations after employment ends	Legitimate interests – to protect the organization legally
To process special category data (e.g. health records, diversity data)	Legal claims, employment obligations, or explicit consent

What would happen if we could not hold your data

If we were unable to retain your personal data after your employment with WL ends, we
would not be able to meet our legal, regulatory, or operational obligations. For
example, we are required by law to keep certain records related to payroll, tax, and
employment for specified periods. We may also need to retain information to evidence
work undertaken, respond to audit requests, or address any claims or disputes that
arise after your employment ends. Without access to this data, we may be unable to
provide references, resolve queries, or comply with requests from regulatory
authorities. Once the relevant retention period has passed, your data will be
securely deleted in line with our data retention policy.

Automated decision making or profiling of you

We do not use your personal data to profile you or to make any automated decisions
about you.

Suppliers we use

We used a number of suppliers to help us satisfy our obligations to you when you were
an employee.

We also make sure that the supplier does not transfer your data internationally
without the required permission and legal frameworks in place.

All the necessary privacy requirements will be put in place through the contracts
between us and our suppliers to allow them to hold and process your personal data.

Other countries your data may be transferred to

We are a global organization and this means some of our systems and offices are
located around the world.

For other countries with specific international transfer requirements, we take into
account and comply with the relevant local laws governing cross-border data
transfers.

Other useful information

Please review the main body of this Privacy Notice for information about

How to contact WL
Your rights related to your personal data as a former employee of WL

If you are none of the Data Subject categories listed above, then the rest of our
Privacy Notice may not be relevant to you. However, as a visitor to our website we
need to make sure you understand what we might do with any information we collect
about you when you visit our site.

What is a Privacy Notice?

We want you to know that we care about your privacy and we want to be clear with you
about how we hold and process any of your personal data that we collect.

There are various ways that you might interact with WL and the data you provide when
doing so allows us to do many things. Here is a list of reasons we may hold and
process your data.

To perform a contract or service for you or your employer as a business client
e.g. send out business communications.
We have a legitimate interest in doing so e.g. making the interaction between us
better.
There is a legal obligation or the law says we have to e.g. we must hold
employee tax records.

Generally, we do not seek your permission or consent to hold or process data about
you, unless required to do so by law, as you have usually come to us and asked us to
do something for you – like employ you and pay your salary and benefits.

If we do need to ask you first before we collect or process your personal data we
will make it clear to you and you can make a choice if you wish to accept or decline
our request.

These terms may seem difficult to understand and we will make this clearer in the
specific sections based upon your relationship with us. You can find these via the
links in the Who are you? section above.

This Privacy Notice is here to explain

What data we collect about you
How we collect your data
Why we collect your data
How we use your data
If we share your data and who we share it with

This information is set out in the Who are you? section links above

Below we will also explain

How we protect your data
How you can control your data, including accessing, updating and deleting what
we store and the rights you have related to this data

General Interactions With Us

We may collect or record basic data – e.g. name, e-mail address, postal address,
phone number – which you voluntarily provide through forms on our websites, through
use of a WL app, through electronic mail which you send to us, or through other
means of communication between you and us.

Sending us emails

If you email us, your email data will be held and processed in either Google Mail,
Microsoft Outlook or Salesforce Marketing Cloud.

These are third-party services and are located either in the European Union or in the
United States of America (USA).

The privacy information for these third-party services can be found as follows:

Google Mail: https://policies.google.com/privacy

Salesforce: https://www.salesforce.com/uk/company/privacy/

Microsoft Outlook: Microsoft
Privacy Statement – Microsoft privacy

When you email us, we will attempt to use Transport Layer Security (TLS) in order to
encrypt and protect the email traffic between us. If your email systems cannot use
TLS you should be aware that any email that we send or receive may not be protected
as it travels across the Internet.

We also monitor any emails sent to us for viruses and malicious software.

Using Social Media

We use social media to help you reach us and keep you informed. If you message us
privately through any of the following platforms we will collect any information
about you that choose to give us. We will use this information to review,
investigate and respond to any comment or question you may raise as well as to carry
out our obligations and enforce our rights under any contract we have with our
suppliers and or clients.

The Privacy Notices of the social media sites we use can be found below.

Twitter (X) : https://twitter.com/en/privacy

LinkedIn: https://www.linkedin.com/legal/privacy-policy

YouTube: https://policies.google.com/privacy

How We Protect Your Data

We care about the security of your personal data so we follow the best industry
standards as well as all applicable laws to protect the personal data submitted to
us (either submitted by you or by a third-party for whom we provide services). We
secure your data both during transmission and once we receive it.

Where appropriate we use encryption technology to enhance data privacy and help
prevent loss, misuse, or alteration of your data as we hold or process it. We also
use industry-standard technology and processes for detecting and responding to
situations where some unauthorized person is trying to access your data held on our
systems.

We maintain physical, electronic and procedural safeguards in connection with the
collection, storage and disclosure of personally identifiable information.

It is important for you to protect against unauthorized access to your password and
to your computer. Be sure to sign off when you finish using a shared computer.

The transmission of information via the internet is not completely secure. Although
we will do our best to protect your personal data, we cannot guarantee the security
of your data transmitted to our website; any transmission is at your own risk. Once
we have received your information, we will use strict procedures and security
features to try to prevent unauthorized access.

How We Keep On Top of Privacy

We regularly review our compliance with this Privacy Notice as well as our compliance
with the privacy regulations that apply to WL. R.R.Donnelley, the parent company of
WL is a corporate member of the International Association of Privacy Professionals
(IAPP) and our privacy and legal teams keep up to date with the latest changes to
privacy and data protection laws that affect our companies across the globe.

The Laws That We Follow

WL must comply with all applicable privacy laws in the jurisdictions where it
operates these include but are not restricted to:

Regulation (EU) 2016/679 of the European Parliament, which is also known as the
General Data Protection Regulation (GDPR).
ePrivacy Directive (ePD) – Privacy and Electronic Communications Directive
(2002/58/EC)
UK GDPR and the Data Protection Act 2018
UK Privacy and Electronic Communications Regulations as amended
Personal Information Protection and Electronic Document Act (PIPEDA)
California Consumer Protection Act (CCPA) and other applicable State Privacy
Laws.
Colorado Privacy Act (CPA)
We also comply, where relevant, with any local privacy related laws in other
European countries and non-European countries.

Consistent with the principles of international privacy regulations, WL aims to
resolve complaints about our collection or use of your personal data at no cost to
the individual, However, as permitted by applicable law, WL reserves the right to
seek compensation for requests that are unfounded, impose an excessive burden, or
have a repetitive character.

How We May Share Your Personal Information

We may disclose the personal information we hold about you to:

Our group companies and affiliates
Banks and other financial institutions
Payment service providers
Your employer or the corporate entity that you represent, solely for the
purposes of providing the Services to you and/or your employer where we have a
contract with your employer or the company you represent
Third party companies in the event that we are involved in a corporate
transaction such as an actual or potential merger, joint venture, consolidation
or asset sale
Our professional advisors such as lawyers, accountants, auditors, financial
services providers and other professionals
Our service providers as Processors on our behalf, including IT hosting
companies: We may engage other companies and individuals to perform functions on
our behalf. Examples include fulfilling orders, delivering packages, sending
postal mail and e-mail, analysing data, providing marketing assistance and
providing customer services. They have access to personal information needed to
perform their functions, but may not use it for any other purposes. Further,
they must process the personal information in accordance with this Privacy
Notice and as permitted by applicable data protection laws
For the protection of WL and others, we release account and other personal
information when we believe release is appropriate to comply with the law,
enforce or apply our agreements with our customers or suppliers; or protect the
rights, property or safety of our users or others. This includes exchanging
information with other companies and organizations for fraud protection and
credit risk reduction. However, this does not include selling, renting, sharing
or otherwise disclosing personally identifiable information from customers for
commercial purposes in a way that is contrary to the commitments made in this
Privacy Notice
Regulatory authorities as required by any such authority, including tax
authorities
We may, from time to time, expand, reduce or sell the parts of the WL business
and this may involve the transfer of divisions or the whole business to new
owners. If this happens, your personal data will, where relevant, be transferred
to the new owner or controlling party, under the terms of this Privacy Notice
Law enforcement agencies, courts and other relevant tribunals

WL does not sell the personal data that we collect as part of our business
operations.

When We Transfer Personal Data Internationally

GDPR and the Standard Contractual Clauses (European Union, Switzerland and
United Kingdom)

We process your personal information using data centers located within the European
Union. In some cases, your data may also be processed using data centers located
outside the European Union.

Where personal information is transferred to our group companies or third-party
service providers outside the European Economic Area (EEA), we ensure that such
transfers comply with applicable data protection laws. Transfers to countries that
have received an adequacy decision from the European Commission are recognized as
providing an equivalent level of data protection.

WL uses Standard Contractual Clauses (SCCs) and internal assessments to ensure that
appropriate data safeguards can be used as a grounds for data transfers from the EU,
Switzerland, and UK to third countries. These clauses have been “pre-approved” by
the European Commission under the GDPR for data transfers from Controllers or
Processors in the EU/EEA (or otherwise subject to the GDPR) to Controllers or
Processors established outside the EU/EEA (and not subject to the GDPR).

WL may process in the US and/or India the following types of EU, UK and Swiss
information: name, address, invoice information including bank account information,
and order information (referred to as “EU, UK and Swiss Business Contact
Information”).

WL uses EU, UK and Swiss Business Contact Information for the following purposes:
managing client relationships, tracking payments and ensuring payment, and otherwise
maintaining the client relationship. WL may disclose EU, UK and Swiss Business
Contact Information to its affiliates, subsidiaries, business partners, and service
providers for such purposes.

In situations where WL discloses (i.e. onward transfers) EU, UK and Swiss Business
Contact Information to any third parties acting as service providers or “agents” on
behalf of WL, WL will require the recipient protects the disclosed Business Contact
Information in accordance with the SCCs, or otherwise take steps to ensure that it
is appropriately protected.

With respect to any sharing of EU, UK and Swiss Business Contact Information for the
purposes of marketing WL products and services, WL obtains guarantees from its
affiliates, subsidiaries and business partners that such entities will use and
disclose that information only for the purposes of marketing WL products and
services.

In cases of onward transfer of EU, UK or Swiss Business Contact Information to third
parties pursuant to SCCs, WL is potentially liable in the event of an improper
disclosure. In certain situations, individuals may seek to opt-out of disclosures of
their EU, UK and Swiss Business Contact Information by contacting WL as specified in
the “” section below.

WL takes appropriate technical and organizational measures to safeguard EU, UK and
Swiss personal data against unauthorized or unlawful processing of, or accidental
loss, damage, misuse, unauthorized access, unauthorized disclosure, unauthorized
alteration, or destruction, and maintains reasonable procedures to help ensure that
such information is relevant for its intended use, that it is accurate, complete,
current and not excessive and that such information is not retained longer than is
reasonably necessary.

With respect to personal data received or transferred for processing pursuant to the
SCCs in the US, WL is subject to the regulatory enforcement powers of the United
States Federal Trade Commission. In certain situations, WL may disclose EU, UK and
Swiss personal data as necessary in connection with the sale or transfer of all or
part of its business, where required or permitted by law, where WL believes that
such disclosures are appropriate in connection with a law enforcement request or as
otherwise permitted by the SCCs, or in order to investigate, prevent or take action
regarding illegal activities or suspected fraud or in order to comply with, enforce
or apply WL agreements.

Choice

If personal data covered by this Privacy Notice is to be used for a new purpose that
is materially different from that for which the personal data was originally
collected or subsequently authorized, or is to be disclosed to a non-agent third
party in a manner not specified in this Notice, WL will provide you with an
opportunity to choose whether to have your personal data so used or disclosed.
Requests to opt out of such uses or disclosures should be sent to us as specified in
the “How Can We Help You?” section below.

Certain personal data, such as information about medical or health conditions, racial
or ethnic origin, political opinions, religious or philosophical beliefs, is
considered “sensitive or special category information.” WL will not use sensitive
information for a purpose other than the purpose for which it was originally
collected or subsequently authorized by the individual unless WL has received your
affirmative and explicit consent (opt-in).

Data Processor Activities

WL operates as a data Processor for our business customers located in the US, EU, UK
and other geographic locations worldwide. WL’s business customers remain the data
Controllers with respect to any customer data that they provide to WL for our
provision of services. WL therefore acts in accordance with the instructions of such
customers regarding the collection, processing, storage, deletion and transfer of
customer data, as well as other matters such as the provision of access to and
rectification of this customer data.

Children’s Online Privacy Protection

The WL website is not intended for children (under 18 years of age). WL does not sell
its services to children, and as such, our websites are designed for adult user
interaction. If you are under 18 years of age, do not use or provide your
information on this website.

We do not knowingly collect personal data of children. Nor do we knowingly
collect, process, store, or sell personal data from children.

If we are made aware that we are processing personal data of children in performing
services on behalf of WL’s customers, we use all appropriate safeguards designed to
protect such information.

Your Rights as a Data Subject and How to Access Them

Depending on where you are located and the laws that apply, you may have the
following rights regarding your personal data. Not all rights may apply in every
case or jurisdiction, not all jurisdictions provide you with these rights in full,
but we will make reasonable efforts to support your request wherever possible and
support your request to exercise these rights, regardless of your location, to the
extent permitted by law.

Right to Information: You can request details about how we use
your personal data, including the categories and specific pieces of personal
information we collect, the sources, the purposes for collection, and the
categories of third parties with whom we share your data
Right of Access: You can request a copy of the personal data we
hold about you. We will provide this information free of charge unless the
request is unfounded or excessive. We will respond within the timeframes
required by law and inform you if an extension is needed
Right to Rectification/Correction: You can ask us to correct or
update inaccurate or incomplete personal data we hold about you
Right to Erasure/Deletion: You can request the deletion of your
personal data, subject to certain exceptions (for example, where we are required
to retain data for legal or regulatory reasons, or to exercise or defend legal
claims)
Right to Restrict Processing: You can ask us to restrict or
suppress the processing of your personal data in certain circumstances. We may
continue to store your data but will not process it further unless required by
law
Right to Data Portability: Where applicable, you can request
your personal data in a commonly used, machine-readable format, or ask us to
transfer it to another organization
Right to Object/Opt-Out: You can object to certain types of
processing, including direct marketing or processing based on legitimate
interests. You may also opt out of the sale of your personal information.
NOTE: WL does not sell personal information to third parties, including
for monetary or other valuable consideration, as defined under the
California Consumer Privacy Act (CCPA) and California Privacy Rights Act
(CPRA). We also do not share your personal information for cross-context
behavioural advertising
Right to Withdraw Consent: Where we rely on your consent to
process your data, you may withdraw that consent at any time
Right to Limit Use of Sensitive Personal Information: In some
jurisdictions, you may request that we limit the use and disclosure of sensitive
personal information
Right to Non-Discrimination: You will not be discriminated
against for exercising any of your rights under applicable privacy laws
Right to Lodge a Complaint: You have the right to lodge a
complaint with a supervisory authority or data protection regulator if you
believe your rights have been infringed

How to Exercise Your Rights

To exercise any of these rights, please contact our Data Protection Officer at global.privacy@williamslea.com.
We may need to verify your identity before acting on your request. We aim to respond
promptly and in accordance with applicable laws.

Web Visitor Tracking – Use of Cookies

When you visit our website, we and our partners automatically collect certain
technical information, such as your IP address, browser configuration, operating
system, and general location data. We use cookies and similar technologies to
enhance your experience, analyse site usage, and support marketing efforts.

Non-essential cookies are only placed with your consent. Cookies are small text files
stored on your device, and while they help us understand usage patterns, they do not
usually identify you personally. For more details, please refer to our Cookie Notice.

Changes To This Privacy Notice

WL may change this Privacy Notice from time to time. If this Privacy Notice changes,
the revised Privacy Notice will be posted at the “Privacy Notice” link on the WL
website’s home page. We recommend that you re-visit our Privacy Notice from time to
time to ensure you are happy with any changes. Should any amendments impact how we
process your personal data we will take reasonable steps to inform you. In some
cases, this information may be made available to you through your employer as the
company that utilizes our services.

We collect and use this personal information in order to provide services to you. If
you decide not to provide the personal data we ask for, it may delay or prevent us
from providing those services.

How Can We Help You? – Contacting Williams Lea

We have specially qualified staff and legal counsel who can provide advice to our
businesses on privacy and data protection, and to work with our clients, employees
and the regulators (the Supervisory Authorities who manage and enforce privacy
rules).

Our Global Data Protection Officer who is responsible for all WL legal entities can
be contacted by email at global.privacy@williamslea.com
or in writing to:

Williams Lea Data Protection Officer

PO BOX 29

NR3 1GN

United Kingdom

You also have the right to complain about the use your personal information to local
supervisory authority,

In the UK, WL is registered with the Information Commissioner’s Office (ICO). You can
contact them by calling 0303 123 1113. Or go online to www.ico.org.uk/concerns

Or you can write to them at:

Information Commissioner’s Office,

Wycliffe House,
Water Lane,
Wilmslow Cheshire,
SK9 5AFIf you are located within Europe, our legal representative for Europe is
Williams Lea (Ireland) Limited.

You can contact the Irish Data Protection Commission their details are:

www.dataprotection.ie

DATA PROTECTION COMMISSION

21 FITZWILLIAM SQUARE SOUTH
DUBLIN 2
D02 RD28
IRELAND

In the US each state has an Attorney General’s office that can handle complaints
related to data privacy violations

Before you take your complaint to the relevant Supervisory authority, we would
welcome the opportunity to resolve any issues with you directly. Please direct any
complaints that you have to: global.privacy@williamslea.com.

If we receive formal written complaints, we follow up such complaints with the person
making the complaint. We will also work with the relevant regulator (Supervisory
Authority) to resolve any complaints that cannot be resolved directly.

To Unsubscribe from Marketing Communications

You may unsubscribe from our marketing communications by clicking on the
“unsubscribe” link located on the bottom of our e-mails, or by sending us an email
us at global.privacy@williamslea.com

Privacy Notice

Scope of this Privacy Notice: Who is Williams Lea?

Who Are You?

What is a Privacy Notice?

General Interactions With Us

How We Protect Your Data

How We Keep On Top of Privacy

The Laws That We Follow

How We May Share Your Personal Information

When We Transfer Personal Data Internationally

Your Rights as a Data Subject and How to Access Them

Web Visitor Tracking – Use of Cookies

Changes To This Privacy Notice

How Can We Help You? – Contacting Williams Lea