Agile Defense, Inc.

European Union General Data Protection Regulation Notice

OVERVIEW
Purpose and Intended Audience

This Notice provides information regarding Agile Defense Information Technology’s compliance with the European Union General Data Protection Regulation (“GDPR”).

This notice is intended for all Agile Defense employees and applicants who work, or will work, in the European Union, European Economic Area, and Switzerland. This Notice is also intended for all Agile Defense employees who have access to personal data for covered individuals, or responsibility for systems, processes, or vendors that interface with personal data for covered individuals.

Agile Defense, Inc. and its managed affiliates (collectively, “Agile Defense” or “we”) make reasonable efforts to protect the personal data of covered individuals. This Notice aims to provide guidance to Agile Defense employees on the standards that govern Agile Defense’s compliance with GDPR principles for these covered individuals. It also aims to provide covered individuals with transparent information regarding the processing of their personal data.

Scope and Responsibility

This Notice applies to Agile Defense and all managed affiliates. It covers all personal data related to Agile Defense’s employees, applicants for employment, contract workers, and consultants who work, or will work, in the European Union, European Economic Area, and Switzerland. All employees of Agile Defense that have access to such personal data are responsible for conducting themselves in accordance with this Notice. Agile Defense employees responsible for engaging third parties to handle personal data covered by this Notice on behalf of Agile Defense (e.g., temporary staff, independent contractors, sub-contractors, business partners, or vendors) are responsible for obtaining appropriate assurances that such third parties have an obligation to conduct themselves in accordance with the applicable provisions of this Notice, including any applicable contractual assurances required by GDPR principles.

Failure of an Agile Defense employee to comply with this Notice may result in disciplinary action up to and including termination.

Definitions
Listed below are the definitions that pertain to this Notice. Where a term is not specifically defined in this section, the definitions of Article 4 of the GDPR shall apply. Agile Defense is the data controller.

“Agile Defense” – Agile Defense, Inc. and its managed affiliates.

“Personal data” – any information relating to an identified or identifiable natural person (“data subject”). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity. Data is considered personal when it enables anyone to link information to a specific person, even if the person or entity holding that data cannot make that link.

“Processed” or “processing” personal data – this term is broadly defined and includes any manual or automatic operation (or set of operations) on personal data, including its collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, use, transmission, dissemination or publication, alignment or combination, and even restriction, erasure, or destruction.

“Personnel” or “you” or “your” – all employees of Agile Defense who work in the European Union, European Economic Area, and Switzerland. As applicable, this may also refer to applicants for employment, contract workers, and consultants who work, or will work, in the European Union, European Economic Area, and Switzerland.

“Data Controller” – a person or entity who, either alone or jointly or together with other persons or entities, determines the purposes for which and the manner in which any personal data are, or are to be, processed. For purposes of this Policy, the Data controller is Agile Defense. For questions, contact Danielle Cole (dcole@agile-defense.com, (571) 748-4460.

“Sensitive personal data” – personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

NOTICE

  1. General Rule

Personal data shall be collected and processed in compliance with the requirements of the GDPR and/or other applicable local data privacy laws (“Privacy Laws”).

Agile Defense collects and processes personal data relating to its personnel primarily for job-related purposes. You can find a list of the purposes for which we process your personal data in Section 4 of this Policy. We do not collect and process more or other types of personal data than are necessary to fulfill the respective purposes. We will only use personal data as set forth in this Policy, unless you have specifically provided your consent to another use of your personal data or such use is otherwise permissible under applicable Privacy Laws. You shall be informed about the categories of personal data collected and how the personal data will be processed. If we intend to use your personal data for purposes other than those for which the personal data was originally collected, we will inform you in advance. Where the processing is subject to your consent, we will use your personal data for a different purpose only with your permission. Access to the personal data shall be role-based and consistent with the job duty responsibilities of Agile Defense’s employees who are given access.

  1. Personal Data Collected and Held

Unless limited by local legislation, the following personal data will typically be collected, processed, and stored as part of the personnel record Agile Defense holds on you:

-Your identity: to include last name, first name, maiden name; date of birth; sex; home address; home telephone number; home email, name and telephone number of a contact in case of emergency; passport number and related materials for processing of residency or other immigration status (if applicable); adhesion to the Catholic and Evangelic Church (in Germany and Switzerland only and exclusively for host country tax purposes); driver’s license number (if applicable); work permit number; social security number (if applicable and only as required for payroll, benefit and insurance purposes); country of birth and nationality (if applicable); bank account details; employee identification number; and, if any, your disability rate (if applicable) as required for Agile Defense to comply with its legal duty; your disability and veteran status (if applicable); marriage certificates and banking loan information for processing for relocation matters; and personal banking information for processing of payroll.

-Family status: to include marital status; last name, first name and date of birth of your spouse or partner (should you and your spouse or partner wish to be added to your insurance); last name, first name, and date of birth of your children (should you wish to add them to your insurance); insurance information; retirement account information; passport number and related materials for processing of residency or other immigration status; school forms for local school enrollment or tuition payments.

-Employment terms and conditions: to include fixed-term contract or open-ended contract (if applicable); part-time or full-time job; hire date; termination date; division; department; reporting structure; job title; pay grade; work telephone number and work email address; job description; salary schedule and other compensation elements; participation in and elements of awards under the executive compensation plan, if applicable; related payments; actual working hours or shift time; retirement fund contribution; tax and source tax deductions; absence management (in particular sick leave, leave of absence, family leave, parental leave); paid holidays (if applicable); time off given in compensation for extra time worked); personnel representative status (such as whether there is an applicable works council).

-Education and development: to include diplomas and training certificates held; languages and proficiency (if applicable); curriculum vitae detailing your work experience and if applicable, military experience (but not the reasons for deferment or rejection from the military service, if any); continuous training; mobility situation and management of career development actions; performance evaluations; training programs completed.

-Data collected through the Ethics Hotline (if applicable): You or a complainant can submit complaints or inquiries on an anonymous basis to the Agile Defense Ethics hotline. If you or a complainant wishes to use your or their identity, then the following personal data may be collected: last name, first name, job title, and contact information of the person who contacted the compliance hotline (the complainant); last name, first name, job title, and contact information of the person who is the subject of the communication to the compliance hotline; last name, first name, job title, and contact information of the person(s) involved in the collection and processing of the complaint; alleged facts reported by the complainant; follow up required to verify the alleged facts; and information obtained or created in connection with reporting the complaint.

  1. Collection and Processing of Sensitive Data

In principle, no personal data revealing your political opinions, religious or philosophical beliefs, sex life or sexual orientation, the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, are collected or processed by Agile Defense.

However, racial or ethnic origin personal data (e.g. your identified race and ethnic origin as provided by you at your time of hire or when you voluntarily self-disclose such information after your time of hire) may be collected and processed by Agile Defense to the extent that Agile Defense is required to do so in order to comply with its affirmative action and equal employment opportunity obligations.

Further, health-related personal data (e.g., absence records associated with illness or accidents, including possible exposure to certain materials or contaminants; maternity leave; disabilities; work-related injuries or claims; etc.) may be collected and processed by Agile Defense to the extent Agile Defense is required to do so in order to comply with its labor and social security obligations or to manage the safety at the workplace.

Additionally, personal data related to trade union membership may be collected and processed for purposes of administering the terms of union agreements, benefits and retirement plans, and other activities governed by collective bargaining agreements.

  1. Purposes of the Personal Data Processing

Where it is necessary, we use your personal data to help ensure effective personnel administration, for the following purposes:

-Payroll, Benefits, and Insurance: Personal data are used to administer the salaries, benefits, and insurance that you receive under your employment agreement, including annual merit increases, any other salary adjustments, annual bonus payments and retirement plan management, including other benefits provided to retirees; income tax; and social security withholdings.

-Travel Arrangements and Business Expense Processing: Personal data is used to make travel arrangements and to process business expenses associated with business travel; to process business expenses associated with approved coursework, books and periodicals, and training; to process business expenses associated with approved business expenditures.

-Performance Review and Management: Agile Defense uses personal data to facilitate personnel performance management and career development, notably through annual performance appraisals; annual salary reviews, and; if any, disciplinary measures in accordance with local legislation.

-Succession Planning and Leadership Development: Personal data may also be used for succession planning and leadership development of employees.

-Administration of Executive Compensation Program or Other Similar Employee Equity Plan: Personal data may be used in the administration of the executive compensation program or other similar employee equity plan.

-Legal Obligations: We also use your personal data to comply with our legal obligations, such as income tax and social security withholdings; “Catholic and Evangelic Church tax” (in Germany only and exclusively for tax purposes); disability and family leave obligations; or cooperation with courts, including civil actions, and with law enforcement agencies in legal investigations regarding suspected criminal activities or other suspected illegal activities. Subject to local law requirements, Agile Defense may use your personal data to protect our legal rights or support any claim, defense or declaration in a case or before any jurisdictional and/or administrative authority or arbitration or mediation panel, in the context of disciplinary actions/investigations or of internal or external audit and inquiries.

-Security: Some of your personal data are collected and processed for security purposes including office access and IT resources access. Personal data may be collected in the course of IT resources security procedures, including security penetration tests, for which IT experts will try to access our system to find any security breaches.

-General Management and Human Resources Administration: Personal data may also be used for administration purposes, including employee feedback through the use of employee surveys and contacting employees; administration of email systems and company directories; assignment of offices and other Company equipment; assignment of identification badges; and evaluations performed for purposes such as headcount, diversity and inclusion measures and overall corporate programs to promote an optimal workplace. personal data may also be used for Agile Defense’s planning and budgeting; financial reporting; corporate reorganizations; outsourcing; restructuring; and acquisitions and divestments. personal data may also be used for human resources administration such as to obtain feedback from personnel about Agile Defense and the work-life environment, so as to identify areas where the organization can improve and related matters.

-Reporting: Personal data may be collected through the compliance hotline implemented by Agile Defense Corporation as a means of allowing employees to report allegations related to the following matters, or other areas of concern: accounting, internal accounting controls, auditing matters, bribery, banking and financial crime; facts affecting the vital interest of Agile Defense; or issues related to employees’ physical or moral integrity. The collected personal data may be transferred to Agile Defense Corporation located in Reston, Virginia USA in the event that the message received through the reporting system may affect substantially the legitimate interests of Agile Defense Corporation, Agile Defense or any of their affiliates.

-Monitoring: We will only monitor your use of Agile Defense IT Resources in accordance with applicable statutory requirements (including, if applicable, notification of relevant authorities) and, if applicable, works council agreements.

-Performance in Your Job Within Agile Defense: To assign a workspace, office, computers, other Agile Defense equipment, to keep track of the individuals to whom the equipment is assigned, and to enable access to Agile Defense’s IT systems and applications, including third party applications used to perform your job.

  1. Legal Basis for Processing:

We only process your personal data so far as such Processing is legally permitted. Please see below for a more comprehensive description of the legal basis on which we process your personal data. Among other things, the Processing of your personal data is based on the legal principles set out below.

5.1. For the Performance of a Contract with You:

Agile Defense may enter into legal contracts with you other than your employment contract, e.g., with regards to fringe benefits or cost of living allowances. We may process your personal data to comply with legal obligations arising from these contracts.

5.2. Compliance with a Legal Obligation:

Agile Defense is subject to a number of statutory requirements, e.g., to ensure compliance with legal obligations throughout Agile Defense. To comply with these requirements, we must process certain personal data, for example personal data that we collect through the compliance hotline. Such legal obligations may sometimes require the processing of certain Sensitive personal data.

5.3. Safeguarding Legitimate Interests:

Agile Defense will process certain personal data in order to safeguard our own or any third party’s interests. This may include personal data collected for General Management and Human Resources Administration, Security, Reporting, Monitoring, and Legal Obligation purposes.

5.4. Processing in the Context of Employment:

Furthermore, we will process certain personal data in the context of your employment contract. This may include, for example, administrative processing of your personal data to manage, plan and organize your work and your workplace, e.g., to manage the payment of your salary. If you refuse to provide your personal data, which are required in the context of your employment, you might face adverse effects such as the loss of certain benefits, or we might not be able to fulfil our legal obligations to you, i.e. the employment contract cannot be performed.

  1. Personal Data Retention Period and Place of Storage:

Agile Defense will only keep your personal data for so long as they are relevant for the purposes for which they were collected or as required by law. Agile Defense’s personnel’s personal data are held in paper, electronic, and other formats, and must be securely stored and accessible only in accordance with job responsibilities. Refer to Agile Defense’s policies on record retention practices.

  1. Conditions of Disclosure of Personal Data:

Access to personal data is given to those individuals of Agile Defense and its affiliates who need such access for a purpose listed above or where required by law. These parties include human resources, international human resources, talent management, finance, accounting and payroll, contracts, procurement, ethics, business services, security, tax, and other department personnel who require access to administer designated responsibilities. Personal data may also be disclosed to information technology personnel, controllers and accounting personnel, and relevant business managers. Agile Defense will from time to time and for the purposes listed above, need to make some of your personal data available to:

(i) Government administrations (for example tax authorities or social security services) or judicial authorities.

(ii) Your current, past, or prospective employers.

(iii) Other employees within Agile Defense, Agile Defense Corporation and their affiliates or subsidiaries.

(iv) Employment or recruitment agencies.

(v) External advisers (including Agile Defense’s independent public accountants, authorized representatives of internal control functions such as auditors or attorneys, corporate security, and corporate legal) and to companies which provide services to Agile Defense] for assisting Agile Defense in human resources management (such as payroll services, candidates’ assessment purposes and outplacement services).

(vi) Third parties in the course of Agile Defense’s general management (payroll administrators, benefits providers and administrators, information technology systems providers, financial institutions, retirement plan institutions, and consultants, and professional advisors and consultants).

(vii) Customers and clients.

(viii) Distributors and suppliers of goods or services.

(ix) Travel agencies.

(x) Insurance companies.

(xi) Outsourcers for various services.

In addition, where permitted by applicable law, personal data may be disclosed in connection with a corporate restructuring, sale, or assignment of assets, merger, divestiture, or other changes of control or financial status of Agile Defense Corporation, Agile Defense, or any of their affiliates. Finally, and to the extent permitted by applicable laws, personal data may be transferred to respond to internal or external audit and inquiries, to law enforcement requests, to administrative or judicial authorities or where required by applicable laws, court orders, or government regulations (including disclosures to tax, employment/labor or other authorities).

You can be assured that your personal data are disclosed or transferred to Agile Defense’s employees or to the recipients within the departments listed in Paragraph 7 above who need to use your personal data for the purposes described in this Notice, and that your personal data will be treated confidentially. Agile Defense requires from the service providers to whom your personal data may be transferred that they undertake to process your personal data only on behalf and subject to Agile Defense’s instructions and to implement appropriate security measures to keep your personal data confidential.

  1. Transfer of personal data Outside of the EU:

As certain of the recipients listed in the above paragraphs may be located outside the EU where the data protection laws might not provide a level of protection equivalent to the laws in your jurisdiction, Agile Defense has taken the appropriate measures to comply with the requirements of the Privacy Law to secure transfer of personal data outside EU.

  1. Security Measures Implemented to Protect Personal Data

Agile Defense has undertaken efforts to put into place appropriate technical and organizational security measures to minimize the risk of unauthorized or unlawful disclosure or access to, or accidental or unlawful loss, destruction, alteration or damage to your personal data. These measures will help ensure an appropriate level of security in relation to the risks inherent to the processing and the nature of the personal data to be protected. Your personal data will only be accessible to those Company employees who have a need-to know your personal data for the performance of their job duties.

We work to have appropriate physical, technical and organizational security measures in place to protect the security of your data that we process. These security measures may be updated over time when legal and technological developments occur.

  1. Your Rights

You have specific legal rights relating to the personal data Agile Defense collects and Processes about you. In certain circumstances, you may have rights to:

-Access your personal data that Agile Defense stores.

-Correct the personal data Agile Defense holds about you.

-Erase your personal data.

-Restrict Agile Defense use of your personal data.

-Object to Agile Defense use of your personal data.

-Withdraw your consent, if applicable.

-Receive your personal data in a usable electronic format and transmit it to a third party (right to data portability).

You may contact the responsible persons as listed below at any time if you would like to access the personal data that Agile Defense holds about you or if you want to exercise your rights. You may access information concerning the source of the personal data, e.g., the purposes for which your personal data are being used, the categories of personal data concerned and the details of the parties with whom Agile Defense may share your personal data. Pursuant to the law, you may object to the processing of your personal data for legitimate reasons, notably the transfer of your personal data to some recipients. Please note that where Agile Defense collects, holds and processes your personal data to perform its obligations under your employment contract you may not oppose to such processing.

You further have the right to lodge a complaint with a relevant supervisory authority if you believe that we may have infringed your rights.

  1. Changes to this Notice

This Notice may be updated from time to time. Any such changes will posted on Agile Defense’s website and will be available by contacting the data privacy officer listed below.

  1. Contact Information

-Data privacy officer contact information: Danielle Cole, 11600 Sunrise Valley Drive, Suite 440, Reston, Virginia 20191, (571) 748-4460, dcole@agile-defense.com.

-Alternate contact for further information: Agile Defense, Inc., People Operations Department, 11600 Sunrise Valley Drive, Suite 440, Reston, Virginia 20191 (703) 351-9977