PEX LTD (hereafter referred to as ‘PEX’) is committed towards its valued customers in protecting and keeping customers’ personal data confidential. With the enforcement of the Data Protection Act 2017 (the “DPA”) on 15 January 2018 and the General Data Protection Regulation (the “GDPR”) on 25 May 2018, PEX acknowledges that its valued customers may have some questions about these new laws and regulations. Therefore, to help you better understand these, we have outlined some of the significant provisions below.

How will the GDPR and the DPA affect you?

1. Personal Data Processing The processing of your personal data is conducted in compliance with the GDPR and the DPA. As such, the personal data are: • Processed legally with a clear view as to how the information will be used in accordance with your rights; • Collected for specified, explicit and legitimate purposes; • Accurate and kept up to date; • Retained for no longer than is necessary for the relevant purposes it was collected; • Kept appropriately secure.

2. Consent Your consent for processing and maintaining information is crucial and you have a right to withdraw consent at any time.

3. Right of Access You have the right to know if your data is being processed or not. We shall supply a free copy of the processed data within one month upon a written request from you. However, we reserve the right to charge a ‘reasonable fee’ if your requests are manifestly excessive or repetitive.

4. Right to be Informed We must provide appropriate information on the processing procedure and be transparent as to how we use personal data. We must provide the information to you at the time information is obtained (if obtained directly) or within a reasonable period (if obtained indirectly) upon written request.

5. Right to Deletion You may request to ‘be forgotten’ or be deleted from the database of PEX subject to exceptions if the processing causes you damage or distress. However, there are some specific circumstances where we may reject the deletion request if such requests are not in line with other laws pertaining to

record keeping public interest, historical, statistical or scientific research for the establishment exercise or defence of legal claim.

6. Right to Rectification It is your duty to notify and update PEX of any change in the information maintained by us at any time. Your personal data must be rectified if it is inaccurate or incomplete. As a rule, PEX will not share your information with any third parties unless with your express consent.

7. Right to Object You have the right to object, in writing, at any time to the processing of your personal data. Upon receiving an objection in writing, PEX will stop processing your personal data immediately.

9. Data Breaches A data breach occurs where there is an unauthorised disclosure or a loss of personal data. Any breach must be reported to the Data Protection Officer at PEX (e-mail: dp@pexintl.com) as soon as the breach is noted so that appropriate measures can be taken to recover or limit any damage.

PEX is bound by law to notify the Data Protection Office of any breach within 72 hours after becoming aware of it. Further, where a breach is likely to put your rights at risk, PEX has the obligation to notify you directly.

Should you feel your rights have been breached by us, you may lodge a complaint with the Commissioner.