Ontic
A BBA Aviation Company

Privacy Policy & Cookie Notice

Introduction

This notice explains how and why your personal data is processed by Ontic (also referred to as “Ontic”, “we”, “our” and “us”) when you visit the Ontic website (http://www.ontic.com) (“Website”), use our services, purchase goods or services from us, otherwise communicate or engage with us or when we send you marketing communications.

Ontic is a “controller” in relation to its use of your personal data. This is a legal term – it means that we make decisions about how and why we process your personal data and, because of this, we are responsible for making sure it is used in accordance with data protection laws. The controller in respect of personal data processed in connection with the Website is Ontic Engineering and Manufacturing Inc. For the purposes of the other processing activities set out in this notice, the controller will be the relevant Ontic entity with which you contract as a customer or supplier, as explained below, or with whom you communicate. Click here for a list of the relevant Ontic entities providing services and their contact details.

Ontic is part of the BBA Aviation plc group (“BBA Group”). Click here for a list of the other relevant BBA Group entities and their contact details.

In line with our aim to have a consistent approach to protecting personal data, this is a global policy that we follow in each of our locations. It is based on European Union data protection principles that are set out in the General Data Protection Regulation. Where we have sites in jurisdictions with significantly different data protection laws it may be that the rights and obligations set out in this privacy policy do not apply.

If you have any questions about how this privacy policy applies to you or want to make a complaint to us about how we handle your personal information, please contact dataprivacy@bbaaviation.com.
We may provide you with additional privacy notices where we believe it is appropriate to do so. It is important that you read this privacy policy together with any other privacy notice or fair processing notice we may provide on specific occasions, so that you are fully aware of how and why we are using your data. This privacy policy supplements these other notices and is not intended to override them. Candidates applying for roles with us should also see our candidate privacy notice here.

Cookies

Our Website uses cookies. This helps us to provide you with a seamless experience when you browse our Website and also allows us to improve our site. For detailed information on the cookies we use and the purposes for which we use them see below: ‘How we use cookies’.

Sources of personal information

We collect different types of personal data about you when you visit our Website, communicate with us, use our services or otherwise engage with us. We also obtain personal data from other sources, and create some personal data ourselves. Ontic cannot identify you personally as a user of its Website unless you are logged in to any account with us and, save for dealing with any cyber security incident investigation, will not try to identify you from any online identifiers like your IP address.

The relationship we have with you will dictate what, if any, personal data we collect about you and why we use it. This policy explains use of your personal data by or on behalf of Ontic when acting as the responsible Controller as explained above. We will sometimes obtain personal data from other sources, such as from your employer, other third parties or publicly available online sources or official records such as Companies House.
Detailed information about the sources of your personal information is set out below:

Type of personal information | Collected from

Contact Information
For individual Ontic customers or individuals who get in touch with us: Contact information (name, job title, address, email, telephone numbers)
Suppliers (including subcontractors and individuals associated with our suppliers and subcontractors): business contact information (name, employer name, job title, address, email, telephone numbers)
Collected from: You or your employer

Identification and Other Regulatory Information
Identification information (passport details and/or driver’s license and/or car registration number) for our visitors forms and CCTV footage when you visit us onsite.
Collected from: You or your employer

Health Information
Dietary, allergy, health and access requirements.
Collected from: You or your employer

Third Party Vetting
For individual customers/suppliers or directors and other key office bearers of corporate customers/suppliers and counterparties (including parties to any M&A activity contemplated, agents, joint venture partners, representatives, senior level hires, consultants, licensees or intermediaries): third party vetting information including (name, alias, title, gender, place of birth, date of birth, ID number, images, relatives/close associates, country of citizenship and residence, occupation(s), watchlist status, adverse media articles, details of shareholders, whether there is any legal action pending against you and your relationship with public officials and state-owned enterprises)
Collected from: You, or your employer or publicly available resources, credit reference agencies or third-party systems used for our regulatory checks

Billing and Financial Information
For individual Ontic customers: Financial information (billing details, bank account details or credit/debit card details and credit reports)
Collected from: You and credit reference agencies or third-party systems used for our regulatory checks

Communications
Communications received from you through our website or otherwise.
Collected from: You

Browsing and Device Usage Information
Website users: Technical and usage information (user name and passwords used by you in relation to our platforms and services, IP address and other online identifiers, account settings, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, other technology on the devices you use to access our website and information about how you use our website, products and services)
Collected from: You

Marketing Information
Marketing information (your marketing status and history, marketing preferences, your experiences with our services and contact preferences)
Collected from: You

Uses of your personal information

We process your personal data for many different purposes when you visit our Website, purchase goods or services from us or otherwise communicate or engage with us. We are required by law to always have a permitted reason or justification (called a “lawful basis”) for processing your personal data. You can read more about what we process your data for, and the lawful bases on which we rely for such processing, in the table below. For some processing activities, we consider that more than one lawful basis may be relevant depending on the circumstances. The purpose applicable to you will vary according to the relevant Ontic controller of your personal data (as explained in the introductory paragraph above).

Use on the basis of “contract” means to perform a contract with you or to take steps at your request prior to entering a contract with you.

Use on the basis of “legal obligation” means to comply with a legal obligation to which we are subject.

Use on the basis of our legitimate interests means we have a fair, proportionate and overriding lawful business reason to use your details.
This will primarily be where, by using the information, we learn about you or develop our relationship, so we can work together more closely and better, or make sound business decisions involving or affecting you.

We may convert your personal data into statistical or aggregated form, or de-identify it, to better protect your privacy, or so that you are not identified or identifiable from it. Anonymised data cannot be linked back to you. We may use it to conduct research and analysis, including to produce statistical research and reports. Your personal data will not be sold or licensed outside the BBA Aviation Group for marketing purposes.

Purposes for processing personal data

Purposes of processing | Lawful basis: Your explicit consent | To perform a contract with you | To comply with a legal obligation | For our legitimate interests

Providing Services

Responding to your requests or general enquiries (including in relation to any existing contract with you) ✓ ✓ ✓ (so we can respond to your enquiries)
Establishing you / your organisation as a customer on our systems ✓
Fulfilling your order request by providing you / your organisation with the requested services and/or products ✓
Taking payment from you in respect of the services ✓
Sending you solicited industry updates and service-related communications ✓ ✓ (so we can keep you updated)
Sending promotional materials to you and communicating with you about our business, such as our email newsletter and inviting you to Ontic or BBA Group-organised events ✓ ✓ (To keep you updated with our latest promotions and developments)
Hosting you at our office or BBA Group-organised events or trade shows and providing hospitality services.
✓ (To host our customers and prospective customers effectively)
Conducting surveys for benchmarking, continuous improvement and marketing purposes (although you do not have to respond to these surveys) ✓ ✓ (to resolve any problems or complaints and improve our services/products)
Managing our business relationship with customers and resolving any problems, complaints or disputes ✓ ✓ (our relationship with you is paramount, so we need to be able to try to resolve any complaint or dispute you might raise with us)
Ensuring the proper operation and performance of the website, monitoring its use, security and integrity on an ongoing basis and checking, producing statistical information and improving its functionality for users. This includes tracking user journeys through the website and learning from them so we can tailor and improve our services accordingly ✓ (we need to monitor our systems in this way to ensure that our platforms work properly, to help protect them, us and you from illegal activity, to analyse how they are used and to improve them)
Ensuring appropriate use of our website in accordance with its terms and conditions and our policies to keep it operating efficiently for other users ✓

Legal and Regulatory Compliance and Reporting

Performing customer or counterparty due diligence and other screening and risk management activities including identity verification and conflict checks, financial and credit searches, screening and checks against third party sources for anti-bribery and corruption, economic sanctions regulations ✓
Providing your personal data to regulatory authorities where there is a legal requirement to do so ✓
Establishing and enforcing our legal rights and obligations, monitoring to identify and record fraudulent activity online, preventing, detecting crime and meeting legal obligations for
data security ✓ ✓ (we need to monitor our systems in this way to help protect them, us and you from illegal activity)
Using your financial information and keeping details of your purchasing and payments history to evaluate and monitor your credit worthiness as a prospective or existing customer or supplier ✓ ✓ ✓ (it is in our interest to protect our business against risks associated when considering your application for credit account)
Responding to binding requests or search warrants or orders from courts, governmental, regulatory and/or enforcement bodies and authorities ✓
Responding to non-binding requests or search warrants or orders from courts, governmental, regulatory bodies and authorities ✓ (We wish to cooperate as necessary or advisable with proportionate requests from authorities and/or volunteering such details to them in appropriate cases. This is also in the public interest)
Complying with our general regulatory and statutory obligations including investigating, evaluating, demonstrating, monitoring, improving, reporting on meeting Ontic’s compliance with relevant legal and regulatory requirements ✓
For our general record-keeping and customer/supplier relationship management, for compliance with accounting, taxation and other legal obligations and otherwise for good governance, insurance requirements and risk management, including obtaining professional advice and dealing with claims ✓ ✓ ✓ (we need to store customer related files so we can refer back to them in the event of a complaint, request or investigation; it is also in our interest to protect our business against specified losses and claims)

General Business

Training our staff ✓ ✓ (sometimes it is appropriate for us to use your personal information so that we can provide our staff with training to manage risk and improve the quality of our
services)
Undertaking third party approval checks (third party vetting) of parties to any M&A activity contemplated with BBA or a member of the BBA Group, agents, joint venture partners, representatives, senior level hires, consultants, licensees, intermediaries or customers, and negotiating the terms of any contracts ✓ ✓ ✓ (it is in our legitimate interest to undertake third party vetting for the purpose of risk management)
General record-keeping and relationship management with our customers/suppliers/contractors/business partners ✓ ✓ ✓ (so we can refer back to our records in the event of a query)
Managing, planning and delivering our global business and marketing strategies ✓ (as a global business we need to implement effective business and marketing strategies)
Continuously reviewing and improving our products and services (including by seeking and obtaining your feedback) and developing new ones ✓ (We have a legitimate interest in making sure that we are continuously improving our service offering)
Obtaining legal advice, establishing, defending and enforcing our legal rights and obligations in connection with, any legal proceedings (including prospective legal proceedings) ✓ (We must be able to establish and defend our legal rights and understand our obligations, and seek legal advice in connection with them)
Maintaining the security and integrity of our systems, platforms, premises and communications (and detecting and preventing actual or potential threats to the same) ✓ ✓ (We need to make sure that our business processes and facilities are secure)
Managing the proposed sale, restructuring, transfer or merging of any or all part(s) of our business, including to respond to queries from the prospective buyer or merging organisation ✓ (We have a legitimate interest in being able to sell any part of our
business)

Visitors to our sites

Arranging taxis, transportation or other services on your behalf, as and when requested by you. Depending on your request, we may ask you to provide us with your personal information (if required by the third party service provider) in order to make the booking, including but not limited to: Name, contact details, passport details, pick up and drop off location ✓ ✓
Maintaining security measures at our sites, including CCTV and building access controls. There are signs in our office showing that CCTV is in operation. The images captured are securely stored and only accessed on a need to know basis (e.g. to look into an incident). CCTV recordings are typically automatically overwritten after a short period of time unless an issue is identified that requires investigation (such as a theft). ✓ (promoting security and safety of our personnel and members of the public and preventing and detecting crime)
Maintaining security measures at our sites, including requiring visitors to our sites to sign in at reception and keeping a record of visitors for a short period of time. Our visitor records are securely stored and only accessible on a need to know basis (e.g. to look into an incident). Information collected for visitor records includes name, telephone number, car registration (if you are parking onsite), company, time in and time out. ✓ (promoting security and safety of our personnel and members of the public and preventing and detecting crime)

Suppliers

Managing our business relationship with our suppliers/subcontractors and their staff as necessary to receive the services (including arranging payment of invoices).
✓ (it is in our legitimate interest to engage third parties and manage our business relationships with suppliers)
Where a supplier or sub-contractor is helping us to deliver a service to our shareholders/investors, we process personal data about the individuals involved in providing the services in order to administer and manage our relationship with the supplier (through its staff) and to provide such services to our shareholders/investors. ✓ (it is in our legitimate interest to engage suppliers to assist with the provision of services for our shareholders/investors)

Purposes for processing special categories of personal data

Purposes of processing special categories of personal data | Special category lawful basis (We are permitted to process your personal data because…): You have given your explicit consent | It is necessary to protect somebody’s vital interests or they are incapable of giving consent | It is necessary for the establishment, exercise or defence of legal claims | It is necessary for reasons of substantial public interest

Hosting you at our office or Ontic or BBA Group-organised events or trade shows and providing hospitality services.
✓ (for your dietary and access requirements) ✓ (in case of accidents or emergencies at our sites)
Responding to binding requests or search warrants or orders from courts, governmental, regulatory and/or enforcement bodies and authorities ✓
Investigating, evaluating, demonstrating, monitoring, improving, reporting on and meeting Ontic’s compliance with relevant legal and regulatory requirements (such as anti-bribery, client verification checks, disability discrimination and health & safety compliance) ✓
Obtaining legal advice, establishing, defending and enforcing our legal rights and obligations in connection with, any legal proceedings (including prospective legal proceedings) ✓

How we keep your personal information secure

We take our security obligations seriously and we take specific steps (as required by applicable data protection laws) to protect your personal data from unlawful or unauthorised processing and accidental loss, destruction or damage. All our staff and third-party service providers who have access to confidential information (including personal information) are subject to confidentiality obligations.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

Disclosure of your personal information

Inside the BBA group (including to other Ontic companies)

Ontic and the BBA Group include companies and operations around the world. The Ontic entity responsible for your personal data may need to share your personal data with other companies in the BBA Group, including to other Ontic companies:
• in connection with our business strategy and customer relationship programmes.
For example, if you are a customer or prospective customer, we may add your personal data to our global client contact database which is available across the Ontic network. You can find a list of the countries in which we operate here.
• where support and functions are provided by other group companies, such as in relation to our website hosting and operation, IT systems and support and maintenance, marketing support, audit, compliance and legal;
• to meet our customer needs where providing services across offices/locations;
• for authorisations/approvals with relevant decision makers;
• for reporting purposes; and/or
• where systems and services are provided on a shared basis such as our customer management system and marketing functions.

Access rights between Ontic companies and other members of the BBA group are limited and granted only on a need to know basis, depending on job functions and roles.

Where any Ontic companies or other BBA Group companies process your personal data on our behalf (as our processor), we will make sure that they have appropriate security standards in place to protect your personal data. In addition, we will enter into a written contract imposing appropriate security standards on them and, if your personal data is transferred to an Ontic or other BBA group company outside the EEA, we will put in place appropriate safeguards to ensure the protection of such data.

Outside the BBA group

From time to time we may ask third parties to carry out certain business functions for us. These third parties will process your personal data on our behalf (as our processor). We will disclose your personal data to these parties so that they can perform those functions. Before we disclose your personal data to other people, we will make sure that they have appropriate security standards in place to make sure your personal data is protected and we will enter into a written contract imposing appropriate security standards on them.
Examples of these third-party service providers include service providers and/or sub-contractors, such as our IT support, back up and server hosting providers.

In certain circumstances, we will also disclose your personal data to third parties who will receive it as controllers of your personal data in their own right for the purposes set out above, in particular:
• services provided to you or us by a third party acting independently to Ontic but which has a relationship with Ontic, for example certain fraud checking services and our professional service advisors;
• if we transfer, purchase, reorganise, merge or sell any part of our business or the business of a third party, and we disclose or transfer your personal data to the prospective seller, buyer or other third party involved in a business transfer, reorganisation or merger arrangement (and their advisors); and
• if we need to disclose your personal data in order to comply with a legal obligation, to enforce a contract or to protect the rights, property or safety of our employees, customers or others.

We have set out below a list of the categories of recipients with whom we are likely to share your personal data:
• IT support, website and data hosting providers and administrators who help us with the operation of our websites, mobile applications, data rooms, document and workflow management systems and other systems and applications;
• marketing service providers, including companies who send out surveys, alerts and marketing communications on our behalf;
• analytics, search engine providers and survey providers who help collate customer feedback for us;
• banks and payment processors in relation to purchases you make with us;
• third party debt recovery organisations where we need to recover money owed to us;
• consultants and professional advisors including legal advisors and accountants;
• courts, court-appointed persons/entities, receivers and liquidators;
• business partners and joint ventures;
• insurers; and
• governmental departments, statutory and regulatory bodies including the Information Commissioner’s Office, the police and Her Majesty’s Revenue and Customs and Border Forces.

We may also share your personal data with third parties, as directed by you.

Where we transfer your personal information

The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

If any of our processing activities require your personal data to be transferred outside the EEA, we will only make that transfer if:
• the country to which the personal data is to be transferred ensures an adequate level of protection for personal data;
• the recipient or recipient country is subject to an approved certification mechanism or code of conduct with binding and enforceable commitments which amount to appropriate safeguards for your personal data – this includes for example, the EU-US Privacy Shield which enables the secure transfer of personal data to the United States;
• we have put in place appropriate safeguards to protect your personal data, such as an appropriate approved form of contract with the recipient which incorporates specific provisions as directed by the European Commission;
• the transfer is necessary for one of the reasons specified in data protection legislation; or
• you explicitly consent to the transfer.

Personal data shared between the BBA Group will be subject to the contractual obligations imposed by EU standard contract clauses. A copy of the European Commission approved standard contractual clauses is available here. If you would like to see a copy of any of the other relevant safeguards used by us to protect the transfer of your personal data, please contact dataprivacy@bbaaviation.com.

How long we keep your personal information

We will keep your personal data during the period of your relationship with us and then, after that period ends, for as long as is necessary in connection with both our and your legal rights and obligations. This may mean that we keep some types of personal data for longer than others but we will only retain your personal data for a limited period of time.
This period will depend on a number of factors, including:
• any laws or regulations that we are required to follow;
• whether we are in a legal or other type of dispute with each other or any third party;
• the type of information that we hold about you; and
• whether we are asked by you or a regulatory authority to keep your personal data for a valid reason.

How we use cookies

We use cookies for certain areas of our Website. Cookies are small text files that are placed on your computer or mobile device when you visit our Website. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

We also use third party cookies to collect information about how visitors generally use our Websites. We use this information to compile reports and to help us improve our Websites. The third party cookies collect information for us, not for anyone else.

We use the following types of cookies on our Website:
• Strictly Necessary Cookies: These cookies are necessary for the website to function and cannot be switched off in our systems. These cookies are essential to enable you to move around the website and use its features such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
• Performance Cookies: These cookies collect information about how you use our Website, for instance which pages visitors go to most often. We use this information to compile statistics and to help us to improve our website and the services we offer. All information these cookies collect is aggregated and therefore anonymous. We also use third-party cookies to help with performance.
• Functionality Cookies: These cookies allow the Website to remember your preferences when you return to our Website and provide an enhanced, more personalised experience. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly. A mix of first and third-party cookies are used.
• Social Media Cookies: These cookies provide our Website with functionality to enable you to share our Website content via social media.

By continuing to use our Website, you agree to us placing these cookies on your device and accessing them when you visit our Website in the future.

Disabling cookies

Overall, cookies help us provide you with a better Website service by enabling us to deliver content to you as a registered user and monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us. This practice is strictly in force.

We know that people have concerns about cookies, but we believe that the benefit we both gain from their proper use is worthwhile. You can configure your web browser to refuse cookies, to delete cookies, or to be informed if a cookie is set. You can find out how to do this by clicking "help" on your browser menu. Please note that by deleting or disabling future cookies, your user experience may be affected and you might not be able to take advantage of certain functions of our site.

You may also stop the transmission of information generated by the Google Analytics cookies about your use of this Website and of your IP address, by downloading and installing the Google Analytics Opt-out Browser Add-on available here: https://tools.google.com/dlpage/gaoptout

You can learn more about cookies at www.allaboutcookies.org and www.youronlinechoices.eu.

Your Rights

If BBA or Ontic use your personal data as a Controller and UK or European Union law applies to that use:

You have certain legal rights, which are summarised in the table below, in relation to any personal data held by BBA or Ontic about you. Your ability to exercise these rights will naturally be limited where we incidentally use limited business-related personal data in business records and business communications which we need to retain.

Where our processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. If you do decide to withdraw your consent we will stop processing your personal data for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know. Your withdrawal of your consent won’t impact any of our processing up to that point.

Where our processing of your personal data is necessary for our legitimate interests, you can object to this processing at any time. If you do this, we will need to show either a compelling reason why our processing should continue, which overrides your interests, rights and freedoms or that the processing is necessary for us to establish, exercise or defend a legal claim.

You can exercise these rights at any time by contacting us at dataprivacy@bbaaviation.com.

Your right | What does it mean? | Limitations and conditions of your right

Right of access
Subject to certain conditions, you are entitled to have access to your personal data (this is more commonly known as submitting a “data subject access request”). If possible, you should specify the type of information you would like to see to ensure that our disclosure is meeting your expectations. We must be able to verify your identity. Your request may not impact the rights and freedoms of other people, eg privacy and confidentiality rights of other individuals. Other exemptions may apply dependent on the information and context.
Right to data portability
Subject to certain conditions, you are entitled to receive the personal data which you have provided to us and which is processed by us by automated means, in a structured, commonly-used machine readable format. If you exercise this right, you should specify the type of information you would like to receive (and where we should send it) where possible to ensure that our disclosure is meeting your expectations. This right only applies if the processing is based on your consent or on our contract with you and when the processing is carried out by automated means (ie not for paper records). It covers only the personal data that has been provided to us by you.

Rights in relation to inaccurate or incomplete personal data
You may challenge the accuracy or completeness of your personal data and have it corrected or completed, as applicable. You have a responsibility to help us to keep your personal information accurate and up to date. We encourage you to notify us of any changes regarding your personal data as soon as they occur, including changes to your contact details. This right only applies to your own personal data. When exercising this right, please be as specific as possible.

Right to object to or restrict our data processing
Subject to certain conditions, you have the right to object to or ask us to restrict the processing of your personal data. As stated above, this right applies where our processing of your personal data is necessary for our legitimate interests. You can also object to our processing of your personal data for direct marketing purposes.

Right to erasure
Subject to certain conditions, you are entitled to have your personal data erased (also known as the “right to be forgotten”), eg where your personal data is no longer needed for the purposes it was collected for, or where the relevant processing is unlawful.
We may not be in a position to erase your personal data if, for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.

Right to withdrawal of consent
As stated above, where our processing of your personal data is based on your consent you have the right to withdraw your consent at any time. If you withdraw your consent, this will only take effect for future processing.

If any of the personal information you give us changes, or something is incorrect (e.g. your contact details), please inform us without delay by contacting your local customer service representative.

If you have any concerns about how we process your personal data, please send an email with the details of your concerns to dataprivacy@bbaaviation.com so we can try to resolve them. However, if you consider that we are in breach of our obligations under data protection laws, you are always entitled to submit a complaint to the Information Commissioner’s Office (“ICO”), which is the UK data protection regulator. More information can be found on the ICO website at https://ico.org.uk.

If Ontic uses your personal data and UK or European Union law does not apply to that use (such as where you are in the US and contract with us in the US):

You may have rights that differ from the rights set out above.

More information

If you want more information about any of the subjects covered in this privacy policy or if you would like to discuss any issues or concerns with us, please contact us at dataprivacy@bbaaviation.com.

Changes to our Privacy Policy

Any changes we may make to our privacy policy in the future will be posted on this page. Please check back frequently to see any updates or changes to our privacy policy.

Third Party Websites

Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates.
If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Contact

Questions, comments and requests regarding this privacy policy should be addressed to dataprivacy@bbaaviation.com.

Date this privacy policy was last updated: 30 May 2019