Palladium is a global development solutions provider. Palladium recognises the importance of protecting Personal Data and has implemented this Notice in accordance with the relevant laws in the countries in which it operates.

This notice (together with our Cookie Notice) sets out the basis on which Personal Data is or will be processed by us. By visiting our sites, contacting us, contracting with us or otherwise engaging with us in the ways countenanced below, you consent to the practices described in this Notice.

1. Definitions and Addenda

Act means the act, statute, regulation, law or court/tribunal order, governing the processing or controlling of Personal Data in the relevant jurisdiction.

Palladium, we, us, our refers to Palladium Global Holdings Inc., or each of its subsidiaries and affiliates, as appropriate, where those subsidiaries or affiliates act as a Data Controller (within the meaning of a relevant Act), as the case may be.

Personal Data means personally identifiable information, personal data or personal information, however described under the relevant Act.

Sensitive Information has the same meaning as provided under a relevant Act, if applicable (or ‘special categories’ in the case of the United Kingdom Act).

Persons in the European Economic Area, the United Kingdom, or Switzerland, see our EEA+ Supplemental Data Protection Law Disclosures to this notice here.

California residents, see our California Consumer Privacy Act Disclosures here.

2. Collection of Personal Data

We will only collect Personal Data where the Personal Data is reasonably necessary for a function or activity of ours.

The types of Personal Data we may collect includes (but is not limited to):

• Identity and contact information – including name, email address, gender, telephone number, address, identification/KYC documents
• Professional and personal information - occupation, references, current and previous employment history, titles, qualifications and skills, relationship or marital status, interactions with us, opinions
• Online presence - information provided by you through our website, LinkedIn, Meta/Facebook, Twitter or social media accounts
• Website usage – if you use our website(s), we will typically collect certain technical data including your usage data, location, browser type and version, time zone, plug-in types and versions, operating system and platform, along with other details about the devices you use to access the website(s), the browsing path into the website(s), and devices;
• Communications with you – if you contact us, we will typically keep a record of that correspondence in accordance with our relevant policies
• Contractual information – your contractual and performance history with us

Personal Data will be collected using lawful and fair means and will be collected only from you unless this is unreasonable and impracticable. Personal Data may be collected in a variety of ways, including:

• Job or position applications submitted by you or responses to employment advertisements;
• Contact with us or one of our projects;
• Through completion of a due diligence or other form;
• From one or more of our clients;
• Enquiries, statements, contact or submissions made by you through telephone, our websites and online platforms or portals;
• Comments, linkages or messages you make through or to our websites or social media accounts;
• Your profiles on professional websites for that purpose;
• Details given when you visit our website(s), follow our social media accounts, and/or register or subscribe to one of our mailing lists;
• Through government agencies or third party reporting services;
• Your application to participate, and participation, in a conference, training session or other event; and/or
• Through direct contact between you and our staff – for example: email, mail, telephone and direct meeting.

We will take reasonable steps to determine that the Personal Data we collect is accurate, up to date and complete.

The legal bases we rely on to process Personal Data

The legal bases on which we process Personal Data include:

• Consent: where you have consented to our use of your information.
• Contract performance: where your information is necessary to enter into or perform our contract with you or a third party (or to take steps before entering into such a contract).
• Legal obligation: where we need to use your information to comply with our legal and regulatory obligations.
• Legitimate interests: where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights.
• Legal claims: where your information is necessary for us to defend, prosecute or make a claim against you, us or a third party.

We generally rely on our legitimate interests to process your Personal Data in connection with our ongoing relationship with you and the fulfilment of the processing purposes identified in this notice. We may however process your Personal Data when:

• it is necessary to enter into or perform a contract with you;
• we are subject to a legal obligation to do so; or
• we are required to collect your consent for a processing activity.

To the extent that we rely upon your consent (for example where required for processing special category Personal Data, sending marketing communications or cookie placement purposes) as the legal basis under which we process your Personal Data, you are entitled to withdraw your consent, at any time. Please contact us if you want to do so. Additional details can be found below.

Cookies

Cookies are small text files that are stored on your computer or other electronic device as a result of visiting a website. This allows the site to know that you have visited before and in some cases can be used to record your preferences. Cookies can be used/stored for two reasons:

• To help track usage and access patterns in order to improve, monitor, and manage a website, for advertising and communications, including advertisements elsewhere on the internet; or
• To record preferences in order to personalise your visit to that website.

Palladium uses cookies on its website(s). These include (but may not be limited to) the following cookies, and types of cookies:

• PHPSESSID, cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number, how it is used can be specific to the site, but a good example is maintaining a logged-in status for a user between pages.
• Lidc, used by LinkedIn for routing.
• li_gc, used by LinkedIn to store consent of guests regarding the use of cookies for non-essential purposes.
• _ga, contains a unique identifier used by Google Analytics to determine that two distinct hits belong to the same user across browsing sessions.
• _gid, contains a unique identifier used by Google Analytics to determine that two distinct hits belong to the same user across browsing sessions.
• _gat, used by Google Analytics to throttle request rate (limit the collection of data on high traffic sites)
• bcookie This is a Microsoft MSN 1st party cookie for sharing the content of the website via social media.
• _ga_*, contains a unique identifier used by Google Analytics 4 to determine that two distinct hits belong to the same user across browsing sessions.
• lastExternalReferrerTime, detects how the user reached the website by registering their last URL-address.
• lastExternalReferrer, detects how the user reached the website by registering their last URL-address.
• AnalyticsSyncHistory, used by LinkedIn to store information about the time a sync with the lms_analytics cookie took place for users in the Designated Countries
• UserMatchHistory, contains a unique identifier used by LinkedIn to determine that two distinct hits belong to the same user across browsing sessions.
• Bscookie, csed by the social networking service, LinkedIn, for tracking the use of embedded services.

3. Storage of Personal Data

We will store your Personal Data in both physical and electronic forms. We will take reasonable steps to see to it that all Personal Data collected from you is stored in a secure environment accessible only by our authorised personnel, in accordance with the Act.

We will endeavour to protect any Personal Data transmitted by you or received from us over the Internet; however, we cannot ensure or warrant the security of this information. These activities are conducted at your own risk. Once we receive your transmission, we will take reasonable steps towards its security.

4. Use and disclosure of your Personal Data

The way we use or disclose your Personal Data will depend on the reason(s) why we have received your Personal Data. The basis for the way we will use or disclose your Personal Data will be disclosed at the time of collection or later processing or as soon as reasonably practical.

Use

We collect your Personal Data for purposes including, but not limited to:

• Provision of services to you, employing you, or receiving services from you;
• Responding to enquiries;
• Assessing your suitability for potential employment or other contractual engagement;
• Submission of documents to our clients including expressions of interest, capability statements and tenders;
• Providing you with information; and
• Compliance with all relevant Acts or enforcement related activities.

Disclosure

We may disclose Personal Data that we collect from you for the purpose(s) that it was collected. We may disclose the Personal Data for other purposes where we have received your consent to do so or are required to do so by law.
Examples of where we may disclose your information include, but are not limited to:

• Other members of our group of companies;
• Employees and contractors within our group of companies and external providers to those companies, including service providers and contractors;
• Clients, potential clients, insurers, lawyers, accountants, professionals and others where we have a commercial relationship in place; and/or
• Government departments and agencies.

We will endeavour to take reasonable steps such that that the Personal Data we use or disclose is accurate, up to date, complete and relevant to the purpose of the use or disclosure. Where we appoint service providers who act as our data processor, these firms are subject to contractual obligations to implement technical and organizational security measures to safeguard the Personal Data and to process the Personal Data only as instructed.

Retention

We do not keep Personal Data for longer than is reasonably required, which will depend on the nature of the Personal Data we hold and the purposes for which it was received. Our retention approach for Personal Data is informed by the following principles:

• In the first instance, Personal Data will be retained as long as required by a relevant law (e.g. to ensure compliance with tax or legislative requirements);
• If a relevant law no longer requires us to maintain Personal Data (or that period has elapsed), the Personal Data may then still be retained if required by any relevant policy, contractual agreement or arrangement; and
• For Personal Data to which a relevant law or contractual agreement or arrangement does not apply, we will retain the Personal Data for as long as is required to manage our engagement and/or relationship with you plus a reasonable period afterwards to mitigate risks.

5. Sensitive Information

We may need to collect Sensitive Information such as health information, status, or your membership of a professional association. We will not collect this information without providing you with a purpose for collection and having a legal basis for processing it. All sensitive Information collected by us will be dealt with in accordance with the requirements of the relevant Act.

6. Unsolicited Personal Data

If we receive unsolicited Personal Data we will make a determination whether the information is reasonably necessary for, or directly related to our functions or activities. If it is, we will store the Personal Data in the same manner as if we received the Personal Data directly from you. If we find that it is not, we will destroy or de-identify the Personal Data. We will comply with any requirement of a relevant law to disclose the collection of such Personal Data.

7. Overseas Disclosure of your Personal Data

Palladium is a global company and we may disclose your Personal Data to our related bodies, corporate suppliers and services providers. Arrangements are in place between each relevant global entity across Palladium to protect the Personal Data to a common standard. This standard includes company-wide compliance with data protection policies, guidelines and SOPs.

We will take steps to limit the flow of your Personal Data across borders, transferring only where equivalent protection is in place, where the transfer is required for legitimate use, performance of contract or service administration (e.g. making payments) or where you otherwise consent. Subject to the above, your Personal Data may be accessible to our entities, suppliers, offices or employees located in various countries, where such access is required for one of the reasons above, or you otherwise consent.

We may allow your Personal Data to be processed by our external IT and data providers and centres located in Australia, United Kingdom and United States of America.

When disclosing your Personal Data to countries without adequate levels of legal protection, we will take appropriate measures to provide an adequate level of protection to your Personal Data.

8. Your option not to provide Personal Information

You may not wish to provide us with your Personal Information. Please note that in this circumstance we may be unable to assist you through answering your query, providing you with our services or otherwise contracting with you. You may be entitled to use a pseudonym for certain contact with us, but in doing so, we may not be able to receive (or provide) goods/services to you.

9. Access to and correction of your Personal Data

If required under the Act, you may request access to your Personal Data that we hold and we will attempt to provide the Personal Data in the manner you request. We may refuse your request for access to your Personal Data where permitted to do so under the Act, and we will provide you with a written notice that outlines our reasons for refusal. If permitted under the Act, we may charge you reasonable costs in relation to making this Personal Data available to you.

If required under the Act, you may also request us to correct the Personal Data we hold if you believe that the Personal Data is inaccurate, out of date, incomplete, irrelevant or misleading. Under certain circumstances permitted by the Act, we may refuse your request to correct your Personal Data and we will provide you with a written notice that outlines our reasons for refusal.

10. Contact and Complaints

If you would like further information on our policy, to contact us on any of the matters set out above, or if you have a complaint about a breach of your privacy you may contact us using the following email address privacy@thepalladiumgroup.com.

If making a complaint please provide us with sufficient detail to assist us with any investigation. We will acknowledge receipt of your complaint and undertake any appropriate investigations.

If you are unsatisfied with how we have resolved your complaint you may contact the privacy regulator in the relevant jurisdiction.

11. Changes to our Privacy Notice

We may make changes to this notice and any supplementary disclosures, including material changes, from time to time. The Notice will be updated on our website when we do so.

Version: 30 June 2024