This Agreement governs the processing of personal data by Finch Theory Limited (the Processor) on behalf of the Client (the Controller) in connection with the provision of consultancy and advisory services under the Finch Theory programme. It is intended to ensure that all personal data is handled lawfully, securely, and in line with UK data protection legislation.
The Agreement is supplementary to any Letter of Engagement or Terms of Business in place between the parties and does not replace those documents.
This Agreement is made in accordance with:
The Processor shall process personal data only in accordance with the Controller's documented instructions, as set out in this Agreement and in any associated engagement documentation.
The Client is the Data Controller and determines the purposes and means of processing. Finch Theory Limited acts as the Data Processor and processes personal data only on the instructions of the Controller.
Each party shall comply with its respective obligations under the UK GDPR and the Data Protection Act 2018 in connection with its role.
Personal data will be processed for the purpose of delivering the Finch Theory service, which is designed to review and improve the Client's employee benefits and payroll structure, support staff financial wellbeing, and enhance employee engagement and retention.
Processing will take the form of collection, review, analysis, storage, and reporting of data. It will not involve automated decision-making or profiling.
Data processed under this Agreement is limited to what is necessary for the purposes stated above. It may include:
Where identifiable personal data is shared, this will be limited to the minimum necessary and handled in accordance with the data minimisation principle under Article 5(1)(c) UK GDPR.
Data subjects covered by this Agreement are current and former employees of the Client organisation.
Finch Theory Limited acknowledges that all information shared under this Agreement is commercially sensitive. The Processor undertakes to apply the same standard of care to the Client's data as it applies to its own confidential information, and as a minimum to apply appropriate technical and organisational measures to protect it.
Only those individuals within Finch Theory Limited who require access to the data in order to perform the services will be permitted to do so, and all such individuals are subject to binding confidentiality obligations.
The Processor shall implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures shall take into account the nature, scope, context, and purposes of the processing, as well as the risks to individuals.
Such measures include, but are not limited to:
In the event of a personal data breach involving the Client's data, Finch Theory Limited will notify the Client without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Such notification will include, to the extent available:
The Controller remains responsible for any further notifications to the ICO or affected data subjects required under Articles 33 and 34 UK GDPR.
The Processor shall assist the Controller in fulfilling its obligations to respond to data subject rights requests, including rights of access, rectification, erasure, restriction, portability, and objection, as provided under Chapter III of the UK GDPR.
Where a data subject contacts the Processor directly, the Processor shall promptly refer the request to the Controller and shall not respond substantively without the Controller's instruction, unless required to do so by law.
Finch Theory Limited shall not engage any sub-processor in connection with the processing of the Client's personal data without the prior written consent of the Client.
Where sub-processors are engaged with the Client's consent, the Processor shall impose equivalent data protection obligations on the sub-processor by way of a written contract and shall remain fully liable to the Controller for the performance of those obligations.
The Processor shall not transfer personal data outside of the United Kingdom without the prior written consent of the Controller, and only where an appropriate transfer mechanism exists in accordance with Chapter V of the UK GDPR, including an adequacy decision, standard contractual clauses, or other approved safeguards.
Personal data will be retained by the Processor only for as long as is necessary for the purposes of this Agreement or as otherwise required by law. Upon termination of the engagement, the Processor shall, at the election of the Controller, either securely return or destroy all personal data processed on behalf of the Controller and confirm in writing that this has been done.
Anonymised, aggregated, or statistical data that cannot reasonably be used to identify individuals may be retained by the Processor for internal analysis and service improvement purposes.
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this Agreement and with applicable data protection legislation. The Processor shall permit and contribute to audits or inspections conducted by the Controller or an auditor appointed by the Controller, on reasonable notice and at the Controller's cost, subject to any reasonable confidentiality requirements of the Processor.
This Agreement shall come into force on the date first written above and shall remain in effect for the duration of the engagement between the parties, unless terminated earlier.
Either party may terminate this Agreement on 30 days' written notice. Termination shall not affect any obligations that have accrued prior to the termination date. Upon termination, the provisions of Clause 12 (Data Retention and Deletion) shall apply.
This Agreement shall be governed by and construed in accordance with the laws of England and Wales. Any dispute arising under or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of England and Wales.
By signing below, each party confirms their agreement to the terms of this Data Processing Agreement. Typed names constitute valid electronic signatures under UK law.