IMI Employee Data Privacy Notice

This is an overview of what we do with your information and your rights.

Information we may collect about you

We may collect and process the following information (“Personal Data”) about you, whether such
information is provided by you or by a third party:

(a) Your biographical information including your name, gender, date of birth, details of family
members, previous job history, education details;

(b) Your contact information including your home address, telephone number(s), personal
email address (where provided);

(c) Your identification information including your national insurance number (or equivalent),
ID card or driving licence, passport information;

(d) Your performance information including management metrics, appraisals, feedback;

(e) Communications and internet information your correspondence and details of internet
use held on or made through IMI systems; and

(f) Payroll information including your salary details and bank account information.

Sensitive Personal Data

We may also collect Sensitive Personal Data about you as defined in Appendix 1. This may include
health information and medical records, criminal convictions data where allowed under applicable
laws, trade union membership and diversity information.

What legal basis do we have for using your personal data

The IMI legal entity that employs you is a so-called “Data Controller” for applicable data protection
law. We take care to ensure that your information is only used in an appropriate way. For each
use of personal information mentioned below, we note the purpose for which we use and disclose
it and the grounds for our use. An explanation of the scope of each of the grounds can be found at
Appendix 2

Generally, as your employer, we process your Personal Data on the basis that it is necessary in
relation to your individual contract of employment and where our legal duties as an employer
necessitates it. We may also process your Personal Data if necessary for the purpose of our
legitimate interests (except where such interests are overridden by the interests of the data
subject), such as to defend and prosecute legal claims and rights, and our other business interests.

Why we collect your Personal Data and our basis for using it

We may use your Personal Data in the following way:

(a) To manage staff relations, to ensure compliance with policies and laws, for promotions and
appraisals and for the performance of training.

Use basis: contract performance/employment legal obligations and rights, legitimate

interests (to enable us to effectively manage our staff).

1
IMI Employee Data Privacy Notice

(b) To store staff emails and staff created documents, these may contain Personal Data both
related to work and private matters (where IMI allows you to use a business account for
private purposes).

Use basis: contract performance/employment legal obligations and rights, legitimate

interests (to enable us to effectively manage our staff and our staff's output).

(c) To manage staff benefits including administering remuneration, insurance, payroll,

pensions, other employee benefits and tax. Disclosing to other group companies and to
others such as payroll providers, accountants, occupational health providers, fleet providers,
insurers, pensions administrators, hosting service providers and legal advisers.

Use basis: contract performance/employment legal obligations and rights, legitimate

interests (to enable us to provide you with your remuneration and benefits), consent (where
we are processing any health data).

(d) To manage recruitment including eligibility for work, hires, promotion and succession
planning.

Use basis: contract performance/employment legal obligations and rights, legitimate

interests (to enable us to effectively recruit staff).

(e) To comply with policies including in relation to claims, disciplinary actions or legal
processes or requirements and conducting investigations and incident response and we may
monitor your communications in these situations in accordance with GRP-IT12-002 IT User
Responsibilities.

Use basis: contract performance/employment legal obligations and rights, legitimate

interests (to enable us to effectively monitor staff legal and policy compliance).

(f) For security purposes for providing IT support, security and employee authentication.

Use basis: contract performance/employment legal obligations and rights, legitimate

interests (to enable us to ensure the security of our systems)

(g) To manage occupational health and absences for managing employee absences and
fitness for work and notifying family members in emergencies.

Use basis: contract performance/employment legal obligations and rights, legitimate

interests (to enable us to effectively manage our staffs' fitness for work)

(h) To comply with our legal obligations and to change our business structure we may
disclose your Personal Data in connection with proceedings or investigations anywhere in
the world to third parties, such as public authorities, law enforcement agencies, regulators
and third-party litigants. We may also provide your Personal Data to any potential acquirer
of or investor in any part of the IMI Group business for the purpose of that acquisition or
investment.

Use basis: contract performance/employment legal obligations and rights, legal obligations,
legal claims, legitimate interests (to enable us to cooperate with law enforcement and
regulatory authorities and to allow us to change our business)

2
IMI Employee Data Privacy Notice

(i) To monitor diversity, managing information as part of our diversity programme.

Use basis: legal obligation/employment legal obligations and rights, legitimate interests

(j) To manage collective agreements for administering collective employee arrangements

where these are in place.

Use basis: legal obligation/employment legal obligations and rights, legitimate interests

When you begin working for IMI, we ask you for the Personal Data which we need to fulfil your
contract of employment and to fulfil our obligations as employers. If you do not provide us with this
information, we may not be able to fulfil our obligations to you as your employer (such as to pay
you) or to fulfil our obligations generally as an employer (such as, where required, to provide an
occupational pension scheme).

Where we collect your Personal Data from

We may obtain your Personal Data from you or from third parties such as our business partners
and public registers. Background checks are only performed where allowed under local laws.

When do we send your Personal Data abroad?

We hold your Personal Data principally in the country in which you are employed. However, it is
sometimes necessary for us to provide details about your employment to our other group
companies situated outside the European Economic Area. This is for the purposes of administering
your employment contract or in relation to investigations or reports. When we do so, we will ensure
that such transfers ensure that an appropriate level of protection is given to the Personal Data. For
some systems, this includes the use of so-called “EU Model Clauses”.

Please contact the Divisional Legal and Compliance department if you would like to discuss the
mechanisms IMI uses to safeguard the export of your Personal Data.

How long do we keep your data for?

We keep records of your data for no longer than is necessary for the purpose for which we obtained
them and any other permitted linked purposes. In compliance with data minimization requirements,
our retention periods are based on business needs and records that are no longer needed are
either irreversibly anonymised (and the anonymised information may be retained) or securely
destroyed.

Updating your Personal Data

We will use reasonable endeavours to ensure that your Personal Data is accurate. To assist us
with this, you should notify us of any changes to your Personal Data that you have provided to us
by contacting your local or Divisional HR contact.

Relation to employment law, rights of employee bodies

The use of Personal Data set out in this document will be performed in compliance with local
employment law and, where applicable, in alignment with employee bodies as prescribed under
applicable laws.

3
IMI Employee Data Privacy Notice

What are your rights

If you are situated in the EU, you have certain rights in relation to your Personal Data. Please be
aware that certain exceptions apply to the exercise of these rights and so you will not be able to
exercise these in all situations. In addition, these will vary in different EU member states.

(a) Subject Access: You have a right to be provided with access to any data held about you by
IMI generally within 30 days of your request.

(b) Rectification: You can ask us to have inaccurate Personal Data amended.

(c) Erasure: You can ask us to erase Personal Data in certain limited circumstances and we will
take reasonable steps to inform other controllers that are processing the data that you have
requested the erasure of any links to, copies or replication of it.

(d) Withdrawal of consent: You can withdraw any consents to processing that you have given
us and prevent further processing if there is no other ground under which IMI can process
your Personal Data. Please note as stated above that IMI does not rely on consent for the
Processing of your Personal Data as employees.

(e) Restriction: You can require certain Personal Data to be marked as restricted whilst
complaints are resolved and also restrict processing in certain other circumstances.

(f) Portability: You can ask us to transmit the Personal Data that you have provided to us and
we still hold about you to a third party electronically.

(g) Raise a complaint: You can raise a complaint about our processing with the data protection
regulator in your jurisdiction (for example in the UK, the Information Commissioner's Office).

Your contact for any queries

If you have any queries then please contact your local or Divisional HR team or your Divisional
Legal and Compliance Team.

4
 Appendix 1

Definition of data protection terms

The following terms are used in this policy. These definitions are based on the European General
Data Protection Regulation 2016/679. However, there may be variants on how these terms are
defined in the laws of other countries and your Divisional Legal and Compliance team should be
contacted if you have any queries

Data Controller: this is the person or entity which alone or jointly with others determines the
purpose and means of the processing of Personal Data. The IMI entity that employs you is the
Data Controller of all employment details used in its business and IMI plc is also the Data Controller
in respect of certain processing activities, such as group wide investigations with policies.

Data Subject (“affected individuals”): all living individuals about whom an IMI entity in the EEA
holds Personal Data, including employees, customers and suppliers.

Data Processor: this is the person or entity which processes Personal Data on behalf of the Data
Controller (not including employees of the Data Controller) IMI is generally a Data Processor in
respect of most Personal Data (other than employee data) that is obtained in the course of
providing its services to its customers. IMI's suppliers and agencies that handle Personal Data on
our behalf will also be Data Processors.

Personal Data: information relating to an identified or identifiable natural person. These include
names, ID numbers, location data, online identifiers or one or more factors specific to the physical,
psychological, genetic, mental, economic, cultural or social identity of that person.

Sensitive Personal Data: Personal Data which reveals racial or ethnic origin, political opinion,
religious or philosophical beliefs, trade-union membership, and the processing of genetic data,
biometric data to uniquely identify a person or data concerning health, sex life and sexual
orientation. In the EU, Personal Data relating to criminal convictions or offences or related security
measures may only be processed when authorised by Member State or EU law If in doubt, please
contact your Divisional Legal and Compliance team.

5
 Appendix 2

Use basis

Under EU data protection law, we must establish and inform you of the legal basis or “ground” for
our use of your personal information. For each use of personal information in the “Why we collect
your Personal Data and our basis for using it”, we note the purpose for which we use and disclose
it and the grounds we use as a basis for our use.

An explanation of the scope of the main grounds available can be found below:

Consent: where you have consented to our use of your information (you will have been
presented with a consent form. In relation to any such use, you may withdraw your consent by
contacting your local or Divisional HR team or your Divisional Legal and Compliance Team.

Contract performance: where your information is necessary to enter into or perform our
contract with you.

Legal obligation: where we need to use your information to comply with our legal obligations.

Legitimate interests: where we use your information to achieve a legitimate interest and our
reasons for using it outweigh any prejudice to your data protection rights.

Legal claims: where your information is necessary for us to defend, prosecute or make a claim
against you, us or a third party.

Employment legal obligations and rights: where our legal duties as employers necessitate
the processing.