As part of our customer and supplier due diligence , you may be asked to complete a Supplier Completion Form- Compliance, a Business Intermediary Due Diligence Request Form or a Due Diligence Questionnaire and provide associated information as a potential customer or supplier (“ Due Diligence Information”) to a company in the Moy Park and Pilgrims Group including Moy Park Limited, Kitchen Range Foods Limited, Pilgrim’s Pride Ltd, Pilgrim’s UK Lamb Limited, Pilgrim’s Shared Services Ltd, Pilgrim’s Food Master’s UK Limited, Pilgrim’s Food Masters Ireland Limited, Oakhouse Foods Limited, Rollover Limited, Albert Van Zoonen BV, Moy Park France SAS and Moy Park Beef Orleans SARL and their affiliated companies (each described as “ we/ the Company” individually and collectively as “the Group”).

The particular Group company that you are establishing a business relationship with will be the “Data Controller” and you will be the “Data Subject” as defined under EU and UK GDPR of any personal data you provide in response to the Due Diligence Information and in response to any other information provided to us as part of the Company customer and supplier set up process.

The Company will comply with our obligations under the relevant data protection laws, including the: (i) EU General Data Protection Regulation ((EU) 2016/679) (‘EU GDPR’; (ii) UK General Data Protection Regulation (as defined in The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) (‘UK GDPR’); and (iii) Data Protection Act 2018, and any subsequent legislation (together the ‘Data Protection Law’) when handling your personal data ( as defined by the Data Protection Law).

Overall responsibility for monitoring compliance with data protection sits with the Privacy Steering Group, the main contact of which is the Group Privacy Officer (who can be contacted at gpo@pilgrimssharedservices.com).

1. What information is being gathered and held?

Due Diligence Information that you have provided to the Company by completing the due diligence forms or as part of any associated tender or other pre-contract processes, communication, correspondence, or enquiries. We may also gather information about you from other third parties such as credit reference agencies and third party agencies that we use as part of our due diligence and compliance processes for example to screen against international sanctions lists and to complete appropriate due diligence in compliance with our Anti-Bribery and Anti-Corruption Policy and all applicable anti-bribery and anti-corruption laws and guidance. Occasionally we may sometimes collect additional information from publicly available sources, such as Companies House or publicly available internet and social media sites. To the extent that the information gathered falls into the category of personal data, this is collectively referred to as your personal data in the notice.

2. On what basis do we process your information?

The Due Diligence Information will be used by the Company to help achieve compliance with anti-corruption laws including the UK Bribery Act 2010 and the United States Foreign Corrupt Practices Act. The questions have been tailored to seek only information that is relevant to the Group’s anti-corruption compliance efforts. The lawful basis for processing this data is to comply with our legal obligations and for our legitimate business interests of the Company which include ensuring that we complete appropriate due diligence on customers and suppliers to ensure we comply with our internal compliance processes and policies, and we believe that these legitimate business interests are not incompatible with your rights and freedoms.

We will not normally process Special Category Personal Data or data relating to criminal offences save for in the following circumstances:

• you have provided us with the information with your explicit consent;
• where it is necessary to comply with our obligations under the law; or
• to enable us to meet our regulatory requirements relating to unlawful acts and dishonesty.

We will use information about you to determine your suitability to become an approved customer or supplier to the Company in compliance

with our legal obligations and internal compliance processes.

3. What happens if you fail to provide personal data?

The provision of any personal data as part of the Due Diligence Information is required for us to complete our customer and supplier due diligence processes prior to entering into a contract with you as a customer or supplier. You do not have to supply the information but a refusal to provide this personal data may prevent us from being able to process your enrolment onto our systems as a customer or supplier which may prevent us from entering into a contract with you.

4. Will you be subject to automated decision making?

Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention. You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so. Where your data is subjected to automated processing, we will inform you in advance.

5. Who will your personal data be disclosed to?

Your personal data will be accessed by authorised staff at the Company who need to have access to that information to complete customer and supplier due diligence checks which will include relevant members of the supply chain, finance, commercial, legal and compliance teams.

The Company utilises the services of Pilgrim’s Shared Services Ltd (PSSL) to provide IT, finance, supply chain and legal and compliance support and other key function services which means the Company shares your information with PSSL who are bound by terms of confidentiality and must meet the Company standards in regards data protection. PSSL will be acting as the data processor for the Company in this respect. We will also share your information as necessary with our UK based sister companies.

We may also have to share your data with third parties, including third-party service providers and other entities in the group or where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so. The following activities are carried out by third-party service providers:

• IT services;
• auditing;
• whistleblowing/ ethics helpline;
• lawyers in law firms in the course of obtaining legal advice and other professional advisors;
• company reference agencies and other background checks;
• responding to data subject access requests and data breaches; and
• with a regulator or to otherwise comply with the law.

We require third parties to respect the security of your data, to take appropriate security measures and to treat it in accordance with the law. We only permit third parties to process your personal data for specified purposes and in accordance with our instructions.

6. Will your personal data be transferred to third parties outside of the European Economic Area (EEA) or UK?

We may transfer the personal data we collect about you outside of the UK or EEA to a country that may have privacy protections less stringent than in the EEA or UK. For instance, we may transfer your personal data to our parent company, Pilgrim’s Pride Corporation (‘PPC’), and its majority shareholder, JBS USA, (both based in the United States of America) in order to complete due diligence checks on you and to report on our compliance with Anti-Bribery and Anti-Corruption laws or any related audit. We also use third-party processors to carry out due diligence and profile checks on potential customers and suppliers who are based in the United States of America.

In the absence of an adequacy decision from the EU Commission or UK Parliament, we will implement measures to ensure that your personal data receives an adequate level of protection, such as EU standard contractual clauses or UK International Data Transfer Agreement, together with technical and organisational safeguards to ensure that your personal data is treated in a way that is in compliance with and which respects the EU and UK laws on data protection. For further information, or to request copies, about the data transfer agreement or the safeguards in place please contact the Group Privacy Officer.

7. How long will we use your information for?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected the personal data for, including for the purposes of satisfying any legal, accounting, or reporting requirements. For further information, please see our Retention Guidelines available from the Group Privacy Officer.

For further information on how the Company uses, handles and stores your data and your rights as a data subject please see the Company general Privacy Notice available on the Company internet site, copies of which are available from the Group Privacy Officer.

If you have any concerns or queries about our use of your personal data, please contact the Group Privacy Officer at gpo@pilgrimssharedservices.com.