Personal Data Protection Policy

Halcyon Agri Corporation Limited is committed to keeping all your personal information secure. We take the protection of your privacy and the confidentiality of your personal information very seriously, and we process personal information in compliance with all applicable data protection laws and regulations. This Privacy Policy explains how we collect, use and look after your personal information.

DATA CONTROLLER

The Personal Data collected by this website and your interaction with the HAC Group is collected by Halcyon Agri Corporation Limited (“HAC”) who acts as the Data Controller. This means that HAC is responsible for deciding how we hold and use your Personal Data. You should be aware that even though HAC is principally responsible for looking after your Personal Data, such information may be shared within the HAC Group for the purposes as described in this Privacy Policy. When using your Personal Data, each member of the HAC Group will comply with the standards as set out in this Privacy Policy.

DEFINITIONS

We use the following definitions in this Privacy Policy:

“HAC Group”, “we”, “us” or “our” means HAC and its subsidiaries (including Corrie MacColl Limited).

“Personal Data” means any data relating to an individual who can be identified from that data, or from that data and other information which we have or are likely to have access to (and includes information which our representatives or service providers have). In addition to factual information, it also includes any expression of opinion about an individual, and any indication of our intentions (or the intentions of any other person) in relation to such an individual.

HOW WE COLLECT PERSONAL DATA

3.1 These are some of the ways in which we collect Personal Data:

(a)	information we receive when you contact us through our website by filling in and submitting the Enquiry Form;
(b)	information we receive when you subscribe to our mailing list;
(c)	if you are a customer or potential customer, information obtained by us through our business dealings;
(d)	if you are a shareholder, information provided by you in connection with your shareholding; and
(e)	if you are a shareholder, information provided by you in connection with your shareholding; and

TYPES OF PERSONAL DATA WE COLLECT

4.1 These are the types of Personal Data that we collect:

(a)

Information that you provide to us. The nature of your relationship with us, and the kind of communication that you request from us, will determine the type of Personal Data we may ask for. For example, if you contact us through our website by submitting the Enquiry Form, or if you subscribe to our mailing list, we will ask you to provide your email address, first and last names, job title, name of the company you work for, and the country where you are based. If you are interested in joining our team, we may ask for your education and employment history.

(b)

Information that is passively or automatically collected when you visit our website. Such information includes how you arrive at our website, the type of browser and operating system you are using, your IP address, and your clickstream and timestamp information (e.g. the pages you have viewed, the time at which such pages were accessed, and the amount of time spent per page).

HOW WE USE PERSONAL DATA

5.1 Personal Data may be stored and used by us for the following purposes:

(a)	where we have obtained your specific consent;
(b)	if you have subscribed to our mailing list, to send you marketing communications (e.g. press releases, sustainability reports, quarterly reports, annual reports and other publications which we think may be of interest to you);
(c)	if you are a customer or potential customer, to administer and manage our business relationship (including performance of any legal agreement between us);
(d)	if you are a shareholder, to keep in touch with you in connection with your shareholding;
(e)	if you are a job applicant, to assess your suitability for a career opportunity in which you have expressed interest; and
(f)	to comply with applicable laws and regulations.

5.2 However we use Personal Data, we make sure that such use is lawful. The law allows or requires us to use Personal Data for various reasons. These include:

(a)	where we need to perform our contractual obligations;
(b)	where we have legal or regulatory obligations to discharge;
(c)	where we are required to do so under legal proceedings; and
(d)	where the use of Personal Data is necessary to pursue our legitimate interests, such as (by way of a non-exhaustive list):

(i)	to detect and prevent fraud and other potentially illegal activities;
(ii)	to protect our network and information security (e.g. prevention of personal data breaches and cyber-attacks);
(iii)	to establish, exercise or defend our legal rights; and
(vi)	to conduct analytics on our website traffic, e.g. pages and links clicked, patterns of navigation, time spent at a page, devices used, location of users, etc.

5.3 Some of these grounds for using Personal Data may overlap and there could be several grounds which justify our use of Personal Data.

5.4 We will take steps to ensure that Personal Data is accessed only by employees who have a need to do so for the purposes as described in this Privacy Policy. They are subject to a duty of confidentiality and will only use Personal Data in accordance with our instructions.

DISCLOSURE OF DATA TO THIRD PARTIES

6.1 We may share Personal Data within the HAC Group for the purposes as described in this Privacy Policy.

6.2 We may also share Personal Data outside of the HAC Group for the following purposes:

(a)	with third parties whom we have engaged to provide services to us (e.g. administrative, audit, logistics, information technology and research services). These third parties will be bound by appropriate data protection obligations and they will only use and process Personal Data on our behalf in accordance with our instructions and for the purposes as described in this Privacy Policy (and not for their own purposes);
(b)	where we are required under law or regulation to disclose Personal Data; this may include (by way of a non-exhaustive list) disclosure in response to a court order, or release of information to a government authority, regulator or law enforcement agency;
(c)	to the extent mandated by law for the protection of our legitimate interests; and
(d)	in the event that our business is sold or integrated with another business, Personal Data may be disclosed to the prospective buyer and its advisors (who will be bound by appropriate data protection obligations), and will be passed to the new owner when it acquires the business.

6.3 Please be assured that we will not sell, rent or give away your Personal Data to third parties for commercial purposes without your consent.

INTERNATIONAL TRANSFER OF PERSONAL DATA

7.1 HAC Group is a global business. Our customers and operations are located around the world. This means Personal Data is collected on a global basis, and may be transferred to locations outside of the country where it is collected.

7.2 We will always ensure that any international transfer of Personal Data is consistent with legal and regulatory requirements, e.g. (by way of a non-exhaustive list):

(a)	where Personal Data is transferred to a country outside of the European Economic Area (“EEA”), such country is recognised by the European Commission as providing an adequate level of protection for Personal Data;
(b)	where Personal Data needs to be transferred to a recipient based in a country outside of the EEA which is not recognised by the European Commission as providing an adequate level of protection for Personal Data, we will require such recipient to be bound by standard contractual clauses which are approved by the European Commission for the protection of Personal Data;
(c)	where Personal Data is transferred from within the European Union to the United States, the recipient is a certified participant in the EU-U.S. Privacy Shield Framework; and
(d)	where Personal Data is shared internationally within the HAC Group, such transfer is subject to Binding Corporate Rules which adequately safeguards the protection of privacy.

HOW LONG WE KEEP PERSONAL DATA

8.1 We will retain Personal Data for only as long as is reasonably necessary for the purposes as described in this Privacy Policy.

8.2 In some circumstances, however, legal or regulatory requirements may obligate us to retain Personal Data for a longer period of time.

YOUR RIGHTS

9.1 You have the following rights in relation to your Personal Data:

(a)	require us to provide information regarding your Personal Data, e.g. give you a copy of the Personal Data about you that we hold, let you know where we got your Personal Data, how we use your Personal Data, what we use it for, who we disclose it to, whether we transfer it to another country (and where), how we protect it and how long we keep it for (if such information is not already provided in this Privacy Policy);
(b)	require us to rectify your Personal Data if it is inaccurate or incomplete; we may seek to verify any new information provided by you before we rectify our existing records;
(c)	where the use of your Personal Data is based on your consent (see section 5.1(a)), you can withdraw your consent at any time; however, please note that we may still be entitled to use your Personal Data if we have another legitimate reason to do so, e.g. for a purpose as described in section 5.2;
(d)	where the use of your Personal Data is based on our legitimate interests (see section 5.2(d)), you can object to such use if you believe your fundamental rights and freedoms outweigh our legitimate interests; however, there may be circumstances where we have a legal basis to deny your request;
(e)	require us to delete your Personal Data, but only where:

(i)	you have withdrawn your consent for us to use your Personal Data (where the use of your Personal Data is based on your consent) (see section 5.1(a));
(ii)	it is no longer needed for the purpose for which it was collected;
(iii)	you have successfully objected to the use of your Personal Data (see section 9.1(d)); or
(vi)	we are required by law or regulation to do so.

However, we are not obliged to comply with your request to delete your Personal Data if we are legally entitled to retain it, e.g. for a purpose as described in section 5.2;

(f)	require us to retain but not use your Personal Data; note, however, that this right is only available to you where:

(i)	you dispute its accuracy, and we are verifying it (see section 9.1(b));
(ii)	its use is unlawful, but you do not want us to delete it;
(iii)	it is no longer needed for the purpose for which it was collected, but we still need it to establish, exercise or defend our legal rights; or
(vi)	you have raised your objection to the use of your Personal Data, and we are verifying whether we have a legal basis to deny your request (see section 9.1(d)).

Nonetheless, we are legally entitled to continue to use your Personal Data following a request by you not to use it, where:

(i)	we have your consent;
(ii)	we need to do so in order to establish, exercise or defend our legal rights; or
(iii)	we need to do so in order to protect the rights of another natural or legal person;

(g)	where you have given us your Personal Data, require us to provide such data to you in a structured, commonly used and machine-readable format, or transmit such data to a third party where this is technically feasible; note, however, that this right is only available to you where:

(i)	the legal basis for processing your Personal Data is either your consent or the performance of a contract with you; and
(ii)	such processing is carried out by us using automated means (i.e. excluding paper files);

(h)	where your Personal Data is transferred outside of the EEA, require us to provide information on the safeguards under which such information is shared; and
(i)	to lodge a complaint with your national data protection supervisory authority about how we use your Personal Data; we ask that you please speak with us first to resolve any issues, but you have the right to contact your national supervisory authority at any time if you wish to do so.

9.2 To exercise your rights, you may contact us at any time using the contact details provided in section 10. We may need to ask you for proof of identity when you contact us, so that we can be sure that your Personal Data is not disclosed to any person who has no right to receive it.

CONTACT DETAILS

10.1 If you have any questions regarding this Privacy Policy, or if you wish to unsubscribe from our mailing list at any time, please contact us at:

CORRIE MACCOLL LIMITED
Bishopsgate House 5-7
Folgate Street London E1 6BX
UNITED KINGDOM
Email: corporate@halcyonagri.com

10.2 The person above is also our Data Protection Officer for the purposes of the Singapore Personal Data Protection Act 2012,

10.3 If you have any concerns about how we use your Personal Data, please contact us in the first instance and we will do our best to address your concerns as quickly as possible. You may also lodge a complaint with your national data protection supervisory authority at any time if you wish to do so (see section 9.1(i)).

UPDATES

11.1 From time to time, we may update this Privacy Policy to take into account new legal requirements, advancements in information technology, or changes in the way we operate our business. We invite you to review our Privacy Policy from time to time so that you will always know what personal information we collect, how we collect it, how we use it and who we share it with.

11.2 This Privacy Policy was last updated on 25 May 2018.

Key Principles	Criteria
Security Controls	Comprehensive security measures implemented to ensure a controlled work environment and to minimise risk to our people and property
Security Certification	Over 120-point checklist covering container, trailer and unit loading device security, physical access controls, personnel and procedural security, physical & IT security, and emergency preparedness and disaster recovery. All LATEXPRO factories adopt the United States Customs & Trade Partnership Against Terrorism (C-TPAT) standards.

Key Principles	Criteria
Monitoring and Mitigating Key Impacts	Key resource usage and social impact metrics regularly monitored and published annually Complete review of biodiversity and social aspects and impacts periodically
Social Responsibility	Adopt ISO 26000 standards Address human rights, labour practices and fair operating practices in our operations testing facilities and qualified laboratory staff
Social Investment	Extensive social investment programmes are conducted to benefit local communities categorised under HEVEALEARN, HEVEAGROW, HEVEASPORTS, HEVEAHEALTH, HEVEABUILD, HEVEASAFE and HEVEALIFE

Key Principles	Criteria
Tapping and Field Latex	Field tappers’ safety Field latex transportation and emergency response Chemical handling and storage in field
Concentrated Latex Processing, Handling & Storage and Shipping	Centrifuge systems operations and maintenance Sampling and chemical addition procedures Bulking tanks and pressure vessels operations and maintenance Confined space work in tanks and vessels Loading and inspection of containers
Laboratory & Chemical Handling	Chemical handling, preparation and storage Chemical Spill Emergency Response
EHS Management System	Health assessments and personal protective equipment (PPE) issuance Factory emergency response and preparedness ISO 45001 and ISO 14001 Standards• Confined space work in tanks and vessels Stringent effluent and waste management procedures

Key Principles	Criteria
Quality of Raw Material	Control of tapping equipment cleanliness Field latex preservation standards Management of field latex collection and transport to factories Strict testing of field latex prior to processing
Quality of Process	Detailed start-up procedures for centrifuges High factory performance in QA audit Each LATEXPRO factory must have accredited laboratory testing facilities and qualified laboratory staff
Quality of Management	ISO 9001 certification Effective implementation of LATEXPRO Quality Masterplan

Key Principles	Criteria
Security Controls	Comprehensive security measures implemented to ensure a controlled work environment and to minimise risk to our people and property
Security Certification	Over 100 point checklist covering container, trailer and unit loading device security, physical access controls, personnel and procedural security, physical & IT security and emergency preparedness / disaster recovery Selected HEVEAPRO factories to be certified to the United States Customs & Trade Partnership Against Terrorism (C-TPAT)

Key Principles	Criteria
Environment	Key metrics regularly monitored and published annually Complete review of environmental aspects and impacts bi-anually ISO 14001 certification
CSR Policies and Reporting	Implemented in 2017, incorporating key elements of ISO 26000 standards. I67-question checklist covering human rights, labour practices, fair operating practices and social investments Publication of sustainability report in accordance with Global Reporting Initiative (GRI) framework
Social Investment Programmes	Extensive social investment programmes are conducted to benefit local communities categorised under HEVEALearn, HEVEAGrow, HEVEASports, HEVEAHealth, HEVEABuild, HEVEASafe and HEVEALife

Key Principles	Criteria
Monitoring and Control	Target of zero accidents Key metrics regularly monitored and published annually Complete review of risk assessments bi-annually Quarterly audits
Management	OHSAS 18001 certification Annual training conducted at each factory Dedicated health and safety officers

Key Principles	Criteria
Quality of Product	Statistical Process Control implemented and audited High performance benchmarks in laboratory tests on key natural rubber properties High performance in QA product audit programme
Quality of Factory	High factory performance in QA audit Each HEVEAPRO factory must have accredited laboratory testing facilities and qualiﬁed laboratory staff
Quality of Management	Effective implementation of HEVEAPRO Quality Masterplan ISO 9001 certiﬁcation

Key Principles	Criteria
Global Presence	Global Management Procurement offices in Southeast Asia Distribution offices across Asia, Europe and North America Centralised Head of Logistics
Logistical Assets	Land tank facilities in Europe and North America
Terminal Handling	Effective procedures implemented to provide temperature control, appropriate agitation and safeguards against contamination

Key Principles	Criteria
Certified Team	ISO 9001 certified Leadership roles held in regulatory organisations
Technical Expertise	Procurement specialists Centralised Head of Technology

Key Principles	Criteria
International Standards and Certification	Products adhere to ISO 2004 or ASTM D1076 international standards Factories monitored with periodic audits
Customised Products	Team collaboration with latex producers to produce customised products
Testing	Colloidal tests conducted at loading and unloading stages In-house accredited laboratory facilities in Europe and North America, with qualified laboratory staff Independent tests conducted at accredited third-party laboratories