Privacy & Cookies

Algeos is committed to complying with all applicable data protection and privacy legislation when collecting and using personal data of customers, colleagues and others. In summary, this means we:

(i) keep personal data secure and protected against unauthorisedaccess or disclosures;

(ii) handle personal data in a fair and transparent manner; and

(iii) respect the privacy and data protection rights of individuals.

This policy applies to all data subjects (e.g., customers, employees, suppliers) and our data processing activities.

Your Personal Data is important to us!

As a wholesale business with customers and colleagues throughout the UK and overseas, Algeos collects and handles large volumes of personal data. This is necessary for us to run our business, including managing employees, keeping our customers safe and trading online.

Effective use of personal data is particularly important to ensure we offer and supply products which best meet our customers’ needs as a data driven, digital business. We recognise that whilst personal data is a critical business asset, we must utiliseit in a way which respects individuals’ rights and complies with our legal duties.

Algeos is committed to complying with all applicable data protection laws including:

UK General Data Protection Regulation; and

Data Protection Act 2018

Algeos regularly reviews guidance issued by the UK’s data protection regulator, the Information Commissioner’s Office (ICO), to ensure we stay aligned with the latest compliance requirements.

Any breach of our legal obligations can have very serious consequences including:

exposing customers and colleagues to damage and distress;

enforcement action and high value fines being imposed; and

loss of customer goodwill and trust.

Duties and Responsibilities

Colleague responsibilities

All colleagues have a personal responsibility to help Algeos comply with Data Protection and Privacy laws. Colleagues must comply with data protection policies, and ensure they complete mandatory data protection training each year.

Our data protection policies provide clear guidance on how personal data must be treated, identifies key do’s and don’ts, and contains information about where to get further advice and how to report or escalate issues. We expect all colleagues to comply with our Acceptable Use Policy which sets out the rules on appropriate and safe use of Algeos systems and/or devices.

Data Protection Officer

Algeos have appointed a Data Protection Officer (DPO) who is principally responsible for ensuring that appropriate compliance controls and procedures are in place.

The DPO is also responsible for responding to requests by customers, employees and other individuals exercising their data protection rights.

The DPO works closely with our Systems and Cyber Security teams to ensure appropriate data security controls are applied to personal data.

Transparency and fair processing

To comply with our duties to process personal data in a fair and transparent manner, and comply with individuals’ rights, we provide appropriate data privacy notices explaining how personal data is used by Algeos.

Our company Privacy Policy can be viewed on our customer website: https://www.algeosacademy.com/privacy

Suppliers and service providers

We require any supplier, service provider or other third party that may process personal data on behalf of Algeos (defined as a “data processor”) to enter into a contract which includes appropriate data protection provisions. This includes the legal clauses required under the GDPR as well as more detailed data security obligations where appropriate.

Information Security Management

Our Cyber Security team operate to maintain appropriate data security controls for personal data and the systems in which it is held. This includes monitoring and assessing threats and responding to attempted attacks on our systems. We have procedures in place to manage data security incidents appropriately, including making appropriate notifications to regulators where required.

Compliance

All colleagues must comply with the relevant data protection and security policies and any failure to do so will be treated seriously. Non-compliance may result in disciplinary procedures.
We monitor compliance using a range of measures including:

• Training completion statistics
• Complaints by customers, employees and others
• Investigations by the ICO
• Queries and requests for advice
• Assurance activities undertaken by our Compliance Manager, including conducting Data Protection Impact Assessments which identify risks and mitigating actions.

Lawful Bases for Processing Personal Data

We process personal data only where there is a lawful basis to do so, as defined under Article 6 of the UK General Data Protection Regulation (UK GDPR). These lawful bases include:

• Consent; where individuals have given clear permission for us to process their personal data for a specific purpose.
• Contract; where processing is necessary to fulfil a contract we have with the individual, or to take steps at their request before entering into a contract.
• Legal Obligation; where processing is necessary to comply with a legal requirement.
• Legitimate Interests; where processing is necessary for our legitimate business interests, provided these are not overridden by the individual’s rights and freedoms.

We ensure that the appropriate lawful basis is identified and documented for each processing activity.

Data Subject Rights

Under UK GDPR, individuals have a range of rights in relation to their personal data. These include:

• Right of Access; to request a copy of the personal data we hold.
• Right to Rectification; to correct inaccurate or incomplete data.
• Right to Erasure; to request deletion of personal data where appropriate.
• Right to Restrict Processing; to limit how we use personal data in certain circumstances.
• Right to Data Portability; to receive personal data in a structured, commonly used format and transfer it to another controller.
• Right to Object; to object to processing based on legitimate interests or direct marketing.

Requests to exercise these rights can be submitted to our Data Protection Officer at: dpo@algeos.com

Data Retention and Minimisation

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, and in line with applicable legal and regulatory requirements. We apply the principle of data minimisation by ensuring that only the personal data required for specific purposes is collected and processed.

Regular reviews are conducted to ensure data is not held longer than needed, full details of our retention practices are documented in our Data Retention Policy statement available upon request.

International Data Transfers

At present, Algeos do not transfer personal data outside of the United Kingdom.
Should this change in the future, we will ensure that any international transfers are carried out in full compliance with UK data protection laws. This includes implementing appropriate safeguards such as adequacy decisions, Standard Contractual Clauses approved by the Information Commissioner’s Office, or other lawful mechanisms to protect the rights and freedoms of individuals.

Reporting and Queries

If you have data protection queries, concerns or need advice, please contact our Data Protection Officer: dpo@algeos.com.
If you believe there has been a breach of data security that has led to unauthorised access to, or loss of, personal data held in our systems, or in systems managed on our behalf by third parties, you can report the incident directly to the Information Commissioner’s Office (ICO), the UK’s data protection regulator: https://ico.org.uk/global/contact-us

This policy is subject to review annually.
7th July 2025