Data Protection Policy > Statement of Policy In the course of business, GKN deals with personal information about employees, customers, suppliers and business contacts. GKN is committed to ensuring that such personal information is treated with due respect for the privacy of the individual and is kept in secure conditions. Such information will only be retained for as long as is relevant to business requirements or to the interests of the individual to whom it relates. > General Principles 1. Each company must develop systems to manage personal information. The systems, whether relating to electronic or to manual processing of information, must comply with the general principles of this Policy and with the detailed requirements of any relevant local legislation. 2. All employees must deal with personal information which they receive in the course of their employment in compliance with the company systems and with the general principles of this Policy. 3. Personal information must only be obtained and/or retained where it is relevant to the pursuit of legitimate business objectives. 4. The use of such personal information must be in compliance with local legislative requirements. 5. Personal information must be kept in secure conditions, with due precautions to preserve confidentiality. These conditions must be maintained throughout the time the information is held and during its destruction or deletion. 6. Each company must have a nominated Data Controller, to whom queries about the processing of personal information should be addressed. On request from an individual to the Data Controller, the reasons for processing personal information and the type of information processed will be made known to the individual concerned. 7. Disclosure of identifiable personal information to other parties outside the GKN Group other than to fulfill legal obligations will only occur with the knowledge and consent of the individual to whom it relates. 8. Regular reviews of personal information held in each company must be carried out to ensure that such information is relevant, accurate and up to date. 9. All GKN companies and employees must comply with all document retention requirements under applicable laws and regulations and have in place suitable document management procedures relating to all forms of document and not confined to those containing personal information. Guidelines are attached as an Appendix to this Policy. This Policy must be read in conjunction with the GKN Code, the other GKN Policies and the requirements regarding their implementation. v1 – June 2006 -1- Appendix to Data Protection Policy Document Management Guidelines All Divisional Chief Executives are responsible for ensuring that suitable document management procedures are developed, either at Divisional or company level, relating to the retention or destruction of documents, including computer records and e-mail. > Guidelines 1. Procedures must be compatible with the legal requirements relating to the Division or company. 2. Procedures should be in writing and distributed to all employees. Periodic reminders as to the requirements should also be issued. 3. Procedures should specify that “document” covers all data held on electronic media as well as in hard copy and includes prior drafts of documents, e-mail messages, hand written notes and annotations. 4. Guidelines as to which documents should be retained and which should be discarded should be clear and include: • a list of documents which must be retained by law (for example, documents of incorporation, corporate registers, statutory returns and tax invoices) and any prescribed retention periods • a description of those documents which a company should keep to show that it is entitled to conduct its business and has title to its material assets (for example, shares, land, vehicles, intellectual property, etc.) • in relation to businesses operating within the Aerospace sector, any special requirements for documents with national or other security classifications or which are subject to specific industry requirements. 5. In relation to documents (or categories of documents) which may be discarded, procedures should state the period of time for which they should be retained prior to being discarded. 6. Procedures should include treatment of electronic copies of messages and documents. If paper documents are to be discarded, then copies on disk or back up tapes should be disposed of as well. The routine clearing of electronic documents such as e-mail, computer files and tape recordings should be encouraged. However, where it is necessary to keep paper records to comply with disclosure obligations in relation to litigation or enquiries of regulatory bodies, computerised versions should also be retained. 7. Ill considered comments (for example, hand-written notes on documents or by e-mail responses) should be discouraged as these can be ambiguous and may give rise to difficulties. 8. Procedures should encourage recipients of duplicated documents to destroy them as soon as the purpose for which they were distributed is accomplished on the basis that the author of the document would keep the original until that too may be discarded. v1 – June 2006 -2- Appendix to Data Protection Policy 9. Methods of destruction (for example, shredding or secure incineration of confidential documents) should be specified where appropriate. 10. Compliance with procedures should be monitored by key individuals within the Division or company as appropriate. At least one of these individuals should be fully conversant with the use of computerised records by the Division or company. > Requirements in the event of Legal Proceedings or Regulatory Investigations Irrespective of whether or not document management procedures have been implemented, when legal proceedings are brought by or against a Group company or it is to be investigated by a regulatory authority, all relevant employees should be informed immediately that documents (including those on electronic media) relevant to matters in dispute or under investigation are to be preserved pending further notice. > Practice The GKN Group Legal Department will be available to assist in the development of document management procedures either directly or by identifying suitable external advisers within the relevant jurisdiction. v1 – June 2006 -3-