DATA PROTECTION POLICY – MUZZY BBC Language Learning For Children

DATA PROTECTION POLICY

Person responsible: Benjamin Maddrell

Version number and date: Version 1, 24 May 2018

Next review date: May 2019

DATA PROTECTION POLICY

1 POLICY statement

1.1 This Data Protection Policy (“Policy”) sets forth the data processing, sharing and protection policies and practices of Growing Minds LLC (the “Company,” “we,” “us” or “our”). This Policy, together with the MUZZYBBC® and MUZZY123® Website Privacy Policy (“Privacy Policy”), is designed to ensure that the Company operates in compliance with applicable laws, rules and regulations including, without limitation, the General Data Protection Regulation of the EU (“GDPR,” and together with all other applicable laws, rules and regulations, the “Data Protection Laws”). The Data Protection Laws are designed to protect the use of individuals’ personal data and to provide them with certain rights regarding their personal data as same is held by third-party organisations.

1.2 The Company's Data Protection Officer (“DPO”) is responsible for ensuring that the Company complies with the Data Protection Laws and this Policy. The DPO is Benjamin Maddrell, who can be contacted at 917-292-8049 or at ben.maddrell@gmail.com. Any questions, concerns or notices regarding the Company’s data processing, sharing and/or protection policies and practices, including the interpretation or operation of this Policy, as well as any related complaints, should be addressed to the DPO.

1.3 The DPO will conduct a “data protection impact assessment” (as defined in the GDPR) for any new technology or personal data processing activity to be adopted by the Company, and ensure that such new technology or personal data processing activity, as applicable, fully complies with this Policy and all applicable Data Protection Laws.

1.4 This Policy is not part of any contract of employment with the Company and the Company may amend this Policy at any time. However, it is a condition of employment that employees adhere to this Policy at all times.

1.5 The Company holds and processes the personal data of consumers for the following purposes:

1.5.1 We process personal data to enable us to:

- provide foreign language tutorial products and/or services to our customers;

- maintain our accounts and records;

- promote our foreign language tutorial products and/or services;

- undertake research; and

- support and manage our employees.

2 Types of Data

2.1 There are two types of data that are protected under the Data Protection Laws: personal data and sensitive personal data.

2.2 Personal data is data that relates to a living individual who can be identified from that data or from that data together with other information which is in the possession of, or is likely to come into the control of, a data controller. Examples of personal data include name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural and/or social identity of a particular person. It also includes any expression of opinion concerning a person.

2.3 Sensitive personal data is personal data consisting of information as to:

2.3.1 Racial or ethnic origin;

2.3.1 Political opinions;

2.3.3 Religious or other similar philosophical beliefs;

2.3.4 Trade union membership;

2.3.5 Genetic or biometric data;

2.3.6 Physical or mental health or condition;

2.3.7 Sexual life and/or sexual orientation;

2.3.8 The commission or alleged commission of any offence; or

2.3.9 Criminal proceedings for any offense committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceeding.

2.4 There are more stringent restrictions for the processing of sensitive personal data under the Data Protection Laws. Although we will not ordinarily be acquiring sensitive personal data from our customers, if we do, then in all cases and subject to the provisions of the Data Protection Laws, sensitive personal data must not be processed without the consent of the data subject.

3 Acquisition and use of Personal Data

3.1 The Company needs to collect personal data from certain individuals and business entities in order to carry out its business of assisting individuals in obtaining foreign language tutorial products and/or services.

3.2 In the course of its business activities, the Company collects and uses personal data about:

3.2.1 Its employees, and the employees of its agents, associates and advertising partners;

3.2.2 The individuals who come into contact with the Company via its websites, or otherwise; and

3.2.3 Consumers who subscribe to receive information directly from the Company.

3.3 Where the Company uses personal data to contact individuals for marketing purposes, or where we provide personal data to third parties to use for marketing purposes, we will do so in compliance with the Data Protection Laws.

3.4 In addition, we may occasionally be required to collect and use certain types of personal data to comply with the requirements of applicable law. No matter how it is collected, recorded and/or used (e.g. on a computer or on paper), this personal data must be handled and used properly to ensure compliance with the Data Protection Laws.

3.5 The lawful and proper treatment of personal data by the Company is extremely important to the success of our business and in order to maintain the confidence of our employees and customers. All employees of the Company have a responsibility for ensuring that the Company respects personal data and deals with it in a lawful and correct manner.

3.6 Because we determine the purpose for which, and the manner in which, personal data is processed, the Company is considered a data controller under the GDPR.

4 Data Protection Principles

4.1 We support fully and comply with the following eight data protection principles:

4.1.1 Personal data shall be processed fairly and lawfully;

4.1.2 Personal data shall be obtained for one or more specific purpose(s) and strictly processed in a manner compatible with that or those purpose(s);

4.1.3 Personal data held must be adequate, relevant and not excessive;

4.1.4 Personal data must be accurate and kept up to date;

4.1.5 Personal data shall not be kept for longer than necessary;

4.1.6 Personal data shall be processed in accordance with the rights of data subjects;

4.1.7 Personal data must be kept secure; and

4.1.8 Personal data shall not be transferred to a country or territory outside of the European Economic Area (“EEA”) unless that country or territory ensures an adequate level of protection for the rights and freedoms of the data subjects in relation to the processing of personal data.

4.2 For guidance as to when personal data can be processed, please contact the DPO.

5 FAIR AND LAWFUL PROCESSING

5.1 Our employees, customers and any third parties whose data we acquire and process must be fully informed of the fair and lawful processing that the Company will undertake with respect to that data. We must ensure that they are provided with:

5.1.1 The identity of the data controller, i.e. the Company;

5.1.2 The purposes for which the data is intended to be processed; and

5.1.3 Any further information necessary to enable data processing in a fair way, for example, who the data may be disclosed or transferred to.

5.2 The Privacy Policy sets forth provisions describing the ways in which Company will process users’ personal data.

5.3 For personal data to be processed lawfully, certain conditions have to be met. These conditions may include, among other things, requirements that the data subject has consented to each specific processing activity, and that the processing is necessary for the legitimate interest of the data controller or the party to whom the data is disclosed. When sensitive personal data is being processed, different conditions must be met. In most cases, the data subject's explicit consent to the processing of sensitive personal data will be required.

5.4 In particular, consent must be expressly given, through a statement or clear affirmative action of the data subject. Silence, pre-checked boxes and inactivity are not sufficient means to obtain valid consent under the Data Protection Laws. Further, consent will not be deemed freely given under the Data Protection Laws where the consumer is not offered a genuine choice to refuse consent and still receive the underlying products/services. Data subjects must be informed of their right to withdraw consent, and Company must make available an easy, efficient way to do so. Records of consent must be maintained by the Company and provided to any applicable supervisory authority upon request.

6 PROCESSING FOR SPECIFIED PURPOSES

6.1 We will always have a clear reason for processing personal data and this reason will be communicated to the data subject, normally by:

6.1.1 The Privacy Policy;

6.1.2 Any notifications provided when a data subject uses the Company’s website; and

6.1.3 Any internal documents in relation to employees.

6.2 We are not permitted to collect personal data for one purpose and start to process it for a different purpose.

7 adequate, relevant and not excessive

7.1 Personal data will only be collected to the extent that it is required for the specific purpose(s) disclosed to data subjects. Any personal data which is not necessary for that purpose will not be collected in the first place. Personal data will only be processed in accordance with the limited purposes described above and will not be processed in a fashion that is excessive.

7.2 We will not collect personal data from a data subject on the off-chance that it may be needed in the future.

8 accurate data

8.1 Personal data will be accurate and kept up to date. Personal data that is incorrect or misleading is not accurate and steps will, therefore, be taken to check the accuracy of any personal data at the point of collection and at regular intervals thereafter.

8.2 In the context of its commercial marketing operations, the Company will work with its third-party marketing partners to ensure that personal data forming part of a marketing database/contact list is regularly checked and updated.

8.3 Personal data that is identified as out-of-date or inaccurate will be either updated or suppressed and destroyed.

9 data retention

9.1 Personal data will not be kept longer than is necessary for the purpose for which it was collected and/or processed. This means that personal data will be archived, and ultimately destroyed or erased from our systems, when it is no longer required.

9.2 For guidance on how long certain data is likely to be kept before being destroyed, please contact the DPO.

10 processing in accordance with the rights of data subjects

10.1 Personal data will be processed in accordance with the data subject's rights. Data subjects are entitled to:

10.1.1 Request access to a machine-readable copy of any personal data held about them by the Company (known as a data subject access request (“DSAR”);

10.1.2 Prevent the processing of their personal data for direct-marketing purposes;

10.1.3 Ask to have inaccurate personal data modified and/or amended;

10.1.4 Ask to have their personal data deleted from all Company servers, databases and other data storage media, as well as the servers, databases and other data storage media of any third party with whom Company shared such personal data;

10.1.5 Prevent processing that is likely to cause unwarranted substantial damage or distress to themselves or anyone else; and

10.1.6 Object to any decision that significantly affects them, where such decision is the result of an automated process with no human input.

10.2 A DSAR request must be made in writing. Therefore, if any Company employee receives an oral request, that employee should ask for it to be put in writing. Any written request for personal data from a data subject should be treated as a DSAR. If a Company employee receives a DSAR, that employee should pass it immediately to the DPO, who will deal with it appropriately or authorize the recipient to respond to it in accordance with this Policy. It is important that the request is passed to the DPO immediately as the Company is required by law to respond to a DSAR within forty (40) days.

Data Security

11.1 The Company must ensure that appropriate security measures are taken against unlawful or unauthorized processing of personal data, and against the accidental loss of, or damage to, personal data. Individuals may apply to the courts for compensation if they have suffered damage from such a loss.

11.2 The Data Protection Laws require the Company to put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Maintaining data security means guaranteeing the confidentiality, integrity and availability of personal data, defined as follows:

11.3 Confidentiality means that only people who are authorized to use personal data can access it.

11.4 Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.

11.5 Availability means that authorized users should be able to access personal data if they need it for authorized purposes. Personal data should, therefore, only be stored on the Company's central computer system and not on individual IT equipment (such as laptops).

11.6 The following measures are taken by the Company to protect its physical manifestations of personal data (i.e. printed paper documents) from unauthorized access:

11.6.1 When not required, the paper or files should be kept in a locked drawer or filing cabinet;

11.6.2 Employees should make sure paper and printouts are not left where unauthorized people could see them, such as on a printer; and

11.6.3 Data printouts should be shredded and disposed of securely when no longer required.

11.7 The following measures are taken by the Company to protect personal data that is stored on its IT systems so that unauthorized access does not occur:

11.7.1 All employees with computer access have their own user-id and passwords in order to log into the system. Within one (1) business day of the date that an employee is terminated, or voluntarily terminates employment with the Company, the user-id and password utilized by such employee shall be deactivated;

11.7.2 All passwords must be strong, changed regularly and never shared between employees;

11.7.3 Employees should always lock or log off their computer, laptop, iPad, tablet, mobile device or other electronic device when left unattended;

11.7.4 If personal data is stored on removable media (such as a CD, DVD or USB stick), these should be kept locked away securely when not being used;

11.7.5 Personal data should, at all times, be encrypted using a new version of Transport Layer Security (“TLS”) technology, not Secure Socket Layer (“SSL”) technology or older versions of TLS, including when such personal data is collected, distributed and/or stored;

11.7.6 Personal data should only be stored on designated drives and servers;

11.7.7

11.7.8 Personal data is backed up frequently. Those backups are regularly tested, in line with the Company’s standard backup procedures;

11.7.9 Personal data should never be saved directly to IT equipment (such as laptops). Personal data should always be stored centrally;

11.7.10 All servers and computers containing personal data are protected by approved security software and a firewall; and

11.7.11 Where appropriate, data must be encrypted before being transferred electronically. The ICT director/manager can explain how to send data to authorized external contacts.

11.8 Any stranger seen in entry-controlled areas should be reported.

11.9 The DPO will conduct an annual review and audit of the cyber security and physical security measures implemented by the Company, and update same, as applicable.

11.10 The DPO has established a comprehensive cyber security incident response plan, and regularly tests and updates same, as applicable, on an annual basis, or sooner if necessary.

11.11 The DPO has established policies/technology for detecting, responding to and reporting “personal data breaches,” which are defined under the GDPR as breaches of “security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” The DPO will regularly test and update these policies/technology, as applicable, on an annual basis, or sooner if necessary. The DPO will ensure that all personal data breaches are reported to the “supervisory authority” of each EU Member State in which a data subject involved in a personal data breach resides within seventy-two (72) hours of the applicable personal data breach.

11.12 The DPO has established business continuity/disaster recovery policies, and regularly tests and updates same on an annual basis, or sooner if necessary.

data transfer The Company will transfer personal data from the EEA to the United States. In order to ensure an adequate level of protection for data subjects’ personal data, the Company shall prevent personal data from being transferred outside of the EU unless specific protections are in place, specifically that either: (a) an “adequacy” decision by the European Commission that the country in question has adequate levels of data protection laws/infrastructure; or (b) the cross-border recipient has appropriate data safeguards in place and that adequate legal remedies are available to the data subjects. The Company will not transfer data outside of the EEA to a third party unless we have taken steps to ensure that any such transfer is done in compliance with: (a) the GDPR; and (b) any other applicable Data Protection Laws. disclosure to third parties Where we have obtained the necessary express opt-in consent as required under all applicable Data Protection Laws (including the GDPR), we may share personal data that we hold with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries. The Company may sell or disclose, under a licence, contacts/marketing lists to selected third parties, but only where proper consent (in strict compliance with all Data Protection Laws) was obtained from the data subjects that comprise the subject contacts/marketing lists. Employees may not inadvertently (or otherwise) disclose personal data to third parties, unless the Company expressly authorizes them to do so. Unless the data subject has provided express opt-in consent as required under all applicable Data Protection Laws (including the GDPR), the Company will not provide her/his personal data to third parties for marketing purposes. The Company shall ensure that any third party that it shares personal data with agrees, in a binding contract, to receive, maintain and process all such personal data in strict compliance with all Data Protection Laws. Further, the DPO shall conduct a reasonable inquiry into the data protection and compliance policies and practices of all such third parties to ensure that such third parties are suitable recipients of personal data from the Company. In addition, the Company shall ensure that all third parties that it shares personal data with agree, in binding contracts, to immediately respond to any DSAR that they receive from the Company and/or a data subject, and that they comply with the applicable DSAR – including, where applicable, by deleting the personal data of the applicable data subject from each such third party’s servers, databases and other data storage media. Any employee found to have disclosed personal data to anyone outside of the Company, selected third parties, or anyone other than the data subject her/himself, may face termination of employment. We are able to send electronic marketing messages (such as emails and text messages) to our customers if the customers have provided consent as required under applicable Data Protection Laws. In addition to obtaining consent to send marketing communications to our data subjects, we will always provide those data subjects with the opportunity to subsequently opt-out of marketing communications and to be removed from our mailing lists, and the mailing lists of any third party to which we transfer personal data. We do this by providing the opportunity to opt-out: (a) at the point at which the data is collected; (b) through unsubscribe options set forth in our marketing material and on our website; and (c) at any time by contacting us via email, telephone and/or mail. Where a data subject withdraws her/his consent or otherwise opts out of marketing and/or otherwise processing her/his personal data, her/his personal data will be added to a suppression list, archived and ultimately destroyed. We obtain separate express opt-in consent before passing personal data to third parties who will use the personal data for marketing purposes. The DPO should be consulted before electronic communications or other marketing messages are sent to data subjects. ip addresses and cookies We may collect information about the behaviour of visitors to our website. This may include, where available, IP addresses, operating system and browser types. The information we collect is statistical data about our users’ browsing actions and patterns, and does not identify, and cannot be used to identify, any individual. We use cookies (small electronic files that collect information when someone visits a website). We use required, functional and advertising cookies. Some cookies only exist while viewers are online (session cookies), but persistent cookies remain on the viewer's computer, so that he/she can be recognised as a previous visitor when he/she next visits our website. We provide all visitors to our website with information on the types of cookies we use and what we use them for. The visitor can then submit her/his cookie preferences. Without limiting the foregoing, we obtain separate consent from visitors to our website before we, or any third-party partner, use any cookies on our website that track the web browsing behaviour, actions and/or preferences of any of our visitors. This consent can be revoked by website visitors at any time via the cookie preference options made available on our website, or via email. Employee Obligations All employees will, through appropriate training and responsible management: Abide by the terms of this Policy, all forms of guidance, codes of practice and procedures about the collection and use of personal data; Understand fully the purposes for which the Company uses personal data; Collect and process appropriate personal data only in accordance with the purposes for which it is to be used by the Company to meet its business needs or legal requirements; Only access personal data that they require to carry out their jobs properly; Ensure that personal data is inputted correctly into the Company’s systems by following the Company's standard protocols and format; Take reasonable steps to ensure that personal data is kept as accurate and up to date as possible, including updating personal data as inaccuracies are discovered and confirming data subjects’ details when they call; Ensure that personal data is destroyed (in accordance with the provisions of the Data Protection Laws) when it is no longer required; Upon receipt of a request from an individual for personal data held about her/him by or on behalf of the Company, immediately notify the DPO; Upon discovery of any personal data breach, potential personal data breach or any security vulnerability, whatsoever, immediately notify the DPO of same; Deal with all personal data in accordance with the Company’s security procedures; and Complete the staff training program. Any breach of the Data Protection Laws and/or this Policy shall be viewed as gross misconduct and may lead to termination of employment. COMPANY OBLIGATIONS The Company will: Ensure that there is always one person with ultimate responsibility for data protection – the DPO. Currently this position is held by Benjamin Maddrell, who can be contacted at 917-292-8049 or at ben.maddrell@gmail.com. Provide training for all staff members who handle personal data (if an employee is unsure of her or his responsibilities, she or he should notify the DPO who will consider whether further training is necessary); Provide clear lines of reporting and supervision for compliance with all applicable Data Protection Laws; Carry out regular checks to monitor and assess new processing of personal data; Undertake suitable and sufficient monitoring, including spot checks without notice, to ensure that the Data Protection Laws and this Policy are being complied with by the Company and all its employees; and Review and update this Policy as necessary, at least annually. the importance of compliance Where the Company fails to comply with the GDPR, the applicable supervisory authorities may impose: (a) administrative fines on Company in an amount equal to the greater of €20,000,000.00, or up to 4% of the Company’s total worldwide annual revenue of the preceding financial year; and (b) such other remedies as the supervisory authorities may adopt from time-to-time. Data subjects may bring an action against the Company seeking compensation for damages and/or distress suffered as a result of a breach of the GDPR or other Data Protection Laws by the Company with respect to their personal data.