Industrial Info Resources (IIR) Privacy Notice

The General Data Protection Regulation, otherwise known as the 2018 Data Protection Act came into effect from 25 May 2018. It sets out a series of new EU laws concerning how data is processed and used. The objective of the regulation is to strengthen and standardize data protection laws for all EU citizens. These regulations will apply to any organization that controls and/or processes data on behalf of an individual or group of individuals. Those responsible for adhering to these regulations include IIR employees, contractors, consultants, agents and third parties who have access to data either directly or indirectly.

Industrial Info Resources, Inc collects information on corporate industrial activity around the world (also known as IIR and including our brand name GMT).

IIR's mission is to connect the world's industrial professionals to allow them to be more productive and successful. Central to this mission is our commitment to be transparent about the data we collect about you, how it is used and with whom it is shared. This Privacy Policy sets out how we collect and use information.

We share your information within the IIR Group to help us provide our services, comply with regulatory and legal requirements, and improve our products and services.

We have a fully trained and resourced team supporting our Data Compliance objectives for Europe which we refer to as data champions within the organisation.

For any data compliance related query or assistance for further information in relation to EU data matters you can contact them as follows:

• E-mail: EUdataprivacy@industrialinfo.com
• Address: Parkmore East, Parkmore, Galway, H91 R2E9, Ireland
• Phone Number: 091 700 500

We collect information from a wide variety of sources including, but not limited to, business cards, trade shows, phone calls, public information and government filings, common contacts, information received from your employer, and web sites. Business contact information including limited personal information, such as job title, name, business phone number, business address, and business email address, may be collected in the course of our research on corporate industrial activity and information in the public domain.

We also collect information through our website, apps, social media, discussion forums, market research and our CCTV footage.

We currently collect and process the following information:

When you become an Industrialinfo.com member you provide your name, address, telephone number, email address, a unique login name, password, and password validation. This information is collected on the registration form for several reasons including: (i) personal identification; (ii) to allow us to contact you for customer service, if necessary; (iii) to customize the content of our site to meet your specific needs; and (iv) to make product improvements to Industrialinfo.com. In addition, your email address is collected to send you an email message confirming your new registration and each transaction online. As a member you will occasionally receive updates from us about sales, special offers and other noteworthy news items. However, you may always opt out of receiving these email messages at any time.

Our research agents collect and validate business information across the world which includes, Contact Names, Job Title, Plant and Maintenance Manager data, Plant Location Address, Number of employees, Years in operation, Industry sector, Energy source, Email and Contact telephone number.

Since 1983, we have been helping companies like yours with the most accurate and timely project and plant spending intelligence, and access to relevant products and services, based on the highest quality-assurance standards in the industry. Our core value is our ability to reduce the time it takes you to qualify project opportunities and to provide access for relevant products and services. Occasionally, Industrialinfo.com will hire a third party to act on our behalf for projects such as market research surveys or contest entry processing and will provide information to these third parties specifically for use in connection with these projects. The information we provide to such third parties is protected by a confidentiality agreement and is used solely for completing the specific project.

We use information about you:

• To enable IIR to provide relevant products and services;
• To enable IIR customers /licensees to make better decisions and or to send you Direct Marketing information that is relevant to your industry and or contact profile.
• To identify ways we can improve our products and services;
• To maintain and monitor your products and services;
• To protect your interests; and
• To decide and recommend how our products and services might be suitable for you and licensees to our research and information platform who may contact you directly with information relevant to your industry or job title based on your data profile.
• To provide our products and services under the terms and conditions we agree between us, we need to collect and use personal information about you. If you do not provide this personal information, we may not be able to provide you with access to relevant products and services.

We analyse the information that we collect on you through your use of our products and services, on our social media, websites and data collected and validated by our research team. This helps us understand your behaviour and how we interact with you. Examples of how we use this information include helping deliver market impact studies, research reports and notify you of events relevant to your industry and relevant to your job title and or plant type. In addition the information we collect assist us in personalising your experience with our organisation.

All of our processing is supported by a lawful basis, in order to meet our legal and regulatory obligations under current EU data compliance legislation.

Members can choose to provide Industrialinfo.com with certain preferences, credit card billing information, delivery address and other personal information. This information is primarily used to assist members in seeing news and making purchases quickly without having to type in the same information repeatedly.

"Cookies" are small pieces of information that are stored by your browser on your computer's hard drive. Industrialinfo.com uses cookies in several ways. We use cookies to allow you to login without having to type your login name each time. Instead, only your password is needed to access the system. We also use cookies to track usage of the "Guest" path and to serve advertisements through our advertising networks. Most Web browsers automatically accept cookies, but if you prefer, you can edit your browser options to block them in the future.

We also use cookies and similar technologies on the website to personalize and optimise your browsing experience and the website. A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server. Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.

There are various cookie formats as follows:

• Essential Cookies: Allow us to recognize your device to help you navigate efficiently to obtain the information and services you have requested.
• Analytical and Customization Cookies: Allow our site to remember your preferences such as language selection, and help you to view information that is most relevant to your interests; these cookies also help us to maintain and improve our websites by providing information on how visitors find and use the sites, and how well the sites are performing.
• Marketing Cookies: The intention of marketing cookies is for us and our advertising partners to show you more relevant advertising across the internet based on your use of our site.

To change or update your cookie preferences please email EUdataprivacy@industrialinfo.com

Industrialinfo.com occasionally sponsors contests to give members the opportunity to win great prizes and information. Information collected by Industrialinfo.com for such contests can include contact information and survey questions. Contact information is used to notify contest winners and survey information is used to develop promotions and product improvements to Industrialinfo.com.

Industrialinfo.com values opinions and comments from members, so we sometimes conduct online surveys. These surveys are entirely optional for all members. Typically, the information is aggregated and used to make improvements to Industrialinfo.com and to develop appealing content, features and promotions for members.

Industrialinfo.com collects IP addresses to help diagnose problems with our servers and for system administration.

To use your information lawfully, we rely on one or more of the following legal bases:

• performance of a contract;
• legal obligation;
• our legitimate interests;
• your consent;
• protecting the vital interests of you or others; and
• public interest.

To help you better understand where these lawful bases may apply, these are some examples for each lawful basis. In some cases, the same information is processed under more than one lawful basis:

Lawful basis
Examples of what we use your information for:

• Performance of a contract — Processing your information is necessary for us to provide your products and services.
• We process your information to identify and authenticate you to use our products and services.
• Maintaining and monitoring your products and services.

Legal obligation
Examples of what we use your information for:

• We must process this information to comply with our legal obligations.
• Identify and authenticate our customers
• We may share your information with third parties when performing these checks.

Legitimate interest means the interests of the IIR Group of companies in conducting and managing our business when providing products and services. The core legitimate interests of the IIR Group are to provide the best customer service, introduce innovative products and services, and to protect our customers, employees and shareholders.

We will always assess whether the legitimate interest of IIR will adversely impact the rights and freedoms of the data subject prior to processing. We implement safeguards to ensure that the processing remains fair and balanced. We have produced an internal legitimate interest process based on Article 6(1)(f) of the GDPR which focuses on three key areas.

Our Risk Assessment to use Legitimate Interest to process data includes:

• The Purpose test
• The Necessity test
• The Balancing test

We process contact information you provide based on legitimate interest to include: contact name, job title, plant location address, number of employees, industry sector, contact email address, and contact landline telephone number.

Our risk assessments help us understand what information we need, our business requirements, the impact on our customers and employees, alternative options for processing and how long we hold the information for.

We may share information with our licensees who may contact you directly based on processing your data using Legitimate Interest as the basis for data processing subject to strict data usage policies which we include in our terms and conditions with our licensees.

We may share data with third parties where there is a legal requirement to do so or there is a public interest requirement. We may share your data with a third party where we need to carry out a credit check process or other legal requirements by our industry regulators.

Your data processing under legitimate interest can be withdrawn at any time by contacting our data compliance team as mentioned above.

We require your consent for processing certain contact information such as special category data as defined by the GDPR.

We ensure your consent is obtained under the following principles:

• Positive Action: Clear affirmative action is required. We will no longer use pre-ticked boxes, imply or assume consent in the event of no positive action from you.
• Free will: Your consent must be freely given and not influenced by external factors.
• Specific: We will be clear on what exactly we are asking your consent for.
• Recorded: We will keep a record of your consent and how we got it.
• Can be withdrawn at any time: We will stop data processing that requires your consent at any time you make a valid request. You can withdraw your consent at any time.

Special Categories of Personal Data is information relating to:

• Racial or ethical origin, political opinions or religious or philosophical beliefs
• Trade union membership
• Biometric data (we may collect voice, facial or fingerprint information to identify data subjects)
• Physical or mental health
• Sexual life/orientation
• Genetic data

Sharing information to protect you
In some instances where we are concerned about your health and safety, we may share information to protect you and others. This may include where we suspect that you, or others, may become a victim of crime. In these cases, we may share information with third parties to help ensure your safety and the safety of others.

Public interest

Prevention of fraud
We may share personal data under the public interest basis in relation to prevention of fraud. We may share information with third parties to reduce fraud risk and protect the public from financial loss.

We may disclose your personal data to any member of our group of companies insofar as reasonably necessary for the purposes, and on the legal bases, set out in this policy. We may disclose your personal data to our suppliers or subcontractors insofar as reasonably necessary. We may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your personal data where such disclosure is necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. Data may be processed for the purposes of managing our relationships with customers, communicating with customers, keeping records of those communications, and promoting and delivering our products and services to customers.

Where we share data with a customer or licensee of IIR data, we consider that the customer, in its capacity as a licensee of the Database, act as an independent controller in respect of any processing that it conducts in respect of the personal data in the Database for its own purposes. For example, the customer is an independent controller in respect of any direct marketing that it conducts using contact information in the Database without the involvement of IIR. In this regard, IIR make this clear in both this privacy statement and in our terms and conditions with the customer of IIR that they may have their own obligations under data protection and ePrivacy law and must also take into account any additional data compliance regulations in their local jurisdiction.

The data that we collect, and process may be transferred to, and stored at a destination inside and or outside the European Economic Area ("EEA"). It may also be processed by staff operating outside the EEA who work for us. Such staff may be engaged in, among other things, the fulfilment of your orders, the processing of your payment details and the provision of support services. In particular, your data may be accessible to our staff outside the EEA or it may be stored outside the EEA. Our entire data processing system is designed to help safeguard your privacy rights and we maintain data processing agreements with all external subcontractors to ensure your data is safeguarded to the same standards as the GDPR regardless of the geo location the data is processed. If you would like further information, you may, at any time, contact us using the contact details provided at the bottom of this Privacy Policy.

Under data protection law, you have rights including:

Your right of access: You have the right to ask us for copies of your personal information.

Access to Your Information: At any time, you can view and/or update your membership information or your personal profile, which includes registration and preferences information, by following the appropriate link on our home page.

You have the right to obtain from the controller free information about your personal information stored at any time and a copy of this information. Furthermore, the European directives and regulations grant the data subject access to the following information:

• the purposes of the processing;
• the categories of personal information concerned;
• the recipients or categories of recipients to whom the personal information have been or will be disclosed, in particular recipients in third countries or international organisations;
• where possible, the envisaged period for which the personal information will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the controller rectification or erasure of personal information, or restriction of processing of personal information concerning the data subject, or to object to such processing;
• the existence of the right to lodge a complaint with a supervisory authority;
• where the personal information is not collected from the data subject, any available information as to their source;
• the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

Moreover, the data subject has the right to obtain information as to whether personal information is transferred to a third country or to an international organization. Where this is the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer. If a data subject wishes to exercise this right of access, he or she may at any time contact us using the contact details provided at the bottom of this Privacy Policy.

Your right to rectification: You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Each data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal information concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal information completed, including by means of providing a supplementary statement.

If a data subject wishes to exercise this right to rectification, they may, at any time, contact us using the contact details provided at the bottom of this Privacy Policy.

Your right to erasure: You have the right to ask us to erase your personal information in certain circumstances.

• Right of Erasure: The personal information is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
• The data subject withdraws consent to which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing.
• The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR.
• The personal information has been unlawfully processed.
• The personal information must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
• The personal information has been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR. If one of the aforementioned reasons applies, and a data subject wishes to request the erasure of personal information stored by the Controller, he or she may at any time contact us using the contact details provided at the bottom of this Privacy Policy. We shall promptly ensure that any legitimate request is addressed appropriately.

Your right to restriction of processing: You have the right to ask us to restrict the processing of your information in certain circumstances.

Right of restriction of processing
Each data subject shall have the right granted by the European legislator to obtain from the controller restriction of processing where one of the following applies: The accuracy of the personal information is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal information. The processing is unlawful, and the data subject opposes the erasure of the personal information and requests instead the restriction of their use instead. The controller no longer needs the personal information for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims. The data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

Your right to object to processing
You have the the right to object to the processing of your personal data in certain circumstances.

Opt Out Policy

At any time, you can unsubscribe from any Industrialinfo.com newsletter through links to those areas on Industrialinfo.com's home page. As a member or contest entrant you will occasionally receive email updates from us about special offers, new Industrialinfo.com services and other noteworthy news items. We hope you will find these updates interesting and informative. Of course, if you would rather not receive them, please contact us at EUdataprivacy@industrialinfo.com. Industrialinfo.com reserves the right to limit membership to those who will accept emails. Members will be notified via email prior to any actions taken.

Right to Object

Each data subject shall have the right granted by the European legislator to object, on grounds relating to his or her particular situation, at any time, to processing of personal information concerning him or her, which is based on point (e) or (f) of Article 6(1) of the GDPR. This also applies to profiling based on these provisions. This data controller shall no longer process the personal information in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

Right to withdraw data protection consent

Each data subject shall have the right granted by the European legislator to withdraw his or her consent to processing of his or her personal information at any time. If the data subject wishes to exercise the right to withdraw consent, he or she may at any time directly contact us using the contact details provided at the bottom of this Privacy Policy.

Provision of personal information as statutory or contractual requirement; Requirement necessary to enter into a contract; Obligation of the data subject to provide the personal information; possible consequences of failure to provide such data We clarify that the provision of personal information is partly required by law (e.g. tax regulations) or can also result from contractual provisions (e.g. information on the contractual partner). Sometimes it may be necessary to conclude a contract that the data subject provides us with business contact information which may include limited personal information, which must subsequently be processed by us. The data subject is, for example, obliged to provide us with some business contact information, which may include limited personal information when our company signs a contract with him or her. The non-provision of the personal information would have the consequence that the contract with the data subject could not be concluded. Before personal information is provided by the data subject, in this circumstance the data subject must contact us using the contact details provided at the bottom of this Privacy Policy. Our privacy officer clarifies to the data subject whether the provision of the personal information is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal information and the consequences of non-provision of the personal information.

Your right to data portability

You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.

Each data subject shall have the right granted by the European legislator, to receive the personal information concerning him or her, which was provided to a controller, in a structured, commonly used and machine-readable format. He or she shall have the right to transmit those data to another controller without hindrance from the controller to which the personal information has been provided, as long as the processing is based on consent pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR, or on a contract pursuant to point (b) of Article 6(1) of the GDPR, and the processing is carried out by automated means, as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Furthermore, in exercising his or her right to data portability pursuant to Article 20(1) of the GDPR, the data subject shall have the right to have personal information transmitted directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others. In order to assert the right to data portability, the data subject may at any time contact us using the contact details provided at the bottom of this Privacy Policy.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at EUdataprivacy@industrialinfo.com if you wish to make a request.

We care about the protection of your user information and use industry standard safeguards to do so. Of course, it's important to keep in mind that no data transmission on the Internet is guaranteed to be 100% secure. All data processed by us is protected by appropriate industry standard, physical, electronic, technical and organizational safety measures. We treat data as an asset that must be protected against loss and unauthorized access. If you are concerned that your privacy may have been breached, please contact us as provided below.

To meet our legal and regulatory obligations, we hold your information while you are a customer, employee, contact and or prospective customer and for a period of time after that.

Examples of retention periods are as follows:

• Customer: 6 years after the customer relationship ends
• Prospective Customer: 6 years after the relationship ends
• Revenue /Tax records: 7 years after the date of the document
• Employee records: 6 years after the relationship ends
• Health and safety reports and legal matters: 10 years after any incident was reported

We continuously assess and delete data to ensure it not held for longer than necessary.

Material displayed on the Website is provided without any guarantees, conditions or warranties. IIR will not be liable for interruptions to operations or any other interference, including technical interference, over which it has no control. Further, IIR does not accept responsibility for errors in the data you enter including your registration details. This includes, but is not limited to, submission errors caused by transmission failures; delays; typographical errors; telephone or network failures; computer, electronic, or Internet hardware or software failures: the inability of any site to accept all of IIR's data; and tampering. IIR does not provide any assurance or guarantee that you will win prizes in any draw, or at all.

Whilst IIR takes reasonable measures to detect and eliminate viruses from the Website, IIR cannot ensure that the website will be free from viruses and does not accept any liability in this respect. You are recommended to take all appropriate measures before downloading or accessing information from the Website including social media and search engine security measures.

Users cannot knowingly use the site to introduce viruses and Trojans.

You must not misuse the Website by knowingly introducing viruses, trojans, worms or other material which is malicious or technologically harmful. You must not attempt to gain unauthorised access to the Website, the server on which the Website is stored, or any server, computer or database connected to the Website. You must not attack the Website via a denial-of-service attack or a distributed denial-of-service attack. By breaching this provision, you would commit a criminal offence under the Computer Misuse Act 1990. IIR will report any such breach to the relevant law enforcement authorities and will cooperate with those authorities by disclosing your identity to them. In the event of such a breach, your right to use the Website will cease immediately. IIR will not be liable for any loss or damage caused by a distributed denial-of-service attack, viruses or other technologically harmful material that may infect your computer equipment, computer programs, data or other proprietary material due to your use of the Website or use of any website linked to it. However, IIR will take adequate measures from their end to ensure that such incidents do not occur.