National Utility Service is committed to safeguarding the privacy of your information. Protecting the confidentiality and security of your information has always been an integral part of how we conduct our business worldwide.

GDPR/Personal Data Policy

Issue Date: June 2020

On 25 May 2018, the European Union (“EU”) enacted the General Data Protection Regulation (“GDPR”) which underpins fundamental rights for EU citizens, unifies previous data protection rules and establishes clear principles for organizations that process personal data when performing a service or providing goods. Importantly, the GDPR’s broad powers reach organizations outside of the EU and provide guiding principles regarding processing, retention, and the accuracy of personal data held by an organization.

NUS Consulting Group, meaning National Utility Service, Inc. as well as its subsidiaries and affiliates (“NUS”) is a global energy management consultancy headquartered in the United States and operating throughout Europe, North America, South Africa, and Australia. Through the provision of energy management services, NUS is responsible for processing energy invoice data and offering information technology applications to access and analyze such data through its proprietary online energy information system, NUSdirect. NUS’s global presence and service offering mean that it is responsible for compliance with the GDPR (as well as other similar data protection laws), and this GDPR Policy outlines NUS’s use and processing of personal data.

Overview

Under the GDPR, a data controller is defined as a natural or legal person that determines the purposes and means of processing personal data. A data processor is defined as a natural or legal person which processes data on behalf of a controller. Typically, NUS is a data processor as it collects and processes personal data on behalf of clients in compliance with an underlying service agreement. NUS does not use client personal data for its own purposes. NUS takes the processing of client personal data seriously and is committed to protecting individuals’ privacy under this GDPR Policy. NUS has implemented appropriate technical and organizational measures in such a manner that processing meet

the requirements of the GDPR and ensure the protection of the rights of clients and data subjects. NUS requires all its international offices and employees to comply with the standards and procedures outlined in this GDPR Policy, and act in full compliance with applicable laws and regulations. NUS will review this Policy from time to time to confirm its compliance with the GDPR.

General Principles

NUS limits the collection of personal data to information relevant for authorized processing purposes and relies on specific, explicit and legitimate interests when processing personal data. A part of its energy management services, NUS may collect client data including employee names, job titles, company names, email addresses, postal addresses and system log data. Processing this type of personal data is necessary for NUS to (i) provide professional energy management services to clients; (ii) create and administer NUSdirect user accounts; (iii) prevent, detect and fight fraud or other illegal or unauthorized activities; and (iv) ensure legal and regulatory compliance. All personal data will be processed lawfully, fairly and in a transparent manner concerning the data subject. Personal data will be adequate, relevant and limited to that necessary to the purposes for which it is processed and data subjects may withdraw his/her consent at any time by contacting NUS.

Data Security

NUS uses appropriate technical and organizational measures to ensure appropriate security and protection of personal data against unauthorized access, misuse, alteration, destruction or damage, theft and accidental loss. NUS restricts access to personal data to those employees who require such information to provide services or perform job functions. NUS recognizes that while it has adopted enhanced precautions to protect personal data, no system or data transfer is entirely free of risk.

Data Transfer, Storage, and Archiving

In providing services on behalf of its clients, NUS shares certain personal data between its international offices. NUS commits to maintaining appropriate technical and organizational measures that facilitate transfers of personal data outside of the EU as required by GDPR. NUS may transfer, store, and archive personal data outside the country where the individual is located. This includes countries outside the European Economic Area (EEA) that provide an adequate level of protection for personal data. NUS’s data hosting centers are located in the UK. NUS will keep personal data no longer than is necessary for the purposes for which the personal data is processed.

Third-Party Transfer

Generally, NUS does not transfer personal data to third parties. However, there may be limited instances where NUS uses third-party providers to support, run and manage NUS information technology systems. Examples of third-party providers that NUS may use include, but are not limited to, website hosting and management, data analysis, data backup, security, and cloud storage services. NUS will only use third-party providers that are required to maintain appropriate levels of security and protection when processing personal data, as instructed by controllers and to flow those same obligations down to their sub-processors. NUS may also disclose personal data to (i) professional advisors (e.g., lawyers, auditors, etc.) as necessary in connection with the operating of NUS’s business or as requested by clients to whom the personal data relates; or (ii) law enforcement, regulatory and other government agencies, and professional bodies, as required by and/or in accordance with applicable law or regulation.

Records of Processing Activities

Where applicable and required by law, NUS will maintain a record of all categories of processing activities carried out on behalf of clients and individuals.

Rights of the Data Subject

Under the GDPR, NUS clients and individual data subjects have the following rights:

  1. The right to obtain confirmation as to whether NUS possesses personal data about him/her;
  2. The right to receive a copy of his/her personal data;
  3. The right to obtain certain information about how and why NUS processes his/her personal data;
  4. The right to request for his/her personal data to be amended and rectified where it is inaccurate and to have incomplete personal data completed;
  5. The right to erase his/her personal data when certain requirements are met;
  6. The right to restrict personal data processing when certain requirements are met;
  7. The right to object to the processing of his/her personal data;
  8. The right to data portability;
  9. The right to withdraw consent; and
  10. The right to lodge a complaint with the data protection regulatory authority when NUS infringes the law.

Data Deletion

Typically, within ninety (90) days of the expiration or termination of any client contractual services engagement or as other specified in clients’ services agreement, NUS will

use commercially reasonable efforts to destroy or return all personal data, unless otherwise instructed by the client in writing and on a timely basis. Notwithstanding the foregoing, NUS shall retain (i) personal data for the sole purpose of compliance with any applicable law, rule or regulation; and (ii) electronic records or files containing personal data which have been created pursuant to the normal course of back-up procedures.

Governance

Under the GDPR, the appointment of a Data Protection Officer (DPO) is required where a controller or processor meets certain criteria, including as required by EU member state law, where an entity is a public authority, where an entity undertakes regular and systematic monitoring, or where an entity’s core activities consist of large scale processing of special types of personal data. NUS is not required to appoint a DPO; nevertheless, NUS has appointed a person responsible for monitoring NUS’s internal GDPR compliance and, advising on NUS’s data protection obligations.

Training

NUS commits to providing appropriate and regular data protection training to personnel having permanent or regular access to clients' personal data.

Notification of a Personal Data Breach

In accordance with the GDPR, NUS agrees to provide prompt notice to clients whenever it becomes aware of a personal data breach. Notice shall include (i) the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned; (ii) communicate the name and contact details of the where more information can be obtained; (iii) a description of the likely consequences of the breach; and (iv) description of the measures taken or proposed to be taken to address the breach and mitigate possible adverse effects.