PUBLIC

RM plc Privacy Policy

Page 1 of 16

RM plc

Document Title:

Information Security Classification:

Public

Status:

Definitive

Version Number:

2.6

Date:

08/06/23

PUBLIC 
RM plc Privacy Policy  
 
Page 2 of 16 
 
Table of Contents 
     
1.    INTRODUCTION ..................................................................................................................................... 4 
1.1  BACKGROUND ............................................................................................................................................ 4 
1.2  PURPOSE AND SCOPE OF THIS POLICY ........................................................................................................ 4 
1.3  LAWFUL BASIS FOR PROCESSING ............................................................................................................... 4 
1.4  CONTACT DETAILS:..................................................................................................................................... 5 
1.5  RM GROUP WEBSITES................................................................................................................................ 5 
2.    HOW WE GET YOUR PERSONAL DATA ............................................................................................... 6 
2.1    INFORMATION ABOUT YOU THAT YOU GIVE US ............................................................................................... 6 
2.2   INFORMATION ABOUT YOU THAT WE COLLECT ............................................................................................... 6 
2.3  INFORMATION WE RECEIVE FROM OTHER SOURCES ...................................................................................... 6 
3.  HOW WE USE YOUR PERSONAL DATA ............................................................................................... 7 
3.1  INFORMATION YOU GIVE US ......................................................................................................................... 7 
3.2  INFORMATION WE COLLECT ABOUT YOU ....................................................................................................... 7 
3.3  MARKETING ............................................................................................................................................... 8 
3.4  SHARING WITH RM GROUP COMPANIES ...................................................................................................... 8 
3.5  SHARING WITH THIRD PARTIES ................................................................................................................... 8 
3.6  SOCIAL MEDIA .........................................................................................................................................10 
4.  DISCLOSURE OF YOUR INFORMATION ............................................................................................10 
5.   WHERE WE STORE YOUR PERSONAL DATA ...................................................................................11 
6.   HOW YOUR DATA IS PROTECTED .....................................................................................................11 
7.   HOW LONG YOUR DATA IS KEPT .......................................................................................................12 
8.   YOUR DATA PROTECTION RIGHTS ...................................................................................................12 
INDIVIDUALS’ RIGHTS.........................................................................................................................................12 
Right to be informed ...................................................................................................................................12 
Right of access ...........................................................................................................................................12 
Right to rectification ....................................................................................................................................12 
Right to erasure ..........................................................................................................................................12 
Right to data portability ...............................................................................................................................13 
Right to object .............................................................................................................................................13 

PUBLIC

RM plc Privacy Policy

Page 3 of 16

Rights related to automated decision making including profiling ................................................................13

Withdrawing consent ..................................................................................................................................13

Third party websites ....................................................................................................................................13

Right of complaint to the ICO......................................................................................................................13

9. SUBJECT ACCESS REQUESTS ..........................................................................................................13

10. CHANGES TO OUR PRIVACY POLICY................................................................................................14

11. CONTACT .............................................................................................................................................14

12. EU REPRESENTATIVE ........................................................................................................................14

13. RM CAREERS PRIVACY STATEMENT................................................................................................15

Information we may collect .........................................................................................................................15

How we may use this Information ...............................................................................................................15

Where we store your personal data ............................................................................................................15

PUBLIC

RM plc Privacy Policy

Page 4 of 16

1. INTRODUCTION

1.1 Background

The RM Group of businesses creates and maintains an extensive range of innovative solutions and services -

all designed or selected to meet the specific needs of educational users:

● RM’s Schools Technology business provides software, services and technology to schools and

colleges in the UK;

● RM’s Assessment business provides e-assessment services and education data analysis to exam

boards and central government in the UK and internationally; and

● RM Resources provides physical and curriculum resources for schools and nurseries in the UK and

internationally.

The GDPR (General Data Protection Regulation) and the Data Protection Act 2018 set out the legal obligations

for organisations in regard to the processing of personal data.

(For the purposes of this Privacy Policy, “We”, “Us”, ”Our”, “RM” and “RM Group” means RM plc (Reg No.

01749877) and The Educational Resources Ltd (Reg No. 03100039), RM Education Ltd (Reg No. 01148594),

RM Results, TTS Group Ltd (Reg No. 04373761) and West Mercia Supplies, which are registered in England

and Wales, and SoNET Systems Pty Ltd (Australian Company Number 093 532 435) and RM Education

Solutions India Pvt (Corporate Identification Number U72200KL2003PTC015931), respectively registered in

Australia and India. See the latest RM plc Annual Report for further details about RM.)

1.2 Purpose and scope of this Policy

RM is committed to protecting and respecting the privacy of individuals.

This Privacy Policy outlines how RM collects, stores and uses personal information that it collects about

customers, candidates, examiners, job applicants, and visitors to the RM Group websites in the relevant

jurisdictions, notably in the UK and EU.

This Privacy Policy is intended for circulation to RM’s customers, suppliers and other interested parties. It is

supported by an internal data protection framework.

This Privacy Policy is intended for use in conjunction with the RM plc Data Protection Policy (available on

request), the Terms of Website Use and the Cookies Policy (which are available on each RM Group

company’s website). These documents set out the basis on which any personal data we collect from you, or

that you provide to us, will be processed by us.

1.3 Lawful Basis for Processing

We will only process your data if there is a lawful basis for such processing. In the UK and the EU, the lawful

basis for processing Personal Data will be one of the following:

• Consent. You have given RM clear and specific consent for processing your data.

• Contract. You, or the organisation you work for, have entered into a contract with us in which the

processing of your data is required.

• Legal obligation. We need to process your data in order to comply with a common law or statutory

obligation.

• Legitimate interests. We have a legitimate interest in processing your data in circumstances where it

would be reasonable for you to expect such data processing and where there is a minimal privacy

impact. Some direct marketing activities may be based on legitimate interests. Where legitimate interest

is deemed to apply, RM will have carried out a Legitimate Interest Assessment.

Outside of the UK and the EU, we will use these lawful bases to the extent we are allowed to do so under the

laws of the relevant jurisdiction. Where this is not allowed, we will comply with the laws of the relevant

jurisdiction.

PUBLIC

RM plc Privacy Policy

Page 5 of 16

All international transfers of personal data will be compliant with applicable law and protected by appropriate

technical and organisational measures.

1.4 Contact details:

For the purpose of data protection legislation, the data controller is either:

(a) RM Educational Resources Ltd (which includes the trading entities “The Consortium” and “TTS”)

(b) RM Education Ltd (which includes the trading entity RM Results)

which each has their registered office at: 142B Park Drive, Milton Park, Abingdon, Oxon. OX14 4SE; or

(d) RM Education Solutions India Pvt (“RMESI”)

which has its registered office at Unit No.8A, Carnival Techno Park, Technopark, Kariyavattom PO,

Trivandrum - 695581, Kerala, India.

Additional information for job applicants can be found at the end of this policy under section 13.

1.5 RM Group websites

It is possible that our websites contain links to other sites. RM is not responsible for the privacy practices or the

content of such websites. The websites may also include comment fields, chat rooms, forums, message boards,

and news groups. Please remember that any information that is disclosed in these areas becomes public

information and you should exercise caution when deciding to disclose your personal information.

Wherever this Privacy Policy refers to a website, we are referring to the applicable one of:

In respect of RM Educational Resources Ltd:

https://www.tts-group.co.uk

https://www.consortiumeducation.com

www.consortiumworldwide.com

www.tts-international.com

www.educationsupplies.com

In respect of RM Education Limited:

https://rm.com

https://www.rmeasimaths.com

https://compare.rm.com

In respect of RMESI:

https://www.rmesi.co.in/

In respect of RM plc

http://www.rmplc.com

PUBLIC

RM plc Privacy Policy

Page 6 of 16

2. HOW WE GET YOUR PERSONAL DATA

2.1 Information about you that you give us

(a) when filling in forms on our websites (listed in 1.5 above);

(b) by corresponding with us by phone, email or otherwise;

(d) when you register to use our websites;

(e) when you subscribe to our services;

(f) when you place an order on one of our websites;

(g) when you leave reviews for products, participate in discussion boards or other social media

functions on our websites

(h) when you enter a competition, promotion or survey;

(i) when you attend an RM activity, such as a seminar;

(j) when you report a problem with our websites;

(k) when you participate in a market research panel run by RM; and

(l) when you apply for a job at RM, either directly or through an agency.

The information you give us may include your name, address, e-mail address and phone number, organisation,

job role or title, financial and credit card information and some interests / preferences.

Additional information for job applicants can be found at the end of this policy under section 13.

2.2 Information about you that we collect

Visits to websites

With regard to each of your visits to our websites we will automatically collect the following information:

(a) technical information, including your login information, the Internet protocol (IP) address used to connect

your computer to the Internet, browser type and version, time zone setting, browser plug-in types and

versions, operating system and platform; and

(b) information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through

and from our site (including date and time), products you viewed or searched for, page response times,

download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks,

and mouse-overs), methods used to browse away from the page platform and any phone number used

to call our customer service number.

CCTV

When you visit one of our offices, RM may record CCTV footage of you. The operation of CCTV is governed by

the CCTV Policy, which is closely aligned with the ICO’s guidance on this subject. A copy of this policy is

available upon request.

2.3 Information we receive from other sources

This is information we receive about you if you use any of the websites we operate or other services we provide.

In these cases we will have informed you when we collect that data if we intend to share those data internally

and combine it with data collected on our websites. We will also have told you for what purpose we will share

and combine your data.

We work closely with third parties (including, for example, business partners, sub-contractors in technical,

payment and delivery services, advertising networks, analytics providers, search information providers, credit

reference agencies).

PUBLIC

RM plc Privacy Policy

Page 7 of 16

We may also purchase marketing lists, containing contact data, from trusted third parties. We will always ensure

that there was an appropriate lawful basis for the collection of this data,

3. HOW WE USE YOUR PERSONAL DATA

3.1 Information you give us

We will use the information you give us:

(a) to carry out our obligations arising from any contracts entered into between you and us and to

provide you with the information, products and services that you request from us;

(b) to provide you with information about other goods and services we offer that are similar to those

that you have already purchased or enquired about where we have a legitimate business purpose

to do so;

This may include updates, future roadmaps, technical articles and product information. You can

unsubscribe from these at any time.

(d) to notify you about changes to our service;

(e) to ensure that content from our site is presented in the most effective manner for you and for your

computer; and

(f) to notify you about any recalls of goods that you have or may have purchased from RM.

3.2 Information we collect about you

We will use the information we collect about you:

(a) to administer our websites and for internal operations, including troubleshooting, data analysis,

testing, research, statistical and survey purposes;

(b) to improve our websites to ensure that content is presented in the most effective manner for you

and for your computer;

(d) as part of our efforts to keep our websites safe and secure;

(e) to measure or understand the effectiveness of advertising we serve to you and others, and to

deliver relevant advertising to you; and

(f) to make suggestions and recommendations to you and other users of our websites about goods

or services that may interest you or them.

IP addresses

The Internet protocol (IP) address used to connect your computer to the Internet. We use your IP address for

the following purposes:

1. Issue triage: if you notify us of an issue, or our monitoring identifies an issue, then the information

within the servers’ logs is used to identify the root cause and, wherever possible, identify a fix.

2. Issue trending: this provides us with aggregated trend data so we can monitor the quality of the

service year-on-year.

3. Application usage data: we use server logs to review system usage, both for issue triage and for

service reporting year-on-year.

4. Service analytics data: we do Pingdom and Microsoft to gather analytical data.

We use cookies on our websites to improve your experience on the websites, mainly so that we don't have to

ask you for your information on every page you visit. It also allows us to personalise the information shown to

be closer to your interests.

We (or third-party data processors acting on our behalf) may collect, store, and use your personal information

for individual website experience improvement.

PUBLIC

RM plc Privacy Policy

Page 8 of 16

For detailed information on the cookies we use and the purposes for which we use them see our Cookie policy

which can be found on every RM Group website.

3.3 Marketing

We collate the information collected about you or provided by you in order to offer you a more tailored marketing

experience but always where we either have your consent or where RM have a legitimate business purpose to

do so.

For marketing purposes, we may collect, store and use the following kinds of personal data:

(a) information about your computer and about your visits to and use of this website (including your IP

address, geographical location, browser type, referral source, length of visit and number of page

views);

(b) information that you provide to us for the purpose of registering with us (including name, company,

telephone number and email address); and

If you have recently purchased products or services from us, we may contact you with information about goods

or services similar to those which were the subject of the previous sale or negotiations.

When we communicate with you by email for the purpose of marketing, we will always provide you with

information about how to stop receiving such communications from us in the future.

If your email address is linked to a business account, we may process your data on the basis of legitimate

interests. However, it is possible that we would also recognise your email as belonging to an individual and, in

that scenario, we would process your data only if you have given consent. It is possible for one email address

to be against both business and personal classifications.

For example, MrTeacher@gmail.com is linked to a school account. RM will market to you in your business

capacity on the basis of legitimate interests until you unsubscribe to these emails. Additionally, since the email

address is classified as also belonging to an individual, we will market to you in your personal capacity only if

we have received your consent to do so. Your consent may be withdrawn at any time.

We do not knowingly solicit information from children and we do not knowingly market our services to children.

3.4 Sharing with RM Group companies

RM’s provision of the products or services to you may require the transfer of data to RM Education Limited’s

wholly-owned subsidiary, RMESI, which operates outside the European Economic Area (EEA). India has not

been approved by the European Commission as having adequate protections in place for the purpose of the

transfer of personal data. You agree that RM will be permitted to transfer your data to RMESI provided that RM

shall have entered into an agreement with RMESI based upon standard contractual clauses approved by the

European Commission for transfers of personal data to processors outside of the EEA and which agreement

shall include security obligations on RMESI.

RM has a central database which all RM Group companies can access. It is possible that some personal data

(such as the name on an invoice, or a contact at a school) will be visible by all RM Group companies.

3.5 Sharing with Third Parties

PUBLIC

RM plc Privacy Policy

Page 9 of 16

RM may share your data with trusted third parties using one of the following lawful bases:

• Consent: where you have provided consent for your data to be shared.

• Legitimate Interests: where sharing the data is in RM’s legitimate business interests and not

outbalanced by the need to protect your individual rights.

• Contract: where sharing your data is required for the performance of a contract.

• Legal obligation: where sharing your data is required in order to comply with law.

Where data is shared to fulfil our contractual obligations, and RM is acting as a data processor, enquiries as to

the scope and nature of such data sharing should be raised, in the first instance, with the data controller, e.g.

school, awarding body, etc.

We may share your data with trusted third parties for the following reasons:

(a) We may share your data with third parties directly involved in the provision of RM products and

services where you have requested those RM products and services, e.g. delivery companies.

(b) We may share your data with third parties indirectly involved in the provision of RM products and

services, e.g. service providers for our websites and email providers.

services that we provide. The lawful basis for such data sharing will either be your consent or our

legitimate interests, depending on the purpose and nature of processing involved. Such third parties

may include:

• Survey providers

• Data analytics and matching providers

• Market research organisations

• Event registration providers

and your data will be processed in accordance with their privacy policy or the terms of RM’s

agreement with these third parties. However, data sharing of this kind may be excluded in some

contracts where RM is acting as a data processor.

(d) We may share your data with third parties such as law enforcement authorities, either on the basis of

legitimate interests or because we have a legal obligation to do so.

Where you have provided explicit consent, or have not opted out of receiving such communications, we may

share your data with third parties in order that you can be contacted to complete surveys, so we can study how

our customers use our products and services and improve our offering accordingly. You are not obliged to

complete any survey sent to you and may request that past reviews be deleted.

Where you have provided explicit consent to receive marketing communications, we may also share your data

with third parties involved in the delivery of such communications. (See also “3.6 Social Media” below.)

RM will never sell your data to third parties.

Other than when we are sharing your data in order to comply with our legal obligations, all third parties

processing your data on our behalf are subject to the following conditions:

• A contract, and relevant data processing agreement, will be in place.

• Data must only be processed for specific purposes and in accordance with RM’s instructions.

• Appropriate security measures must be in place to protect your data.

• Data provided or accessed will be minimised, and where appropriate, pseudonymised.

• The data must not be used for the third party’s own purposes.

• Data must be deleted when it is no longer required or at the end of the contract.

PUBLIC

RM plc Privacy Policy

Page 10 of 16

• Where you request this, we will ask third parties to delete your data from their systems.

When your data is transferred to a third party located outside of the European Economic Area (EEA), we will

enter into an agreement based upon standard contractual clauses approved by the European Commission for

transfers of personal data to processors outside of the EEA and this agreement shall include security obligations

on the third party.

A list of all sub-processors used is available upon request.

3.6 Social Media

RM uses social media to provide customers and potential customers with news about products, services,

competitions and events. You can follow RM on social media platforms, but how your data is processed will be

subject to the terms and conditions, including the privacy policy, of these platforms.

On some of our websites when we ask for your consent for direct marketing, we may also ask for your consent

to share your details with social media platforms so that they can provide you with targeted marketing. If you

give us your consent, but then at a later date wish to stop receiving targeted marketing from RM in this way, you

can either opt out directly by telling us or by changing your marketing preferences on the platform.

However, you may also receive targeted advertising on social media platforms based on your browsing history,

whether or not you follow us. RM has no control over the marketing you receive in this way, and you should

manage your marketing preferences within the platform if you wish to change the marketing you receive.

If we have sought, and you have given us, your consent, we may also share your anonymised data with social

media platforms for the purpose of identifying other potential customers (“lookalikes”) who have a similar online

profile to you.

4. DISCLOSURE OF YOUR INFORMATION

Sharing your personal information

When you share your data with us, you agree that we have the right to share your personal information with:

(a) Any member of the RM Group, which means our subsidiaries, our ultimate holding company and

its subsidiaries, as defined in section 1159 of the UK Companies Act 2006;

(b) Selected third parties including:

• business partners, suppliers and sub-contractors for the performance of any contract we enter

into with them or you;

• advertisers and advertising networks that require the data to select and serve relevant adverts

to you and others provided we have a lawful basis to do so;

• analytics and search engine providers that assist us in the improvement and optimisation of our

websites; and

• credit reference agencies for the purpose of assessing your credit score where this is a condition

of us entering into a contract with you.

Disclosure to third parties

We will disclose your personal information to third parties:

(a) In the event that we sell or buy any business or assets, in which case we will disclose your personal

data to the prospective seller or buyer of such business or assets;

(b) If any RM Group company or substantially all of its assets are acquired by a third party, in which

case personal data held by it about its customers will be one of the transferred assets;

obligation, or in order to enforce or apply our terms of use or terms and conditions of supply and

other agreements; or to protect the rights, property, or safety of any of our RM Group companies,

PUBLIC

RM plc Privacy Policy

Page 11 of 16

our customers, or others. This includes exchanging information with other companies and

organisations for the purposes of fraud protection and credit risk reduction.

5. WHERE WE STORE YOUR PERSONAL DATA

The data that we collect from you may be transferred to, and stored at:

(a) Third party cloud-hosted environments, e.g. Microsoft Azure, using servers that reside only in EEA.

(b) Third party data centres, using servers that reside only in the UK.

RM staff operating outside the European Economic Area ("EEA") who work for us (employed by our

wholly-owned subsidiary, RM Education Solutions India Pvt) or for one of our suppliers. Such staff may

be engaged in, among other things, the fulfilment of your order, the processing of your payment details

and the provision of support services. By submitting your personal data, you agree to this transfer,

storing or processing. We will take all steps reasonably necessary to ensure that your data is treated

securely and in accordance with this Privacy Policy.

6. HOW YOUR DATA IS PROTECTED

Security

RM uses a range of security measures in order to protect Personal data, managed through a Group Information

Security Framework, based on ISO 27001, the international standard for information security management. In

addition, a number of business units, including RM Education Solutions India Pvt, are certified to ISO

27001:2013. Further details are available upon request to the Data Protection Officer (details below).

A wide range of technical controls are used, including but not limited to:

• Data encryption

• Anti-virus and anti-malware software

• Network monitoring

• Access management

• Vulnerability scanning and penetration testing

A wide range of non-technical controls are used, including but not limited to:

• Physical security controls at RM offices

• Security policies, including Data Classification & Handling, Data Protection, etc.

• Security training

The implementation of such controls may vary between specific products and services.

Security: websites

All websites have security measures in place to protect the loss, misuse and alteration of the information under

our control. Where necessary RM will inform law enforcement agencies or other relevant organisations

regarding misconduct.

All information you provide to us is stored on our secure servers. Any payment transactions will be encrypted

and utilise technologies to ensure PCI DSS compliance. Where we have given you (or where you have chosen)

a password which enables you to access certain parts of our websites, you are responsible for keeping this

password confidential. We ask you not to share a password with anyone.

PUBLIC

RM plc Privacy Policy

Page 12 of 16

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our

best to protect your personal data, we cannot guarantee the security of your data transmitted to our websites;

any transmission is at your own risk. Once we have received your information, we will use strict procedures and

security features to try to prevent unauthorised access.

7. HOW LONG YOUR DATA IS KEPT

RM has established a data retention framework based on statutory and non-statutory guidance. The framework

applies to both digital and non-digital data. In regard to the retention of personal data of individuals who are

neither employees nor former employees, data retention schedules will be applied in accordance with the

following:

(a) Contracts

(b) Product-specific and service-specific data retention schedules

Data retention schedules will be documented and will be communicated, either through terms and conditions of

the relevant product and / or service, or upon request.

8. YOUR DATA PROTECTION RIGHTS

Individuals’ Rights

In accordance with data protection legislation, RM recognises that data subjects have specific rights that must

be protected and observed.

Right to be informed

RM provides employees, customers and other third parties with information about how personal data is

collected, processed and managed. RM seeks to provide this information in language that is clear, concise and

intelligible. This information is intended to be easily accessible for internal and external users.

Right of access

RM provides data subjects with access to the personal data that it manages as a data controller. A Subject

Access Request (SAR) process has been defined (see paragraph 8 below) and communicated. Data subjects

for whom RM is not the data controller but may process their personal data, should – in the first instance –

contact the data controller directly when requesting such access.

Right to rectification

RM recognises the right of individuals to have inaccurate or incomplete data to be amended. Data subjects for

whom RM is not the data controller, should – in the first instance – contact the data controller when making a

data rectification request.

Right to erasure

RM recognises the right of individuals to request for their data to be deleted or removed where there is no

compelling reason for its continued processing. RM will, in all cases, follow the ICO’s guidance on how and

when such a request should be observed.

RM maintains a data retention schedule so that personal data is not retained for longer than is necessary with

regard to the purpose for which the data was original collected. However, some personal data may be required

to be retained in order to observe other legal or regulatory obligations. In addition, in line with the ICO’s guidance

on the constraints that existing when deleting data retained in digital back-ups, RM will seek to place such back-

ups beyond effective use.

PUBLIC

RM plc Privacy Policy

Page 13 of 16

Right to data portability

Where the right of portability applies, as defined by the ICO, RM will provide data in a form that is structured,

commonly used and in a machine-readable form. In most cases, this will be the CSV format.

Right to object

RM recognises the right of individuals to object to the processing of their personal data, where such objections

are allowable under data protection legislation.

Rights related to automated decision making including profiling

RM does not use automated decision making where such decisions have a significant effect on data subjects.

Withdrawing consent

You have the right to ask us not to process your personal data for marketing purposes. We will usually inform

you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your

information to any third party for such purposes. You can exercise your right to prevent such processing by not

checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by

contacting us using the details set out in paragraph 10 below.

In “My Account”, there is a privacy dashboard. If you register, you will get an RM account. That will give you

access to an area to show your preferences for communication.

Each time you receive electronic marketing information from us, you have the option to decline to receive further

marketing information from us.

To stop receiving email communications from RM in the future, you can:

1. click on the opt-out link in the email and follow the instructions; or

2. reply to the email with “UNSUBSCRIBE” in the subject line; or

3. for RM Education Limited customers only, visit rm.com/unsubscribe and provide your email address.

If you change your preferences, we will endeavour to ensure our systems reflect this within one (1) week of

receiving your alteration.

Please note that if you terminate your RM account, but have also subscribed to newsletters, for example, you

must additionally unsubscribe from these in order to cease receiving communication. This also applies to any

third parties you have agreed we can share your information with.

To prevent you receiving such communications from RM in the future, you can send a letter clearly identifying

yourself and asking that we remove you from our contact lists. Contact details are set out in paragraph 10 below.

Third party websites

Our websites may, from time to time, contain links to and from the websites of our partner networks, advertisers

and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy

policies and that we do not accept any responsibility or liability for these policies. Please check these policies

before you submit any personal data to these websites.

Right of complaint to the ICO

Should you have a concern about RM’s information rights practices, please report it to us for investigation. If,

following our internal review, you are not satisfied, you can report the matter to the Information Commissioner’s

Office.

9. SUBJECT ACCESS REQUESTS

PUBLIC

RM plc Privacy Policy

Page 14 of 16

The Data Protection Legislation gives you the right to access information held about you. Your right of access

can be exercised in accordance with such legislation.

Upon receipt of a written request to our Data Protection Officer (see paragraph 11 below for contact details),

and upon validation of the requestor’s identity, RM will within one (1) month:

(a) confirm whether any of your personal data is being processed;

(b) provide a description of the personal data, the reasons it is being processed and whether it is given

to any other organisations; and

If the request is particularly complex or numerous, RM may extend the period for repose by up to two (2) months.

If the request is manifestly unfounded or excessive, RM may charge a fee or refuse to respond.

If disclosing the personal data will adversely affect the rights and freedoms of others, RM may withhold such

personal data. This may extend to intellectual property and trade secrets.

10. CHANGES TO OUR PRIVACY POLICY

Any changes we make to the Privacy Policy in the future will be posted on each website. Please check back

frequently to see any updates or changes to this Privacy Policy.

11. CONTACT

If you have any questions or comments about this Privacy Policy, please contact our Data Protection Officer:

RM Data Protection Officer

142B Park Drive

Milton Park

Abingdon, Oxfordshire

OX14 4SE

United Kingdom

Telephone: +44 (0) 8450 700300

Fax: +44 (0) 8450 700400

Email: dataprotection@rm.com

12. EU REPRESENTATIVE

As RM processes personal data of EU nationals, and in compliance with the UK GDPR Article 27, we have

appointed Willans Data Protection Services as our representative in the EU. They can be contacted as

follows:

Address: Willans Data Protection Limited, 2 Pembroke House, 28-32 Upper Pembroke Street, Dublin, Ireland

D02 EK84.

Email: https://www.willansdataprotectionservices.com/make-a-data-request/

Telephone: 00 353 1 447 0402

PUBLIC

RM plc Privacy Policy

Page 15 of 16

13. RM CAREERS PRIVACY STATEMENT

We understand that when searching for employment a large amount of personal and highly confidential data is

disclosed and we take our responsibility to protect this very seriously. This section sets out the basis on which

any personal data we collect from you, or you provide to us, will be processed by RM Careers.

The collection and processing of your personal data will be done in accordance with the principles and

safeguards set out in this Privacy Policy.

This policy is designed to be compliant with, and will be implemented in accordance with the UK GDPR, and

any other associated legislation. However, RM will observe the requirements of local laws for applicants outside

the UK and EU.

Information we may collect

We generally collect personal data contained in your CV, or submitted with your application and/or any personal

information form, such as name, address, home phone number, work phone number, mobile phone number(s),

e-mail addresses and general contact information.

We collect and may disclose statistical information gathered as a whole (e.g. total number of applicants and

applicant origin) for internal reporting purposes. However, we never disclose information that identifies any

individual for such purposes.

If you receive an offer from us, we may conduct a limited background check, or ask a third party to do this on

our behalf. The nature of the check may depend on the role for which you have received an offer. Any such

background check will be compliant with the laws of the country in which the role you have applied for is located.

Further information is available on request.

How we may use this Information

RM gathers the personal information required for you to be considered for job vacancies within RM and to

conduct research relating to our recruitment activities. Generally, the information gathered from you is used to

assist you to search for RM job vacancies, apply for RM job vacancies and to be processed for each job

application you submit. As such, it may require us to release your personal information with your consent to RM

hiring managers, administrators and third party contractors. These RM hiring managers, administrators and third

party contractors may be in the UK or in other parts of the world including outside the European Economic Area

("EEA"). By registering with RM, you agree that your information may be shared with RM hiring managers,

administrators and third party contractors for the purpose of supporting you to find suitable RM job vacancies,

applying for RM job vacancies, supporting our research relating to our recruitment activities and processing you

for each job application you submit and you consent to the transfer of your information outside the EEA.

RM uses all reasonable means to ensure that third party sources use your personal information only for the

purposes for which it was provided and in adherence to the RM Privacy Policy.

Where we store your personal data

Your personal data is stored on secure servers hosted by RM-approved contractors. These servers reside in

the EEA.

RM is a global organisation, and therefore your data may be transferred to any of our operating businesses

throughout the world with your consent, for the purpose of being considered for any RM job vacancy you apply

for, or for being matched to, specific RM job vacancies and being contacted by a RM hiring manager,

administrator or third party contractor to discuss your interest and suitability.

By submitting your personal information, you agree to RM transferring, storing and processing your personal

data outside the EEA. In particular, you agree to our wholly owned subsidiary, RMESI, processing your data

outside the EEA. For roles based in Australia, you also agree to our group company, SoNET Systems Pty Ltd,

processing your data outside the EEA.

PUBLIC

RM plc Privacy Policy

Page 16 of 16

How long is your personal data retained

If your application was unsuccessful, we will retain your personal data for a period of twelve (12) months, before

deleting the same.