MAY 1, 2015
JMJ ASSOCIATES

PRIVACY AND DATA PROTECTION POLICY


1. POLICY STATEMENT

1.1 This Global Privacy and Data Protection Policy articulates the minimum worldwide standards within JMJ Associates, LLC and its subsidiaries and affiliates around the world (“We” or “JMJ Associates”), with regards to the collection, storing, processing and use of personal information or personal data of individuals, including our employees, independent contractors, customers and suppliers.

1.2 JMJ Associates respects and is committed to protecting the personal information of our covered individuals. We follow privacy policies and data protection principles to comply with the law and develop a culture in which respect for private life, data protection, data security and confidentiality of personal information is seen as the norm. The principles set out in this Policy are aligned with concepts and requirements from the European Union’s Data Protection Directive and the U.S. Department of Commerce’s Safe Harbor Privacy Principles.

1.3 All of our employees, external associates and other contracted parties are obliged to comply with this Policy when processing personal data on our behalf. Specific practices are tailored to meet the legal and regulatory requirements of the countries and regions in which JMJ Associates operates. Any breach of this Policy may result in disciplinary or other enforcement action.


2. LOCAL STANDARDS AND DOCUMENTS

2.1 In some countries, local laws or regulations may provide stricter requirements than set forth in this Policy. In such cases, the stricter requirements apply. JMJ Associates’ General Counsel, in coordination with the Chief Information Officer, is responsible for determining whether stricter limitations apply to the processing of personal data and for adopting the appropriate country-specific policies.

2.2 This Policy is not intended to replace other contracts, notices or policies provided by JMJ Associates to its employees or others in accordance with regional, national and local laws and regulations. In the event of any conflict between this Policy and such other contracts or notices, the local contracts or notices will prevail.


3. ABOUT THIS POLICY

This Policy applies to the collection, storage, processing, transfer and use of personal information concerning identifiable people. The types of personal data that we may be required to handle include information about current, past and prospective employees, independent contractors, suppliers, customers and others with whom we communicate. The personal data, which may be held on paper or on a computer or other media, is subject to certain local and national rules and legal safeguards that must be satisfied when we obtain, handle, process, transfer and store personal data.


4. U.S. SAFE HARBOR PRINCIPLES

4.1 It is the policy of JMJ Associates to comply with the requirements of the U.S.-EU Safe Harbor Framework, as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries. JMJ has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, access, onward transfer, security, data integrity and enforcement with respect to all personal information transferred from the EU to the US within the scope of its Safe Harbor certification. In addition, certain personal information may be subject to more specific privacy policies of JMJ Associates, which are also consistent with the U.S.-EU Safe Harbor Framework.

4.2 For example, personal information obtained from or relating to clients or former clients is further subject to the terms of any specific privacy notice provided to the client, any contractual arrangements with the client, and applicable laws (including, without limitation, local, national and regional laws and regulations), and professional standards.

4.3 To learn more about the Safe Harbor program, please visit www.export.gov/safeharbor.


5. DEFINITION OF DATA PROTECTION TERMS

Definitions of commonly used data protection terms vary from country to country. Generally, personal data or personal information means any information or set of information that identifies or could be used to identify (together with other information) a living individual, for example names and addresses. Personal data includes personal data howsoever processed, including manually processed data. Personal data does not include information that is anonymised or aggregated. Sensitive personal data includes any personal data that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, information that concerns health or sex life, and information about criminal or administrative proceedings and sanctions. Sensitive personal data can only be processed under strict conditions, including the express permission of the person concerned. Data subjects for the purpose of this Policy include all living individuals about whom we hold personal data. Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties. Agent means any third party data processor, for example a vendor or supplier that processes personal data provided by JMJ Associates on its behalf and under its instructions.


6. FAIR AND LAWFUL PROCESSING

JMJ Associates must process personal data in a fair and lawful manner. Specifically, we must:

(a) Collect only as much personal data as is required by law or needed for the purposes about which the individual has been informed;
(b) Collect personal data in a fair and non-deceptive manner;
(c) Collect personal data from individuals consistent with local country and jurisdictional laws and regulation; and
(d) Verify that personal data collected from third parties is reliable and legally obtained.


7. NOTIFYING DATA SUBJECTS

7.1 If we collect personal data directly from data subjects, we will inform them about:

(a) The purpose or purposes for which we intend to process that personal data.
(b) The types of non-Agent third parties, if any, to which we will disclose that personal data.
(c) The choices and means with which data subjects can limit our use and disclosure of their personal data.

7.2 We will provide notice to individuals in clear and conspicuous language when individuals are first asked to provide personal data to us, or as soon as practicable thereafter. In any event, we will provide notice before we use the personal data for a purpose other than that for which it was originally collected.

7.3 If we receive personal data from our affiliates in the EU, namely JMJ Associates Limited (UK), we will use that information in accordance with the notices those entities provided to the individuals to whom that personal data relates and the choices made by those individuals.


8. OBTAINING CONSENT

8.1 JMJ Associates must obtain consent from individuals when required or appropriate. Consent must be obtained in accordance with local country laws and regulations. Additional safeguards that may be required may vary from country to country.

8.2 We will provide individuals with the opportunity to opt out of any disclosure of their personal data to any non-Agent third party or the use of that data for a purpose other than the purpose for which it was originally collected or subsequently authorised by the individual.

8.3 With regard to sensitive personal data specifically, unless we have received the individual explicit consent (opt-in) to do so, we will not disclose sensitive personal data to a non-Agent third party or use sensitive personal data for a purpose other than the purpose for which it was originally collected or subsequently authorised by the individual.

8.4 We will provide individuals with reasonable methods to exercise their choices.


9. USE AND RETENTION

JMJ Associates must use, process, store and/or retain personal data only for legitimate business purposes or as authorised by the individual. Specifically, JMJ Associates will use, store and/or process personal data consistent with the stated purposes for which it was collected, the consent obtained from the individual and contractual, regulatory and local country and regional laws and requirements. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required.


10. PROCESSING IN LINE WITH DATA SUBJECT'S RIGHTS

We will process all personal data in line with data subjects' rights, in particular their right to:

(a) Request access to any data held about them and to have inaccurate data amended (see paragraph 15 below).
(b) Prevent the processing of their data for direct-marketing purposes.


11. ONWARD TRANSFER OF PERSONAL DATA

We will obtain assurances from our Agents that they will safeguard personal data in accordance with this Policy. Appropriate assurances include a contract between us and the Agent that requires the Agent to confirm that it will comply with the appropriate data protection obligations. Please contact our General Counsel, Michael R. Miller, if you have received a contract from, or are looking to develop a relationship with, an Agent on behalf of JMJ Associates.


12. DATA SECURITY

12.1 We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

12.2 We will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a third party data processor if it agrees to comply with those procedures and policies, or if it puts in place adequate measures himself.

12.3 Security procedures include:

(a) Non-secured devices. Personal data is not to be kept or stored on non-secured devices or local drives. Personal data may only be stored on corporate network devices that are approved by our IT department as having adequate security for authorised access. If you are using your own device, following verification by IT you may be required to review and confirm your agreement to a separate policy outlining the use of such device.

(b) Entry controls. Any stranger seen in entry-controlled areas should be reported.

(c) Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)

(d) Methods of disposal. Paper documents should be shredded. Digital storage devices should be physically destroyed when they are no longer required.

(e) Equipment. Data users must ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.


13. DATA INTEGRITY

We will take reasonable steps to ensure that personal data we hold is accurate and kept up to date. We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. We will take reasonable steps to destroy or amend inaccurate or out-of-date data.


14. DISCLOSURE AND SHARING OF PERSONAL INFORMATION

14.1 We may share personal data we hold with any affiliate or subsidiary of our corporate group.

14.2 Subject to paragraph 14.3 below, we may also disclose personal data we hold to third parties as required for normal business operations, including providing services to our customers, and as otherwise required or permitted by applicable laws.

14.3 When disclosing personal data to third parties, we must only disclose personal data for the purposes identified in our notice to the data subjects and verify that our actions align with the consent provided by the data subject as noted in paragraph 8 above, in addition to any legal and/or regulatory requirements.


15. ACCESS AND CORRECTION

15.1 Data subjects must make a formal request for information we hold about them and data subjects may correct information we hold about them. Requests must be made in writing.

15.2 JMJ Associates must authenticate individuals before allowing access to or providing personal data.

15.3 Employees and independent contractors who receive a written request should forward it to Michael R. Miller, General Counsel, immediately.


16. MONITORING AND ENFORCEMENT

JMJ Associates is committed to monitoring and enforcing ongoing compliance with this Policy and with applicable data protection and privacy laws and regulations around the world. The Chief Information Officer is responsible for working with JMJ Associates’ General Counsel to ensure such compliance.


17. DISPUTE RESOLUTION

17.1 Any questions or concerns regarding our use or disclosure of personal data, whether from an individual employee or contractor, or one of our clients, suppliers or other business associates, should be addressed to Michael R. Miller, General Counsel, at the address given under Contact Information below.

17.2 We will investigate and attempt to resolve any complaints and disputes regarding the use and disclosure of personal data in accordance with the provisions of this Policy.


18. CHANGES TO THIS POLICY

We reserve the right to change this Policy at any time and will update this webpage accordingly. Where appropriate, we will notify data subjects of those changes by mail or email.


19. CONTACT INFORMATION

Questions or comments regarding this Policy and any notifications required by this Policy should be submitted to the General Counsel of JMJ Associates by mail or e-mail as follows:

Attention: Michael R. Miller
8310-1 N. Capital of Texas Highway #440,
Austin, Texas 78731, United States of America
E-mail: mmiller@jmj.com