PRIVACY NOTICE PURSUANT TO ARTICLES 13 AND 14 OF THE UK GENERAL DATA PROTECTION REGULATION (UK GDPR) AND PURSUANT TO THE UK DATA PROTECTION ACT 2018

for candidates applying for employment or for various types of working or collaborative relationships

We take data protection very seriously and therefore wish to inform you about how your data is processed and the rights you may exercise under current data protection legislation, in particular the EU Regulation 2016/679 (hereinafter also referred to as the “GDPR”).

1. Data Controller and DPO

Vivienne Westwood Ltd

Westwood Studios, 9-15 Elcho Street,

London SW11 4AU, England (UK)

Contact details Email:privacy@viviennewestwood.com

Data Protection Officer (DPO)

Email contact details:

dpoltd@viviennewestwood.com

1. Categories of data subject to processing

The categories of “personal data” (pursuant to Article 4(1) of the GDPR) processed by the Data Controller may include, by way of example but certainly not limited to:

• Personal and identification data (e.g. first name and surname, date of birth, place of birth, nationality, national insurance number, etc.);
• Contact details (such as, for example, address, email address, telephone number, etc.);
• Data relating to education, professional experience and activities carried out;
• Personal data, other than that previously indicated, contained in the cover letter and/or CV regarding tastes, preferences, interests, hobbies, etc.;
• Personal data related to the management of the recruitment process (such as, for example, salary requirements, notes regarding interviews conducted, tests carried out, scores awarded, letters of recommendation received, communications to coordinate interviews);
• Personal data collected during pre-employment checks, in particular checks on the ‘right to work’;
• Technical and usage data generated by interaction with the application platform, where applicable, such as logs, date and time of application submission, application status and communications sent via the platform;
• In exceptional cases, where required by the nature of the vacant position, personal data derived from the data subject’s online identity;
• In exceptional cases, special categories of personal data, specifically health status, where the Data Controller is in one of the situations referred to in section 60(6) of the Equality Act 2010.

1. Purposes and legal bases for the processing of personal data

1. Purposes aimed at fulfilling a legal obligation (pursuant to Article 6(1)(c) of the UK GDPR)

The processing of personal data is intended to enable the assessment of the data subject’s (candidate’s) application, whether for a specific vacancy or an unsolicited application, and in particular, in this context, for the following purposes:

1. compliance with legal obligations relating to the application and any subsequent recruitment. With regard to the processing of special categories of personal data, and specifically data concerning health, for the exceptions set out in section 60(6) of the Equality Act 2010 (for example, reasonable adjustments to the selection process or to assess whether the candidate is able to perform a function intrinsic to the job in question), the basis for processing is Article 9(2)(b) of the UK GDPR.

The retention period for personal data, in relation to the purposes set out in this section, is:

For purpose a: 12 months from the end of the recruitment process. With specific reference to detailed health data, until the end of the recruitment process.

These retention periods may be extended in the event of a dispute or a reasonable risk of a dispute arising.

1. Purposes relating to the performance of a contract or pre-contractual measures (pursuant to Article 6(1)(b) of the UK GDPR)

The purpose necessary for the performance of pre-contractual measures is:

1. Where the data subject has received a conditional or unconditional job offer, management of the stage of the selection process relating to the preparation of the employment or collaboration contract (including, by way of example and without limitation, the collection of any information necessary for recruitment or collaboration and for entering into the relevant contract);
2. Creation and maintenance of the account to manage applications in accordance with the terms and conditions accepted by the data subject at the time of creating the account, including any updates to those terms and conditions.

The retention period for personal data, in relation to the purposes set out in this section, is:

For the purpose at: 6 months from the end of the selection process if the offer is not accepted or the contract is not finalised. Conversely, if the contract is finalised, the retention period will follow the specific timeframes provided for or required in relation to the individual employment or collaboration relationships established and indicated in the respective privacy notices.

These retention periods may be extended in the event of a dispute or a reasonable risk of a dispute arising.

For purpose b: until the account is deleted at the data subject’s request or due to account inactivity, which is equivalent to 1 year.

1. Purpose for the pursuit of a legitimate interest (pursuant to Article 6(1)(f) of the UK GDPR)

The retention period for personal data, in relation to the purposes set out in this section, is:

For purposes a and b: 6 months from the end of the selection process.

These retention periods may be extended in the event of a dispute or a reasonable risk of a dispute arising.

1. Purposes covered by the data subject’s consent (pursuant to Article 6(1)(a) of the UK GDPR)

The purpose requiring consent is:

1. Retention of the candidate’s profile and information arising from the selection process for a period following the end of the selection process in order to offer the data subject new job opportunities should they arise in the near future.

The retention period for personal data, in relation to the purposes set out in this section, is:

For purpose a: 1 year from the date consent is given.

1. Recipients or categories of recipients of personal data * (pursuant to Article 13(1)(e) of the UK GDPR)
2. The Data Controller may disclose your data to:
3. Internal departments and functions of the Data Controller;
4. Companies and professional service providers offering IT services, including electronic data processing, software and cloud management, website management and IT consultancy;
5. occupational health doctor (where a pre-employment medical examination or other health-related measures are required), in the event of recruitment;
6. Employment consultants and professional firms (solicitors, accountants, etc.) providing support in the event of a job offer or collaboration being prepared;
7. Companies providing the platform through which applications are collected and managed;
8. Companies providing platforms through which job advertisements are published;
9. Companies and consultants specialising in recruitment.
11. * Further information on the Recipients is available from the Data Controller at the contact details provided above.
13. Recipients or categories of recipients of personal data (pursuant to Article 13(1)(f) of the UK GDPR) and transfer of data to third countries

The Data Controller informs you that it does not intend to transfer your data outside the UK for the purposes set out above.

1. Rights of the Data Subject (pursuant to Article 13(2)(b) of the UK GDPR)

The data subject may exercise the following rights:

• the data subject’s right of access [Article 15 of the EU Regulation] (the right to be informed about the processing of their Personal Data and, where applicable, to receive a copy thereof);
• the right to rectification of one’s Personal Data [Article 16 of the EU Regulation] (the data subject has the right to have inaccurate personal data concerning them rectified);
• the right to erasure of one’s Personal Data without undue delay (‘right to be forgotten’) [Article 17 of the EU Regulation] (the data subject has, and will continue to have, the right to have their data erased);
• the right to restrict the processing of one’s Personal Data in the cases provided for in Article 18 of the EU Regulation, including in the event of unlawful processing or where the data subject contests the accuracy of the Personal Data [Article 18 of the EU Regulation];
• the right to data portability [Article 20 of the EU Regulation], the data subject may request their Personal Data in a structured format in order to transmit it to another controller, in the cases provided for in that Article;
• the right to object to the processing of one’s Personal Data [Article 21 of the EU Regulation] (the data subject has, as will have, the right to object to the processing of their personal data);
• the right not to be subject to automated decision-making [Article 22 of the EU Regulation] (the data subject has, and will continue to have, the right not to be subject to a decision based solely on automated processing);

Furthermore, pursuant to the Use and Data Access Act of 2025, the data subject has the right to lodge a complaint with the Data Controller: the data subject has the right to lodge a complaint directly with the Data Controller if they consider that their rights, as recognised by data protection legislation, have been infringed.

Further information regarding the data subject’s rights may be obtained by requesting a full extract of the articles referred to above from the Data Controller.

With regard to the purposes for which consent is required, the data subject may withdraw their consent at any time, and the effects shall take effect from the moment of withdrawal, subject to the time limits provided for by law. In general terms, the withdrawal of consent takes effect only for the future.

The aforementioned rights may be exercised in accordance with the provisions of the Regulation, including by sending an email to the following address: privacy@viviennewestwood.com.

In accordance with Article 19 of the UK GDPR, the Data Controller shall inform the recipients to whom the personal data have been disclosed of any rectifications, erasures or restrictions on processing requested, where this is possible.

To ensure a quicker response to your requests made in the exercise of the above rights, these may be addressed to the Data Controller using the contact details provided in point 1.

1. Right to lodge a complaint (pursuant to Article 13(2)(d) of the UK GDPR)

If the data subject considers that their rights have been infringed, they have the right to lodge a complaint with the Data Protection Authority, in accordance with the procedures set out by the Authority at the following web address

http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524 or by sending a written communication to the Information Commissioner’s Office.

1. Possible consequences of failure to provide data and the nature of the provision of data (pursuant to Article 13(2)(e) of the UK GDPR)
2. In the case of compliance with legal or contractual obligations

Please note that where the legal basis for the processing purposes is a legal or contractual (or even pre-contractual) obligation, the data subject must necessarily provide the requested data.

Otherwise, the Data Controller will be unable to pursue the specific purposes of processing.

1. Where the data subject has given consent

For other purposes for which consent is required, the data subject may withdraw their consent at any time, and the withdrawal will take effect from the moment it is made, subject to the time limits provided for by law. In general terms, the withdrawal of consent applies only to the future. Therefore, processing carried out prior to the withdrawal of consent will not be affected and will remain lawful.

Failure to give consent, or giving only partial consent, may prevent the full provision of services or the performance of activities (for example, participation in the selection process), in relation to the specific purposes for which consent is withheld.

When data is no longer required, it is routinely deleted; if deletion is impossible or would require a disproportionate effort due to a particular storage method, the data may not be processed and must be stored in areas that are not accessible

1. The source from which the personal data originates and, where applicable, whether the data comes from publicly available sources (pursuant to Article 14(2)(f) of the UK GDPR)

If the data subject did not apply of their own accord but was invited to apply, the Data Controller obtained the data used to make initial contact from the following categories of sources: job search platforms, companies and professionals in the recruitment sector.

The data subject has the right to request further information from the Data Controller via the contact details set out in point 1 of this notice.

1. Absence of fully automated decision-making pursuant to Article 22 of the UK GDPR

The use of fully automated decision-making processes as detailed in Article 22 of the GDPR is currently excluded. Should it be decided in the future to implement such processes for individual cases, the data subject will be notified separately where required by law or via an update to this policy.

1. Methods of processing
2. Personal data will be processed in paper, computerised and electronic form and entered into the relevant databases (candidates, etc.), to which the following may have access and thus become aware of the data: by staff expressly designated by the Data Controller as Data Processors and Authorised Persons for the processing of personal data, who may carry out operations of consultation, use, processing, comparison and any other appropriate operation, including automated processing, in compliance with the provisions of law necessary to ensure, amongst other things, the confidentiality and security of the data, as well as the accuracy, up-to-date nature and relevance of the data in relation to the stated purposes.