Employee Privacy Notice

We do not actively collect any special categories of personal data – as that term is defined in the General Data Protection Regulation (EU) 2016/679 – from employees. However, certain characteristics you manifestly make public, such as racial or ethnic origin, religious beliefs, and physical or mental health condition, may be revealed through CCTV footage. CCTV recordings is retained in accordance with this Employee Privacy Notice and are not used to infer characteristics about you.

2. Use of Employee Personal Information

Only the minimum data necessary is collected and limited in use to reasonable employment–related and business purposes, including:

• Workforce Planning and Recruitment: for example, for business forecasting, employee assignment planning and budgeting, managing, promoting and terminating staff.
• General Human Resources Management and Administration: for example, for career development, performance management, compensation and benefits management, administering payroll, managing reward and recognition programs, collaborating on charitable donations and volunteer opportunities, reimbursing expenses, managing absences, training staff, and carrying out disciplinary or grievance procedures.
• Performance of Business Operations: for example, to carry out day to day business activities, to ensure business continuity, to enforce rights and protect business operations, and to pursue available remedies and limit damages the organization may sustain.
• Security Management: for example, to ensure the security of the organization’s premises, assets, information, and staff.
• Legal and Regulatory Compliance: for example, to respond to law enforcement requests; as required by applicable law, court order, or governmental regulations; to ensure compliance with health & safety requirements and other legal or fiscal obligations, or in connection with litigation or an internal investigation or audit and to ensure compliance with the organization’s Code of Conduct and Business Ethics and policies regarding anti– money laundering, bribery, and corruption.
• Provide immigration support: If applicable and as permitted by applicable law, to assist with immigration support, such as applying for visas or work permits.
• Business transactions: for example, to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of the organization’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held about you is among the assets transferred.
• As otherwise described to you at the time your personal information is collected.

3. Disclosures of Employee Personal Data

Employee personal data may be disclosed for the following reasons:

• You request or consent to the disclosure.
• There is an emergency and physical safety is at risk.
• In connection with an investigation, such disclosure is reasonable.
• The information is necessary to process an insurance claim.
• Auditors require the personal data as part of an audit.
• To obtain advice of professional advisors, such as tax, legal, accounting, and other business advisors.
• Applicable laws, a court order, a warrant, or a government or legal authority instructs the disclosure of certain information.
• Other purposes where applicable laws do not require your knowledge or consent.

4. Recipients of Employee Personal Data

In connection with the use and disclosure of your personal data as described in this Employee Privacy Notice, the data is made available to the following categories of recipients:

• Team Members at various group companies: To establish, manage, or terminate your employment.
• Service Providers: Service providers are used to operate, host, and facilitate the organization’s operations and business, including human resources operations, and to provide services to you on behalf of the organization, such as recruitment providers,
  financial investment service providers, insurance providers, healthcare providers and other benefits providers, and payroll support services. We require our service providers by written contract, to implement appropriate security measures designed to protect your
  personal data in accordance with applicable law or regulation.
• Professional advisors: Personal information may be accessible to professional advisors that are implementing or updating technical systems or providing legal or consulting services. These services are provided under and governed by contracts.
• Government authorities and law enforcement: In certain situations, the disclosure of personal data may be required in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
• Business transfers: Your personal data may be transferred to a third party as part of a merger, acquisition, bankruptcy, or other transaction in which that third party assumes control of the business (in whole or in part) you work for.

Personal data is also made available to the above recipients and/or third parties for purposes of fulfilling legal obligations under applicable law, regulation, court order or other legal process, such as preventing, detecting, and investigating potentially illegal or prohibited activities; preventing, detecting and investigating security incidents; protecting the rights, property, or safety of you, the organization, or another party; enforcing any agreements with you; responding to claims; and resolving disputes.

5. Employee Data Subject Rights

Applicable data protection or privacy law provides employees with the following privacy rights, subject to certain exceptions and limitations, including:

• Right of Access: You have the right to obtain confirmation whether your personal data is being processed, and, where that is the case, obtain a copy of your personal data.
• Right to Rectification (Correction): You have the right to correct inaccurate personal data and the right to have incomplete personal data completed.
• Right to Erasure (Right to be Forgotten): You have the right to request your personal data be erased.
• Right to Restriction of Processing: You have the right to restrict the processing of your personal data.
• Right to Data Portability: You have the right to request the transfer of your personal data directly to you or to another organization in a structured, commonly used, and machine–readable format.
• Right to Object: You have the right to object to the processing of your personal data.

You have the right to lodge a complaint regarding the use of your data if your request or concern is not satisfactorily resolved. You may approach your local data protection/supervisory authority, including:

• EEA – European Data Protection Board
• UK – Information Commisioner’s Office
• Australia – Office of the Australian Information Commissioner

Under specific circumstance, these rights may be limited. For example, if fulfilling your request would reveal personal information about another individual, or if you ask for the deletion of personal information which must be retained to comply with applicable or which is needed to defend claims against the organization. If there is an exception to fulfilling your request, it will be communicated clearly and fully to you.

To exercise any of these rights, please contact the Data Privacy Office directly at: dataprotection@rbglobal.com. Please note, we may take steps to verify your identity by matching the information you provide with your request with the information we have on file about you. Depending on the sensitivity of the information at issue, we may utilize more stringent verification
methods.

6. International Transfers

As a global organization, your personal data will be transferred to one or more RB Global group companies or to third parties for the purposes described in this Employee Privacy Notice. Group companies or service providers may be located in countries other than where you reside, and those countries may have data protection laws that are different from the laws of the country in which you are located.

If your personal data is transferred to an RB Global recipient or third party in a country that is not considered to provide adequate protection under applicable data protection or privacy law, measures designed to ensure that your personal data is adequately protected are employed and, where required, an appropriate transfer mechanism is put in place.

For intra–RB Global transfers to a US recipient, RB Global, Inc.’s US operating subsidiaries participate in the EU–U.S. Data Privacy Framework Principles (“EU–U.S. DPF”) and the UK Extension to the EU–U.S. DPF (together with the EU–U.S. DPF, the “Principles”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of all human resources personal data (as defined in the Principles) that is transferred from the European Union (“EU”), the European Economic Area (“EEA”), and the United Kingdom (“UK”) to the United States within the scope of its certification. To learn more about the Data Privacy Framework (“DPF”)
program, and to view our certification, please visit the Data Privacy Framework site here.

The following RB Global, Inc.’s US operating subsidiaries adhere to the Principles: Ritchie Bros. Auctioneers (America) Inc., IronPlanet, Inc., Ritchie Bros. Asset Solutions Inc., Rouse Services LLC, Rouse Appraisals, LLC, Rouse Analytics, LLC, Rouse Sales, LLC, and SmartEquip, Inc. The following RB Global, Inc.’s US operating subsidiaries adhere to the Principles as well as the Swiss-U.S. Data Privacy Framework Principles (the “Swiss-US DPF”) regarding the collection, use, and retention of human resources personal data (as defined in the Swiss-US DPF) that is transferred from Switzerland to the United States: Insurance Auto Auctions of Georgia LLC, Insurance Auto Auctions Tennessee LLC, Auto Disposal Systems Inc. Decision Dynamics LLC, Impact Texas LLC, Automotive Recovery Services, Inc., Insurance Auto Auctions, Insurance Auto Auctions Corp.

In cases where transfers or disclosures (or onward transfers) to third parties are made, we rely on a service provider’s certification to the Principles (if sent to the US and applicable) and/or contractual means to require administrative and technological safeguards designed to mitigate the threat of unauthorized access, use or disclosure of your information (such as standard data protection clauses issued or approved by the European Commission). We will remain liable under the Principles for any failure by a third party to comply with the Principles or our contractual arrangement with them unless, where permitted by applicable law, we prove we are not
responsible for the event giving rise to the damage.

For information on how to exercise your data subject rights under the Principles, follow the instructions in section 5 of this notice above.

Please contact us if you have any questions about the transmission of information among RB Global recipients or our transfers to service providers using the contact information in section 10 below. In compliance with the Principles, RB Global, Inc.’s US operating subsidiaries commit to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of human resources personal data received in reliance on the Principles and Swiss-US DPF in the context of the employment relationship.

Under certain conditions, a binding arbitration option may be available to you in order to address complaints not resolved by any other means. For further information, please visit the DPF site by clicking here. RB Global, Inc.’s US operations are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission with respect to all matters associated with the Principles and Swiss-US DPF.

7. Additional EU/EEA and UK Notices

Legal Basis for Processing. If you are an employee in the EU/EEA or UK, the legal basis for collecting and using the personal data described above depends on the personal data concerned and the context in which it is collected. The types of legal bases include:

• Consent: You have given clear consent for the processing of your personal data and can choose to withdraw your consent via email as described in Section 5 above.
• Legitimate Interests: The processing is necessary in connection with legitimate interests in the employment relationship and which do not override your data protection interests or fundamental rights and freedoms.
• Necessity: The processing is necessary for the performance of a contract to which you are a party.
• Legal Obligations: The processing is necessary to comply with legal obligations, such as retaining records relating to the employment relationship for periods required under applicable laws or regulations.

In the EU/EEA and UK, the legal basis for processing your personal data are as follows:

• The organization requires the personal data to comply with legal obligations in relation to administering and managing the employment relationship or to exercise rights in the field of employment.
• Processing of data to carry out the employment contract is based on necessity.
• Processing of data relating to your employment that you share with us or based on performance are based on the legitimate interest of managing the employment relationship, such as career development and resource planning.
• Processing of data relating to your health is a based on the legitimate interest of ensuring health and safety in the workplace and administering benefits programs.
• The limited processing of special categories revealed CCTV is based on the legitimate interest of monitoring the organization’s premises.
• Processing of information about you when you choose to participate in a survey or event is based on your consent.
• The processing of data about you for security purposes is based on a legitimate interest in protecting systems and networks.
• Processing of data about you for business continuity and record keeping purposes is based on a legitimate interest in operating the business in an efficient and appropriate manner.

If you have questions about or need further information concerning the legal basis on which personal data is collected and used, please see the “Contact Us” section below. Control of Personal Data. In the EU/EEA and UK, the following group companies control the
processing of your personal data:

• For Ritchie Bros. positions, one the of the following local RB Global operating companies
  depending, on where you reside and work:
  • in Germany, Ritchie Bros. Deutschland GmbH;
  • in France, Ritchie Bros. Auctioneers France SAS
  • in Italy, Ritchie Bros. Italia S.r.l.
  • in the UK, Ritchie Bros. UK Limited
  • in Ireland, IronPlanet Limited
  • in Spain or Portugal, Ritchie Bros. Spain, SL.
  • in the Netherlands, Ritchie Bros. B.V. or Ritchie Bros. Shared Services
  • in Poland, Ritchie Bros. Polska Sp. z.o.o.
  • in Finland, Ritchie Bros. Finland Oy
  • in Sweden, Ritchie Bros. Sweden AB
• For any Synetiq positions:
  • Synetiq Limited, located at Bentley Moor Lane, Adwick–le–Street, Doncaster, DN6 7BD.
• For any positions that will support Rouse and/or SmartEquip operations:
  • SmartEquip, Inc., located at Building 501 Merritt 7, Fifth Floor, Norwalk, CT 06851, USA, or Rouse Services LLC, located 8383 Wilshire Blvd #900, Beverly Hills, CA 90211, USA, as applicable, jointly with the RB Global group operating company that is your employer.
  • In the EU/EEA, Ritchie Bros. Shared Services B.V. acts as legal representative for SmartEquip. and Rouse.
  • In the UK, Ritchie Bros. UK Limited.
• For any positions that will support Ritchie Bros. Financial Services operations:
  • Ritchie Bros. Financial Services Ltd. located at 9500 Glenlyon Parkway, Burnaby, British Columbia, Canada, V5J 0C6 jointly with the RB Global group operating company that is your employer.
  • In the EU/EEA Ritchie Bros. Shared Services B.V. acts as legal representative for Ritchie Bros. Financial Services.
  • In the UK, Ritchie Bros. UK Limited.

8. Security & Retention

The organization maintains appropriate technical and organizational measures, including, but not limited to, reasonably designed administrative, physical, and technical safeguards, designed to protect the personal data obtained as discussed in this Employee Privacy Notice from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, and access. However, no system of safeguards can guarantee the security of your personal information. As an employee, you have a role to play in ensuring personal data is secured against
unauthorized access or disclosure by following organizational policies.

Unless a longer retention period is required by law and as documented in organizational policies, your personal data will be retained for only as long as is needed to fulfill the purposes outlined in this Employee Privacy Notice. When the retention of your personal data is no longer required for these purposes or to comply with applicable law, it will either be deleted or anonymized.

9. Changes to this Privacy Notice

The organization reserves the right to amend the Employee Privacy Notice at any time. Updated notices will be posted with new effective dates.

10. How to Contact Us

If you have any questions or concerns regarding this Employee Privacy Notice or the collection and use of your personal data, or for copies of any documents mentioned, please contact us directly at: dataprotection@rbglobal.com

The organization’s address is:

RB Global
Data Protection Office
Two Westbrook Corporate Center
Suite #1000
Westchester, Illinois, 60154

Toll Free: +1.800.663.1739