European Union General Data Protection Regulation Notice
OVERVIEW
Purpose and Intended Audience
This Notice provides information regarding General Dynamics Information Technology’s compliance with the European Union General Data Protection Regulation (“GDPR”).
This notice is intended for all GDIT employees and applicants who work, or will work, in the European Union, European Economic Area, and Switzerland. This Notice is also intended for all GDIT employees who have access to personal data for covered individuals, or responsibility for systems, processes, or vendors that interface with personal data for covered individuals.
General Dynamics Information Technology, Inc. and its managed affiliates (collectively, “GDIT” or “we”) make reasonable efforts to protect the personal data of covered individuals. This Notice aims to provide guidance to GDIT employees on the standards that govern GDIT’s compliance with GDPR principles for these covered individuals. It also aims to provide covered individuals with transparent information regarding the processing of their personal data.
Scope and Responsibility
This Notice applies to GDIT and all managed affiliates. It covers all personal data related to GDIT’s employees, applicants for employment, contract workers, and consultants who work, or will work, in the European Union, European Economic Area, and Switzerland. All employees of GDIT that have access to such personal data are responsible for conducting themselves in accordance with this Notice. GDIT employees responsible for engaging third parties to handle personal data covered by this Notice on behalf of GDIT (e.g., temporary staff, independent contractors, sub-contractors, business partners, or vendors) are responsible for obtaining appropriate assurances that such third parties have an obligation to conduct themselves in accordance with the applicable provisions of this Notice, including any applicable contractual assurances required by GDPR principles.
Failure of a GDIT employee to comply with this Notice may result in disciplinary action up to and including termination.
Definitions
Listed below are the definitions that pertain to this Notice. Where a term is not specifically defined in this section, the definitions of Article 4 of the GDPR shall apply. GDIT is the data controller.
“GDIT” – General Dynamics Information Technology and its managed affiliates, including CSRA, Inc.; Government Systems Overseas Corporation; ARMA Global Corporation; Buccaneer Systems and services, Inc.; GCI, Inc.; SC3 LLC; and all other affiliates not specifically listed.
“Personal data” – any information relating to an identified or identifiable natural person (“data subject”). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity. Data is considered personal when it enables anyone to link information to a specific person, even if the person or entity holding that data cannot make that link.
“Processed” or “processing” personal data – this term is broadly defined and includes any manual or automatic operation (or set of operations) on personal data, including its collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, use, transmission, dissemination or publication, alignment or combination, and even restriction, erasure, or destruction.
“Personnel” or “you” or “your” – all employees of GDIT who work in the European Union, European Economic Area, and Switzerland. As applicable, this may also refer to applicants for employment, contract workers, and consultants who work, or will work, in the European Union, European Economic Area, and Switzerland.
“Data Controller” – a person or entity who, either alone or jointly or together with other persons or entities, determines the purposes for which and the manner in which any personal data are, or are to be, processed. For purposes of this Policy, the Data Controller is GDIT. For questions, contact Donald Creston (Donald.Creston@gdit.com, 703-995-1982).
“Sensitive personal data” – personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
1. General Rule
Personal data shall be collected and processed in compliance with the requirements of the GDPR and/or other applicable local data privacy laws (“Privacy Laws”).
GDIT collects and processes personal data relating to its personnel primarily for job-related purposes. You can find a list of the purposes for which we process your personal data in Section 4 of this Policy. We do not collect and process more or other types of personal data than are necessary to fulfill the respective purposes. We will only use personal data as set forth in this Policy, unless you have specifically provided your consent to another use of your personal data or such use is otherwise permissible under applicable Privacy Laws. You shall be informed about the categories of personal data collected and how the personal data will be processed. If we intend to use your personal data for purposes other than those for which the personal data was originally collected, we will inform you in advance. Where the processing is subject to your consent, we will use your personal data for a different purpose only with your permission. Access to the personal data shall be role-based and consistent with the job duty responsibilities of GDIT’s employees who are given access.
2. Personal Data Collected and Held
Unless limited by local legislation, the following personal data will typically be collected, processed, and stored as part of the personnel record GDIT holds on you:
-Your identity: to include last name, first name, maiden name; date of birth; sex; home address; home telephone number; home email, name and telephone number of a contact in case of emergency; passport number and related materials for processing of residency or other immigration status (if applicable); adhesion to the Catholic and Evangelic Church (in Germany and Switzerland only and exclusively for host country tax purposes); driver's license number (if applicable); work permit number; social security number (if applicable and only as required for payroll, benefit and insurance purposes); country of birth and nationality (if applicable); bank account details; employee identification number; and, if any, your disability rate (if applicable) as required for GDIT to comply with its legal duty; your disability and veteran status (if applicable); marriage certificates and banking loan information for processing for relocation matters; and personal banking information for processing of payroll.
-Family status: to include marital status; last name, first name and date of birth of your spouse or partner (should you and your spouse or partner wish to be added to your insurance); last name, first name, and date of birth of your children (should you wish to add them to your insurance); insurance information; retirement account information; passport number and related materials for processing of residency or other immigration status; school forms for local school enrollment or tuition payments.
-Employment terms and conditions: to include fixed-term contract or open-ended contract (if applicable); part-time or full-time job; hire date; termination date; division; department; reporting structure; job title; pay grade; work telephone number and work email address; job description; salary schedule and other compensation elements; participation in and elements of awards under the executive compensation plan, if applicable; related payments; actual working hours or shift time; retirement fund contribution; tax and source tax deductions; absence management (in particular sick leave, leave of absence, family leave, parental leave); paid holidays (if applicable); time off given in compensation for extra time worked; personnel representative status (such as whether there is an applicable works council).
-Education and development: to include diplomas and training certificates held; languages and proficiency (if applicable); curriculum vitae detailing your work experience and if applicable, military experience (but not the reasons for deferment or rejection from the military service, if any); continuous training; mobility situation and management of career development actions; performance evaluations; training programs completed.
-Data collected through the Ethics Hotline (if applicable): You or a complainant can submit complaints or inquiries on an anonymous basis to the General Dynamics Ethics hotline.
If you or a complainant wishes to use your or their identity, then the following personal data may be collected: last name, first name, job title, and contact information of the person who contacted the compliance hotline (the complainant); last name, first name, job title, and contact information of the person who is the subject of the communication to the compliance hotline; last name, first name, job title, and contact information of the person(s) involved in the collection and processing of the complaint; alleged facts reported by the complainant; follow-up required to verify the alleged facts; and information obtained or created in connection with reporting the complaint.
3. Collection and Processing of Sensitive Data
In principle, GDIT does not collect or process personal data revealing your political opinions, religious or philosophical beliefs, sex life or sexual orientation, nor genetic data or biometric data for the purpose of uniquely identifying a natural person.
However, racial or ethnic origin personal data (e.g. your identified race and ethnic origin as provided by you at your time of hire or when you voluntarily self-disclose such information after your time of hire) may be collected and processed by GDIT to the extent that GDIT is required to do so in order to comply with its affirmative action and equal employment opportunity obligations.
Further, health-related personal data (e.g., absence records associated with illness or accidents, including possible exposure to certain materials or contaminants; maternity leave; disabilities; work-related injuries or claims; etc.) may be collected and processed by GDIT to the extent GDIT is required to do so in order to comply with its labor and social security obligations or to manage the safety at the workplace.
Additionally, personal data related to trade union membership may be collected and processed for purposes of administering the terms of union agreements, benefits and retirement plans, and other activities governed by collective bargaining agreements.
4. Purposes of the Personal Data Processing
Where it is necessary, we use your personal data to help ensure effective personnel administration, for the following purposes:
-Payroll, Benefits, and Insurance: Personal data are used to administer the salaries, benefits, and insurance that you receive under your employment agreement, including annual merit increases, any other salary adjustments, annual bonus payments and retirement plan management, including other benefits provided to retirees; income tax; and social security withholdings.
-Travel Arrangements and Business Expense Processing: Personal data is used to make travel arrangements and to process business expenses associated with business travel; to process business expenses associated with approved coursework, books and periodicals, and training; to process business expenses associated with approved business expenditures.
-Performance Review and Management: GDIT uses personal data to facilitate personnel performance management and career development, notably through annual performance appraisals; annual salary reviews; and, if any, disciplinary measures in accordance with local legislation.
-Succession Planning and Leadership Development: Personal data may also be used for succession planning and leadership development of employees.
-Administration of Executive Compensation Program or Other Similar Employee Equity Plan: Personal data may be used in the administration of the executive compensation program or other similar employee equity plan.
-Legal Obligations: We also use your personal data to comply with our legal obligations, such as income tax and social security withholdings; “Catholic and Evangelic Church tax” (in Germany only and exclusively for tax purposes); disability and family leave obligations; or cooperation with courts, including civil actions, and with law enforcement agencies in legal investigations regarding suspected criminal activities or other suspected illegal activities. Subject to local law requirements, GDIT may use your personal data to protect our legal rights or support any claim, defense or declaration in a case or before any jurisdictional and/or administrative authority or arbitration or mediation panel, in the context of disciplinary actions/investigations or of internal or external audit and inquiries.
-Security: Some of your personal data are collected and processed for security purposes including office access and IT resources access. Personal data may be collected in the course of IT resources security procedures, including security penetration tests, for which IT experts will try to access our system to find any security breaches.
-General Management and Human Resources Administration: Personal data may also be used for administration purposes, including employee feedback through the use of employee surveys and contacting employees; administration of email systems and company directories; assignment of offices and other Company equipment; assignment of identification badges; and evaluations performed for purposes such as headcount, diversity and inclusion measures and overall corporate programs to promote an optimal workplace. Personal data may also be used for GDIT’s planning and budgeting; financial reporting; corporate reorganizations; outsourcing; restructuring; and acquisitions and divestments. Personal data may also be used for human resources administration such as to obtain feedback from personnel about GDIT and the work-life environment, so as to identify areas where the organization can improve and related matters.
-Reporting: Personal data may be collected through the compliance hotline implemented by General Dynamics Corporation as a means of allowing employees to report allegations related to the following matters, or other areas of concern: accounting, internal accounting controls, auditing matters, bribery, banking and financial crime; facts affecting the vital interest of GDIT; or issues related to employees’ physical or moral integrity. The collected personal data may be transferred to General Dynamics Corporation located in Falls Church, Virginia USA in the event that the message received through the reporting system may affect substantially the legitimate interests of General Dynamics Corporation, GDIT or any of their affiliates.
-Monitoring: We will only monitor your use of GDIT IT Resources in accordance with applicable statutory requirements (including, if applicable, notification of relevant authorities) and, if applicable, works council agreements.
-Performance in Your Job Within GDIT: To assign a workspace, office, computers, other GDIT equipment, to keep track of the individuals to whom the equipment is assigned, and to enable access to GDIT’s IT systems and applications, including third party applications used to perform your job.
5. Legal Basis for Processing
We only process your personal data so far as such Processing is legally permitted. Please see below for a more comprehensive description of the legal basis on which we process your personal data. Among other things, the Processing of your personal data is based on the legal principles set out below.
5.1. For the Performance of a Contract with You
GDIT may enter into legal contracts with you other than your employment contract, e.g., with regards to fringe benefits or cost of living allowances. We may process your personal data to comply with legal obligations arising from these contracts.
5.2. Compliance with a Legal Obligation
GDIT is subject to a number of statutory requirements, e.g., to ensure compliance with legal obligations throughout GDIT. To comply with these requirements, we must process certain personal data, for example personal data that we collect through the compliance hotline. Such legal obligations may sometimes require the processing of certain Sensitive personal data.
5.3. Safeguarding Legitimate Interests
GDIT will process certain personal data in order to safeguard our own or any third party’s interests. This may include personal data collected for General Management and Human Resources Administration, Security, Reporting, Monitoring, and Legal Obligation purposes.
5.4. Processing in the Context of Employment
Furthermore, we will process certain personal data in the context of your employment contract. This may include, for example, administrative processing of your personal data to manage, plan and organise your work and your workplace, e.g., to manage the payment of your salary. If you refuse to provide your personal data, which are required in the context of your employment, you might face adverse effects such as the loss of certain benefits, or we might not be able to fulfil our legal obligations to you, i.e. the employment contract cannot be performed.
6. Personal Data Retention Period and Place of Storage
GDIT will only keep your personal data for so long as they are relevant for the purposes for which they were collected or as required by law. GDIT’s personnel's personal data are held in paper, electronic, and other formats, and must be securely stored and accessible only in accordance with job responsibilities. Refer to GDIT’s policies on record retention practices.
7. Conditions of Disclosure of Personal Data
Access to personal data is given to those individuals of GDIT and its affiliates who need such access for a purpose listed above or where required by law. These parties include human resources, international human resources, talent management, finance, accounting and payroll, contracts, procurement, ethics, business services, security, tax, and other department personnel who require access to administer designated responsibilities. Personal data may also be disclosed to information technology personnel, controllers and accounting personnel, and relevant business managers. GDIT will from time to time and for the purposes listed above, need to make some of your personal data available to:
(i) Government administrations (for example tax authorities or social security services) or judicial authorities.
(ii) Your current, past, or prospective employers.
(iii) Other employees within GDIT, General Dynamics Corporation and their affiliates or subsidiaries.
(iv) Employment or recruitment agencies.
(v) External advisers (including GDIT’s independent public accountants, authorized representatives of internal control functions such as auditors or attorneys, corporate security, and corporate legal) and to companies which provide services to GDIT for assisting GDIT in human resources management (such as payroll services, candidates’ assessment purposes and outplacement services).
(vi) Third parties in the course of GDIT’s general management (payroll administrators, benefits providers and administrators, information technology systems providers, financial institutions, retirement plan institutions, and consultants, and professional advisors and consultants).
(vii) Customers and clients.
(viii) Distributors and suppliers of goods or services.
(ix) Travel agencies.
(x) Insurance companies.
(xi) Outsourcers for various services.
In addition, where permitted by applicable law, personal data may be disclosed in connection with a corporate restructuring, sale, or assignment of assets, merger, divestiture, or other changes of control or financial status of General Dynamics Corporation, GDIT, or any of their affiliates. Finally, and to the extent permitted by applicable laws, personal data may be transferred to respond to internal or external audit and inquiries, to law enforcement requests, to administrative or judicial authorities or where required by applicable laws, court orders, or government regulations (including disclosures to tax, employment/labor or other authorities).
You can be assured that your personal data are disclosed or transferred to GDIT’s employees or to the recipients within the departments listed in Paragraph 7 above who need to use your personal data for the purposes described in this Notice, and that your personal data will be treated confidentially. GDIT requires from the service providers to whom your personal data may be transferred that they undertake to process your personal data only on behalf of GDIT and subject to GDIT’s instructions and to implement appropriate security measures to keep your personal data confidential.
8. Transfer of personal data Outside of the EU
As certain of the recipients listed in the above paragraphs may be located outside the EU where the data protection laws might not provide a level of protection equivalent to the laws in your jurisdiction, GDIT has taken the appropriate measures to comply with the requirements of the Privacy Law to secure transfer of personal data outside the EU.
9. Security Measures Implemented to Protect Personal Data
GDIT has undertaken efforts to put into place appropriate technical and organizational security measures to minimize the risk of unauthorized or unlawful disclosure or access to, or accidental or unlawful loss, destruction, alteration or damage to your personal data. These measures will help ensure an appropriate level of security in relation to the risks inherent to the processing and the nature of the personal data to be protected. Your personal data will only be accessible to those Company employees who have a need to know your personal data for the performance of their job duties.
We work to have appropriate physical, technical and organizational security measures in place to protect the security of your data that we process. These security measures may be updated over time when legal and technological developments occur.
10. Your Rights
You have specific legal rights relating to the personal data GDIT collects and Processes about you. In certain circumstances, you may have rights to:
-Access your personal data that GDIT stores.
-Correct the personal data GDIT holds about you.
-Erase your personal data.
-Restrict GDIT use of your personal data.
-Object to GDIT use of your personal data.
-Withdraw your consent, if applicable.
-Receive your personal data in a usable electronic format and transmit it to a third party (right to data portability).
You may contact the responsible persons as listed below at any time if you would like to access the personal data that GDIT holds about you or if you want to exercise your rights. You may access information concerning the source of the personal data, e.g., the purposes for which your personal data are being used, the categories of personal data concerned and the details of the parties with whom GDIT may share your personal data. Pursuant to the law, you may object to the processing of your personal data for legitimate reasons, notably the transfer of your personal data to some recipients. Please note that where GDIT collects, holds and processes your personal data to perform its obligations under your employment contract you may not oppose such processing. You further have the right to lodge a complaint with a relevant supervisory authority if you believe that we may have infringed your rights.
11. Changes to this Notice
This Notice may be updated from time to time. Any such changes will be posted on GDIT’s website and will be available by contacting the data privacy officer listed below.
12. Contact Information
-Data privacy officer contact information: Donald P. Creston, 3211 Jermantown Road, Fairfax VA 22030, 703-995-1982, Donald.Creston@gdit.com
-Alternate contact for further information: General Dynamics Information Technology, Legal Department, 3211 Jermantown Road, Fairfax VA 22030, 703-995-8700 or 1-800-242-0230