Notice of employee and applicant data processing practices

This notice (“Notice”) provides you with information about Liberty Mutual Canada (“Liberty Mutual” or
“we”) data processing activities with respect to personal data collected from and about job applicants,
employees, and contract employees in Canada.

As your employer, we need to collect personal information about to manage human resources, assign work, assess performance, ensure health and safety, protect electronic network security and meet our legal obligations. We will always only use what is necessary to address operational realities to respect your privacy.

We will collect and process personal information about you as a Liberty Mutual employee, or contract employee from your job interview process, at the start of your employment and in the course of your employment, as more specifically defined in the Classes of Personal Data listed in the Annex (“Personal Data”). In addition to the other processing referred to in this Notice, we locally process your Personal Data to the extent permitted or required under applicable law, for purposes connected with your employment, such as human resources and payroll management and administration. The Personal Data
categories that we process locally are listed in the Annex, which include contact information, compensation and benefits information, information on your role in our organization, etc. The list in the Annex is divided into different classes of Personal Data as we do not collect, use and process all Personal Data for the same purposes.

Your Personal Data will also be processed, where necessary, for the purposes of complying with legal or regulatory obligations, investigating infringements of the law or Liberty Mutual policies (including disciplinary and grievance matters) and establishing, exercising or defending legal rights of members of the global group of Liberty Mutual companies (the “Liberty Mutual Group”). Your Personal Data will also be processed in the operation and management of Liberty Mutual Group IT systems which systems may be hosted internally (for example, through MS Teams Social Channels or recorded Skype or MS Teams meetings) or externally.

We will transfer a subset of your Personal Data to other parties as described below under the section on “Recipients,” as permitted under applicable data privacy law for the following purposes:

Last revision: August 2023

The following recipients or categories of recipients will receive access to some of your Personal Data.

We will include certain Personal Data in a global human resources information system (“HRIS”), whic is a
global tool that assists the Liberty Mutual Group to administer human resources and employee compensation at an international level and permits employees to manage their own Personal Data in some cases. Specifically, we will transfer Class 1, 2 and 3 Data to HRIS servers in the United States. Liberty
Mutual’s Parent company, Liberty Mutual Group Inc. in the United States may host such respective servers
or may utilize 3rd party servers but in either case will be responsible as controller for security access within the databases for Personal Data in the HRIS. This transfer of Personal Data will enable the Liberty Mutual Group to benefit from improved cross-border human resources management and to centralize payroll and benefits administration, which will reduce costs and minimize data transfer between Liberty Mutual Group entities by less secure means. With the exception of Class 1 Data, which is available to everyone in the Liberty Mutual Group to facilitate cooperation, only human resources managers and authorized employees with a need to know have access to the Personal Data. Certain executives, managers and employees at other worldwide affiliates of the Liberty Mutual Group may also have access to certain Personal Data, however, on a “need-to-know” basis if there are legitimate business purposes, e.g., supervisor-reporting relationships across national borders. A list of such affiliates is available upon request.

In addition, we make certain Personal Data available to affiliated and unaffiliated service providers on a
“need-to-know” basis or other third parties, as permitted under applicable data privacy law. By way of
example, some Personal Data in the HRIS will be available to Liberty Mutual Group Inc. and an employee
benefit plans service provider (who will have access to certain Class 3 Data), third parties who provide payroll support services to the Liberty Mutual Group, and government agencies and entities as required by law.

Many of these recipients will be located or may have relevant operations outside of your country or province, such as in the United States, where the data protection laws may not provide a level of protection equivalent to the laws in your jurisdiction. By way of entering into appropriate data transfer agreements, we have established or confirmed that Liberty Mutual Group Inc. will provide an adequate level of protection for the Personal Data and that appropriate technical and organizational security measures are in place to protect Personal Data against accidental or unlawful destruction, accidental loss or alteration, unauthorized disclosure or access, and against all other unlawful forms of processing. Any onward transfer recipients are subject to appropriate data transfer agreements.

Data collected for the purposes hereunder will be stored only as long as necessary during the term of your employment relationship with Liberty Mutual, during a transition period (e.g., for the provisioning of ongoing pensions and other benefits, or the compliance of Liberty Mutual’s obligations regarding data retention as established in the applicable laws), or for purposes of documenting proper termination of the employment relationship (e.g., vis-à-vis tax authorities, etc.). If a judicial or disciplinary action is initiated or anticipated, the Personal Data may be stored until the end of such action, including any potential periods for appeal, and will then be deleted or archived and in the case of Class 4 Data the lesser of the above or as permitted by applicable law. Your Personal Data will not be kept in a form that allows you to be identified for any longer than is reasonably considered necessary by Liberty Mutual for achieving the purposes for which it was collected or processed or as it is established in the applicable laws related to data retention periods.

Last revision: August 2023

Under applicable law, you may have, among others, the rights: (i) to check whether and what kind of Personal Data we hold about you and to access or to request copies of such data, (ii) to request correction, supplementation or deletion of Personal Data about you that is inaccurate, and (iii) to request Liberty Mutual to stop the collection, processing or use of Personal Data about you, except to the extent required or permitted under applicable statute or other law. Where you agreed to provide your personal information on a voluntary basis, for example, through a diversity and inclusion program, you may withdraw consent at any time and we will delete the relevant information.

Please address such request and any other questions concerns regarding this Notice to your Privacy Officer, Jessica Seppi, at 416 307 4695 or via email at jessica.seppi@libertymutual.com.

Last revision: August 2023

When you apply for a position at Liberty Mutual, we will need to collect certain personal information from you to assess your application against the requirements of the position. We will collect no more information than is necessary for that purpose.

To assess your application for a position at Liberty Mutual, we need your name, your address and phone number to contact you, your curriculum vitae (CV) stating your qualifications, professional certifications, as applicable, and work experience to assess your application.

As a first step in screening applications, we may apply an automated process to pre-screen applications for objective eligibility criteria such as required license or level of education. You have the right to request access to your personal information we used through this automated pre-screening process, to have it corrected if it is inaccurate and to make representations to the person handling your application if you believe there was an error in the automated pre-screening of your application.

If you are considered for the position, we will ask you for references and we may ask information about your Canadian residency status if applicable.

If we hire you, the application collected through your application will be part of your employee file and protected as described above in relation to employee personal information.

If we cannot hire you, we retain your personal information for two months after having contacted you to provide you an opportunity to inquire about the recruitment process or we seek your consent to retain your personal information for longer to consider you for another position. At the end of these periods, your personal information is destroyed.

Class 1 data: Generally available contact information

Class 2 Data: Qualified HR Data including but not limited to:

Class 3 Data: Benefit Plans and Payroll Administration Service Provider Data including but not limited to:

Class 4 Data: Locally process data only: