CAMBIUM GLOBAL TIMBERLAND LIMITED

 

Data Protection Policy

    

 

Version: 1

Approved By: Board of Directors

Date: 6 DECEMBER 2018

 

 

1
Introduction

1.1
Cambium Global Timberland Limited (the “Fund”) is regulated by the Guernsey Financial Services Commission and has adopted this data protection policy (the “Policy”) to ensure it meets its obligations under Data Protection (Jersey) Law, 2018 (as the same may be amended, varied or replaced) (the “DPL”) and, to the extent that goods or services are offered to individuals within the EU, the EU data protection regime introduced by the General Data Protection Regulation (Regulation 2016/679) (“GDPR” and, collectively with the DPL, hereinafter referred to as the “Data Protection Legislation”).

1.2
This Policy
describes how Personal Data must be collected, handled, stored, disclosed and
otherwise “Processed” to meet the Fund’s data protection obligations
and to comply with the Data Protection Legislation.

1.3
The purpose of this Policy is to ensure that everyone involved in the
processing of Personal Data at the Fund is fully aware of, and complies with,
the requirements of the Data Protection Legislation.

1.4
A “Privacy Notice” exists which provides information for
external individuals as to how their Personal Data is being processed.

1.5
In preparing the Policy, the Fund has taken into account the nature,
scale and complexity of its business and in particular the fact that it relies
broadly on an outsourced model and the support of its delegates and affiliates
for the performance of its functions. As the Fund does not regularly and
systematically monitor Data Subjects on a large scale, it has not appointed a
data protection officer. The Fund’s board of directors (the “Board”) is ultimately responsible
for ensuring that the Fund meets its legal obligations and operates in full
compliance with the Data Protection Legislation.

2
Definitions

2.1
Data Controller
means any natural or legal person, which, alone or jointly with others,
determines the purposes and means of the Processing of Personal Data (in this
case, the Fund).

2.2
Data Processor
means a natural or legal person who processes Personal Data on behalf of the
Data Controller such as a fund administrator, depositary, distributor, investment
manager, alternative investment fund manager, registrar and/or other delegates
that receive Personal Data.

2.3
Data Subject
means an identified or identifiable natural person who is the subject of
Personal Data.

2.4
Personal Data
means any personal information relating to a Data Subject, such as name,
residential address, email address, contact details, corporate contact
information, signature, nationality, place of birth, date of birth, tax
identification, credit history, correspondence records, passport number, bank
account details, source of funds details and details relating to an investor’s investment
activity.

2.5
Privacy Notice
means the data protection disclosure statement prepared in respect of the Fund
outlining the Fund’s data protection obligations and the data protection rights
of Data Subjects investing in the Fund, as required under the Data Protection
Legislation.

2.6
Processing
means performing any operation or set of operations on Personal Data, whether or not
by automatic means, including collecting, recording, organising, storing,
amending, using, retrieving, disclosing, erasing or destroying it. The rules
around the Processing of Personal Data apply whether the activity takes place
in the European Union (“EU”)
or not, where the Processing activities are related to (i) the offering of
goods and services to Data Subjects that are in the EU; or (ii) the monitoring
of their behaviour which takes place within the EU. Furthermore, as the Fund will process
data relating to Data Subjects, such as Directors, it will be required to
process in accordance with the DPL.

3
The Fund as Data Controller

3.1
The Fund is a Data Controller and shall comply with its obligations as
such under the Data Protection Legislation.

3.2
When Processing Personal Data, there may also be times where other
service providers to the Fund (including the administrator), to the extent
they determine the purpose and the means of processing, may also be
characterised as Data Controllers under the Data Protection Legislation. This, however, does not exonerate the
Fund from its responsibilities as a Data Controller. It is important that, if there is any
risk of the Fund acting as a Data Controller jointly with a service provider, for
governance and legal reasons a review of the relevant contractual arrangements should
be undertaken to determine the purpose and means of data processing and the
attribution of responsibilities between the parties.

4
Data Protection Principles

4.1
Personal Data shall be:

(a)
processed fairly, lawfully and transparently;

(b)
collected for specified, explicit and legitimate purposes and not
further processed in a manner that is incompatible with those purposes;

(c)
limited to what is required for the stated purpose or purposes;

(d)
accurate, complete and up to date;

(e)
retained for not longer than is necessary for the stated purpose or
purposes;

(f)
kept safe and secure;

(g)
provided to a Data Subject on request (please see Section 5); and

(h)
not transferred to people or organisations situated in countries without
adequate protection.

4.2
Fair and transparent Processing

Fairly obtained
Personal Data requires that the Data Controller, either before or at the time
the Personal Data is collected, makes the Data Subject aware of the following:

(a)
the identity and contact details of the Data Controller;

(b)
the purpose in collecting the Personal Data as well as the legal basis
for Processing;

(c)
if one such legal basis is the legitimate interests of the Data
Controller, the legitimate interests of the Data Controller or third party and
an explanation of those interests (where Processing is based on this ground);

(d)
the persons or categories to whom the Personal Data may be disclosed;

(e)
details of any transfers outside of the European Economic Area (“EEA”) and a description of the safeguards
in place and the means by which to obtain a copy of them;

(f)
the period for which the Personal Data will be stored;

(g)
the Data Subject’s right to access Personal Data;

(h)
the Data Subject’s right to rectify Personal Data if inaccurate;

(i)
the Data Subject’s right to erasure of Personal Data;

(j)
the Data Subject’s right to the portability of their Personal Data;

(k)
the Data Subject’s right to limit Processing;

(l)
the Data Subject’s right to withdraw consent;

(m)
the Data Subject’s right to object to Processing, in certain
circumstances; and

(n)
the Data Subject’s right to lodge a complaint with The Office of the Data Protection Commissioner in Guernsey.

The Fund
generally meets these requirements through the provision to Data Subjects of
the Privacy Notice in shareholder communications. The Privacy Notice has been
circulated to all existing Data Subjects of the Fund immediately prior to the
Data Protection Legislation taking effect.

The Fund will
ensure that all information and communications relating to the Processing of
Personal Data will be clear, concise, transparent, intelligible, easily
accessible and easy to understand using clear and plain language. The Fund will
ensure that these transparency requirements are adhered to at all stages of the
collection and Processing of Personal Data.

If any of the
information described above changes after it has been provided to the Data
Subject, the Data Subject shall be provided with an update to the information.

4.3
Lawful Processing

The Fund can
process Personal Data lawfully to the extent that at least one of the following
applies:

(a)
where the Data Subject has given consent to the Processing (although it
is preferred wherever possible that alternate grounds of processing be utilised
and that the Fund only rely on consent to Process as a last resort);

(b)
where Processing is necessary for the performance of the contract with
the Fund;

(c)
where Processing is necessary in order to protect the vital interests of
the Data Subject or another natural person;

(d)
where Processing is necessary for compliance with a legal obligation to
which the Fund is subject; and/or

(e)
where Processing is necessary for the purposes of the legitimate
interests of the Fund or a third party and such legitimate interests are not
overridden by the Data Subject’s interests, fundamental rights or freedoms.

4.4
Purpose Limitation

The Fund will
only collect and process Personal Data for purposes that are specific, explicit
and legitimate. The Fund will process Personal Data for the
following purposes:

(a)
to reflect an investor’s ownership of shares in the Fund (i.e. where
this is necessary for the performance of the contract to purchase shares in the
Fund or to process redemption, conversion, transfer and additional subscription
requests or the payment of distributions);

(b)
to discharge its anti-money laundering and terrorist financing/sourcing
of funds obligations to verify the identity of its customers (and, if
applicable their beneficial owners) or for prevention of fraud or for
regulatory or tax reporting purposes or in response to legal requests or
requests from regulatory authorities (i.e. where this is necessary for
compliance with a legal obligation to which the Fund is subject); and/or

(c)
for direct marketing purposes (that is, the provision of information to
Data Subjects on products and services) or for quality control, business and
statistical analysis or for tracking fees and costs or for customer service,
training and related purposes (i.e. where this is necessary for the purposes of
the legitimate interests of the Fund or a third party and such legitimate
interests are not overridden by the Data Subject’s interests, fundamental
rights or freedoms and provided that the Fund is acting in a fair, transparent
and accountable manner and has taken appropriate steps to prevent such activity
having any unwarranted impact on the Data Subject, noting the right of the Data
Subject to object to such uses, as discussed below).

The Fund will
not process Personal Data in a manner that is incompatible with the purposes
communicated to Data Subjects without first advising the Data Subjects of any
other purpose and the applicable basis upon which Processing is conducted.  

4.5
Personal Data Minimisation

The Personal
Data collected will be adequate, relevant and limited to what is necessary in
relation to the purposes for which it is being processed.

4.6
Accurate Records

The Fund will
ensure that the Personal Data held is accurate and kept up to date. The accuracy
of any Personal Data will be checked at the time of collection and at regular
intervals or triggers thereafter. The Fund will take all reasonable steps to
amend inaccurate or out-of-date Personal Data.

4.7
Storage Limitation

The Fund will
not keep Personal Data longer than is necessary for the purpose or purposes for
which it was collected. It will take all reasonable steps to erase all Personal
Data which is no longer required. The Fund will be clear when informing the
Data Subject about the length of time for which Personal Data will be kept or
the criteria for determining such length of time and the reason why the
information is being retained.

4.8
Security

In processing
Personal Data, the Fund shall implement appropriate technical and
organisational measures to ensure a level of security appropriate to the risk,
taking into account the state of the art, the costs of implementation and the
nature, scope, context and purposes of processing as well as the risk of
varying likelihood and severity for the rights and freedoms of natural persons.
In particular, the Fund shall take all appropriate security, technical security
and organisational measures to address the risks of accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to
Personal Data transmitted, stored or otherwise processed.

The Fund will
seek assurances from any service providers that act as Data Processors for the Fund
that they have implemented appropriate information security measures which
comply with the relevant conditions of the Data Protection Legislation.

4.9
Transferring Personal Data to a country outside the EEA

The Fund itself
will not transfer Personal Data but anticipates that its Data Processors may
transfer Personal Data to entities located outside of the EEA. 

Data Processors
may only transfer Personal Data outside of the EEA (a) with the written consent
of the Fund (which will only be provided subject to certain conditions being
satisfied); (b) where required to do so by EU or the law of an EU member state
to which the relevant Data Processor is subject or (c) in certain limited
circumstances, set out in the Data Protection Legislation, e.g. in pursuance of
compliance with decisions of public authorities of the Bailiwick based on an
international agreement improving international obligations on the Bailiwick

Subject to the
provision by the Data Processor of appropriate safeguards in compliance with the
Data Protection Legislation and subject to the availability of rights and
effective legal remedies for Data Subjects, or shall otherwise be in accordance
with the requirements of the Data Protection Legislation.

5
Data Subject Rights

5.1
Right to Access

The Data
Subject shall have the right to obtain confirmation from the Fund as to whether
or not Personal Data concerning them is being processed.

Where the Fund
is Processing their Personal Data, the Data Subject will have the right to
access such Personal Data and the following information (without limitation):

(a)
the purpose of the Processing;

(b)
the categories of Personal Data concerned;

(c)
the persons or categories of persons to whom the Personal Data may be
disclosed, in particular recipients in third countries or international
organisations;

(d)
the envisaged period for which the Personal Data will be stored, or, if
not possible, the criteria used to determine that period;

(e)
the existence of the right to request from the Fund rectification or
erasure of the Personal Data or restriction of Processing of Personal Data
concerning the Data Subject or to object to such Processing;

(f)
the right to lodge a complaint with the Data Protection Commission;

(g)
where the Personal Data is not collected for the Data Subject, any
available information as to their source; and

(h)
the existence of automated decision-making, including profiling,
referred to in Article 22(1) and (4) and, at least in those cases, meaningful
information about the logic involved, as well as the significance and the
envisaged consequences of such Processing for the Data Subject.

Where Personal
Data is transferred to a third country or an international organisation, the
Data Subject shall have the right to be informed of the appropriate safeguards
relating to the transfer.

The right to
obtain a copy of the Personal Data undergoing Processing will not adversely
affect the rights and freedoms of others, meaning the relevant information will
be redacted where necessary.

The Fund will
not charge a fee for complying with the Data Subject’s access request unless it
can demonstrate that the request is excessive in nature, having regard to the
number of requests made by the Data Subject. In such cases a reasonable fee
based on administrative costs may be charged.

The information
must be provided without delay and within at least one month. Where requests
are complex, the Fund will be able to extend the deadline for providing the
information to three months. However, it must still respond to the request
within a month, explaining why the extension is necessary.

The Fund may
refuse to act upon a request that is manifestly unfounded or excessive in
nature, in which case it will inform the Data Subject of its reasons as soon as
practicable in writing and inform the Data Subject of their right to lodge a
complaint with the Supervisory Authority (see paragraph 7.2 below).

A request may
be made by an individual, such as an investor or a director, and may be made in
electronic format as well as by written request.

5.2
Right to be forgotten/erasure of Personal Data

The Data
Subject shall have the right for Personal Data to be erased without undue delay
in certain contexts including, but not limited to, where the Personal Data has
been Processed unlawfully or where the Personal Data is no longer necessary in
relation to the purposes for which it was collected or otherwise.

Given the
specific nature for which the Fund uses the Personal Data it collects, this is
not likely to be applicable to the Data Subjects of the Fund.

5.3
Right to the restriction of Processing

Data Subjects
have the right to require that the Fund restrict Processing of Personal Data in
certain circumstances including, but not limited to, where the Personal Data is
inaccurate, is no longer required in light of the purposes of the Processing or
the Data Subject has exercised their right to object (pending verification of
any legitimate grounds of the Fund which override those of the Data Subject).

Where
Processing has been restricted, such Personal Data shall, with the exception of
storage, only be processed with the Data Subject’s consent. The Fund will
inform the Data Subject before the restriction of Processing is lifted.

5.4
Right to object

The Data
Subject shall have the right to object, on grounds relating to their particular
situation, at any time to Processing of Personal Data concerning them where the
Processing is based on the legitimate interests pursued by the Fund.

The Fund shall
no longer process the Personal Data unless the Fund demonstrates compelling
legitimate grounds for the Processing which override the interests, rights and
freedoms of the Data Subject or for the establishment, exercise or defence of
legal claims.

Data Subjects
shall have the right to object to the Processing of Personal Data for direct
marketing purposes at any time. Where the Data Subject objects to Processing
for direct marketing purposes, the Personal Data shall no longer be processed
for such purposes. 

5.5
Right to portability

Where the conditions are
met in Section 14(1)(b) of the DPL the Data Subject has the right to request
the transmission of its personal data.
This right is limited if the transmission were to adversely affect the
rights and freedoms of others.

6
Third Party Service Providers

6.1
Where the Fund instructs a third party to process personal data on its
behalf (a third party Data Processor), the Data Processor must enter into a
written agreement with the Fund that:

(a)
provides details of the processing of Personal Data that they are being
instructed to carry out;

(b)
requires the third party to process the Personal Data only in accordance
with the Fund’s written instructions and to the extent necessary for them to
fulfil their obligations to the Fund under the agreement;

(c)
requires the third party to implement appropriate technical and
organisational measures and controls to ensure the confidentiality and security
of the personal data; and

(d)
imposes any additional data processing obligations required by the Data
Protection Legislation.

6.2
The data processing agreement should be signed by both parties before
any Personal Data is transferred to the Data Processor.

6.3
Any party making amendments or unable to adhere to the data processing
agreement should be referred to the Board before the agreement is signed. 

6.4
When contracting with a Data Processor, it is important that the Fund
conducts appropriate due diligence both at the outset of the relationship and
on a periodic basis. The due diligence should ensure that the Data Processor is
capable of complying with the requirements of the written agreement as detailed
above.

7
Co-operation with supervisory authorities

7.1
The Fund shall cooperate, on request, with the relevant supervisory
authority in the performance of its tasks.

7.2
The relevant supervisory authority for the Fund is the Data Protection Authority in
Guernsey (the “Supervisory Authority”) although
EU resident Data Subjects may lodge complaints with the supervising authority
in respect of data protection in the jurisdiction of their residence.

8
Keeping records of all Processing

8.1
The Fund shall maintain accurate and complete records of all the
Processing activities it undertakes directly. This requires that the Fund
determine what Personal Data it holds, where it came from and who the Fund
shares it with. Similarly each Data Processor will be required to maintain
accurate and complete records of all Processing activities it undertakes
directly.

8.2
A record of the Fund’s Processing activities is contained in Appendix I.

8.3
The Fund will retain Personal Data for a period of up to seven years
following the Data Subject’s disinvestment from the Fund or at the point from
when the business relationship with the Fund has ceased. Information may be
retained for a longer period where this is necessary for compliance with a
legal obligation or for the establishment, exercise or defence of a legal
claim. The Fund and its duly authorised delegates will refrain from collecting
any further Personal Data and shall take appropriate steps to dispose of any
records containing Personal Data, to the extent that this is operationally feasible
and proportionate.

9
Reporting of Personal Data breaches

9.1
If the Fund detects and records a Personal Data breach, it shall notify
the Supervisory Authority without delay, and in any case not later than 72
hours, unless the breach is unlikely to result in a risk to the rights of the
Data Subject. A notification template is set out in Appendix II.

9.2
Each Data Processor shall notify the Fund without undue delay after
becoming aware of a Personal Data breach and shall include in any such
notification the applicable information referred to in the Data Protection
Legislation (as set out in Appendix II) and shall provide all reasonable
assistance to the Fund in connection with any such Personal Data breach,
including in particular facilitating the Fund communicating details of any
Personal Data breach to the relevant Data Subject if required, as described at paragraph
9.4.

9.3
The Fund shall document all Personal Data breaches, comprising the facts
relating to the Personal Data breach, its effects and the remedial action
taken.

9.4
Unless one of the conditions set out in sub-paragraphs (a) to (c) below is met, the Data Subject must also be notified without undue
delay if the Personal Data breach is likely to result in a high risk to their
rights and freedoms. The notification shall describe in clear and plain
language the nature of the breach, the name of the contact point where more information
can be obtained, the likely consequences and measures taken to mitigate or address
the breach.

Notification to
the Data Subject is not required in the following circumstances:

(a)
where the relevant Personal Data is encrypted/protected in a manner making
it unintelligible to unauthorised persons;

(b)
where the Fund has taken subsequent measures which ensure that the high
risk to the rights and freedoms of the Data Subject from the breach is no longer
likely to materialise;

(c)
where an individual notification would involve disproportionate effort
(e.g. public communication or similar is sufficient).

10
Board Oversight and Updates to this Policy

10.1
The Board will be responsible for the oversight of compliance with this
Policy. It will review the appropriateness of this Policy annually and will
ensure that it is operating as intended. It will also review this Policy to
ensure that it continues to be compliant with applicable national and
international regulations, principles and standards.

10.2
This Policy shall be reviewed and updated as necessary on at least an
annual basis or as and when is required or deemed necessary by the Fund.
Material changes to this Policy will be approved by the Board.

 

 

 

 

Appendix I – Records of Processing activities in accordance with Article 30 of the GDPR

 

The Data Controller

Name and contact details of Data Controller:
The Company Secretary
PRAXIS FUND SERVICES (JERSEY) LIMITED
Charter Place,
23/37 Seaton Place,
St Helier,
Jersey JE1 1JY
Tel: [+44] 1534 835835

The purposes of Processing:
As outlined in the Privacy Notice

The categories of Data Subjects:
Individual investors and individuals connected to institutional
investors that provide the Fund with Personal Data (for example directors,
trustees, employees, representatives, shareholders, investors, clients,
beneficial owners or agents)

The categories of Personal Data:
Name, residential address, email address, contact details, corporate
contact information, signature, nationality, place of birth, date of birth,
tax identification, credit history, correspondence records, passport number,
bank account details, source of funds details and details relating to
investment activity.

The categories of recipients in the UK, the EU or the Channel Islands:
Praxis Fund Services (Jersey) Limited (the Fund’s administrator);
KPMG Channel Islands Limited (the Fund’s Auditors),
WH Ireland Limited – Nomad/Broker
Link Market Services (Jersey) Limited – Registrars
Robert James Rickman – Investment Manager/Operations Manager
Howard Law – Jersey Legal Advisor
and their respective affiliates and delegates.

The categories of recipients in third countries:
[N/A]

The categories of recipients who are international organisations:
[N/A]

Suitable safeguards in the case of transfers in line with Article
49(1) of the Data Protection Legislation:
[N/A]

Time limits for erasure of Personal Data:
Refer to the Privacy Policy, “Retention of Personal Data”

A general description of the technical and organisational security
measures in place:
[N/A – no data held directly by the Fund.]

 

 

 

Appendix II – Notification Letter Template (required information under Article 20 of the GDPR)

 

 

                                   

Data Protection Commissioner
Office of the Information Commissioner
One Liberty Place
Liberty Wharf
La Route De La Liberation
St Helier
Jersey
JE2 3NY

[insert date]

Dear [* ]

Notification of Breach

 

[Insert a description of the nature of the Personal Data breach including where
possible, the categories and approximate number of Data Subjects concerned and
the categories and approximate number of Personal Data records concerned].

 

[Insert the name and contact details of the data protection officer or other contact point where
more information can be obtained].

 

[Insert a description of the likely consequences of the Personal Data breach].

 

[Insert a description of the measures taken or proposed to be taken by the Data Controller to address
the Personal Data breach, including, where
appropriate, measures to mitigate its possible adverse effects].

Yours sincerely,

 

 

Data Protection Manager

Praxis Fund Services (Jersey) Limited