Extract

Binding Corporate Rules

for Customer, Supplier

and Vendor Data
PART I GENERAL INTRODUCTION

Introduction
FedEx Employees are expected to handle information with care. In particular, the security and
confidentiality of all proprietary information and data Processing, including Personal Data, must be
safeguarded in accordance with applicable laws and regulations. The BCRs aim to provide a clear
statement on the protection of Personal Data in order to provide for an adequate level of protection
for Customers, Suppliers and Vendors Data originating from the EEA Processed within FedEx
globally.

The capitalised terms which are used in this extract are explained in Appendix 1.

Scope
The BCRs pertain to the Personal Data of natural persons that are, or are employed by, Customers,
Suppliers and Vendors of FedEx. The BCRs do not apply to any other data relating to corporate,
institutional or governmental Customers, Suppliers or Vendors, except where local law determines
otherwise.

The BCRs are binding on FedEx as a Data Controller and do not apply when FedEx is acting as a Data
Processor for a Third Party. Furthermore, the BCRs only apply to Personal Data originating from the
EEA and Switzerland, regardless of the nationality or location of the Customers, Suppliers and
Vendors.

Local laws and conflict

FedEx must always comply with any applicable legislation relating to Personal Data. Individuals keep
any rights and remedies they may have under applicable local law. Therefore, the BCRs apply only
where it provides supplemental protection compared to local law. Some requirements are qualified
by the wording “if applicable local law so requires.” If this qualifier is included in the BCR provision
and local law has a similar provision, then the stricter of the BCRs or local law must be followed.

Other policies
The BCRs operate in conjunction with the Global Privacy Policy which applies to FedEx worldwide. In
case of conflict between the BCRs and the Global Privacy Policy, the BCRs prevail. Furthermore, the
BCRs may be complemented through other policies that are consistent with the BCRs. All FedEx data
protection policies and notices that are not consistent with the BCRs or impose less restrictive
requirements will be superseded by the BCRs.
PART II POLICY STATEMENTS

Purposes and grounds for Processing Personal Data

FedEx Processes the Personal Data for the following Business Purposes:

• Product development, research and improvement of FedEx products and/or services. This
purpose addresses Processing that is necessary for the development and improvement of FedEx
products and/or services, research and development;

• Performing agreements with Customers, Vendors and Suppliers including tracking and tracing
of FedEx services, communication with Individuals and other parties involved in contracts and
responding to requests for (further) information for Customers, Vendors or Suppliers, dispute
resolution and development;

• Relationship management and marketing for commercial activities including Processing

necessary for the development and improvement of FedEx products and/or services, account
management, customer service and the performance of (targeted) marketing activities in order
to establish a relationship with a Customer and/or maintaining as well as extending a
relationship with a Customer, Vendor or Supplier and for performing analyses with respect to
Personal Data for statistical and scientific purposes;

• Business process execution, internal management and management reporting addressing

activities such as managing company assets, conducting internal audits and investigations,
finance and accounting, implementing business controls, provision of central processing
facilities for efficiency purposes, managing mergers, acquisitions and divestitures and
Processing Personal Data for management reporting and analysis;

• Safety and security. This purpose addresses activities such as those involving safety and health,
the protection of FedEx and Customer, Supplier or Vendor assets and the authentication of
Customer, Supplier or Vendor status and access rights;

• Protecting the vital interests of Individuals. This is where Processing is necessary to protect the
vital interests of an Individual, e.g., for urgent medical reasons;

• Compliance with legal obligations. This addresses the Processing of Personal Data as necessary
for compliance with laws, regulations and sector specific guidelines to which FedEx is subject,
e.g., the matching of the names of Customers, Suppliers and Vendors against denied parties’
lists.

Furthermore, all Processing of Personal Data must be based on one of the following grounds:
a) Individual’s consent;
b) Necessary for the performance of a contract with the Individual;
c) Necessary for compliance with a legal obligation to which the Data Controller is subject;
d) Necessary to protect the vital interests of the Individual or another person;
e) Necessary to perform a task carried out in the public interest;
f) Necessary for the purposes of the Data Controller’s legitimate interests, except when the
interests are overridden by Individual’s interests or rights.

When seeking Individual’s consent, FedEx will inform the Individual in clear and plain language of
the intended Processing. Consent must be given by a statement or clear affirmative action. Where
Processing is undertaken at the Individual’s request, he is deemed to have provided consent.

If a Business Purpose as described above does not exist or if applicable local law so requires, FedEx
shall (also) seek Individual’s consent. FedEx shall provide simple, fast and efficient procedures that
allow the Individual to withdraw his consent at any time.
FedEx will Process Personal Data of Dependents of Individuals if:
a) The Personal Data were provided with Individual’s or Dependent’s consent; or
b) Processing of the Data is reasonably necessary for the performance of a contract with the
Individual;
c) The Processing is required or permitted by applicable local law.

Use for other Purposes

Generally, FedEx will only use Personal Data for the purposes for the Original Purpose. Processing
the Personal Data for a Secondary Purpose is only permitted if the Original and Secondary Purposes
are closely related or with the consent of the Individual.

A closely related Secondary Purpose exists provided that necessary arrangements are made for:
• Transfer of the Personal Data to an Archive; or
• Internal audits or investigations; or
• Implementation of business controls; or
• Statistical, historical or scientific research; or
• Dispute resolution or litigation; or
• Legal or business consulting; or
• Insurance purposes.

Where the use of Personal Data for a Secondary Purpose has an adverse impact on the Individual’s
privacy, FedEx will take additional measures as necessary, such as a) limited access to the Personal
Data, b) additional confidentiality requirements, c) additional security measures, d) informing the
Individual, or e) providing an opt-out opportunity.

Processing Special Personal Data

As a general principle, Special Personal Data will not be processed by FedEx except:
a) With the explicit consent of the Individual;
b) Where Personal Data have manifestly been made public by the Individual;
c) If the Processing is necessary for the establishment, exercise or defence of legal claims or
when courts act in their judicial capacity;
d) If the Processing is necessary to comply with an obligation of local law;
e) If the Processing is necessary to protect the Individual’s vital interest, but only where it is
impossible to obtain the Individual’s explicit consent first.

Specifically, FedEx processes racial or ethnic and criminal data in the following instances:
a) Racial or ethnic data (such as photos or videos): FedEx may take photos or videos of
Individuals with their consent at business events and keep these photos or videos for
promotion purposes. FedEx may also process Individual’s photos i) for inclusion in Supplier
directories, ii) for the protection of Customer assets as well as FedEx and Employee assets,
iii) for site access and security reasons and iv) to comply with legal obligations.
b) Criminal data may be processed by FedEx to protect its interests.

Data minimisation, accuracy and storage limitation

Processing of Personal Data by FedEx shall be guided by the principle of data minimisation. This
means that FedEx only Processes Personal Data that are reasonably adequate for and relevant to the
applicable Purposes and not be kept longer than necessary for the Purposes. Promptly after a
retention period has ended, the Personal Data will be deleted, anonymized or transferred to an
Archive (unless this is prohibited by law or an applicable records retention schedule).

FedEx applies commercially reasonable efforts to keep the Personal Data accurate, complete and up
to date. It is the Individual’s responsibility to inform FedEx regarding any changes to their data.

Transparency of the Processing

FedEx provides Individuals, generally through privacy policies or notices, with information regarding
a) the identity and contact details of the FedEx Company responsible for the Processing and the Data
Protection Lead and b) the categories of Personal Data concerned, the purposes and the grounds of
the processing. In addition and if local law so requires, FedEx provides Individuals with the following
information:
c) Legitimate interests pursued by FedEx if the Processing is based on this ground;
d) Where applicable, the (category of) recipients of the Data;
e) Where applicable, the international transfer of the Personal Data to a Third Party;
f) The period for which the Personal Data will be stored or the criteria used to determine this;
g) The existence of data subject rights of the Individual;
h) If applicable, the existence of automated decision making including Profiling.

Individual’s rights
Individuals have the following rights with regard to their Personal Data:
• Access to the Personal Data FedEx processes relating to them;
• Rectification of the Personal Data in the event that the Personal Data are factually inaccurate,
incomplete or irrelevant to the purposes of the Processing;
• Deletion of the Personal Data in the event that the Personal Data are incorrect, incomplete or not
Processed in compliance with applicable law or the BCRs.

The Individual should send his request to the Data Protection Lead or any other responsible function
indicated in the relevant local complaints procedures. If no contact person or contact point is
indicated, the Individual may send his request to FedEx using the contact details indicated in the
general contact section of the local FedEx website.

FedEx will inform the Individual in writing as to whether, and if so to what extent, the request will be
granted, or the ultimate date on which he will be informed. The response will be provided at the
latest within one month of receipt of the request. If necessary and taking the complexity and the
amount of the requests into account, this period may be extended for a maximum of two months.

The Individual may file a complaint if a) the response to the request is unsatisfactory, b) he has not
received a response as required or c) the time period is unreasonably long and the Individual’s
objection to this has not resulted in a shorter period.

FedEx may deny Individual’s request if a) the request relates to a large quantity of Personal Data or is
not made sufficiently specific and the Individual does not respond to a request to further specify the
request, b) the request is made within an unreasonable time interval of a prior request or otherwise
constitutes an abuse of rights or c) the request entails a restriction, erasure, blockage or deletion of
Personal Data that FedEx is required by law to Process. The Individual will be informed of the
motivation for the denial of its request.

Security and confidentiality requirements

FedEx takes appropriate commercially reasonable technical and organisational measures to protect
the Personal Data against misuse or accidental, unlawful, or unauthorised destruction, loss,
alteration, disclosure, acquisition or access. FedEx will ensure that only authorised and trained Staff
members may Process Data.

FedEx will also ensure that a breach of security leading to the accidental or unlawful destruction,
loss, alteration, unauthorised disclosure of, or access to, Personal Data will be notified to the
competent supervisory authority and Individuals taking into account the requirements under
applicable law.

Direct marketing
If FedEx Processes Personal Data for direct marketing purposes, the Individual will be informed. If
applicable law so requires, FedEx will only send unsolicited commercial communication with the
prior consent of the Individual and offer him the opportunity to opt-out of further direct marketing
communication. The Individual can object to receiving marketing communications from FedEx or
withdraw his consent. In that event, FedEx will take steps to immediately cease the processing for
direct marketing purposes.

FedEx will not knowingly use any Personal Data of Individuals under the age of sixteen years for
direct marketing.

Automated decision making, including profiling

Individuals will not be subjected to decisions that have legal consequences for them and have been
taken solely on the basis of the automated Processing, including Profiling. Automated decision
making is allowed when 1) the decision is necessary for the conclusion or execution of a contract
between FedEx and the Individual, 2) local law authorises automated decision making and suitable
measures are taken to safeguard the Individual’s rights and freedoms or 3) the Individual has given
its explicit consent.

Transfer of Personal Data to Third-Party Controllers

FedEx shall only transfer Personal Data to a Third-Party Controller if the transfer serves a) the
legitimate purposes for which the Personal Data is Processed and b) the transfer is compatible with
the purpose for which the Personal Data were initially collected. FedEx shall enter into a written
agreement with the Third-Party Controller.

Transfer of Personal Data to Data Processors

If FedEx uses a Data Processor, FedEx will ensure that this Processor:
a) Provides adequate technical and organisational measures to protect the Personal Data
against loss or any form of unlawful Processing;
b) Only Processes Personal Data on the instructions of the relevant FedEx Company that acts as
a Data Controller; and
c) Only enlists a sub processor with the prior written consent of the FedEx Company acting as
Data Controller.
The responsibility toward the Individual for the compliance of a Processor engaged by the FedEx
Company with a processor agreement lies with the FedEx Company.

Transfer of Personal Data to Third-Party Processors

The FedEx Company acting as Data Controller will enter into a written contract with the Third-Party
Processor or provide a Power of Attorney to another FedEx Company or Employee to do so on its
behalf. The contract will include at least the following obligations:
a) Processing in accordance with the documented instructions from and for the purposes
authorised by FedEx;
b) Confidentiality of the Personal Data by the Third-Party Processor and its duty to impose
confidentiality on persons authorised to process the Personal Data;
c) Appropriate security measures by Third-Party Processor to protect the Personal Data and
assist FedEx in complying with its obligations with respect to security;
d) Enlist sub processors only with the prior written authorisation of FedEx and impose on the
sub processor the same obligations as imposed on the Third-Party Processor under the
written contract whereas the initial Processor remains fully liable to FedEx for the
performance of sub processor’s obligations;
e) Assist FedEx in complying with its obligations to respond to Individual’s rights, such as right
of access and rectification;
f) FedEx’s right to review compliance by the Third-Party Processor with its obligations under
the processor agreement;
g) Promptly informing FedEx of any actual or suspected security breaches;
h) Taking adequate remedial measures as soon as possible in the event of any actual or
suspected security breach and promptly providing FedEx with all relevant information and
assistance as requested by FedEx;
i) Deletion or return of (copies of) Personal Data to FedEx upon its request after the end of the
provision of data processing services unless applicable law requires storage.
Transfer of Personal Data to a Third Party in a country that does not provide an adequate level of
protection
The transfer Personal Data to a Third Party in a country that does not provide an adequate level of
protection is only permitted if one of the following applies:
a) Contract between FedEx and the relevant Third Party that provides for safeguards at a similar
level of protection as that provided by the BCRs or the contract shall conform to any model
contract requirements under applicable local law, if any; or
b) Third party has been certified under any other program that is recognized as providing an
“adequate” level of protection; or
c) Binding corporate rules implemented by the Third Party, an approved code of conduct, an
approved certification mechanism or a similar transfer control mechanism which provide
adequate safeguards under applicable law. Prior to the transfer, the BCRs must be approved
by EU supervisory authorities.

An incidental transfer may also take place if it is absolutely necessary for:

a) Performance of a contract with the Individual or to take necessary steps at the request of the
Individual prior to entering into a contract;
b) The conclusion or performance of a contract concluded in the interest of the Individual
between FedEx and a Third Party; or
c) To protect a vital interest of the Individual; or
d) The establishment, exercise or defence of legal claims; or
e) To satisfy a pressing need to protect an important public interest (prior approval of the Data
Protection Lead is required and suitable measures must be taken to safeguard the legitimate
interests of the Individual); or
f) If the transfer is required or permitted by any law or regulation to which the relevant FedEx
Company is subject (prior approval of the Data Protection Lead is required and suitable
measures must be taken to safeguard the legitimate interests of the Individual).

In the event that none of the above measures are in place or if local law so requires, FedEx shall
(also) request Individual’s consent for the transfer of Personal Data to a Third Party located in a
country without an “adequate” level of protection. Prior to this request, FedEx shall inform the
Individual as to the a) purpose of the transfer, b) identity of the transferring FedEx Company, c)
identity of the (categories of) Third Parties to which Personal Data will be transferred, d) categories
of Data, e) country to which Personal Data will be transferred and f) the fact that Personal Data will
be transferred to a country without an “adequate” level of data protection.

Overriding interest
An overriding interest may exist where the Processing is necessary in the interest of a) the protection
of the legitimate business interests of FedEx or the continuity of FedEx business operations, b)
preventing or investigating (including cooperating with law enforcement) suspected or actual
violations of law; or otherwise protecting or defending the rights or freedoms of FedEx, its
Employees or other persons. Setting aside obligations of FedEx or rights of Individuals based on an
overriding interest, requires approval by the Corporate Data Protection Office.
PART III SUPERVISION, COMPLIANCE AND LEGAL ISSUES

Supervision of Data Protection and Responsibilities

The FedEx Corporate Data Protection Office (“Corporate DPO”) is responsible and accountable for
compliance and implementation of the BCRs and reports directly to the FedEx Global Chief
Compliance & Governance Officer who makes regular reports for the FedEx Board of Directors. The
Corporate DPO maintains members in Europe (“European Office”), which has the responsibility for
cooperating with, acting as contact point for the European data protection supervisory authorities
and as a contact point for any data subjects within the EEA or Switzerland. The Corporate DPO is
assisted by the Data Protection Manager and Data Protection Lead.

Training
FedEx Staff members who have access to Personal Data receive information and instruction in order
to properly implement the BCRs. Staff members with permanent or regular access to the data are
trained and informed on the handling and protection of data in connection with the BCRs. Attending
training courses, which are to be repeated at regular intervals, is mandatory for Staff members.

Audits and Compliance

The FedEx Internal Audit Department (Audit) evaluates and reports on compliance with the BCRs on
a regular basis. In the event of non-compliance, the relevant audit professional will work with the
relevant Data Protection Lead and the Corporate DPO to take remediation measures. The audit
professional will track the progress of these measures. The audit covers all aspects of the BCRs and
shall be carried out in the course of the regular activities of Audit or at the request of the Corporate
DPO. The Corporate DPO can also request an audit conducted by an external auditor.

The competent data protection authorities can conduct an audit of a participating FedEx Company
itself or have it conducted by an accredited independent auditor. Such official BCR audit is limited
exclusively to compliance by the participating FedEx Company.

Data Protection and Security Impact Assessment (“PSIA”)

In the event the Personal Data is likely to present a high degree of risks to the rights and freedoms of
Individuals, FedEx will carry out an assessment of the impact of an envisaged Processing. This
assessment will include an assessment of the risks to the rights and freedoms of Individual, the
measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure
the protection of the Personal Data and compliance with the BCRs.

Privacy by Design
FedEx shall adopt internal policies and shall implement appropriate measures that meet the
principles of data protection by design and by default. This means:
a) Implementation of appropriate technical and organisational measures and procedures at the
time of the determination of the means and at the time of the Processing itself in order to
comply with the BCRs;
b) Implementation of mechanisms for ensuring that only those Personal Data are Processed
which are necessary for each specific purpose, both in terms of the amount of the data and
the time of their storage. In particular, those mechanisms must ensure that Personal Data are
not accessible to an indefinite number of individuals.

Complaints Procedure
Individuals can file a complaint in the event FedEx does not comply with the BCRs or violates their
rights under applicable law. The local complaints procedure shall ensure the initiation of an
investigation and ensure the involvement of the appropriate Data Protection Lead. If appropriate, a
consultation with a government authority that has jurisdiction over a particular matter about the
measures to be taken will take place.

FedEx shall inform the Individual within one month after the receipt of the complaint either i) of its
position as to the complaint and any action taken or to be taken by FedEx or ii) when the Individual
will be informed of its position, which date shall be no later than one month thereafter. If necessary,
extension of this period is possible for a maximum of two months. FedEx will inform the Individual
as to the extended period.

Complaint may also be escalated with the Corporate DPO if:

a) The resolution by the appropriate Business Unit is unsatisfactory;
b) The Individual has not received a response as described above;
c) The time period provided to the Individual is unreasonably long and Individual’s objection
has not resulted in a shorter period in which he will receive a response;
d) The response is unsatisfactory.

Legal issues
The BCRs shall be governed by and interpreted in accordance with Dutch law and complaints shall
be supervised by the Dutch Data Protection Authority, which is also authorised to advise FedEx on
the application on the BCRs at all times.

Any complaints or claims of an Individual concerning supplemental rights under the BCRs shall be
directed to the local FedEx legal entity or directly to the Corporate DPO. Individuals can choose to file
complaints or claims concerning supplemental rights with the local competent supervisory authority
or with the Dutch Data Protection Authority. Individuals can choose to lodge claims before the
competent jurisdiction of the local FedEx legal entity in the European Union or the competent court
in Amsterdam, the Netherlands.

Additional safeguards, rights or remedies under the BCRs are granted by and enforceable against
FedEx Corporation or the local FedEx Company.

FedEx is only liable for direct damages suffered by an Individual resulting from a violation of the
BCRs. Where Individuals can demonstrate that they have suffered damage and establish facts which
show that it is likely that the damage has occurred because of a breach of the BCRs, FedEx will have
to prove that the relevant FedEx Company was not responsible for the breach of the BCRs.

All FedEx Companies shall trustfully cooperate and assist one another in the event of inquiries and
complaints from Individuals with regard to non-compliance with the BCRs.

Non-compliance with the BCRs

Non-compliance of Staff with the BCRs may be regarded as a serious breach of trust and may result
in a sanction, such as suspension or other measures under labour law, which may include summary
dismissal. Non-compliance by Staff that are not Employees may result in termination of the relevant
contract. Raising issues relating to compliance by Staff will not be penalized. The FedEx Whistle-
Blower procedure and other non-retaliation policies are applicable.

Updating the BCRs

Any substantive changes to the BCRs shall be reported to each FedEx Company and to the relevant
supervisory authorities as soon as practicable within three months of the amendment. Any other
non-substantive changes shall be reported to each FedEx Company and the relevant supervisory
authorities on an annual basis. The notification contains a brief explanation of the reasons justifying
the changes.
Implementation of the BCRs
The BCRs will enter into force as of 19 July 2017. The transition period for compliance with the BCRs
is two years. Upon request the full text of the BCRs will be made available to the Individual.

FedEx Express – European Office FedEx Corporation

Attn: Legal Department Attn: Legal Department – Compliance
Taurusavenue 111 1000 Ridgeway Loop Road, Ste 600
2132 LS Hoofddorp Memphis, TN 38120
The Netherlands United States of America
Tel: + 31 (0)88 393 9000 Tel: +1 1.901.818-6686
Email: dataprotection@tnt.com Email: dataprivacy@fedex.com
APPENDIX 1: DEFINITIONS

Archive means a collection of Personal Data that are no longer necessary to achieve the purposes for which they were originally collected or
that are no longer used for general business activities, but are used only for historical, scientific or statistical purposes, dispute resolution,
litigation, investigations or general archiving purposes.

Business Unit means a FedEx Company that is a local, regional or universal part of the global FedEx enterprise, as appropriate.

Customer means any Third Party that purchases, may purchase or has purchased a FedEx product or service.

Data Controller means the party processing the Personal Data that determines the means and the purposes of the Processing.

Data Processor means the party that is a separate legal entity, Processing the Personal Data on behalf of the Controller and at its direction.

Data Protection Lead means the first line Data Protection Lead for a Business Unit appointed that is someone in local business management
with primary budget responsibility that can be held accountable for the actual implementation of and compliance with the BCRs.

Dependant means the spouse, partner or child belonging to the household of the Individual, as indicated by the Individual.

Employee means an employee, job applicant or former employee of FedEx. This term does not include people working at FedEx as external
consultants or employees of Third Parties providing services to FedEx.

FedEx means FedEx Corporation and all FedEx Companies, including TNT Express B.V. and TNT entities.

FedEx Company means a FedEx entity and any company or legal entity.

Individual means any Customer, Supplier or Vendor that is a natural person or any employee or any person working for a Customer, Supplier or
Vendor whose Data is being processed.

Original Purpose means the purpose for which Personal Data was originally collected.

Personal Data means any information relating to an identified or identifiable Individual.

Processing or to Process means any operation that is performed on Personal Data, whether or not by automatic means.

Profiling means any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating
to a natural person.

Secondary Purpose means any purpose other than the Original Purpose for which Personal Data is further Processed.

Special Personal Data means Personal Data concerning a person’s religious or philosophical beliefs, race or ethnic origin, political opinions,
health and sexual life, biometric data in order to uniquely identify a person, trade union membership, criminal convictions and offences or
related security, or any other type of Data that qualifies as Special Personal Data under applicable local law.

Staff or Staff members means all Employees and other persons who Process Personal Data as part of their respective duties or responsibilities.

Supplier means any Third Party that provides goods or services to FedEx.

Third-Party Controller means a Third Party that Processes Personal Data and determines the purposes and means of such Processing.

Third-Party Processor means the Third Party, Processing the Personal Data on behalf of the Controller and at its direction.

Third Party means any person, private organisation or government body outside FedEx.

Vendor means a Third Party other than Customer or Supplier that has or had a business relationship or strategic alliance with FedEx.