Introduction
EXPEDEX GLOBAL, along with its subsidiaries and affiliated companies, acknowledges the significance of robust privacy protections and is dedicated to adhering to relevant data privacy laws, regulations, internal policies, and standards. These protections are fundamental to building a trustworthy organization, maintaining the confidence of customers and employees, and ensuring compliance with local laws. This Global Privacy Policy (“Policy”) is grounded in universally accepted principles on data protection.
Scope
This Policy applies universally to all employees and entities of EXPEDEX. Individual operating companies are prohibited from adopting policies that contradict this Policy. Supplementary data protection requirements for individual operating companies, regions, or countries may be established with approval from the Global Chief Compliance and Governance Officer (“GCCGO”).
Application of Local Laws
Each operating company of EXPEDEX is responsible for adhering to this Policy. If there are indications that local legal requirements or other obligations conflict with the duties outlined in this Policy, the relevant operating company must notify the GCCGO. In cases of conflicts between local laws, rules, or regulations and the Policy, EXPEDEX will endeavor to find a pragmatic solution that reconciles these requirements.
Definitions
Personal Data: Any information that can directly or indirectly identify a natural person, including but not limited to employees, customers or employees of customers, vendors or employees of vendors, job applicants, or any other third party.
Examples:
- Names
- Government-issued identification numbers (e.g., social security, driver’s license)
- Addresses
- Phone numbers
- Email addresses
- Photos
Processing: Any operation performed on Personal Data, with or without automated systems, including but not limited to collection, storage, organization, retention, archiving, recording, viewing, modification, adaptation, alteration, querying, use, retrieval, forwarding, transmission, or combination of data. This also encompasses disposal, deletion, erasure, destruction, or blocking of data.
Examples:
- Storing information in databases
- Viewing information stored on another computer
- Transferring information between databases
Data Protection Principles
EXPEDEX is accountable for and must demonstrate compliance with the following data protection principles:
- Fair and Lawful: Personal Data must be collected and Processed fairly and lawfully, respecting the rights of the individual related to their Personal Data.
- Purpose Specification: Personal Data can only be used or Processed for the purpose defined at the time of collection and shall not be further used or Processed in any manner incompatible with that purpose.
- Collection Limitation: EXPEDEX only collects Personal Data necessary to fulfill the specified purpose at the time of collection and to the extent allowed by local law.
- Deletion: Personal Data no longer required for the purpose specified at the time of collection shall be deleted according to applicable retention schedules unless exempted by the Legal Department.
- Data Quality: Personal Data should be accurate and, if necessary, kept up to date.
- Security Safeguards: Personal Data must be protected using technical, managerial, and physical security measures against risks of loss or unauthorized access, destruction, use, modification, or disclosure.
- Transparency: Individuals must be informed at the time of collection about how their Personal Data is being used or Processed. They should be aware of who is collecting the Personal Data, the purpose of Processing, and, if third parties will Process the Personal Data, that adequate safeguards are in place. All notices must be approved by the Legal Department.
- Individual Participation: Individuals have the right to access their Personal Data and, where appropriate, to correct or delete it and exercise any other rights provided by local law.