BRT is committed to processing and protecting your Personal Data in accordance with the law, both during its business operations and as part of the services it provides. Privacy is a value that BRT recognises and respects.

 

1. Company Policy concerning processing and protection of personal data

This policy is an integral part of the management system for the processing and protection of personal data of BRT S.p.A. with registered office in Italy, Milan, Via Tiziano 32, 20145 and administrative headquarters in Italy, Via Enrico Mattei 42, 40138, Bologna with tax code and VAT number 04507990150, registered with the Milan Register of Companies, “R.E.A.” 1734257 (hereinafter also referred to as "BRT"). This policy describes the principles and guidelines that BRT applies to protect your “Personal Data” and aims at clarifying the following points:

  • BRT's role in providing its services;

  • the nature of the Personal Data we collect and the reasons why we collect it;

  • how we use your Personal Data;

  • what your rights as a data subject are.

This policy applies to the processing of personal data within the management of shipments entrusted to BRT and the services provided by BRT on-line. All operations on your Personal Data are carried out in compliance with current legislation and in particular with the European Regulation on the protection of personal data (Reg. EU 2016/679 hereinafter referred to as “GDPR”), and the Personal Data Protection Code (Italian Legislative Decree 196/2003 as subsequently amended, hereinafter the “Privacy Code”).

1.1 What is BRT's role in providing its services?

In light of the operating modes with which BRT carries out its services, Personal Data relating to shipments and their recipients are processed by BRT in full autonomy. Therefore, BRT is the data controller within the framework of its core activity.

BRT has full decision-making authority over how its information technology infrastructure is configured and, consequently, how your Personal Data is processed. Such autonomy and decision-making power is not consistent with the characteristics of the data processor, as outlined in the relevant regulation and guidelines.

BRT remains obliged to process the Personal Data of shipments and their recipients with the utmost care and confidentiality, fulfilling all legal obligations pertaining to data controllers as defined in the field of processing and protection of personal data.

As part of the management of certain services, BRT collaborates with two companies with which it has entered into a joint control agreement (see below the section “Joint control agreement”).

1.2 How does BRT manage the protection of personal data?

BRT considers the protection of your Personal Data and privacy from the design phase of new products and services (principles of “privacy by design” and “privacy by default”) and, where appropriate, when these products or services are revised or updated. To ensure the security of your Personal Data and safeguard your rights, BRT implements measures to protect your Personal Data such as:

  • adopting procedures to exercise the rights of the data subjects and in case of violation of Personal Data;

  • conducting cybersecurity and GDPR compliance surveys/audits prior to implementation of a project or application;

  • verifying warranties submitted against the GDPR requirements by suppliers managing Personal Data on behalf of BRT;

  • conducting internal audits with recommendations and monitoring and updating improvement actions;

  • defining, together with internal business managers, relevant and reasonable retention periods for Personal Data, not exceeding the time necessary to achieve the purpose of the processing;

  • drafting and updating the record of processing activities;

  • implementing a training plan related to the protection of Personal Data with regular training sessions for all employees;

  • committing to confidentiality by BRT employees and all persons authorised to process Personal Data;

  • coordinating a network of data protection contacts that includes all our branches in Italy and all the companies belonging to the group to which BRT belongs, i.e. GeoPost/DPDGroup.

1.3 What Personal Data are collected by BRT?

BRT undertakes to collect only the personal data strictly necessary to provide the services requested.

BRT normally requires only personal data (name and surname) and contact details (address, telephone number, email) in order to carry out a transport service or to register for an online service.

If optional data is requested, you will be provided with a clear explanation of the personal data BRT needs to provide the requested service and the data you may choose to provide voluntarily.

1.4 Where does the data we process come from?

If you ship a package, we receive your Personal Data when you contact us, access one of our branches or a shipping point.

If you are the recipient of a shipment, we receive your Personal Data from the senders (companies or individuals), i.e. our customers. Your Personal Data is provided to us, along with shipping information or notification instructions, primarily in electronic form through third-party shipping systems or ours. This occurs within the contractual relationship established with you pursuant to Article 6 (paragraph 1b) of the GDPR; in fact, we need your Personal Data to deliver the goods that the sender sends you. In addition, we receive your Personal Data from other couriers that make use our services to deliver packages; for example, if goods come from abroad, we receive your Personal Data from our foreign partner to whom the sender has entrusted the shipment.

Finally, we receive Personal Data directly from you when you enter personal information in your user area (delivery address, delivery preferences, etc.) of our website.

If you are a visitor to our website, we receive your Personal Data through various features of the website. We use cookies for this purpose or ask you directly for information. Our priority is optimising our website and providing you with information about our services. You can restrict cookies or disable them completely at any time by making the appropriate selection.

Your Personal Data will be used to propose other services only if you have consented to receive commercial communications. In any case, you can revoke your consent at any time.

1.5 To whom are your personal data transferred?

Your Personal Data may be transferred to:

  • various departments within BRT, i.e. offices in charge of carrying out the required services;

  •  external providers, i.e. IT service providers, other types of providers, including our transportation providers (if applicable, data are transmitted under the conditions of Article 28 of the GDPR);

  • companies of the Group to which BRT belongs, for the provision of services (if applicable, pursuant to a joint control agreement signed by the parties);

  • subsidiaries of BRT (if applicable, pursuant to a joint control agreement signed by the parties).

1.6 Can your Personal Data be transferred to non-EU countries?

BRT conducts all Personal Data processing activities within the European Union (EU).

However, for some specific services, BRT may use data processors or business partners located outside the EU. Some of your Personal Data may, therefore, be transferred to them for the sole purpose of carrying out their services. In such cases and in accordance with the regulations in force, BRT requires its Data Processors to provide the necessary guarantees to ensure regulated and secure transfers, mainly by requiring them to sign the standard contractual clauses of the European Commission.

1.7 How long will BRT retain your Personal Data?

Different retention periods apply depending on the services we provide. BRT undertakes not to retain your Personal Data beyond the time necessary for the provision of the service or the achievement of the processing purpose, and, if applicable, in accordance with the retention periods defined by the relevant legal terms.

1.8 Joint control agreement

BRT determines, together with other companies, the purposes and means of processing to manage certain services and implement the processing of Personal Data resulting therefrom (see paragraphs 1.8.1 and 1.8.2 below). Pursuant to Article 26 of the GDPR, BRT and the other data controllers have entered into a joint control agreement. In particular, this agreement describes the responsibilities and obligations of each of the joint controllers, the relationship with data subjects and how data subjects can exercise their rights with respect to the GDPR; the security and confidentiality measures adopted to protect their personal data, the defined retention periods, and the procedure to be implemented in the event of detection of a data breach.

Currently BRT has entered into a joint control agreement with:

  • GeoPost SA, with registered office in Issy-les-Moulineaux (France) 26 Rue Guynemer, parent company of DPDGroup;
  • Fermopoint s.r.l., with registered office in Treviolo (BG), Via Nelson Mandela no. 20, a company controlled by BRT.

Below you will find more information about the processing covered by joint control agreements.

1.8.1 Processing of Personal Data under joint control agreements: GeoPost SA

Shipment delivery and interactions with unregistered recipients (myBRT service for the recipient)

Purpose: operational management of the delivery and pick-up (return) service in order to facilitate the improvement and efficiency of these services, including managing delivery tools and orders/collection requests, facilitating delivery services, tracking packages from recipients, improving knowledge and interaction with recipients and potential customers, managing returns, and collecting recipient satisfaction levels.

Legal basis: execution of the contract to which the data subject is a party (operational management of delivery and collection), Legitimate interest of the Joint controllers (service improvement, recipient satisfaction), Legal obligation (returns management).

Personal data subject to processing: common personal data of the sender or the recipient, if or only when this subject is a natural person (e.g. name/surname, user name, e-mail, address, telephone number, shipping number, date of birth, contact details, additional information necessary for identity checks, etc.).

Retention: your personal information will be retained for 6 months in the active database; thereafter, it will be retained in a limited-access archive database for as long as required by law. The shipping address is stored for 3 years based on the need for reliable data and route planning.

For more information about this processing, please see the specific myBRT policy.

  • Customer Services and Claims Management for international shipments

Purpose: provision of Customer Care services related to international shipments, measurement of service performance.

Legal basis: execution of a contract to which the data subject is a party (for claims management), legitimate interest of the Joint controllers (for performance measurement).

Personal data subject to processing: common data of the sender or the recipient, if or only when this subject is a natural person (e.g. shipping address, e-mail, telephone number, number of the shipment, number of the collection request, case number, cash on delivery amount, free text fields within the request forms, information on the content of the package, etc.).

Retention: user's personal data will be retained for 6 months after case closure in the database and 6 months in the archive database.

  • Embargo checks

Purpose: to identify any subjects on international sanctions lists and shipments destined for countries subject to embargo measures.

Legal basis: legal obligation.

Personal data subject to processing: common data of the sender or recipient, if or only when this subject is a natural person (e.g. name, surname, e-mail, address, telephone number, shipment number, survey result).

Storage: personal data will be stored 30 days in the live database, 30 days to 2 years in the restricted access database, 2 to 10 years in the archive database (by law, access allowed only to the system administrator of the control application).

  • customs processes.

Purpose: managing notifications and payment of duties and taxes, generating proof of payment.

Legal basis: legal obligation.

Personal data subject to processing: common data of the sender or recipient, if or only when this subject is a natural person (e.g. name, e-mail, telephone number, SMS, contact data, shipment number, IP address, contents of packages associated with the value of the goods).

Storage: personal data will be stored 6 months in the live database, 5 years in the archive database.

  • Shipment delivery and interactions with registered recipients (myBRT service for the recipient)

Purpose: operational management of the delivery and collection (return) service of the goods in order to facilitate the improvement and efficiency of these services, direct marketing activities.

Legal basis: performance of the contract to which the data subject is a party (delivery and collection service), legitimate interest of the Joint controllers (improvement of services), express consent (direct marketing).

Personal data subject to processing: common personal data of the sender or recipient, if or only when this subject is a natural person (e.g. name/surname, username, e-mail, address, telephone number, shipping number, date of birth, contact details, additional information necessary for identity checks, delivery preferences, etc.). The data may also concern third parties and/or the neighbour who collects the package instead of the recipient.

Retention: personal data will be retained for 2 years after the last connection. The shipping address is stored for 3 years based on the need for reliable data and route planning.

For more information about this processing, please see the specific myBRT policy.

  • Whistleblowing alerts

Purpose: managing whistleblowing reports; investigations and follow-up on reports; execution of data analysis activities (for statistical purposes) starting from anonymized data.

Legal basis: legal obligation, legitimate interest of the Joint controllers. Personal data subject to processing: personal data of the reporter, only if he/she chooses to share them with BRT, personal information put in free text of the alerts and/or in the related attachments.

Storage: personal data will be stored in a form that allows the identification of the data subjects for the time necessary to process the specific report and in any case no later than five years from the date of communication of the final outcome of the reporting procedure.

1.8.2 Processing of Personal Data under joint control agreements: Fermopoint S.r.l.

Delivery of shipments through the network of PUDO stores (PickUp DropOff)

Purpose: operational management of the process of delivery and collection of goods through the network of PUDO stores.

Legal basis: performance of the contract to which the data subject is a party or of pre-contractual measures.

Personal data subject to processing: common personal data of the sender or the recipient, if or only when this subject is a natural person (e.g. name/surname, username, e-mail, address, telephone number, shipping number, contact details, additional information necessary for identity checks, etc.).

Storage: Personal Data will be stored 12 months in the live database, 10 years in the archive database.

1.9 Are your Personal Data protected?

BRT undertakes to take all measures to protect the security and confidentiality of your Personal Data and, in particular, to prevent any damage, deletion or unauthorised access by third parties.

To that end, BRT has a security policy of information systems based on the ISO 27001 standard, which defines guidelines for good information security management practices. The policy covers human, physical, organisational, and technical security controls.

If your Personal Data is affected by a security breach (destruction, loss, alteration or disclosure), BRT undertakes to comply with its obligation to notify Personal Data breaches, in particular to the Italian Data Protection Authority and to inform you as soon as possible, in the cases provided for, under Article 34 of the GDPR.

1.10 What are your rights on your Personal Data?

You can contact BRT and the other joint controllers at any time to exercise your rights under current legislation on personal data:

  • Right of access: you may obtain a copy of your Personal Data being processed;

  • Right of Rectification: you may update your Personal Data or request to rectify your processed Personal Data;

  • Right to object, in particular to prevent direct marketing: you can communicate your preference not to receive direct marketing or ask to stop the processing of your Personal Data;

  • Right to erasure: you may request your Personal Data to be erased;

  • Right to restriction of processing: you may request to suspend the processing of your Personal Data;

  • Right to data portability: you may request to retrieve your Personal Data for reuse.

Whenever you sign up for a service or provide Personal Data, you will be told in the specific privacy notices the addresses to which any requests by the data subject may be sent.

All requests must be submitted providing the information necessary to identify the requesting subject. BRT and the other joint controllers undertake to respond to the requests of the data subject without undue delay and, in any case, within the time provided for by law.

1.11 Recipients of Personal Data

Your Personal Data may be processed by external subjects operating as autonomous data controllers such as, by way of example, authorities and supervisory and control bodies and in general subjects, public or private, entitled to request the Personal Data. The Personal Data may also be processed by external parties on behalf of the joint controllers designated as data processors, who are given adequate operating instructions. These entities are essentially included in the following categories:

  1. enterprises providing transportation services;
  2. enterprises and professionals offering banking, administrative and accounting services, as well as the protection of credit and the rights of the joint controllers;
  3. enterprises and professionals offering insurance services;
  4. enterprises providing management, maintenance and development services for information systems of the joint controllers;
  5. enterprises offering support in conducting market research.

1.12 Contacts

If you have any questions about BRT's use of your Personal Data, including with respect to processing with other joint controllers, you may write to us to the following address: [email protected]

1.13 DPO (Data Protection Officer)

The appointment of a DPO reflects the commitment of BRT and the joint controllers to ensure the protection, security and confidentiality of Personal Data.

BRT's DPO can be contacted at the following address: [email protected]

For information about GeoPost SA visit the following page:https://www.dpd.com/group/en/data-privacy-policy/

After contacting us, if you believe that your rights in relation to your data have not been respected, you may lodge a complaint with the Italian Data Protection Authority.

1.14 Amendments to this Privacy Policy

This policy is updated regularly. The update date and revision number are indicated at the bottom.

BRT reserves the right to change its policy at any time with or without notice. We therefore advise you to periodically consult the website to be aware of any changes.

1.15 Third-party cookies and services

We and our partners use cookies or other tracking systems to make it easier for you to use the site, to improve the performance and security of the site, and to provide you with customised advertising based on your use and profile. These cookies, apart from the necessary ones, require your consent before they are deposited. Your choices will apply to the providers and purposes listed in the “Cookie Settings”. You can revoke your consent at any time by managing your cookies via the “Cookies” button in the footer of our website.

2. GLOSSARY

All capitalised terms are defined as follows:

“Personal Data Protection Company Policy” means this policy describing the measures taken to process and manage your Personal Data and your rights as a data subject.

“Personal Data”: indicates any information about you that can be used to identify you, directly or indirectly as a natural person.

“Processing” means any single or structured operation performed on your personal data.

“Data Breach”: means a security incident involving the accidental or fraudulent destruction, loss, alteration, unauthorised disclosure of or access to your Personal Data.

3. DISCLOSURES

The following disclosures describe in detail the main services offered by BRT:

- CUSTOMER privacy notice dedicated to customers who entrust us with their shipments;

- RECIPIENT privacy notice dedicated to the recipients of shipments;

- myBRT privacy notice dedicated to those who use the myBRT service.