Policy for the processing and protection of personal data

This policy is an integral part of the management system for the processing and protection of personal data of BRT S.p.A. with registered office in Italy, Milan, at Milano, Via Tiziano 32, 20145 with tax code and VAT number 04507990150, registered with the Milan Register of Companies, “R.E.A.” 1734257 (hereinafter also referred to as "BRT"). This policy describes the principles and guidelines that BRT applies to protect your “Personal Data” and aims at clarifying the following points:

• BRT's role in providing its services;
• the nature of the Personal Data we collect and the reasons why we collect it;
• how we use your Personal Data;
• what your rights as a data subject are.

This policy applies to the processing of personal data within the management of shipments entrusted to BRT and the services provided by BRT on-line. All operations on your Personal Data are carried out in compliance with current legislation and in particular with the European Regulation on the protection of personal data (Reg. EU 2016/679 hereinafter referred to as “GDPR”), and the Personal Data Protection Code (Italian Legislative Decree 196/2003 as subsequently amended, hereinafter the “Privacy Code”).

In light of the operating modes with which BRT carries out its services, Personal Data relating to shipments and their recipients are processed by BRT in full autonomy. Therefore, BRT is the data controller within the framework of its core activity.

BRT has full decision-making authority over how its information technology infrastructure is configured and, consequently, how your Personal Data is processed. Such autonomy and decision-making power is not consistent with the characteristics of the data processor, as outlined in the relevant regulation and guidelines.

BRT remains obliged to process the Personal Data of shipments and their recipients with the utmost care and confidentiality, fulfilling all legal obligations pertaining to data controllers as defined in the field of processing and protection of personal data.

As part of the management of certain services, BRT collaborates with two companies with which it has entered into a joint control agreement (see below the section “Joint control agreement”).

BRT considers the protection of your Personal Data and privacy from the design phase of new products and services (principles of “privacy by design” and “privacy by default”) and, where appropriate, when these products or services are revised or updated. To ensure the security of your Personal Data and safeguard your rights, BRT implements measures to protect your Personal Data such as:

• adopting procedures to exercise the rights of the data subjects and in case of violation of Personal Data;

• conducting cybersecurity and GDPR compliance surveys/audits prior to implementation of a project or application;

• verifying warranties submitted against the GDPR requirements by suppliers managing Personal Data on behalf of BRT;

• conducting internal audits with recommendations and monitoring and updating improvement actions;

• defining, together with internal business managers, relevant and reasonable retention periods for Personal Data, not exceeding the time necessary to achieve the purpose of the processing;

• drafting and updating the record of processing activities;

• implementing a training plan related to the protection of Personal Data with regular training sessions for all employees;

• committing to confidentiality by BRT employees and all persons authorised to process Personal Data;

• coordinating a network of data protection contacts that includes all our branches in Italy and all the companies belonging to the group to which BRT belongs, i.e. GeoPost SA.

BRT undertakes to collect only the personal data strictly necessary to provide the services requested.

BRT normally requires only personal data (name and surname) and contact details (address, telephone number, email) in order to carry out a transport service or to register for an online service.

If optional data is requested, you will be provided with a clear explanation of the personal data BRT needs to provide the requested service and the data you may choose to provide voluntarily.

If you ship a package, we receive your Personal Data when you contact us, access one of our branches or a shipping point (PUDO/Locker).

If you are the recipient of a shipment, we receive your Personal Data from the senders (companies or individuals), i.e. our customers. Your Personal Data is provided to us, along with shipping information or notification instructions, primarily in electronic form through third-party shipping systems or ours. This occurs within the contractual relationship established with you pursuant to Article 6 (paragraph 1b) of the GDPR; in fact, we need your Personal Data to deliver the goods that the sender sends you. In addition, we receive your Personal Data from other couriers that make use our services to deliver packages; for example, if goods come from abroad, we receive your Personal Data from our foreign partner to whom the sender has entrusted the shipment.

Finally, we receive Personal Data directly from you when you enter personal information in your user area (delivery address, delivery preferences, etc.) of our website.

If you are a visitor to our website, we receive your Personal Data through various features of the website. We use cookies for this purpose or ask you directly for information. Our priority is optimising our website and providing you with information about our services. You can restrict cookies or disable them completely at any time by making the appropriate selection.

Your Personal Data will be used to propose other services only if you have consented to receive commercial communications. In any case, you can revoke your consent at any time.

Your Personal Data may be transferred to:

• various departments within BRT, i.e. offices in charge of carrying out the required services;
• external providers, i.e. IT service providers, other types of providers, including our transportation providers (if applicable, data are transmitted under the conditions of Article 28 of the GDPR);
• companies of the Group to which BRT belongs, for the provision of services (if applicable, pursuant to a joint control agreement signed by the parties);
• subsidiaries of BRT (if applicable, pursuant to a joint control agreement signed by the parties).

BRT conducts all Personal Data processing activities within the European Union (EU).

However, for some specific services, BRT may use data processors or business partners located outside the EU. Some of your Personal Data may, therefore, be transferred to them for the sole purpose of carrying out their services. In such cases and in accordance with the regulations in force, BRT requires its Data Processors to provide the necessary guarantees to ensure regulated and secure transfers, mainly by requiring them to sign the standard contractual clauses of the European Commission.

Different retention periods apply depending on the services we provide. BRT undertakes not to retain your Personal Data beyond the time necessary for the provision of the service or the achievement of the processing purpose, and, if applicable, in accordance with the retention periods defined by the relevant legal terms.

BRT determines, together with other companies, the purposes and means of processing to manage certain services and implement the processing of Personal Data resulting therefrom (see paragraphs 1.8.1 and 1.8.2 below). Pursuant to Article 26 of the GDPR, BRT and the other data controllers have entered into a joint control agreement. In particular, this agreement describes the responsibilities and obligations of each of the joint controllers, the relationship with data subjects and how data subjects can exercise their rights with respect to the GDPR; the security and confidentiality measures adopted to protect their personal data, the defined retention periods, and the procedure to be implemented in the event of detection of a data breach.

Currently BRT has entered into a joint control agreement with:

• GeoPost SA, with registered office in Issy-les-Moulineaux (France) 26 Rue Guynemer, parent company of DPDGroup;
• Fermopoint s.r.l., with registered office in Treviolo (BG), Via Nelson Mandela no. 20, a company controlled by BRT.

Below you will find more information about the processing covered by joint control agreements.

• Iterations with codified customers

Purpose: Operational management of the delivery and collection of goods, sending communications relating to existing contractual relationships (e.g., contractual changes, changes to operations, collection of expressions of interest, communications relating to insurance procedures for transported goods, operation of dedicated portals), measuring service performance, sending promotional and commercial communications relating to services/products offered by the Company, or notification of events organized and promoted by the Data Controller.

Legal bases: Performance of a contract to which the data subject is a party (for contractual communications), legitimate interest of the Data Controller (for performance measurement), express consent (for promotional and commercial communications).

Personal data subject to processing: Common data of the customer's contact person(s) (e.g., name, email, telephone number, login credentials for myBRT - business and myBRT - logistics services).

Retention: The user's personal data will be retained for the entire duration of the contractual relationship, and after its termination, for 10 years.

• Customer Services and call center management

Purpose: Provision of Customer Care services for domestic shipments, performance service measurement.

Legal bases: Performance of a contract to which the data subject is a party (for complaint management), legitimate interest of the Joint Controllers (for performance measurement).

Personal data processed: Common data of the sender or recipient, if or only when the sender or recipient is a natural person (e.g., shipping address, email address, telephone number, shipment number, collection request number, case number, cash on delivery amount, free text fields within request forms, information on the contents of the package, etc.).

Retention: The user's personal data will be retained for 24 months after the case is closed.

• Access control to company offices and operating units (Hubs and depots)

Purpose: Protection of property and people within company offices and operating units (safety and security), assignment of authorization badges (where applicable).

Legal basis: Legitimate interest of the Data Controller.

Personal data processed: Common and identifying data of those wishing to access company premises and areas (e.g., names, ID details).

Retention: Visitors' personal data will be retained for 30 days (up to 7 days for CCTV systems, where applicable).

• Participation in Contests and Competitions

Purpose: Verification of participants' eligibility, identification of participants and winners, communication with participants and notification of winners, publication of winners, contact for commercial purposes.

Legal bases: Performance of a contract to which the data subject is a party (for the management of participation in contests/competitions), express consent (for contact for commercial purposes).

Personal data processed: Participant identification data (surname, first name); contact information (telephone number, email address)

Retention: Your personal data will be retained for 6 months after the case is closed in the database and for 6 months in the archive database.

For further information regarding this processing, please consult the specific policies published for each ongoing initiative.

• Participation in remote meetings

Purpose: Organizing invitations to participants, identifying them, and conducting activities.

Legal basis: Performance of a contract to which the data subject is a party (for managing participation in contests/competitions), express consent (for registrations, where applicable).

Personal data processed: Participant identification data (e.g. name/surname); contact information (telephone number, email address)

Retention: We do not retain your personal data for a period longer than necessary to fulfill the purpose for which we collected it, which generally coincides with the duration of the existing contractual relationship.

• Shipment delivery and interactions with unauthenticated users (myBRT consumer)

Purpose: operational management of the delivery and pick-up (return) service in order to facilitate the improvement and efficiency of these services, including managing delivery tools and orders/collection requests, facilitating delivery services, tracking packages from recipients, improving knowledge and interaction with recipients and potential customers, managing returns, and collecting recipient satisfaction levels.

Legal basis: execution of the contract to which the data subject is a party (operational management of delivery and collection), Legitimate interest of the Joint controllers (service improvement, recipient satisfaction), Legal obligation (returns management).

Personal data subject to processing: common personal data of the sender or the recipient, if or only when this subject is a natural person (e.g. name/surname, user name, e-mail, address, telephone number, shipping number, date of birth, contact details, additional information necessary for identity checks, etc.).

Retention: your personal information will be retained for 6 months in the active database; thereafter, it will be retained in a limited-access archive database for as long as required by law. The shipping address is stored for 3 years based on the need for reliable data and route planning.

For more information about this processing, please see the specific myBRT policy.

• Customer Services and Claims Management for international shipments

Purpose: provision of Customer Care services related to international shipments, measurement of service performance.

Legal basis: execution of a contract to which the data subject is a party (for claims management), legitimate interest of the Joint controllers (for performance measurement).

Personal data subject to processing: common data of the sender or the recipient, if or only when this subject is a natural person (e.g. shipping address, e-mail, telephone number, number of the shipment, number of the collection request, case number, cash on delivery amount, free text fields within the request forms, information on the content of the package, etc.).

Retention: user's personal data will be retained for 6 months after case closure in the database and 6 months in the archive database.

• Embargo checks

Purpose: to identify any subjects on international sanctions lists and shipments destined for countries subject to embargo measures.

Legal basis: legal obligation.

Personal data subject to processing: common data of the sender or recipient, if or only when this subject is a natural person (e.g. name, surname, e-mail, address, telephone number, shipment number, survey result).

Storage: personal data will be stored 30 days in the live database, 30 days to 2 years in the restricted access database, 2 to 10 years in the archive database (by law, access allowed only to the system administrator of the control application).

• Customs processes.

Purpose: managing notifications and payment of duties and taxes, generating proof of payment.

Legal basis: legal obligation.

Personal data subject to processing: common data of the sender or recipient, if or only when this subject is a natural person (e.g. name, e-mail, telephone number, SMS, contact data, shipment number, IP address, contents of packages associated with the value of the goods).

Storage: personal data will be stored 6 months in the live database, 5 years in the archive database.

• Shipment delivery and interactions with authenticated users (myBRT consumer)

Purpose: operational management of the delivery and collection (return) service of the goods in order to facilitate the improvement and efficiency of these services, direct marketing activities.

Legal basis: performance of the contract to which the data subject is a party (delivery and collection service), legitimate interest of the Joint controllers (improvement of services), express consent (direct marketing).

Personal data subject to processing: common personal data of the sender or recipient, if or only when this subject is a natural person (e.g. name/surname, username, e-mail, address, telephone number, shipping number, date of birth, contact details, additional information necessary for identity checks, delivery preferences, etc.). The data may also concern third parties and/or the neighbour who collects the package instead of the recipient.

Retention: personal data will be retained for 2 years after the last connection. The shipping address is stored for 3 years based on the need for reliable data and route planning.

For more information about this processing, please see the specific myBRT consumer information notice.

• Whistleblowing alerts

Purpose: managing whistleblowing reports; investigations and follow-up on reports; execution of data analysis activities (for statistical purposes) starting from anonymized data.

Legal basis: legal obligation, legitimate interest of the Joint controllers.

Personal data subject to processing: personal data of the reporter, only if he/she chooses to share them with BRT, personal information put in free text of the alerts and/or in the related attachments.

Storage: personal data will be stored in a form that allows the identification of the data subjects for the time necessary to process the specific report and in any case no later than five years from the date of communication of the final outcome of the reporting procedure.

• KPI Reporting

Purpose: Operational management of the delivery and collection (return) service for goods to facilitate the improvement and efficiency of these services.

Legal basis: Legitimate interest.

Personal data processed: Personal data of the sender or recipient, only when the recipient is a natural person (e.g., first name/surname, email, address, telephone number, shipment number).

Retention: Personal data is retained for 6 months and subsequently anonymized. The shipping address is retained for 3 years based on the need to have reliable data and to be able to plan itineraries.

• Delivery of shipments through the network of PUDO stores (PickUp DropOff)

Purpose: operational management of the process of delivery and collection of goods through the network of PUDO stores.

Legal basis: performance of the contract to which the data subject is a party or of pre-contractual measures.

Personal data subject to processing: common personal data of the sender or the recipient, if or only when this subject is a natural person (e.g. name/surname, username, e-mail, address, telephone number, shipping number, contact details, additional information necessary for identity checks, etc.).

Storage: Personal Data will be stored 12 months in the live database, 10 years in the archive database.