GlobalPrivacy,Policy,1,TableofContents,Introduction...............................................................................2,Policy,Overview,Scope,Applicationof Local Laws,Definitions..................................................................................3,Data Protection Principles......................................................4,Security and Access.................................................................5,SpecialCircumstances.............................................................6,DataTransferringorProcessingby,Third Parties,ProcessingofSpecialCategoriesof,Personal Data,TelecommunicationsandInternet,Communication and Responsibilities....................................7,Related Policies,Anti-Retaliation,Policy Policy ,CustodianAdoption ,Date,2,Introduction,PolicyOverviewApplicationofLocalLaws,FedExCorporation(togetherwithitssubsidiariesandEach operating company of FedEx is responsible for ,affiliated companies,“FedEx”)recognizestheimportancecompliance withthisPolicy.Ifthereisreasontobelievethat,ofhaving effectiveprivacyprotectionsinplaceandislocallaw requirementsorotherlegalobligationscontradict,committedto compliance with applicable data privacy laws, theduties underthisPolicy,therelevantoperating,regulations, internal policiesandstandards.Thesecompanymustinform theGCCGO.Intheeventofconflicts,protectionsformthefoundationof a trustworthy company, betweenapplicablelocal laws,rulesorregulationsandthe,are necessary to maintain the confidence ofcustomersandPolicy,FedExwillworktofinda practicalsolutionthat,employeesandensurethecompany’sown compliancereconcilestheserequirements.,withsuchlocallaws.ThisGlobalPrivacyPolicy (“Policy”)is,basedongloballyaccepted,basicprincipleson,dataprotection.,Scope,ThisPolicyappliesworldwidetoallemployeesand,companies of FedEx.
Individual operating companies may not ,adopt policies inconsistentwiththisPolicy.Supplemental,dataProtection requirementsforindividualoperating,companies,regionsor countriesmaybecreatedwiththe,approvaloftheGlobalChief ComplianceandGovernance,Officer(“GCCGO”).,3,Definitions,PersonalData—AnyinformationthatcandirectlyorNotes:,indirectly beusedtoidentifyanaturalperson,whetherthat,individualisan employee,acustomeroremployeeofa,customer,avendoror employeeofavendor,ajob,applicantoranyotherthirdparty.,Examples:,•Names,•Government-issued identification numbers ,(social security and driver’s license numbers, ,etc.),•Addresses,•Phonenumbers,•Emailaddresses,•Photos,Processing—AnyoperationperformedonPersonalData, ,withorwithouttheuseofautomatedsystems,suchasto ,collect,store,organize,retain,archive,record,view,modify, ,adapt, alter, query, use, retrieve, forward, transmit or ,combine,data.
This also includes disposing of, deleting, erasing, ,destroying or blocking data.,Examples:,•Storinginformationindatabases,•Viewinginformationstoredonanothercomputer,•Transferringinformationfromonedatabaseto,another,Datathathasbeenanonymizedsuchthatindividuals,cannotbe identifieddoesnotconstitutePersonalData.,Thetransportationofphysicalmedia(documents,,computers, etc.) containing Personal Data does not constitute ,Processing of that Personal Data.,4,DataProtection Principles,PersonalDatawillbecollected,recordedandusedinaproper5.DataQuality.PersonalDatashouldbeaccurate,,and professionalmanner,whetherthePersonalDataisonandif necessary, kept up to date.,paper,in computerrecordsorrecordedbyanyother,means.,FedExisaccountableforandmustbeabletodemonstrate ,compliancewiththefollowingprinciplesofdataprotection.,1.FairandLawful.WhenProcessingPersonalData,,therights of the individual related to their ,Personal Data must be protected.
Personal Data ,must be collected and Processed fairly and ,lawfully.,2.PurposeSpecification.PersonalDatacanbeused,or Processedonlyforthepurposedefinedatthe,timeof collection and shall not be further used or ,Processed in any manner incompatible with that ,purpose.
Personal Data may not be collected and ,stored for potential future use unless allowed by ,local law.,3.CollectionLimitation.FedExonlycollects,Personal Datanecessarytomeetthespecified,purposeatthe time of collection and only to the ,extent allowed by local law.,4.Deletion.
Personal Data no longer needed for ,the purpose specified at the time of collection ,shall be deletedaccordingtoapplicable,retentionschedules unless it is subject to an ,exception from the,LegalDepartment.,6.Security Safeguards.
Personal Data must be ,protected using technical, managerial and ,physical securitymeasuresagainstriskoflossor,unauthorized access, destruction, use, ,modification or disclosure.,7.Transparency.Individualsmustbenotifiedat,the timeofcollectionhowtheirPersonalData,isbeing usedorProcessed.Theymustbe,awareofwhois collecting the Personal Data, ,the purpose for the,ProcessingofthePersonalDataandifthirdparties,will Process the Personal Data, that adequate ,safeguards areinplace.Allsuchnoticesmustbe,approvedbythe Legal Department.,8.Individual Participation.
To the extent ,required bylocallaw,individualshavearightto,accesstheir,PersonalDataand,whereappropriate,tocorrect,or delete it and exercise any other right provided ,by local law.,5,SecurityandAccess,PersonalDataisclassifiedasconfidential.Anyunauthorized PersonalDatamustbesafeguardedfromunauthorized,Processingofsuchdatabyemployeesisprohibited.Any access andunlawfulProcessingordisclosure.Thisapplies,Processingundertakenbyanemployeethatisnotpartofregardlessof whether datais Processed electronically or in ,hisor herlegitimatedutiesisprohibited.Employeesmaypaper form.
Before theintroductionofnewmethodsofdata,haveaccess toPersonalDataonlyasisappropriatefortheProcessing,aprivacy impactassessmentshouldbe,typeandscopeof thetaskinquestion.ThisrequirestheperformedfornewITsystems, whichmayleadto,definitionandseparation,as wellasimplementation,ofrolesimplementingtechnicalandorganizational measuresto,andresponsibilities.protectPersonalData.,EmployeesareprohibitedfromusingPersonalDataEmployees are expected to follow FedEx Information ,outside ofthescopeoftheiremploymentatFedEx,toSecurity Standards,whichcanbefoundbysearching,discloseitto unauthorizedpersonsortomakeitavailablekeyword “standards.”NotethatInformationSecurity,inanyotherway outside the permitted business use.
classifiesalldata as Sensitive, Internal or Public.
Depending ,Supervisors must inform theiremployeesatthestartofon its classification, PersonalDatamustbeprotectedin,theemploymentrelationshipaccordancewiththe applicableInformationSecurity,about the obligation to protect Personal Data.
This obligation Standards.,shall remaininforceevenafteremploymenthasended.,Intheeventofsuspiciousactivity,suspected,cyberattack, suspectedsecurityincident,orpossible,breachofPersonal Data, all FedEx employees must notify ,Information Security immediatelyviatheIncident,NotificationWebsite,keyword “incident”orcall901/224-,2021or901/224-2022toreport theincident.,SecuringPersonalData,PersonalDatamustbesafeguardedfromunauthorizedaccess,6,Special Circumstances,DataTransferringorProcessingby TelecommunicationsandInternet,Third Parties,PersonalDatamaynotbetransferredtoacountryoutside,the countryoforiginunlessthetransferhasbeenapproved,bythe LegalDepartment,whowillensureanadequate,levelofdata protectionorsuitablesafeguardsareinplace.,Ifavendoror thirdpartyisengagedtoProcessPersonal,Data,adatatransfer agreementmustbeinplacewiththat,externalprovider.An external provider can Process Personal ,Data only in accordance with instructions from FedEx.,ProcessingofSpecialCategoriesof ,Personal Data,SpecialcategoriesofPersonalDatathatarehighlysensitive,can beProcessedonlyundercertainconditions.These,categories includeanindividual’sracialandethnicorigin,,politicalbeliefs, religiousorphilosophicalbeliefs,union,membershiporthehealth andsexuallifeofthedatasubject.,Underlocallaw(s),furtherdata categoriesmaynecessitate,specialtreatment.PersonalData,thatrelatestoacrimecanoftenbeProcessedunderspecial ,requirementsoflocallaw.Leaverequests,thatinclude,special categoriesofdata,willbehandledbylocalHuman,Resourcesand LegalDepartments.,Ifthereareplanstoimplementanewsystem,procedure,or Process that includes Personal Data in a special ,category, the GCCGOmustbeinformedinadvance.,Telephoneequipment,emailaddresses,intranetand,Internet, alongwithinternalsocialnetworksareprovided,primarilyfor work-relatedassignments.Theycanbeused,withinthe applicablelegalregulationsandinternalpolicies.,Intheeventof limitedacceptableusageforprivate,purposes,thelocallawson secrecy of telecommunications ,and any local telecommunication laws must be observed.,7,Communication and Responsibilities,AllEmployeesareresponsiblefor:,•Reading and complying with this Policy and ,related policies,alongwithrelated,documents/guidelinesthatmay be developed ,and maintained to implement the requirements of ,this Policy.,•ReportingviolationsofthisPolicy.,Managementisadditionallyresponsiblefor:,•Ensuringallreportingpersonnelunderstand,the requirements of this Policy.,•Ensuringappropriatesafeguardsareinplaceto,protect Personal Data.,•Providingallnecessarytrainingand/or,guidancetoassist with the implementation ,process, and for monitoring compliance with ,this Policy.,RelatedPolicies,•CodeofBusinessConductandEthics,•InformationSecurityStandards,•Yourcompany’sUseofComputerResourcesPolicy,•Yourcompany’sPre-employmentScreeningPolicy,•Yourcompany’sRecruitmentPolicy,•Yourcompany’sDataRetention,and DestructionSchedules,•Keyword“incident”,Anti-RetaliationPolicy,FedExprohibitsanyformofretaliationforreportingingoodfaith a,suspectedviolationofthisPolicy.,PolicyCustodian,GlobalChiefCompliance&GovernanceOfficer,AdoptionDate,ThisPolicywasadoptedeffectiveMay1,2018.