Binding Corporate Rules

Introduction and scope

As a leading global express, delivery and logistics service provider, the proper and compliant processing of personal data – on employees, couriers, customers, shippers, consignees and others – is a top priority for the Aramex Group. The importance of the use of personal data for the worldwide business model which the Aramex Group has developed is undeniable, but so is the potential impact upon individuals that improper use of their personal data may have.

The Aramex Group acknowledges its responsibility to ensure that its activities involving the use of personal data comply with all applicable regulations around privacy and personal data protection. These binding corporate rules (“Aramex BCRs”) have been developed, based on the requirements laid down in the EU General Data Protection Regulation (“GDPR”) and applicable guidance from EU Supervisory Authorities, to meet this goal. They aim to clearly explain, for the benefit of individuals, business partners and Supervisory Authorities:

The rules which all Aramex Group members (whether within or outside the EEA) must respect when processing personal data;
The flows of personal data sharing which may take place within the Aramex Group; and
The rights which individuals, whose personal data is processed by the Aramex Group (“Data Subjects”), are entitled to exercise against the Aramex Group.

The Aramex BCRs are a part of a wider set of internal policies, procedures, guidelines and templates developed by the Aramex Group, called the Aramex Group Data Protection Compliance Framework (“Aramex G-DPCF”). The Aramex G-DPCF, in turn, has been developed by Aramex in order to ensure a consistent and high-standard approach to the protection of personal data throughout the Aramex Group. As the GDPR reflects one of the highest standards for personal data protection worldwide, with internationally acknowledged data protection principles, the Aramex Group decided to base the Aramex G-DPCF on the GDPR’s requirements and obligations – thereby requiring Aramex Group members to follow its principles, regardless of where they are established.

Within the Aramex G-DPCF, the Aramex BCRs also serve as a transfer tool under the GDPR, in order to allow for international transfers of Personal Data between Aramex Group members (even those outside of the EEA). They have been approved for this purpose by the Dutch Supervisory Authority (Autoriteit Persoonsgegevens) – the BCR Lead.

The main target audience for the Aramex BCRs are the Data Subjects, whose personal data may be processed by the Aramex Group – including Aramex employees, couriers, customers, consignees and shippers, among others (whether or not they are EEA citizens/residents, all such Data Subjects fall under the scope of the Aramex BCRs). With this in mind, the Aramex BCRs have been carefully drafted so as to be as clear, understandable and practical as possible, considering the rights, freedoms and interests of those individuals.

These Aramex BCRs apply to all personal data processed by Aramex Group members, whether or not those personal data originate from within the EEA, and regardless of whether the relevant Data Subjects are EEA citizens/residents or not.

Definitions

Please see below a list of definitions which may help you to better understand some of the terms used in the Aramex BCRs.

Aramex Internal Audit Team means the central team within the Aramex Group responsible for coordination of internal audits;
Aramex BCRs means these binding corporate rules, which apply to the Aramex Group;
Aramex Incident Response Team means the central team within the Aramex Group responsible for coordination and management of security incidents, including Personal Data Breaches;
Aramex Information Security Team means the central team within the Aramex Group responsible for coordination and management of information security;
Aramex G-DPCF means the Aramex Group Data Protection Compliance Framework, which is a set of internal policies, procedures, guidelines and templates developed by the Aramex Group based on the GDPR, in order to ensure a consistent and high-standard approach to the protection of Personal Data throughout the Aramex Group. The Aramex G-DPCF includes the Aramex BCRs;
Aramex Group means the group of Aramex companies which are listed in Annex I to these binding corporate rules;
Aramex Group DPO means the team with specific knowledge and competence regarding data protection regulations and practices, appointed by the Aramex Group to assist in compliance with the GDPR;
Aramex Group Representative means Aramex Nederland B.V., the Aramex Group member appointed in writing to represent the Aramex Group members which are not established in the EU/EEA with regard to their respective obligations under the GDPR. The Aramex Group Representative is also the Aramex Group member with delegated data protection responsibilities under the Aramex BCRs, thereby assuming responsibility for compliance with the Aramex BCRs on behalf of the Aramex Group members which are not established in the EU/EEA;
Aramex Privacy Team means the central team within the Aramex Group responsible for coordination of privacy and data protection-related matters. The Aramex Privacy Team includes, among its members, the Aramex Group DPO;
Automated Decision-Making means decisions based only on automated Processing, including Profiling, that produce legal effects concerning the natural person or similarly significantly affect the natural person;
BCR Lead means the lead Supervisory Authority for the Aramex BCRs, under Arts. 47(1) and 64 GDPR, as well as the European Data Protection Board’s Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) – the Dutch Supervisory Authority (Autoriteit Persoonsgegevens);
Biometric Data means Personal Data resulting from specific technical Processing relating to the physical, physiological or behavioural characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or dactyloscopic data;
Consent means any freely given, specific, informed and unambiguous indication of a Data Subject's wishes by which he or she signifies, by means of a statement or by a clear affirmative action, agreement to the Processing of Personal Data relating to him or her;
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Data Processing Agreement means a written agreement which is binding on a Processor with regard to a Controller, and which meets the minimum requirements laid out in the Aramex BCRs (see Engagement of Processors, below);
Data Management Agreement means a written agreement entered into between two or more organisations which are involved in a relationship involving the Processing of Personal Data, in order to comprehensively regulate their respective data protection compliance responsibilities. A Data Management Agreement may incorporate Data Processing Agreement terms, Joint Controllership Agreement terms and or additional terms to regulate relationships between independent Controllers;
Data Subject means an identified or identifiable natural person – an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
DPIA means data protection impact assessment – an assessment of the impact of envisaged Processing operations on the protection of Personal Data, meeting the requirements of the Article 29 Data Protection Working Party’s Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 and those laid out in the Aramex BCRs (see Privacy risk assessments and Data Protection Impact Assessments, below).
EEA means the European Economic Area;
EU means the European Union;
GDPR means Regulation (EU) 2016/679, of the European Parliament and of the Council, of 27 April 2016;
Genetic Data means Personal Data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which results, in particular, from an analysis of a biological sample from the natural person in question[1];
Health Data means Personal Data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
Information Systems (or IT Systems / IT Tools) means any device or group of interconnected or related devices, one or more of which, pursuant to a program, performs automated Processing of Personal Data, as well as Personal Data stored, Processed, retrieved or transmitted by them for the purpose of their operation, use, protection or maintenance;
Inspections means inquiries, information requests and inspections carried out by Supervisory Authorities;
Intra-Group Agreement means the Intra-Group Agreement concerning the adoption of a Group Data Protection Compliance Framework (“Aramex G-DPCF”), including Binding Corporate Rules (“Aramex BCRs”) pursuant to Article 47 of Regulation (EU) 2016/679, signed by all Aramex Group members as a means of adherence to the Aramex G-DPCF and Aramex BCRs;
Joint Controllership Agreement means a written agreement entered into between two or more Controllers which jointly determine the purposes and means of a Processing activity (or set of activities), in order to transparently determine their respective responsibilities for compliance with the obligations under the GDPR, in particular as regards the exercising of the rights of the Data Subject and their respective duties to comply with information and transparency obligations, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by EU or Member State law to which the Controllers are subject;
Judicial Data means Personal Data relating to criminal convictions and offences or related to security measures (in the criminal/penal context);
LIA means legitimate interests assessment (or “balancing test”) – an assessment as to whether legitimate interests pursued by the Aramex Group may be overridden by the interests or fundamental rights and freedoms of Data Subjects which require protection of Personal Data, meeting the requirements of the Article 29 Data Protection Working Party’s Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC;
Personal Data means any information relating to a Data Subject;
Personal Data Breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data transmitted, stored or otherwise Processed;
Persons Authorised means any natural persons authorised by and under the authority of the Aramex Group to Process Personal Data, including: employees and former employees, general managers, executives, collaborators and independent consultants, part-time and job-sharing workers, interns etc., without any distinction as to their role, function and/or level within the Aramex Group. The definition also includes consultants and employees of third parties providing services to the Aramex Group, and, in general, all those who use Aramex Group corporate equipment or authorised personal equipment to perform tasks on behalf of the Aramex Group, operate in the Aramex Group’s IT network or become aware of relevant corporate information, such as, but not limited to: (a) Personal Data related to clients, employees and suppliers, including e-mail addresses; (b) any commercial, financial, strategic and/or confidential information about the Aramex Group’s business; and (c) information related to corporate processes, including trademarks, patents and intellectual property rights, irrespective of any detrimental effects in the event of disclosure of this information;
Privacy Contact means an Aramex Group staff member appointed, on behalf of one or more Aramex Group members, to act as a contact point for Data Subjects and Supervisory Authorities, as well as to coordinate with the Aramex Privacy Team on privacy and data protection-related matters relevant to those Aramex Group members. Privacy Contacts are bound to confidentiality and may be assisted by external legal consultants advising on privacy and data protection-related matters;
Processing (as well as Process, Processed, and other variations) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Processor means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller;
Profiling means any form of automated Processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
Recipient means a natural or legal person, public authority, agency or another body, to which the Personal Data is disclosed (excluding public authorities which may receive Personal Data in the framework of a particular inquiry in accordance with Union or Member State law);
Restriction of Processing means the marking of stored Personal Data with the aim of limiting their Processing in the future;
Special Categories of Personal Data means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, Genetic Data, Biometric Data (when Processed for the purpose of uniquely identifying a natural person), Health Data or data concerning a natural person's sex life or sexual orientation;
Sub-Processor means a Processor engaged by another Processor, in order to assist in the Processing of Personal Data on behalf of the Controller;
Supervisory Authority means an independent public authority which is established by a Member State and tasked with monitoring the application of the GDPR, in order to protect the fundamental rights and freedoms of Data Subjects in relation to the Processing of their Personal Data and facilitate the free flow of Personal Data throughout the EEA.

[1] The Aramex Group does not process genetic data, as defined in Article 4(13) GDPR. This definition was only included for the sake of completeness, to complement the definition of “Special Categories of Personal Data” below.

What principles are followed by the Aramex Group, when Processing Personal Data?

As mentioned above (see Introduction and scope), the Aramex BCRs, as part of the Aramex G-DPCF, are built upon both the rules laid down in the GDPR. These rules include the basic principles to be followed whenever Personal Data is Processed by the Aramex Group, which we explain below.

3(1) Transparency

To comply with the principle of transparency, the Aramex Group will actively inform you about how your Personal Data is Processed, through different privacy policies and information notices. These documents must explain:

Which Aramex Group member(s) acts as a Controller for your Personal Data, and how they (and the Aramex Group DPO, as well as the Aramex Group Representative where relevant) can be contacted;
Contact details for the relevant local Privacy Contacts (see How can I exercise my rights and file complaints under the Aramex BCRs?);
Which categories of your Personal Data may be collected and further Processed by the Aramex Group;
Why your Personal Data is Processed (for what purposes?);
- In particular, where an Aramex Group member may rely on legitimate interests as a legal basis (see Lawfulness), an explanation of the legitimate interests pursued;
How the Aramex Group ensures the lawfulness of this Processing (what legal bases are relied on?);
The Recipients (or categories of Recipients) – whether Aramex Group members or not – with which your Personal Data may be shared;
Whether your Personal Data may be transferred to other countries (in particular, whether Personal Data may be transferred outside of the EU/EEA) and, if so, what mechanisms are relied on to ensure the lawfulness of those transfers (see Transfers of Personal Data from within the EEA to outside of the EEA);
How long your Personal Data will be retained by the Aramex Group (see Data minimisation, Storage limitation and Accuracy);
What rights you are entitled to exercise against the Aramex Group (see What rights do I have under the Aramex BCRs?, below), as well as how you can enforce your rights (see How can I exercise my rights and file complaints under the Aramex BCRs?);
Whether you are required to provide Personal Data to the Aramex Group, under a legal or contractual obligation, or as a requirement in order to enter into a contract with the Aramex Group, as well as the possible consequences for you if you refuse to do so;
Whether we will carry out any Automated Decision-Making using your Personal Data – in these cases, the information we give you should allow you to understand the logic involved (how an algorithm will use your Personal Data to arrive at an automated decision), the significance and possible consequences of these activities for you (what decisions may be taken, and what effects this can have on you), and how you can react to these decisions (see Rights concerning Automated Decision-Making);
The sources (or categories of sources) from which the Aramex Group has obtained Personal Data on you, where you have not given Personal Data to the Aramex Group directly; and
Any other information which may be needed to ensure that you can clearly understand how your Personal Data may be used, and what associated risks and safeguards exist.

This information must also allow you to understand:

The scope of the Aramex BCRs (see Introduction and scope, and How does Personal Data flow within the Aramex Group?);
Your right to enforce certain provisions of the Aramex BCRs directly against Aramex Group members, as a third-party beneficiary (see Data Subjects’ enforcement of the Aramex BCRs);
The manner in which you can submit complaints related to the Aramex BCRs to the Aramex Group (see How can I exercise my rights and file complaints under the Aramex BCRs?);
The Aramex BCRs’ provisions on liability and jurisdiction (see Data Subjects’ enforcement of the Aramex BCRs); and
The Aramex BCRs’ provisions on data protection principles (as covered in this section, and the below sections).

All of the above information must be provided in writing and in full (not in a summarised form).

This is done within the privacy policies uploaded to Aramex Group websites and applications, as well as within other information notices which may be given to you (depending on your specific relationship with the Aramex Group, such as the information notices given to Aramex Group employees). You can also obtain a copy of the Aramex BCRs upon request (see Data Subjects’ enforcement of the Aramex BCRs).

The Aramex Group strives to ensure that any information given to you about how your Personal Data is Processed is kept up-to date, as well as easy to access and understand – in particular, efforts are made to use language which is concise, clear, plain and intelligible to the foreseen target audience. This includes information within privacy policies and notices, but also within any communications exchanged with you (such as when responding to your requests).

3(2) Fairness

To comply with the principle of fairness, other than ensuring that you are kept properly informed about how your Personal Data may be used (see above), the Aramex Group has implemented internal measures to ensure that Personal Data is only used in a manner which safeguards your rights. In particular:

Before deciding to Process your Personal Data, the Aramex Group must clearly define and identify the specific purpose(s) for which your Personal Data is to be used (for example, “to track shipment deliveries”, or “to examine applicant’s resumes / CVs and to get in contact with applicants who have submitted their applications to the Aramex Group via the Aramex Group’s websites” – see also Purpose limitation and Data minimisation, Storage limitation and Accuracy);
These purposes must be legitimate, and must be explicitly told to you when your Personal Data is collected;
These purposes will serve as a benchmark in order to determine how much and what kinds of Personal Data should be collected, as well as for how long they will be retained.

Personal Data will not be Processed for a given purpose if it is possible to achieve that purpose’s goals without using Personal Data (for example, where the Aramex Group can meet a given objective using only anonymous or aggregated information about its customers). If strictly necessary, the Aramex Group will only use Personal Data which is both adequate and relevant to meet the purposes in question.

As a rule, the Aramex Group will only keep Personal Data for as long as strictly needed for the relevant purposes to be met. After this, those Personal Data will either be fully deleted, anonymised or aggregated. To keep track of this, the Aramex Group has set internal time limits for Personal Data retention, which are used to periodically check whether stored Personal Data is still necessary.

The Aramex Group further strives to confirm that any Personal Data it Processes is accurate and up to date – for example, by allowing you to request that your Personal Data be corrected or completed, and by confirming Personal Data with you whenever feasible.

Finally, to ensure Personal Data integrity, confidentiality and availability, the Aramex Group has implemented internal organisational measures (such as policies and procedures) and technical measures (security measures applied to the IT Systems and IT Tools used by the Aramex Group to store or Process Personal Data) to prevent any unauthorised use of Personal Data.

3(3) Lawfulness

To comply with the principle of lawfulness, the Aramex Group ensures that it only uses Personal Data where this is lawful, under the GDPR. To do so, the Aramex Group carefully identifies which of the six legal bases listed in the GDPR may apply to any activity performed on Personal Data, considering its purpose:

(1) You have provided Consent for the Aramex Group to Process your Personal Data, for a given purpose;

(2) The Aramex Group needs to Process your Personal Data in order to perform a contract with you, or otherwise to take steps you requested prior to entering into a contract (for example, to respond to questions you raised concerning the Aramex Group’s services);

(3) The Aramex Group needs to Process your Personal Data in order to comply with its legal obligations;

(4) The Aramex Group needs to Process your Personal Data to protect your vital interests, or of another individual; or

(5) The Aramex Group has identified a specific, legitimate interest in Processing your Personal Data and, after a thorough assessment, has concluded that using Personal Data to meet this interest does not create a relevant negative impact upon your rights, freedoms or interests which require the protection of Personal Data.

In exceptional situations, Aramex may be specifically mandated by local authorities / public bodies to assist in the performance of tasks in the public interest (e.g., the delivery of essential goods to individuals in public crisis situations). In these cases, the Aramex Group may Process a limited amount of Personal Data on individuals as necessary to allow the performance of those tasks (e.g., names and contact details).

3(4) Purpose limitation

As mentioned above (see Fairness), before deciding to use Personal Data, the Aramex Group must identify the specific purposes for which Personal Data is to be used. Those purposes must not only be legitimate, but must also be explicitly shared with you before we start processing your Personal Data for those purposes, in order to comply with the principle of purpose limitation (see also Transparency).

The rule is that any Personal Data collected by the Aramex Group should only be used for the specific purpose(s) for which it was originally collected, for other purposes which are compatible with the original purposes, or for other purposes for which the Aramex Group is able to identify an appropriate legal basis (see Lawfulness).

The Aramex Group has reflected the rules, within the GDPR, on assessing whether two purposes are compatible within the internal policies included in the Aramex G-DPCF. In particular, to perform this assessment, the Aramex Group will consider:

The link that exists between the original purpose and the other purpose;
The context of the collection of Personal Data (in particular, your relationship with the Aramex Group will be considered);
The types of Personal Data involved;
The possible consequences for you of using your Personal Data for the other purpose; and
The appropriate safeguards which the Aramex Group can put in place, such as encryption or pseudonymisation (which are methods by which your Personal Data is altered or masked, so that it is not directly linkable to you).

Whenever the Aramex Group decides to further process your Personal Data – in other words, to process your Personal Data for a purpose which is different to that for which your Personal Data was originally collected by the Aramex Group – you will be kept appropriately informed of this, through the Aramex Group’s privacy policies and information notices, or through ad hoc communications carried out by the Aramex Group (see Transparency).

3(5) Data minimisation, Storage limitation and Accuracy

As mentioned above (see Fairness), Personal Data will not be Processed for a given purpose if it is possible to achieve that purpose’s goals without using Personal Data (for example, where the Aramex Group can meet a given objective using only anonymous or aggregated information about its customers). If strictly necessary, the Aramex Group will only use Personal Data which is both adequate and relevant to meet the purposes in question. These rules are followed in order to comply with the principle of data minimisation.

To comply with the principle of storage limitation, as also mentioned above (see Transparency, Fairness and Lawfulness), the Aramex Group will, as a rule, only keep Personal Data for as long as strictly needed for the relevant purposes to be met. After this, those Personal Data will either be fully deleted, anonymised or aggregated.

To keep track of this, the Aramex Group has set internal time limits for Personal Data retention, which are used to periodically check whether stored Personal Data is still necessary. These time limits, or retention periods, are defined by use of three main criteria:

Necessity: The first criterion which the Aramex Group uses to define a retention period is the normal period of time during which Personal Data must be stored, in order to allow the main purposes for its collection (or other compatible purposes) to be fulfilled (for example, Personal Data on the shipper and consignee for a delivery needs to be stored at least until that delivery has been successfully completed).
Once this period of time has elapsed, the Aramex Group will assess whether continued retention of the Personal Data is necessary (based on the below two additional criteria). The Aramex Group will, based on the results of this assessment, either (1) delete or anonymise those Personal Data or (2) archive those Personal Data, if further retention complies with at least one of the below two criteria.
Legal Obligation: The second criterion which the Aramex Group uses to define a retention period is the minimum statutory retention periods which may be defined in laws applicable to an Aramex Group member (for example, depending on the jurisdiction in question, each Aramex Group member may be required to keep records of deliveries completed, including Personal Data on the respective shippers and consignees, for a given period of time as determined by the laws applicable to them). This criterion only applies where there is a legal obligation to retain Personal Data (or documents containing Personal Data) for a specific period of time. Where these minimum retention periods exceed the period of time defined by the first criterion, the Aramex Group will extend the retention period in order to ensure it complies with its legal obligations.
Legal Permission: The final criterion which the Aramex Group uses to define a retention period is whether or not the laws applicable to an Aramex Group member afford the possibility for Personal Data to be retained further, if a legitimate interest in doing so exists (for example, Personal Data on the shipper and consignee for a delivery may be retained for an additional period of time, if these Personal Data are suitable to serve as evidence of an Aramex Group member’s correct completion of the delivery). This criterion may allow the Aramex Group to extend the retention of Personal Data beyond the period of time defined by use of the first two criteria.

Where Personal Data are further retained based on Legal Obligation and/or Legal Permission, the Aramex Group will, as a rule, archive those Personal data under conditions of restricted access, so that they are only used (1) to comply with any relevant legal obligations, and (2) to serve the legitimate interests identified.

To comply with the principle of accuracy, as also mentioned above (see Fairness), the Aramex Group further strives to confirm that any Personal Data it may Process is accurate and up-to-date – for example, by allowing Data Subjects to request that their Personal Data be rectified or completed, and by confirming Personal Data with Data Subjects whenever feasible (for example, when completing deliveries, Aramex Group members may contact the consignees in order to confirm the accuracy of the delivery addresses held; job applicants are also allowed to amend information provided within applications made to the Aramex Group; and Aramex Group employees are allowed to autonomously update certain categories of Personal Data stored on Aramex Group HR management systems). In particular, as noted below, you are entitled to exercise a variety of rights concerning the use of your Personal Data against Aramex Group members – including the right to rectification.

3(6) Special Categories of Personal Data

The GDPR sets out that the Processing of Special Categories of Personal Data is, as a rule, prohibited. Under a GDPR standard, it is therefore only lawful to Process Special Categories of Personal Data, in the context of a given Processing activity, where (1) that activity can be supported by a valid legal basis, and (2) that activity falls within the scope of a valid derogation to that rule.

The Aramex Group’s core activities generally do not require the Processing of any Special Categories of Personal Data. As such, in line with the abovementioned rule, the Aramex Group generally does not Process any Special Categories of Personal Data.

However, there are certain circumstances where the Aramex Group may be required to Process these types of Personal Data (for example, when addressing work-related health requirements with specific employees or contractors), including Judicial Data (for example, when performing legally required customer screening, to ensure compliance with customs and import/export restrictions). Where this is the case, the Aramex Group will continue to abide by the GDPR’s principles and will implement appropriate safeguards to protect that Personal Data and other fundamental rights of the Data Subjects concerned, subject to any potential conflicts with local legislation (see How are conflicts between the Aramex BCRs and local applicable legislation managed?, below).

Given that the Processing of Special Categories of Personal Data, by their very nature, represents an increased level of risks to the rights, freedoms and interests of Data Subjects, the Aramex Group pays particular attention to ensuring their proper Processing. No Special Categories of Personal Data will be Processed unless the Aramex Group can validly rely on one of the 6 legal bases available to it (see Lawfulness, above) AND one of the following circumstances applies:

You have given the Aramex Group explicit Consent to Process certain Special Categories of Personal Data for a specific purpose;
The use of Special Categories of Personal Data is strictly necessary for the Aramex Group to carry out its obligations and/or exercise its rights as an employer (as determined by local laws/legal obligations, or by a legally valid and appropriate collective agreement);
The use of Special Categories of Personal Data is necessary to protect your vital interests, or those of another individual, and you are physically or legally incapable of giving the Aramex Group Consent to this end;
You have manifestly made the Special Categories of Personal Data in question public;
If, in the context of legal claims or similar proceedings brought by or against the Aramex Group, it is necessary to use certain Special Categories of Personal Data as evidence;
If the use of Special Categories of Personal Data, such as Health Data, is necessary for occupational medicine purposes, health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health (as determined by local laws/legal obligations);
If the use of Special Categories of Personal Data, such as Health Data, is necessary for reasons of a substantial public interest (based on appropriate local laws/legal obligations), or for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health (as determined by local laws/legal obligations); or
Special Categories of Personal Data are to be Processed for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, based on appropriate local laws/legal obligations and subject to adequate safeguards – notably, technical and organisational measures to ensure respect for the principle of data minimisation (see Data minimisation, Storage limitation and Accuracy, above), such as pseudonymisation or aggregation/anonymisation of Personal Data.
The above applies to all Processing of Special Categories of Personal Data originating in the EEA carried out by the Aramex Group, including any transfers of Special Categories of Personal Data from within the EEA to outside the EEA (addressed below).
Judicial Data, on the other hand, can only be Processed by the Aramex Group where it can validly rely on one of the 6 legal bases available to it (see Lawfulness, above) AND when the intended Processing is authorised by EU or EU Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. This applies to all Processing of Judicial Data originating in the EEA carried out by the Aramex Group, including any transfers of Judicial Data from within the EEA to outside the EEA (addressed below).
The Processing of Judicial Data which is also Special Categories of Personal Data must also comply with all of the above requirements set out for Special Categories of Personal Data.
To ensure compliance with the above, the Aramex Group has implemented internal policies to identify and determine the most appropriate legal bases (and derogations) which may apply when Processing Personal Data in general, as well as Special Categories of Personal Data specifically.
In some jurisdictions where the Aramex Group operates, local legislation may require the Aramex Group to Process certain Special Categories of Personal Data or Judicial Data even beyond the cases set out in the GDPR. In such a scenario, if the Aramex Group is strictly bound to complying with those requirements, it will still continue to abide by the GDPR’s principles to the greatest extent possible (see How are conflicts between the Aramex BCRs and local applicable legislation managed?, below).
Transfers of Special Categories of Personal Data or Judicial Data from within the EEA to outside the EEA which are carried out by the Aramex Group (including remote access, by a Recipient located outside of the EEA, to Special Categories of Personal Data or Judicial Data stored within the EEA) must be based on lawful transfer mechanisms and, where necessary adequate supplementary measures – the latter are necessary even if the Recipient is another Aramex Group member (see Transfers of Personal Data from within the EEA to outside of the EEA, below).

3(7) Security

3(7)(1) Security measures

To ensure that all Personal Data Processed by the Aramex Group is kept confidential, available and safe from any unauthorised access, changes or destruction, the Aramex Group has defined a set of internal technical and organisational security measures, which are applied to Personal Data and to the equipment used to Process Personal Data. These measures – which are regularly audited, tested and assessed, to ensure they remain effective over time – have been selected considering the state of the art, the costs of implementation, the potential risks for Data Subjects and the nature of the Personal Data at hand, with the ultimate goal of ensuring an adequate level of Personal Data security.

3(7)(2) Privacy risk assessments and Data Protection Impact Assessments

As part of its efforts to proactively identify potential security risks and measures which can be taken to mitigate their impact, the Aramex Group has implemented an internal procedure to assess any relevant risks to your rights, freedoms or interests which may arise from the ways in which it seeks to Process your Personal Data (for both existing and new projects). Where these projects present greater risks – for example, due to the large number of Data Subjects concerned, the specific types of Personal Data which may be Processed, or the specific purposes which the project seeks to fulfil – the Aramex Group bolsters this assessment with its internal procedure for carrying out, documenting and revising Data Protection Impact Assessments (DPIAs).

By carrying out a DPIA, the Aramex Group is able to map out the ways in which a project will involve the use of Personal Data and the parties which will be involved (whether within the Aramex Group, such as certain teams or departments, or outside the Aramex Group, such as certain suppliers). This then allows the Aramex Group to understand whether the project may represent threats or risks to Data Subjects’ privacy, or to any of their other rights, freedoms or interests. After having identified those threats or risks, the Aramex Group can put in place safeguards to reduce their impact and/or likelihood to an acceptable level. Finally, the procedure allows for the DPIA to be documented, so that the Aramex Group’s assessment of a project can be shared with requesting Supervisory Authorities upon request.

If a project assessed via a DPIA shows high risks to Data Subjects which the Aramex Group is not comfortable that it can sufficiently mitigate, the lead Supervisory Authority for the Aramex Group will be consulted by the Aramex Privacy Team (in coordination with the Aramex Group Representative and the relevant Aramex Group members) before the project is rolled out.

By including a process to keep DPIAs up to date, both periodically and whenever the project in question suffers any material changes, the Aramex Group is able to ensure that DPIAs performed remain updated and that a clear picture of the potential risks and measures to address them is always available.

3(7)(3) Policy on Acceptable Use of Aramex Information Resources

As an additional means of ensuring security within the Aramex Group, internal policies have been implemented around the acceptable use of information resources and IT Systems/Tools. These policies have been developed based on relevant guidance from EU and EEA Supervisory Authorities, and seek to:

provide practical and precise rules to persons using Aramex Group IT Systems/Tools on how those IT Systems/Tools should be used (including also the Aramex Group’s IT network and corporate e-mail system), in order to prevent problems, inefficiencies, costs or threats to the Aramex Group’s IT network, or to the security of the IT Systems/Tools and data within that network;
set out the circumstances under which the Aramex Group may monitor activities performed on those IT Tools, in line with the principles of fairness and data minimisation, with the sole purposes of safeguarding IT network/System/Tool integrity and protecting sensitive information (including Personal Data stored or Processed by the Aramex Group); and
provide information to staff on the possibility for the Aramex Group to initiate disciplinary procedures if the Aramex Group’s internal policies are not respected.

3(7)(4) Management of security incidents and Personal Data Breaches

It is also important not only to prevent potential security threats, but also to react to them swiftly and decisively when they occur. If not, security incidents affecting Personal Data can harm the Data Subjects concerned (for example, causing them to lose control of their Personal Data, become exposed to the possibility of identity theft or fraud, or even suffer damages to their reputation or social standing). The Aramex Group has therefore set up internal policies and procedures on the management of these security incidents (Personal Data Breaches), managed by the Aramex Incident Response Team.

The Personal Data Breach management workflow at the Aramex Group can be broken down as such:

Information Collection. Relevant security incidents can be reported internally (by Aramex Group staff, for example) or externally (by suppliers or even by Data Subjects, for example). These reports are to be communicated to the Aramex Incident Response Team – which includes the Aramex Privacy Team, the Aramex Group Representative and members of the IT / Information Security, Human Resources, Legal, Operations, Marketing or other departments (depending on the nature of the Personal Data Breach), as well as the relevant Privacy Contacts (depending on the location of the Personal Data Breach).
Report Assessment. Reports received by the Aramex Incident Response Team will be assessed in a two-step process.
1. The first step is to determine whether or not a reported security incident has affected Personal Data under the Aramex Group’s responsibility – in other words, whether a Personal Data Breach has actually occurred.
2. The second step is to classify the Personal Data Breach in question, according to (1) the type of Personal Data Breach suffered, and (2) the level of risk for the affected Data Subjects.
Notification and Communication. After the two-step assessment performed by the Aramex Incident Response Team, the next step is to comply with any notification/communication obligations which may fall upon the Aramex Group.
1. If the Personal Data Breach affected Personal Data for which an Aramex Group member is responsible as a Processor, that Personal Data Breach will be notified to the relevant Controller (whether an Aramex Group member or not) without undue delay, and in accordance with the terms of the Data Processing Agreement in place.
2. As a rule, if the Personal Data Breach affected Personal Data for which an Aramex Group member is responsible as a Controller, that Personal Data Breach will be notified to the competent Supervisory Authority – depending, essentially, on the location of the Personal Data Breach – within 72 hours from the moment in which the Aramex Incident Response Team completes the two-step assessment. This notification will be coordinated by the Aramex Privacy Team.
  1. The only exception to this rule is that, where the circumstances around a Personal Data Breach allow the Aramex Group to reasonably conclude that it is unlikely that a relevant risk to any Data Subjects will arise from the Personal Data Breach (for example, because it only affected a limited amount of non-sensitive Personal Data, and was promptly dealt with), the Aramex Privacy Team may refrain from notifying.
  2. If it is not possible for the notification to be completed with all relevant and legally required information within 72 hours, the Aramex Group will share all available information with the competent Supervisory Authority within that deadline. As more information becomes available, it will be provided in phases.
3. Additionally, if the Aramex Incident Response Team assigns a high risk level to a Personal Data Breach, and no relevant risk-mitigating circumstances exist, the Aramex Group will also, as a rule, inform the affected Data Subjects about what happened, as soon as feasible and without undue delay. This will include advice on how to react to the Personal Data Breach (for example, changing passwords). These communications will be made in coordination with the competent Supervisory Authorities and law enforcement authorities, where appropriate.
Recording. All assessed security incidents are documented in a register. This includes security incidents which end up not being classified as a Personal Data Breach (“false positives”), as well as Personal Data Breaches of varying levels of severity which may occur. This register documents the entire incident – including a description of what happened, the types of Personal Data impacted, the Data Subjects affected, the effects of the Personal Data Breach and other relevant circumstances surrounding the Personal Data Breach – as well as the steps taken by the Aramex Group to address it (corrective and preventive measures). This register can be consulted by Supervisory Authorities upon request.
Lessons Learned. The final step, once the Personal Data Breach has been managed, is to make sure the Personal Data Breach has been properly documented (by collecting further evidence and information as needed) and – where necessary – decide on and implement new or strengthened security measures to prevent similar events from happening in the future. In this step, the Aramex Incident Response Team may also assess the Aramex Group’s Personal Data Breach management policies and procedures, as well as its own performance, to ensure all components where effective and efficient, and identify areas for improvement.

3(8) Processors and Restrictions on Onward Transfers

“Onward transfers”, in this section, refers to the transfer of Personal Data by an Aramex Group member to a Recipient (which does not belong to the Aramex Group, and is thus not bound to the Aramex BCRs) located outside of the EEA, or which will Process those Personal Data outside of the EEA.

3(8)(1) Engagement of Processors

The Aramex Group may engage a variety of suppliers, vendors and subcontractors to assist in its business activities. The services provided by some of these business partners will involve their Processing of Personal Data on behalf of the Aramex Group (for example, a subcontractor engaged to process payroll for Aramex Group employees will need to use Personal Data on those employees in order to properly provide its services). In this case, the business partner will generally be qualified as an external Processor for the Aramex Group.

To ensure that the Aramex Group only engages external Processors which provide sufficient assurances of compliance with applicable data protection requirements – including an adequate level of knowledge, reliability and resources to protect Personal Data – the Aramex Group has implemented internal guidelines and checklists which are to be used to assess each Processor engaged (as part of the due diligence/vetting process performed for each external Processor).

All Processors must be bound by a written Data Processing Agreement between them and the Aramex Group (or, at least, the Aramex Group member engaging them). This agreement must regulate, as a minimum:

the details of the Personal Data Processing activities which the Processor will perform (including rules and restrictions on transferring Personal Data to other countries, in particular those outside of the EEA, and on any subsequent onward transfers);
the duration of the Personal Data Processing activities to be performed by the Processor;
the types of Personal Data which will be Processed by the Processor;
the categories of Data Subjects whose Personal Data is involved;
the rights and obligations of the Aramex Group, as Controller;
- the obligations of the Processor; in particular:
  - to only Process Personal Data according to the Aramex Group’s documented instructions. The Processor can only deviate from these instructions if they are required to do so by applicable Union or Member State law – if this is the case, the Processor will need to inform the Aramex Group of this beforehand (whenever they are legally allowed to do so).
  - to make sure that all persons it authorises to access and process Personal Data on behalf of the Aramex Group are committed to confidentiality;
  - to implement adequate Personal Data security measures, so that any potential risks for Data Subjects arising from the Personal Data Processing activities to be performed by the Processor are properly managed;
  - to only engage Sub-Processors (meaning, further entities engaged by the Processor to assist in the provision of services to the Aramex Group) which offer sufficient guarantees of data protection compliance and where duly authorised to do so by the Aramex Group. Any Sub-Processors engaged must be bound by the same, or substantially similar data protection obligations as assumed by the Processor towards the Aramex Group. The Processor must also keep the Aramex Group informed of any Sub-Processors engaged, so that the Aramex Group can decide whether or not to authorise or object to new Sub-Processors. The Processor must remain liable for all Sub-Processors it engages;
  - to assist the Aramex Group in ensuring a correct response to Data Subjects seeking to exercise their rights, under the GDPR and/or the Aramex BCRs;
  - to assist the Aramex Group with the management of Personal Data Breaches (including an obligation to report any detected Personal Data Breaches to the Aramex Group without undue delay) and Data Protection Impact Assessments (as well as any requests for prior consultation from a Supervisory Authority) related to the Processor and its services;
  - to delete or return all Personal Data to the Aramex Group after the end of the provision of services, at the Aramex Group’s choice. The Processor will only be allowed to keep Personal Data for longer if applicable Union or Member State law requires them to do so;
  - to make all information needed to demonstrate its compliance with the above available to the Aramex Group, and allow for and contribute to audits which the Aramex Group may wish to perform on the systems, tools and premises it uses to Process Personal Data for the Aramex Group;
  - to notify the Aramex Group if it determines that it, or any relevant Recipient (e.g., a Sub-Processor) located outside of the EEA, is not able to ensure an adequate level of protection for the Personal Data transferred, considering the appropriate safeguards and supplementary measures defined (see Transfers of Personal Data from within the EEA to outside of the EEA).
if the services provided or activities performed by the Processor will involve transfers of Personal Data from within the EEA to outside of the EEA, the obligation for those transfers to be suspended or terminated, if an Aramex Group member becomes aware that the relevant Processor (or any relevant Recipient located outside of the EEA) is not able to ensure an adequate level of protection for the Personal Data transferred, considering the appropriate safeguards and supplementary measures defined (see Transfers of Personal Data from within the EEA to outside of the EEA).

Where an Aramex Group member is informed, by a Processor, of the Processor’s inability to Process Personal Data strictly under the instructions provided by the Aramex Group member (for example, due to conflicting local legal requirements), or otherwise becomes aware of this inability, the Aramex Group member must report this to the Aramex Group Representative, via the Aramex Privacy Team. Transfers of Personal Data to a Processor may be suspended or terminated in the event that this situation substantially undermines the safeguards afforded to Data Subjects under the Aramex BCRs.

3(8)(2) Engagement of other subcontractors

Not all of the suppliers, vendors or subcontractors which may be engaged by the Aramex Group to provide services involving the Processing of Personal Data can be qualified as Processors. This is generally the case where the subcontractor’s services: (i) inherently require a large degree of autonomy concerning the Processing of Personal Data, or (ii) are subject to a specific legal framework which imposes upon them requirements around the Processing of Personal Data which must be followed regardless of any instructions the Aramex Group might provide to the contrary (for example, auditors, law firms, insurance providers, or other delivery service providers).

Additionally, in some cases, the Aramex Group relies on cooperation and assistance between its members, rather than outsourcing (for example, where an Aramex Group member may Process the completion of a delivery in its territory on behalf of another).

Where these subcontractors, whether external or internal, cannot be qualified as Processors due to the nature of their services, the Aramex Group decides, on a case-by-case basis, whether the subcontractor should be qualified as a joint Controller alongside the Aramex Group, or as an independent Controller.

Where a subcontractor is identified as a joint Controller, a Joint Controllership Agreement will be drafted and entered into with that subcontractor, tailored specifically to address the services which the subcontractor is to provide. These agreements must allocate responsibility for compliance with relevant privacy and data protection-related obligations between the Aramex Group and the subcontractor, including, as a minimum:

The implementation of technical and organisational measures to ensure compliance with the general data protection principles (see What principles are followed by the Aramex Group, when Processing Personal Data?, above);
The identification of appropriate legal bases for the Processing activities to be developed (see Transparency, Fairness and Lawfulness, above), and the implementation of technical and organisational measures to ensure that those legal bases can be properly leveraged (for example, ensuring that all relevant requirements around validity of Consent are met, or that an LIA has been performed);
The implementation of appropriate technical and organisational security measures;
The management of Personal Data Breaches, including the completion of any required notifications/communications of Personal Data Breaches to Supervisory Authorities and Data Subjects;
The performance of DPIAs, where required in light of the specific circumstances under which Personal Data is Processed;
- The correct and compliant engagement of Processors (if applicable);
- Cross-border transfers of Personal Data (if applicable);
The management of contacts with Data Subjects (including the need to address Data Subject requests in a timely and adequate manner) and Supervisory Authorities.
Where a subcontractor is identified as an independent Controller, the Aramex Group will include a relevant section within the service agreement (or equivalent agreement) entered into with that subcontractor, so as to ensure that appropriate contractual safeguards, based on the general data protection principles, protect any Personal Data which may be Processed by the subcontractor in connection with the provision of their services.
In more complex situations, where a subcontractor cannot be cleanly qualified solely as a Processor, joint Controller or independent Controller (notably, because they perform a variety of different activities involving Personal Data, some of which may be on behalf of the Aramex Group, and others which may be for their own purposes), the Aramex Group will strive to enter into a Data Management Agreement with the subcontractor. Data Management Agreements are crafted to fit the particular activities performed by these subcontractors, and may incorporate Data Processing Agreement terms, Joint Controllership Agreement terms and or additional terms to regulate relationships between independent Controllers, as needed to comprehensively regulate the relationship.

3(8)(3) Transfers of Personal Data from within the EEA to outside of the EEA

If a subcontractor has been engaged in order to assist Aramex Group members located within the EEA, but the subcontractor is located outside of the EEA (or stores Personal Data outside of the EEA, either directly or through a Processor / Sub-Processor), the Aramex Group will ensure that this potential transfer of Personal Data is properly regulated. One of the following transfer tools must be available:

The country or territory where the subcontractor is located (or where the Personal Data is stored) must have been the subject of an adequacy decision from the European Commission;
If there is no adequacy decision available for that country or territory:
- One of the following safeguards must be in place:
  - The subcontractor (or their Processor / Sub-Processor) must be bound by a written agreement containing standard data protection clauses adopted or approved by the European Commission, or ad hoc contractual clauses approved by a competent Supervisory Authority;
  - The subcontractor (or their Processor / Sub-Processor) must be bound by its own binding corporate rules, which must have been formally approved under the GDPR;
  - The subcontractor (or their Processor / Sub-Processor) must have adhered to a code of conduct or certification mechanism which enables the lawful transfer of Personal Data, which must have been formally approved under the GDPR, and binding and enforceable commitments must have been taken to apply appropriate safeguards, including with regard to the rights of Data Subjects;
- An assessment of the legal systems and practices applicable to the countries or territories outside of the EEA in which Personal Data is to be Processed (i.e., a Data Transfer Impact Assessment, carried out and managed under the terms defined in the Aramex BCRs – see How are conflicts between the Aramex BCRs and local applicable legislation managed?, below) must be performed, through the submission of a questionnaire to the Processor. Based on the results of this assessment, supplementary measures may need to be further implemented to ensure the lawfulness of the transfer, such as:
  - Contractual measures, such as representations and warranties concerning the lack of local applicable laws or other requirements upon the Processor to:
    - Create or maintain back doors to the Processor’s systems used to store or otherwise process Personal Data which are accessible to public authorities;
    - Facilitate public authorities’ access to the Processor’s systems used to store or otherwise process Personal Data;
    - Remain in possession of any encryption keys used to encrypt Personal Data; or
    - Disclose to public authorities any encryption keys used to encrypt Personal Data;
  - Technical measures, such as systems, tools and/or mechanisms to guarantee lawful end-to-end encryption, both in transit and at rest, for all Personal Data transfers between the Aramex Group and the Processor (or the Processor and any further Processors it may engage), and any onward transfers of Personal Data performed by the Processor (for example, to other authorised Processors);
  - Organisational measures, such as a procedure to appropriately manage local data disclosure requests from public authorities, requiring the Processor and any other authorised Processors it may engage to:
    - Take no action concerning requests which are not legally binding, or which the Processors are not strictly required to respond to;
    - If a request affects Personal Data Processed on behalf of the Aramex Group, notify the relevant Aramex Group member of the request before responding to the request, in order to allow the Aramex Group to intervene (unless this is forbidden under applicable local laws);
    - In the event that the Processor is not legally allowed to notify the relevant Aramex Group member of the request before responding to the request, notify the Aramex Group member of its inability to continue to comply with the Standard Contractual Clauses or other appropriate safeguards implemented (without identifying the specific provisions with which the Processor can no longer comply);
    - Use all legal possibilities to challenge such requests, as well as any non-disclosure provisions attached to those requests;
    - Ensure that it only discloses the strict minimum amount of Personal Data needed to address the request lawfully, and only at the moment on which it strictly required to do so under the applicable laws;
  - Document any requests for access to Personal Data received from public authorities and the response provided, alongside the legal reasoning and the actors involved (for example, whether the Aramex Group member has been notified of the request and what response was provided by the Aramex Group, the assessment of the legality and scope of the request made by the Processor, etc.), and make that documentation available to the Aramex Group upon request.
On an exceptional basis, if none of the above safeguards are available, and the specific transfer of Personal Data in question is limited, occasional and non-repetitive, one of the following derogations must apply:
- The Data Subjects (whose Personal Data is to be transferred) have given explicit Consent to the transfer, after having been informed of the potential risks;
- The transfer is necessary to perform a contract with a Data Subject, or to implement pre-contractual measures at the Data Subject’s request;
- The transfer is necessary to conclude or perform a contract entered into in the interest of the Data Subject, between the Aramex Group and another person;
- The transfer is necessary for important reasons of public interest;
- The transfer is necessary for the establishment, exercise or defence of legal claims;
- The transfer is necessary to protect the Data Subject’s vital interests, or those of other persons, where the Data Subject is incapable of giving Consent.

In residual, exceptional cases, and only for transfers which are not repetitive and concern only a limited number of Data Subjects, these transfers may also be carried out when needed for the purposes of compelling legitimate interests pursued by the Aramex Group. This option is subject to the following additional requirements:

The interests pursued by the Aramex Group are not overridden by the interests or rights and freedoms of the Data Subjects – to ensure this all circumstances surrounding the transfer must be carefully assessed by the Aramex Group, and suitable safeguards must be provided to protect the fundamental rights and freedoms of natural persons with regard to the Processing of their Personal Data;
The Data Subjects must be informed that this derogation will be relied on; and
The competent Supervisory Authorities must be informed of any transfers taking place under these terms.

3(9) Accountability

To comply with the principle of accountability, the Aramex Group must go beyond merely complying with all the relevant data protection principles and rules within the GDPR and the Aramex BCRs – each Aramex Group member is responsible also for being able to prove its compliance. To achieve this, the Aramex Group relies on several different means of documenting evidence of its compliance, which can be made available to Supervisory Authorities (and, to an extent, to Data Subjects) upon request. These include (but are not limited to):

Records of Processing Activities. Aramex Group members maintain written detailed records (including in electronic form) of the Personal Data Processing activities they perform, which can be made available to Supervisory Authorities upon request. Each record contains the following information:
- The name and contact details of the Aramex Group member (and their representative in the EU/EEA, if applicable);
- The name and contact details of the Privacy Contact for that Aramex Group member, as well as the contact details for the Aramex Privacy Team;
- A description of the different types of Processing activities performed by each Aramex Group member. Further information is provided on each group of activities identified:
  - Purposes for which Personal Data is Processed;
  - Categories of Data Subjects concerned;
  - Categories of Personal Data Processed;
  - Applicable legal bases/derogations (see Lawfulness, above);
  - Third-party Processors and Controllers involved;
  - Whether Personal Data is transferred outside of the Aramex Group member’s jurisdiction (or outside of the EU/EEA, for EU/EEA-based Aramex Group members);
  - Retention periods applicable to the Personal Data Processed; and
  - IT Systems/Tools (such as software programs and applications, or paper-based archives) used to Process Personal Data.
Legitimate Interests Assessments. The Aramex Group has developed a tool, based on the Article 29 Data Protection Working Party’s Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC. Whenever the Aramex Group is considering the possibility of using a specific, legitimate interest identified as a legal basis for a given project involving Personal Data (see Lawfulness, above), this tool allows the Aramex Group to carry out and document an assessment as to whether the interest identified is overridden by the interests or fundamental rights and freedoms of the Data Subjects whose Personal Data would be impacted.
Register of Data Subject Requests. The Aramex Group maintains registers to keep track of requests submitted by Data Subjects to exercise their rights under applicable data protection laws (including the GDPR), as well as of complaints filed by Data Subjects under the Aramex BCRs (see How can I exercise my rights and file complaints under the Aramex BCRs?). These registers allow the Aramex Group to ensure that all requests are promptly addressed, and to show how each individual request was handled.
Agreements. The Aramex Group enters into (as appropriate) and archives service agreements, Data Processing Agreements, Data Management Agreements, Joint Controllership Agreements and other relevant contractual documentation entered into with its business partners and customers (also, see Engagement of Processors and Engagement of other subcontractors, above). This is done not only to set out clearly defined rules on how Personal Data should be Processed, but also to comply with the GDPR and other applicable data protection laws’ requirements around the engagement of business partners and customers.
Data Breach Severity Assessments. The Aramex Group has developed a tool, based on European Union Agency for Cybersecurity’s Recommendations for a methodology of the assessment of severity of personal data breaches. This tool allows the Aramex Group to assess the impact which a Personal Data Breach may have upon the affected Data Subjects, by using information collected on a specific Personal Data Breach to calculate an overall severity score. The results of these assessments are documented for accountability’s sake, and used to inform decisions on whether there is a need to notify competent Supervisory Authorities, or even the affected Data Subjects, about a Personal Data Breach (in particular, where high risks are detected, and it is important for Data Subjects to take action in order to prevent further harm).
Register of Personal Data Breaches. The Aramex Group maintains registers to keep track of security incidents which affect Personal Data Processed by any Aramex Group members. These registers describe each specific incident, link it to its corresponding Data Breach Severity Assessment, and identify subsequent measures taken by the Aramex Group to notify the incident, remediate the incident and prevent future similar occurrences.
Data Protection Impact Assessments. The Aramex Group has developed a tool, based on the Article 29 Data Protection Working Party’s Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679. This tool is used by the Aramex Group to perform DPIAs for specific projects (see Privacy risk assessments and Data Protection Impact Assessments, above).

3(10) Data protection by design and by default

In order to comply with all of the abovementioned principles, the Aramex Group has taken steps to ensure that the protection of Personal Data is a fundamental and integral part of all of its internal procedures.

The Aramex Group has sought to implement the concept of data protection by design by revising and implementing new internal policies and procedures, so that its current and future activities and projects involving Personal Data are developed, from the ground up, with the data protection principles in mind. As part of this approach, particular focus is paid to the principle of data minimisation, as a means to implement the concept of data protection by default – as a rule, only the strict minimum amount and types of Personal Data will be collected and used by the Aramex Group in any given activity or project (unless a Data Subject willingly chooses to allow the Aramex Group to use more or other Personal Data).

The Aramex Group’s measures to achieve this have focused, essentially, on:

Security. All applications, services and products offered by the Aramex Group have data security measures built into them directly from the moment of their development and design. These measures are chosen based on several different factors – including the types of Personal Data which they will Process, the methods by which users will access the applications/services/products, and the industry standards / accepted best practices on security within the Aramex Group’s sector – in order to ensure that any Personal Data involved will be adequately secured against unauthorised access, disclosure, changes or deletion. These measures are audited on a regular basis, to make sure that they continue to effectively protect the Personal Data which is under Aramex Group responsibility. Furthermore, business partners engaged by the Aramex Group to Process Personal Data are scrutinised to ensure that they are able to offer at least a substantially equivalent level of data security as the Aramex Group does.
Management of Personal Data Breaches. As noted above (see Management of security incidents and Personal Data Breaches, above), the Aramex Group has developed an internal policy on management of security incidents, including Personal Data Breaches. This policy establishes a coherent and effective workflow to ensure that any relevant incidents are properly assessed by the Aramex Incident Response Team, allowing the Aramex Group to promptly notify any relevant incidents (if needed) and restore normality (through security measures to remediate the effects of an incident, and to stop such incidents from happening again).
Authorisations and Appointments. Whenever the Aramex Group allows someone, such as an employee or a contractor, to access Personal Data under Aramex Group responsibility, that person is required to accept an Authorisation to Process Personal Data (which is included in the Aramex Group’s Policy on Acceptable Use of Aramex Information Resources). This Authorisation will bind those individuals to confidentiality concerning any Personal Data accessed, as well as the obligation to only Process those Personal Data according to instructions given by the Aramex Group, and to comply with all of the Aramex Group’s internal policies (especially those related to security). If the Aramex Group engages a Processor, that Processor (if approved after the initial due diligence/vetting process) will be subjected to appropriate data protection obligations by means of a written Data Processing Agreement (see Engagement of Processors, above). As for other business partners which may interact with Personal Data under Aramex Group responsibility, the Aramex Group will, whenever feasible and appropriate, enter into written Data Management Agreements or Joint Controllership Agreements to ensure that obligations requiring respect for the abovementioned data protection principles are put in place (see Engagement of other subcontractors, above).
Group Data Protection Officer. The Aramex Group has appointed a Group Data Protection Officer (the Aramex Group DPO). The Aramex Group DPO is responsible for informing and advising the Aramex Group’s highest levels of management (at the Group-level and at the local-level) on data protection matters under the GDPR – including the management of Data Subject requests and Personal Data Breaches, the assessment of data protection-related agreements and the performance of LIAs and DPIAs – and for assisting the Aramex Group in the development of its global data protection notices, guidelines, policies and procedures – in particular, in the development and maintenance of the Aramex G-DPCF. The Aramex Group DPO acts as part of the Aramex Privacy Team, which jointly oversees the activities of the Privacy Contacts appointed for each of the countries in which the Aramex Group operates.
Aramex Privacy Network. As further explained below (see Aramex Privacy Network), in each country where the Aramex Group operates, a Privacy Contact has been appointed. Privacy Contacts are in charge of assisting the Aramex Privacy Team with the local implementation of the Aramex Group’s global data protection notices, guidelines, policies and procedures (adjusting for any specific applicable local requirements) and with the management of local compliance matters – such as reporting and addressing local Data Subject requests and Personal Data Breaches, managing exchanges with local Supervisory Authorities, and maintaining/updating local data protection documentation (including Records of Processing Activities and information notices).
Policies. The Aramex G-DPCF was developed based on the GDPR’s data protection principles, rules and requirements. It is a set of internal policies, procedures and guidelines (including a specific policy with focus on the implementation of data protection by design and by default) which are binding upon Aramex Group members, employees and other Persons Authorised. Through the Aramex G-DPCF, the Aramex Group has turned data protection into a core operational concern – auditable checks and controls have been set up to ensure that the different departments within Aramex Group members are aware of the Aramex G-DPCF’s rules and implement them appropriately, for any existing and new activities, addressing any doubts and practical concerns with the Privacy Contacts and the Aramex Privacy Team.
Training. As further explained below (see Training and awareness-raising), the Aramex Group holds annual mandatory training courses on privacy, data protection, information security and the Aramex G-DPCF (including the Aramex BCRs). All individuals authorised to access Personal Data, such as Aramex Group employees, are required to attend and complete these courses. Additionally, more specific and targeted training sessions (focused on specific countries and/or specific departments) are held when deemed appropriate by the Aramex Privacy Team. All training sessions and courses share the same goals: to ensure that individuals are aware of the rules in place within the Aramex Group, and the potential risks for Data Subjects which may arise if those rules are not properly followed.
Assessments. Under the coordination of the Aramex Privacy Team, the Aramex Group subjects both new and existing projects and activities involving the use of Personal Data to different assessments, in order to ensure that data protection rules are complied with, and that risks to Data Subjects are sufficiently mitigated. Where a preliminary privacy risk assessment suggests that a given project or activity represents a potentially high risk for Data Subjects, that project or activity will be subjected to a full DPIA (see Privacy risk assessments and Data Protection Impact Assessments, above) under the supervision of the Aramex Privacy Team. If the Aramex Group intends to leverage a specific and identified legitimate interest as a legal basis for a given project or activity, a full assessment (see Accountability, above) will be completed as well. These assessments are to be performed, ideally, before the project or activity starts (in particular, for new activities), so that data protection requirements can be built in from the design phase.
Information Notices. As noted above (see Transparency, Fairness and Lawfulness), the Aramex Group takes care to ensure that it communicates transparently with Data Subjects, both when communicating directly with any individuals (for example, to manage requests made by Data Subjects) and through the different information notices and privacy policies used. These information notices are designed to be as clear and understandable as possible regarding the projects or activities to which they refer, as well as to reflect the information required by the GDPR and additional details which may generally be of interest to Data Subjects. As a rule, the Aramex Group provides these notices to Data Subjects before any of their Personal Data is collected.
Legal Bases. As noted above (see Transparency, Fairness and Lawfulness), the Aramex Group will only use Personal Data for a specific purpose if it has been able to identify a legal basis which allows this. To ensure that this is followed within the Aramex Group, specific policies on the identification and implementation of legal bases (including descriptions of each legal basis’s scope of application and examples) have been implemented. These policies require the Aramex Group to precisely identify the legal basis applicable to a given project or activity before it starts, and to take all needed compliance steps to ensure that that legal basis can be used (for example, where Consent is chosen, the method by which Consent will be requested is to be designed so that it meets all of the GDPR’s requirements).
Data Subject Rights. To ensure that it is able to identify and properly respond to requests made by Data Subjects to exercise their rights – under the GDPR, other applicable data protection laws, and the Aramex BCRs (see What rights do I have under the Aramex BCRs?, below) – the Aramex Group has implemented practical internal procedures, including a workflow that provides guidance on how to address requests from receipt to conclusion. One core aspect of assessments performed on new and current activities and projects within the Aramex Group is a confirmation that no substantial obstacles to the exercise of any of these rights are created (for example, any new systems acquired to store Personal Data must allow the querying, extraction, editing, copying, deletion or Restriction of Processing of Personal Data, where this is necessary to address a specific request from a Data Subject).
Cooperation with Supervisory Authorities. Through the different measures taken by the Aramex Group to ensure compliance with the principle of accountability (see Accountability, above), the Aramex Group is able to provide evidence of data protection compliance upon request. This, along with internal procedures implemented to provide practical instructions on providing assistance to Supervisory Authorities in connection with their tasks, allows the Aramex Group to cooperate more effectively with any inquiring Supervisory Authorities.

What rights do I have under the Aramex BCRs?

The GDPR provides a variety of rights to Data Subjects regarding how they can control the use of their Personal Data. The Aramex Group has implemented internal procedures to ensure that these rights can be addressed against all Aramex Group members (within or outside the EEA), by means of the Aramex G-DPCF. Additionally, Data Subjects can enforce specific sections of the Aramex BCRs against any Aramex Group member, as explained further below.

4(1) Right of Information

You have the right, as a Data Subject, to information about the Processing activities carried out by the Aramex Group regarding your Personal Data. This right is recognised and addressed by the Aramex Group through the different information notices and privacy policies made available to Data Subjects, which contain a minimum set of information about those activities (see Transparency, above), and by affording Data Subjects the ability to directly ask for information (see Right of Access, below).

4(2) Right of Access

You are allowed to ask any Aramex Group member to confirm whether or not they Process any Personal Data on you. If they do, then you can also ask to access those Personal Data, as well as for any of the below information:

The purposes for which your Personal Data is Processed;
The categories of your Personal Data which are Processed;
The Recipients (or categories of Recipients) to which your Personal Data has been, or will be, disclosed (in particular those which are located outside of the EEA);
The safeguards put in place to address any transfers of your Personal Data to Recipients located outside of the EEA (see Processors and Restrictions on Onward Transfers);
The period of time during which your Personal Data will be retained by the Aramex Group – if not possible to specify this, then the criteria used to determine that period;
Your rights as a Data Subject, and how to exercise them;
The sources from which your Personal Data was collected;
The existence of any Automated Decision-Making, including Profiling – where this is done, then you can ask for meaningful information about the logic involved, the significance and the foreseen consequences of these Processing activities.

Other than the above, you can also ask for a copy of your Personal Data which is Processed by any given Aramex Group member. The first copy you ask for will be provided free of charge; any other copies may be subject to reasonable fees, based on the administrative costs involved in providing the copies. Generally, these copies will be provided in a commonly used electronic format.

4(3) Right to Rectification

If any Aramex Group member holds Personal Data on you which is inaccurate, incomplete or out-of-date, you can ask that Aramex Group member to correct, complete or update those Personal Data.

4(4) Right to Erasure (“right to be forgotten”)

There are certain circumstances under which you can ask any Aramex Group member to delete Personal Data they hold on you. These include:

Where the Aramex Group member no longer has a need to use your Personal Data (considering the purposes for which your Personal Data were collected and used);
Where you previously provided Consent to use your Personal Data, and wish to withdraw that Consent (unless there is another legal basis which allows the Aramex Group member to continue using your Personal Data);
Where you have objected to the continued use of your Personal Data (see Right to Object, below), and the Aramex Group member cannot demonstrate overriding legitimate grounds which allow them to continue using your Personal Data;
Where your Personal Data have been unlawfully Processed;
Where an Aramex Group member is required to erase your Personal Data in order to comply with its obligations under EEA or Member State law.

If one of the above cases applies, then the Aramex Group member will, as a rule, be required to delete or anonymise your Personal Data without undue delay. However, there are exceptions to this rule – in particular, where an Aramex Group member needs to continue Processing your Personal Data in order to:

Exercise the right of freedom of expression and information;
Comply with its obligations under EEA or Member State law;
To perform a task carried out in the public interest (particularly in the area of public health, subject to certain safeguards);
Carry out archiving activities in the public interest, scientific or historical research activities or statistical activities, subject to certain safeguards and only to the extent that erasing or anonymising the Personal Data would make the purposes of those activities impossible to achieve, or would seriously impair them;
To establish, exercise or defend against legal claims.

If none of these exceptions apply, and the request for erasure is valid, the Aramex Group member must erase (or anonymise) your Personal Data from all of its IT Systems, including any backup systems. If the Aramex Group member has made your Personal Data public, then they will take reasonable steps to inform others that you have asked for the erasure of your Personal Data, and that any links to, copies or replications of your Personal Data should also be destroyed.

4(5) Right to Restriction of Processing

You can also ask any Aramex Group member to temporarily restrict the Processing of your Personal Data, if one of the following cases applies:

You have challenged the accuracy of some or all of your Personal Data which is being Processed by a given Aramex Group member (see Right to Rectification, above) – in this case, you can ask that use of your Personal Data be restricted until the Aramex Group member has been able to either confirm the accuracy of the Personal Data, or otherwise correct them;
An Aramex Group member is unlawfully Processing your Personal Data, but you do not wish for the Aramex Group member to erase those Personal Data;
You want to establish, exercise or defend against a legal claim, and you need an Aramex Group member to continue storing your Personal Data in order to do so effectively;
You have objected to the continued Processing of your Personal Data (see Right to Object, below) – in this case, you can ask that use of your Personal Data be restricted until the Aramex Group member has been able to either confirm or override your objection.

If an Aramex Group member grants your request for Restriction of Processing, your Personal Data will be marked as “restricted” and, as a rule, not further used for any purpose other than storage until the restriction is lifted. The only exceptions to this are:

Where you provide Consent for your restricted Personal Data to be used for a specific purpose;
Where the Aramex Group member needs to use your Personal Data to establish, exercise or defend against legal claims;
Where the Aramex Group member needs to use your Personal Data to protect the rights of another natural or legal person; or
Where the Aramex Group member needs to use your Personal Data to meet objectives of important public interest of the EEA or a Member State.

4(6) Right to Notification (regarding Rectification, Erasure or Restriction)

Whenever you make a request to exercise the right to rectification (see Right to Rectification, above), the right to erasure (see Right to Erasure ("right to be forgotten"), above) or the right to restriction of processing (see Right to Restriction of Processing, above), and the Aramex Group complies with your request, any rectification, erasure or restriction of Processing carried out will be communicated to all Recipients of your Personal Data, unless this is impossible or would involve a disproportionate effort on the Aramex Group’s end.

The Aramex Group will also inform you about those Recipients if you request this.

4(7) Right to Data Portability

You are also allowed to ask an Aramex Group member to share specific categories of your Personal Data with you in a structured, commonly used and machine-readable format (in other words, a format which allows software applications to identify, read and extract your Personal Data and their structure).

If you make a request for data portability, this request will apply to any Personal Data on you which meets all three of the following requirements:

You have either actively or passively shared those Personal Data with an Aramex Group member (for example, Personal Data you provide when filling in online forms, or Personal Data collected from your usage of Aramex applications);
Those Personal Data are Processed by that Aramex Group member by automated means (as opposed to manual, paper-based folders or files, for example);
The Processing of those Personal Data is based on your Consent, on the need to perform a contract with you, or on the need to take steps before entering into a contract with you, at your request.

Once you receive these Personal Data, you are allowed to share them with other Controllers (even if they are not Aramex Group members). Where technically feasible, you can even ask the Aramex Group member to pass on your Personal Data to another Controller for you.

4(8) Right to Object

You are generally allowed to object to an Aramex Group member’s use of your Personal Data, in two specific situations:

General objection. You can object to the use of your Personal Data by an Aramex Group member, if that use is based on the pursuit of a specific legitimate interest.
In this case, you must explain, in your objection, why you believe your particular situation justifies that the Aramex Group member should stop using your Personal Data for a given purpose. The Aramex Group member will accept your objection, unless it can show that compelling and legitimate reasons (which are reasonably deemed to override your particular justification) exist for the use of your Personal Data to continue.
If an objection is accepted, your Personal Data will no longer be Processed for the purpose to which you objected (unless this is necessary to establish, exercise or defend against legal claims).
Specific objection – marketing and associated Profiling. You can object to the use of your Personal Data by an Aramex Group member for direct marketing purposes, including Profiling which is related to those purposes.
In this case, you do not need to justify your objection. Whenever one of these objections is received, the Aramex Group (and not just the member in question) will stop the Processing your Personal Data for direct marketing purposes (and associated Profiling purposes).

4(9) Rights concerning Automated Decision-Making

As a rule, you have a right not to be subjected to Automated Decision-Making based on your Personal Data. As such, Aramex Group members are only allowed to perform these activities:

If they are strictly necessary for the Aramex Group member to enter into or perform a contract with you;
If you have provided explicit Consent for these activities; or
If these activities are authorised by applicable EEA or Member State law.

Whenever an Aramex Group member wishes to carry out Automated Decision-Making, it must abide by the safeguards implemented by the Aramex Group to ensure that your rights, freedoms and legitimate interests are protected. In particular:

Data Subjects must be clearly informed about any Automated Decision-Making activities to be performed – in particular, meaningful information must be shared on the logic which is followed in these activities, the consequences which may arise for Data Subjects, and any safeguards involved;
Data Subjects must be allowed to react against any automated decisions – in particular, they can ask the Aramex Group member to re-assess, verify or validate automated decisions, by:
- Requesting a human review of the automated decision;
- Expressing their point of view regarding the automated decision; and
- Contesting the automated decision.

4(10) Right to withdraw Consent

Where an Aramex Group member relies on your Consent as a legal basis to Process your Personal Data (see Lawfulness above), you are entitled to withdraw that Consent, in a manner as easy as it was to provide that Consent, and at any time, without needing to provide a reason or explanation for this.

If you withdraw your Consent:

All Processing operations lawfully relying on such Consent as a legal basis until the moment of withdrawal will remain lawful;
The Aramex Group member must stop any further Processing operations relying on your Consent as a legal basis;
If no other legal basis exists which justifies the continued Processing of your Personal Data, those Personal Data must be deleted, aggregated or otherwise anonymised without undue delay.

4(11) Data Subjects’ enforcement of the Aramex BCRs: Third-Party Beneficiary Clause

As a Data Subject, you are also expressly granted rights to enforce certain provisions of the Aramex BCRs against Aramex Group members, as a third-party beneficiary. This means that you can specifically require Aramex Group members to live up to specific obligations within the Aramex BCRs, and can submit complaints or file legal claims in order to ensure this. These include the following provisions:

The data protection principles mentioned in the Aramex BCRs, including in relation to lawfulness of processing, security and personal data breach notifications, and restrictions on onward transfers (see What principles are followed by the Aramex Group, when Processing Personal Data?, above);
The Data Subject rights mentioned in the Aramex BCRs, including the rights of information, access, rectification, erasure, restriction, notification regarding rectification or erasure or restriction, objection to processing, and the right not to be subject to decisions based solely on automated processing, including profiling (see What rights do I have under the Aramex BCRs?, above);
The right to submit complaints under the Aramex BCRs, via the complaint handling procedure (see How can I exercise my rights and file complaints under the Aramex BCRs?, below);
The provisions on liability and jurisdiction, as well as regarding Data Subjects’ rights to judicial remedies, redress and compensation (see directly below).

While you can always use the Aramex BCR complaint handling procedure to submit complaints about how an Aramex Group member has Processed your Personal Data (see How can I exercise my rights and file complaints under the Aramex BCRs?, below), you can also submit your complaints to any competent EEA Supervisory Authority, or file a claim with any competent EEA court (even if you decide not to use the Aramex BCR complaint handling procedure).

In particular, you can choose to file complaints concerning the Aramex BCRs with the EEA Supervisory Authority of your Member State of habitual residence, place of work or place where the infringement allegedly took place.

You can also choose to bring legal claims concerning the Aramex BCRs against any EEA-based Aramex Group member directly, or otherwise – and, in particular, where a non-EEA Aramex Group member is the target of your claim – against the Aramex Group Representative:

Aramex Nederland B.V.

Fokkerweg 300, 1438 AN, Oude-Meer, P.O. Box 728, 2130 AS Hoofddorp, the Netherlands.

These legal claims can be filed, at your choice, before the courts of your habitual residence (if you reside in the EEA), or before the courts of the territory where an EEA-based Aramex Group member is established.

All Aramex Group members acknowledge and accept that, when filing such a legal claim, Data Subjects may also choose to be represented by a not-for-profit body, organisation or association, provided that that entity has been properly constituted in accordance with the law of an EU Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of the rights and freedoms of individuals with regard to the protection of personal data.

Where so determined by the competent courts or authorities, you are entitled to judicial remedies and the right to receive compensation for any damages suffered as a result of a breach of the abovementioned elements of the Aramex BCRs by any Aramex Group member. The burden of proof that a breach was not caused by an Aramex Group member, or that no such breach actually occurred, will rest with the Aramex Group (i.e., the relevant EEA-based Aramex Group member, or otherwise the Aramex Group Representative) – where you can demonstrate that you have suffered damage and establish facts which show it is likely that this damage occurred due to a breach of the Aramex BCRs by an Aramex Group member, the Aramex Group will need to demonstrate that no Aramex Group member is responsible for the event which caused those damages to you, or that no breach of the Aramex BCRs took place, in order to discharge itself from liability for those damages.

The Aramex Group Representative accepts responsibility for breaches of the abovementioned elements of the Aramex BCRs by any non-EEA Aramex Group member. The Aramex Group Representative will (in coordination with the Aramex Group global headquarters) take the necessary action to remedy those breaches, and will be liable for any compensation awarded to you as a result of damages suffered due to those breaches. As such, the competent courts or authorities in the EEA have the jurisdiction and powers needed to act against the Aramex Group Representative regarding such breaches, and Data Subjects have the rights and remedies against the Aramex Group Representative regarding such breaches, as if those breaches had been caused by the Aramex Group Representative in the Netherlands.

If a breach is caused by an EEA-based Aramex Group member, that Aramex Group member will be held directly responsible for this. Your complaints and legal claims should address that member directly, rather than the Aramex Group Representative.

The right to transparency and easy access regarding the Aramex BCRs – this requires the Aramex Group to ensure that the Aramex BCRs are easily available to you and any other Data Subjects with an interest in accessing them.
The provisions on conflicts between local applicable legislation and the Aramex BCRs, including obligations in case of local laws and practices affecting compliance with the BCR-C and in case of government access requests (see How are conflicts between the Aramex BCRs and local applicable legislation managed?, below);
The duty for Aramex Group members to cooperate with Supervisory Authorities (see Audit programme & cooperation with Supervisory Authorities, below); and
The duty for the Aramex Group to inform Data Subjects about any update of the Aramex BCRs and the list of Aramex Group members bound to compliance with the Aramex BCRs, including by publishing new Aramex BCRs versions without undue delay (see How will any relevant changes to the Aramex BCRs be reported?, below);
This section of the Aramex BCRs itself, which operates as a third-party beneficiary clause and thereby grants Data Subjects enforceable rights regarding all of the Aramex BCRs elements mentioned in this section against any and all Aramex Group members (see How can I exercise my rights and file complaints under the Aramex BCRs? for more information on how these rights can be enforced).

These third-party beneficiary rights under the Aramex BCRs are brought to Data Subjects’ attention in the information notices and privacy policies used by the Aramex Group.

How can I exercise my rights and file complaints under the Aramex BCRs?

The Aramex Group has appointed at least one Privacy Contact for each of the jurisdictions where it is located. Privacy Contacts are Aramex Group staff members, who are bound to confidentiality and may be assisted by external legal consultants advising on privacy and data protection-related matters. If you submit any complaints or requests under the Aramex BCRs through Aramex’s Privacy Request Form, the relevant Privacy Contact (depending on the jurisdiction to which your request relates) will be primarily in charge of addressing your complaint or request.

Other than through the aforementioned Privacy Request Form, you can also submit complaints or requests by sending a letter to the following address:

Aramex International LLC Building and Warehouse No. 3, Umm Ramool, PO Box 95946, Dubai, UAE.

If your request or complaint is not related to a specific jurisdiction, or there are other specificities which make it hard or impossible to determine the correct Privacy Contact to reach out to, the Aramex Privacy Team will assess the situation and share the request or complaint with the relevant Privacy Contact(s), or otherwise address the request or complaint directly.

We strongly encourage you to use the above points of contact when filing a request or complaint with the Aramex Group (in particular, the Privacy Request Form), as this makes it easier to track and respond to your requests/complaints quickly. However, this is not mandatory – the Aramex Group will also process requests or complaints of which it becomes aware by different channels.

Requests or complaints will be duly acknowledged by the relevant Privacy Contact (or otherwise by the Aramex Privacy Team). The Privacy Contact, in coordination with the Aramex Privacy Team (or otherwise the Aramex Privacy Team itself), will then liaise with the relevant teams/departments within the relevant Aramex Group members , in order to investigate the subject-matter of the request or complaint. As a rule, your request or complaint will be addressed by the Privacy Contact, in coordination with the Aramex Privacy Team (or otherwise by the Aramex Privacy Team directly), without undue delay and within one month from receipt.

If a request or complaint is deemed particularly complex, or if you make multiple successive requests or complaints, the deadline for response may be extended by a maximum of up to two (2) additional months, if necessary. You will be informed of any such extensions, along with an explanation for the extension and a reasonable estimate of the timing for a response, without undue delay and within one month from receipt of your request or complaint.

Requests or complaints which you send us by letter will generally be addressed by a response letter from Aramex, unless you ask us to respond by electronic means (e.g., e-mail). Conversely, requests or complaints which are received through our Privacy Request Form or other electronic means will generally by addressed by secure electronic means, unless you ask us to respond by letter.

Responses to requests or complaints may be as follows:

If it is concluded that the request or complaint which you submitted is valid/justified, any steps needed to address your request, or remedy the issue which you have complained about, will be taken.

If it is concluded that a request or complaint you make cannot or should not be acted upon, you will be told why in the response. You will also be reminded that, in reaction to this, you can file a complaint through the Aramex BCRs and/or you can file a complaint with Supervisory Authorities, other competent authorities or the competent courts (see Data Subjects’ enforcement of the Aramex BCRs, above).

Please note that the Aramex Group may refuse to act on requests received from Data Subjects regarding their rights (under the GDPR, local laws or the Aramex BCRs) if the Data Subject in question cannot be identified. In this scenario, you will be informed of this and asked for additional information, so that you (or the relevant Data Subject, if that is someone else) can be properly identified. Once it becomes possible to confirm your identity (or the identity of the Data Subject you may be representing), the request will be addressed.

You can also dispute any response received in writing, by responding via e-mail or via the physical address indicated above. Disputes will be referred to the Aramex Privacy Team, which will review the case and give you a revised decision: either to accept the original response, or to amend it. The revised decision will be given, as a rule, within two (2) months from your dispute.

The Aramex Privacy Team may respond as follows:

If the Aramex Privacy Team concludes that the request or complaint which you submitted is valid/justified, the Aramex Privacy Team will arrange for any necessary steps to be taken to address it within the Aramex Group, and remedy the issue which is the object of the complaint (in coordination with the relevant Privacy Contact(s), if any).
If the Aramex Privacy Team concludes that it cannot or should not act upon a request or complaint you make, they will let you know why in their response. You will also be reminded that, in reaction to this, you can file a complaint through the Aramex BCRs and/or you can file a complaint with Supervisory Authorities, other competent authorities or the competent courts (see Data Subjects’ enforcement of the Aramex BCRs, above).

Responses will be given free of charge, unless a request is considered to be manifestly unfounded or excessive (particularly if requests become repetitive). In this case, you may either be charged a reasonable fee for your request to be processed, based on the administrative costs of responding to the requests, or your request may be refused.

If you are dissatisfied with any response received from the Aramex Privacy Team (even where a request or complaint of yours is deemed valid/justified), you can file another complaint through the Aramex BCRs and/or you can submit a complaint to any competent EEA Supervisory Authority, or file a claim with any competent EEA court (see Data Subjects’ enforcement of the Aramex BCRs).

Finally, please bear in mind that it is not mandatory to use the Aramex BCR complaint handling procedure. You can also decide to directly submit complaints/claims to any competent EEA Supervisory Authority or EEA court, regardless of whether you decide to use this procedure beforehand or not (see Data Subjects’ enforcement of the Aramex BCRs).

How does Personal Data flow within the Aramex Group?

The global headquarters of the Aramex Group are located in Dubai (United Arab Emirates) and Amman (Jordan). Given that several processes within the Aramex Group are managed or supported centrally at the global headquarters (for example, human resource management, supplier management, marketing campaign management and legal affairs management), there are flows of Personal Data from each Aramex Group member (including those within the EEA) to the global headquarters. These flows may occur actively – such as when an Aramex Group member actively sends Personal Data to the global headquarters – or passively – such as when the systems used by an Aramex Group member to Process Personal Data allow those Personal Data to be accessed by the global headquarters directly.

Residually, Aramex Group members may also exchange Personal Data with one another, if this is necessary to complete cross-border deliveries (for example, one Aramex Group member may share Personal Data on shippers and consignees with an Aramex Group member within another country, if this is necessary to allow a delivery to that other country to be completed properly).

The possibility for these transfers to take place is brought to Data Subjects’ attention in the information notices and privacy policies used by the Aramex Group. Data Subjects are advised also of the safeguards which are put in place to ensure the lawfulness and security of those transfers.

More precisely, Personal Data is transferred within the Aramex Group primarily for the following purposes, as detailed in the information notices and privacy policies made available to Data Subjects (see Transparency, above):

Processing Purpose	Data Subjects	Personal Data	Information Notice(s)
Human resource management	· Employees; · Employee family members (spouse, children…).	· Name; · Contact details; · Date of birth; · National ID document (e.g., passport); · Photograph; · Driver’s license; · CV; · Job title; · Department; · Employer of record; · Attendance records; · Training records; · Performance assessments; · Leave records; · Disciplinary records; · Bank account details; and · Other categories of personal data which might be included within documents stored in an employee’s file, managed by local HR teams or by the central HR Shared Services Team at the Aramex Group global headquarters on behalf of given Aramex Group members.	· Employee Information Notice.
Recruitment management	· Job applicants.	· Name; · Nickname; · Contact details; · Address; · Country/region of residence; · Current company; · Current position; · LinkedIn/Facebook profile URLs; · Employment background; · Educational background; · Language skills and proficiency; · CV; · Cover letter; · Availability to start; · Previous offers from Aramex Group members; · Previous employment with Aramex Group members; · Relationship with relatives working for Aramex Group members; · Eligibility to work in country of application; · Gender; · Date of birth; · Nationality.	· Recruitment Information Notice.
Subcontractor, supplier, vendor and franchisee management	· Individual subcontractors, suppliers or vendors; · Contact persons within actual or potential subcontractors, suppliers, vendors and/or franchisees;	· Name; · Professional contact details; · Job title; · Employer; · Country; · Date of birth; · National ID document (e.g., passport); · Photograph; · Driver’s license; · CV; · Attendance records; · Performance assessments; · Delivery records; · Geolocation (collected during shipment deliveries); · Disciplinary records; and · Other categories of personal data which might be included within documents stored in the contractor’s file, managed by local HR/operations teams.	· Aramex Fleet Privacy Policy; · Additional information included in contracts entered into with contractors, suppliers, vendors and/or franchisees.
Customer and service provision management	· B2C customers; · Contact persons within actual or potential B2B customers; · Individual consignees and shippers.	· Name; · Contact details (personal or professional, depending on the type of customer); · National ID document; · Gender; · Date of birth; · Country of residence; · Postal address; · Payment details; · Shipment history (logs of details, actions taken and interactions had with customers in connection with deliveries made at customer request, or to customers); · Job title (for contact persons within B2B customers); · Employer (for contact persons within B2B customers); · Mailing/delivery address; · Contents of shipments; · Existence/absence of relevant trade-restricting sanctions; · Additional data required for shipment clearance as per local regulations (e.g., national ID number / document copies).	· Customer/Master Privacy Policy; · Aramex SMART Privacy Policy.
Marketing campaign management	· Marketing contacts.	· Name; · Contact details; · Date of birth; · Aramex service purchase history (e.g., goods ordered, date, origin and destination of shipments); · Location (country); · Job title (for B2B contacts); · Company/organisation; · LinkedIn profile URLs.	· Customer/Master Privacy Policy.
Legal affairs management	· Individuals involved in contract negotiation, litigation, legal and non-legal claims (including contract signatories, contact persons, claimants, legal counsel and others).	· Name; · Address; · E-mail address; · Telephone number; · Job title; · Legal bar/ID number (if applicable); · Date of birth; · National ID documents; · Bank account details; · Employee file (if applicable, typically for employment-related cases); · Other Personal Data which may be disclosed in connection with litigation proceedings (for example, in pleadings or during discovery).	· All relevant information notices/privacy policies.
IT system administration and security	· Users of Aramex Group systems, IT tools and the Aramex Group network.	· Details on incidents flagged by incident detection systems (date/time of event, sender/user ID and/or contact details, recipient ID and/or contact details, name of file(s) involved, specific file contents triggering an incident flag), device data (IP address, corporate device ID): · Activity logs on Internet browsers and cloud systems used by the Aramex Group (user ID, date/time of events, type of event – URL accessed, actions performed); · Personal contact details (personal mobile/home phones, personal e-mail address, personal address).	· Policy for the Acceptable Use of Aramex Information Resources; · All relevant information notices/privacy policies.

Furthermore, Special Categories of Personal Data are transferred within the Aramex Group primarily for recruitment and human resource management purposes, where relevant. This is also detailed in the information notices and privacy policies made available to Data Subjects (see Transparency, above):

Processing Purpose	Data Subjects	Personal Data	Information Notice(s)
Human resource management	· Employees.	· Health data (information on physical limitations, disabilities and/or health status which is professionally relevant).	· Employee Information Notice.
Recruitment management	· Job applicants.	· Relevant physical disabilities/limitations.	· Recruitment Information Notice.
Customer and service provision management	· Individual consignees and shippers; · Other individuals.	· Contents of shipments (during a legally-required shipment inspection, shipment contents may inadvertently disclose information on a shipper, consignee or third party which could amount to Special Categories of Personal Data – however, the Aramex Group will not use such information for any purpose, unless necessary to properly complete the inspection as required by law).	· Customer/Master Privacy Policy; · Aramex SMART Privacy Policy.
Legal affairs management	· Individuals involved in litigation, legal and non-legal claims (including contract signatories, contact persons, claimants, legal counsel and others).	· Medical information (if applicable, typically for injury-related cases); · Other Special Categories of Personal Data which may be disclosed in connection with litigation proceedings (for example, in pleadings or during discovery).	· All relevant information notices/privacy policies.

Finally, Judicial Data is transferred within the Aramex Group mainly for compliance/screening purposes (meaning, to screen employees, customers and suppliers against applicable restricted persons lists, trade restriction lists and other “blacklists” relevant to the Aramex Group’s sector, as needed to ensure compliance with national and international legal obligations), as well as for legal affairs management (where individuals’ criminal history may be Processed if applicable, typically for theft-related cases).

All of these transfers are covered by the Aramex BCRs. All Aramex Group members must comply with the Aramex G-DPCF and the Aramex BCRs. This means that any and all Personal Data Processed by the Aramex Group will be used in compliance with the GDPR’s principles, as well as with any applicable local requirements.

How are Aramex Group members and employees bound to the Aramex BCRs?

7(1) Aramex Group members

All Aramex Group members (see Annex I, below, for a list of these members) have signed an Intra-Group Agreement binding them to comply with the terms of the Aramex G-DPCF – which includes the Aramex BCRs. This Intra-Group Agreement allows the enforcement of the Aramex G-DPCF and Aramex BCRs rules against any member which breaches their terms. This creates a binding effect for the Aramex BCRs, which covers the entire Aramex Group.

No Personal Data will be transferred, on the basis of the Aramex BCRs, to an Aramex Group member which is not effectively bound by the Aramex BCRs, or which cannot deliver compliance with the Aramex BCRs.

Aramex Group members will remain bound to the Aramex BCRs for as long as they remain a part of the Aramex Group, as a rule. If, for any reason, an Aramex Group member ceases to be bound by the Aramex BCRs, then either:

All Personal Data transferred to that Aramex Group member under the Aramex BCRs must be destroyed or returned to the Aramex Group member(s) which transferred the Personal Data, at their choice; or
That Aramex Group member may be allowed to further retain the Personal Data transferred to it under the Aramex BCRs, provided that the Aramex BCRs’ rules on onward transfers (see Transfers of Personal Data from within the EEA to outside of the EEA, above) are followed – with that Aramex Group member acting as a “subcontractor” / “Recipient”.

If an Aramex Group member determines that it is unable to comply with the Aramex BCRs, for whatever reason, it must notify the Aramex Group Representative and Aramex Privacy Team of this without undue delay. This situation will be managed under the same rules provided for the management of conflicts with the Aramex BCRs (see How are conflicts between the Aramex BCRs and local applicable legislation managed?, below). Where an Aramex Group member is in substantial or persistent breach of the Aramex BCRs, or fails to comply with a binding decision of a competent court or Supervisory Authority regarding the Aramex BCRs, transfers of Personal Data from within the EEA to that Aramex Group member, under the Aramex BCRs, must be promptly terminated (without prior suspension or consideration of supplementary measures).

The Aramex Privacy Team will keep a fully updated list of Aramex Group members bound by the Aramex BCRs, which will be published along with the Aramex BCRs (see How will any relevant changes to the Aramex BCRs be reported?) and made available to the BCR Lead (and data subjects) upon request – no transfers of personal data to new Aramex Group members will be carried out until those members are effectively bound by the Aramex BCRs and are able to comply with them in practice. Any changes to this list will be published, notified to relevant data subjects (where feasible), and reported by the Aramex Privacy Team, in coordination with the Aramex Group Representative, to the BCR Lead on an annual basis.

7(2) Aramex Group employees (and other authorised persons)

As mentioned above (see Data protection by design and by default), any persons which an Aramex Group member authorises to Process Personal Data (such as its employees) are required to accept the Aramex Group’s Policy on Acceptable Use of Aramex Information Resources. This policy contains an Authorisation to Process Personal Data, which includes obligations of confidentiality, the obligation to follow the Aramex Group’s instructions when Processing Personal Data and the obligation to comply with the Aramex Group’s internal policies, procedures and security measures.

Aramex employees, and any other persons accepting the Aramex Group’s Policy on Acceptable Use of Aramex Information Resources (e.g., certain individual contractors), are therefore explicitly required to abide by the rules of the Aramex BCRs.

Employees are advised, in particular, that a failure to abide by the terms of the Aramex Group’s Policy on Acceptable Use of Aramex Information Resources (including the terms of the Authorisation), or by the rules within the Aramex BCRs (and, more globally, within the Aramex G-DPCF) may have disciplinary consequences for them. In more serious cases, employees may be terminated for failure to follow those rules. This creates a binding effect for the Aramex BCRs as well, which covers all Aramex Group employees, and other persons who may be authorised to Process Personal Data (such as individual contractors).

How does the Aramex Group ensure the effectiveness of the Aramex BCRs?

Several internal and external procedures have been set up to make sure that the Aramex BCRs are understood and followed by all persons and organisations authorised by the Aramex Group to Process Personal Data, including employees, contractors and Processors.

8(1) Training and awareness-raising

Employees (including new hires), contractors and other individuals authorised by the Aramex Group to Process Personal Data (including those involved in Personal Data collection, or in the development of IT Systems/Tools used to Process Personal Data) must attend and complete appropriate and up-to-date training courses on privacy, data protection and information security. These courses cover the GDPR’s data protection principles and main rules, the relevant components of the Aramex G-DPCF – including the Aramex BCRs, specifically (including rules and procedures on managing requests for access to Personal Data by public authorities) – and the risks which may arise (for Data Subjects and for the Aramex Group) if Personal Data is mishandled.

These training courses are provided in coordination between the Aramex Privacy Team and local Privacy Contacts, and are provided at least on an annual basis. Attendance to these courses is mandatory and documented. Each course includes assessment questions, to test whether its contents were properly understood.

As an additional awareness-raising initiative, the Aramex Information Security Team sends out weekly awareness tips to employees on privacy, data protection and data security-related matters – these also include references to employees’ obligations under the Aramex G-DPCF (and the Aramex BCRs).

The Authorisation to Process Personal Data (included within the Policy on Acceptable Use of Aramex Information Resources, which all employees must accept – see Data protection by design and by default, above) lists and emphasises employees’ duties regarding the use of Personal Data. These include, among others, the need to follow the rules laid down in the Aramex G-DPCF – including those within the Aramex BCRs.

8(2) Aramex Privacy Network

The Aramex Privacy Network is spearheaded by the Aramex Privacy Team – which includes the Aramex Group DPO, the Aramex Global Information Security Director and the Aramex Global Legal Director – and supported by local Privacy Contacts, appointed for each Aramex Group member.

The Aramex Group DPO provides Aramex with expert advice on the implementation of the Aramex G-DPCF and Aramex BCRs, as well as on compliance with the principles and rules set out in the GDPR and other data protection laws of relevance. The Aramex Group DPO was appointed as such for the Aramex Group by a resolution taken by the Board of Directors of the Aramex Group parent company, and reports directly to that Board upon request, to guarantee its independence.

The Aramex Privacy Team members aside from the Aramex Group DPO occupy global Director-level positions within the Aramex Group, providing their support to the Aramex Group worldwide.

Each Aramex Group member has a Privacy Contact assigned to it (though some Privacy Contacts may be assigned to more than one Aramex Group member). Privacy Contacts are generally Aramex Group employees, appointed internally to assist the Aramex Privacy Team in managing privacy and data protection-related issues for a given Aramex Group member. These Privacy Contacts are generally tasked with cooperating with the Aramex Privacy Team in order to ensure that the Aramex Group’s data protection governance is managed in a consistent manner worldwide and, in particular, monitoring the compliance of the Aramex BCRs within the Aramex Group member(s) assigned to them. This includes tasks such as:

investigating and addressing requests and complaints received locally;
reporting on and assisting in compliance with relevant local data protection requirements (e.g., related to human resource management and delivery service provision);
ensuring that their assigned Aramex Group members abide by the rules and principles within the Aramex G-DPCF and Aramex BCRs, as well as monitoring training efforts made to this effect;
cooperating with the Aramex Privacy Team in the management of any Aramex Group-level data protection matters, as needed from time to time (including the assessment of Processors to be engaged, the performance of DPIAs and LIAs and the management of interactions with Supervisory Authorities);
reporting any relevant security incidents to the Aramex Privacy Team, as well as cooperating with the Aramex Privacy Team in incident investigation, remediation, notification and recording activities; and
cooperating with the Aramex Privacy Team and Aramex Internal Audit Team in the performance of audits and the implementation of corrective measures and action plans arising as a result (see Audit programme & cooperation with Supervisory Authorities, below).

All Privacy Contacts are supported, in the performance of their tasks, by the highest levels of management within the Aramex Group, and within the Aramex Group member(s) assigned to them. They may further be supported in these activities by external service providers (such as law firms or specialised legal consultants), on the basis of a service contract.

The Aramex Privacy Team coordinates and supports the Privacy Contacts’ activities, in order to ensure the correct implementation and compliance with the Aramex G-DPCF and Aramex BCRs throughout the Aramex Group. This includes:

the creation and updating the policies, procedures, guidelines and templates which make up the Aramex G-DPCF (including the Aramex BCRs);
the coordination of data protection compliance efforts and measures taken by the various Aramex Group members, in order to ensure alignment with the Aramex G-DPCF (including the Aramex BCRs) and applicable local requirements;
the coordination of investigation, remediation, notification and recording of relevant security incidents, as well as management of Data Subject requests and communications from local Supervisory Authorities;
the coordination of Aramex Group-level data protection matters (including the assessment of Processors to be engaged on behalf of the Aramex Group, the performance of DPIAs and LIAs and the management of interactions with Supervisory Authorities);
coordinating with the Aramex Internal Audit Team and relevant Privacy Contacts for the performance of audits and the implementation of corrective measures and action plans arising as a result (see Audit programme & cooperation with Supervisory Authorities, below); and
reporting to the highest level of management within the Aramex Group on privacy and data protection-related matters, and informing that highest level of management if any questions or problems arise during the performance of their duties.

Aside from the relevant local Privacy Contacts, the Aramex Group DPO can be directly contacted by Data Subjects – contact details are provided in the different privacy policies and information notices made available to Data Subjects by the Aramex Group (see Transparency, above).

8(3) Audit programme & cooperation with Supervisory Authorities

The Aramex Group carries out a yearly data protection audit, through the coordinated efforts of local Privacy Contacts, the Aramex Privacy Team, and the Aramex Internal Audit Team (a central team at the Aramex Group global headquarters, in charge of internal audit management for the Aramex Group).

Both the Aramex Privacy Team and the Aramex Internal Audit Team are guaranteed independence as to the performance of their duties related to these audits – in particular, they are not subject to instructions given by any other team or function within the Aramex Group, nor by the Aramex Group’s highest levels of management (without prejudice to the reporting duties mentioned), and cannot be penalised or dismissed simply for performing these duties.

Every year, the Aramex Privacy Team and Aramex Internal Audit Team will select a sample of Aramex Group members, whose data protection practices are to be audited for that year:

The Aramex Privacy Team will create the checklist/controls to be used (focusing on compliance with the Aramex G-DPCF and Aramex BCRs, as well as any relevant local requirements) – these checklists/controls will transversally assess the Processing activities performed by the target Aramex Group members against all aspects of the Aramex BCRs (e.g., rules on transfers of Personal Data, management of legal requirements/requests in conflict with the Aramex BCRs, contractual terms in place with third-party Recipients…).From a technical standpoint, the audit checklist/controls must be designed to cover all BCR-relevant Processing tools, including Aramex’s databases, IT Systems and IT Tools (as noted also below).
The Aramex Internal Audit Team will define the methodology to be followed, which should cover the databases, IT Systems and IT Tools used by the target Aramex Group members to Process Personal Data, the measures put in place by the target Aramex Group members to ensure compliance with the Aramex G-DPCF and Aramex BCRs (including their Records of Processing Activities, Consent requests, information notices and privacy policies, registers of Personal Data Breaches and Data Subject requests, and agreements entered into with third parties), and any relevant local requirements applicable to the target Aramex Group members.

Following this, audits of the target Aramex Group members will be carried out, in coordination with the relevant Privacy Contacts. Information will be gathered on each target Aramex Group member’s Processing activities, so as to assess their compliance with the relevant Aramex G-DPCF and Aramex BCRs (by crossing that information with the checklist/controls developed by the Aramex Privacy Team).

Results will be reported by the Privacy Contact to the Aramex Privacy Team and Aramex Internal Audit Team for review and validation. Further exchanges of information related to the target Aramex Group members’ practices may be necessary to clarify the reported findings. The reviewed and validated results will also be made available to the Aramex Group Representative’s board, as well as to requesting EEA Supervisory Authorities with jurisdiction over an Aramex Group member (upon request, and – where the requesting Supervisory Authority is not the BCR Lead – to the extent the audit results concern that Aramex Group member).

If, as a result of an audit, nonconformities are detected, the Aramex Privacy Team will liaise with the Privacy Contact and the target Aramex Group member’s management, in order to define corrective measures and an action plan to restore compliance with the Aramex G-DPCF and Aramex BCRs. This action plan will include a follow-up audit to determine the progress and effectiveness of the established corrective measures.

Carrying out these general audits on a yearly basis was decided by the Aramex Group in consideration of the different Processing activities which the Aramex Group carries out and, in particular, the risks those activities may pose to the rights and freedoms of Data Subjects. However, to ensure consistent enforcement of the Aramex BCRs across the Aramex Group over time, specific and focused audits can also be carried out on any given Aramex Group member (regarding all or some of their Processing activities), whenever deemed appropriate by the Aramex Privacy Team – including upon a Privacy Contact’s request – as well as whenever relevant indications of an Aramex Group member’s non-compliance with the Aramex BCRs are detected.

The Aramex Privacy Team issues an annual report to the Aramex Group Representative’s board and to the Aramex Group’s highest levels of management, which includes a summary of audit activities performed and corrective measures implemented.

The Aramex Group has also implemented internal procedures to ensure full cooperation with any Supervisory Authorities wishing to carry out Inspections on Aramex Group members. In this respect:

All Aramex Group members will take into account advice provided, and will abide fully by any decisions made, by competent Supervisory Authorities regarding the interpretation and implementation of the Aramex BCRs, or any other issues related to the Aramex BCRs;
All Aramex Group members will provide competent Supervisory Authorities, upon request, with any information about the Processing activities they may carry out under the scope of the Aramex BCRs, and will otherwise cooperate with competent Supervisory Authorities (including by accepting to be audited and to be inspected, including – where necessary – on-site, by competent Supervisory Authorities);
All Aramex Group members accept that any disputes related to the exercise of supervisory powers by competent Supervisory Authorities will be resolved by the courts of the Member State of the Supervisory Authority in question, in accordance with that Member State’s procedural law, and agree to submit themselves to the jurisdiction of those courts.

8(4) How are conflicts between the Aramex BCRs and local applicable legislation managed?

8(4)(1) General rules

The Aramex Group includes members located in various different countries and continents (see Annex I, below). In some of those jurisdictions, local laws and/or practices may impose requirements on Aramex Group members which conflict with the principles and rules of the GDPR, or with the Aramex G-DPCF or Aramex BCRs.

These conflicts may create restrictions on an Aramex Group member’s ability to fully comply with the Aramex BCRs, or may otherwise create substantial limitations to the safeguards provided to Data Subjects by the Aramex BCRs. This is not the case, however, where such a conflict results from third country laws and practices which seek to protect an important objective of public interest (for example, national security, the investigation of criminal offences, or the protection of Data Subjects/other individuals), provided that those laws/practices respect the essence of Data Subjects’ fundamental rights and freedoms, and do not exceed what is necessary and proportionate in a democratic society. This will be judged by the Aramex Group using EU standards as a referential – in particular, the EU Charter of Fundamental Rights and the European Data Protection Board’s Recommendations 02/2020 on the European Essential Guarantees for surveillance measures.

The Aramex BCRs cannot be relied on to transfer Personal Data to an Aramex Group member located outside of the EEA, in a country which has not been the subject of an adequacy decision from the European Commission, unless an assessment has been carried out showing that the laws and practices of that country which apply to the Processing of Personal Data by that Aramex Group member do not create such conflicts. These assessments (Data Transfer Impact Assessment) must take due account, in particular, of the following elements:

The specific circumstances of the transfer, or set of transfers, and of any envisaged onward transfers within the same third country or to another third country, including:
- The purposes for which the Personal Data are to be transferred and Processed (for example, centralised HR, marketing or service management);
- The types of entities involved in the Processing (notably the Aramex Group member receiving the Personal Data, and any other entities to which that Aramex Group member may transfer the Personal Data onwards);
- The economic sector in which the transfer(s) occur;
- The categories and format of the transferred Personal Data;
- The locations where the transferred Personal Data will be Processed (including storage locations and locations from which the stored Personal Data may be remotely accessed);
- The transmission channels used; and
- Any other relevant factual circumstances pertaining to the transfer(s) and intended Processing by the receiving Aramex Group member.
All laws and practices of the country which have been deemed relevant, in light of the specific circumstances of the transfer(s), including their scope, limitations and safeguards. This includes any legal or practical requirements to disclose Personal Data to public authorities upon request, or otherwise allow access to Personal Data by those authorities (whether during transit or after storage);
The practical experience the receiving Aramex Group member has with instances (or the absence) of requests for disclosure of, or access to, Personal Data by public authorities, provided that this experience is relevant, documented, covers a sufficiently representative time-frame, certified at the senior management level of the relevant Aramex Group member and can be corroborated (and is not contradicted) by relevant and objective elements, including any publicly available/accessible and reliable information regarding such requests in the country of reference; and

The relevant contractual, technical and/or organisational safeguards which have been, or can be, implemented to supplement the safeguards provided by the Aramex BCRs (see Transfers of Personal Data from within the EEA to outside of the EEA, above, for examples).

Where a Data Transfer Impact Assessment shows a relevant conflict which should be addressed by supplementary contractual, technical and/or organisational safeguards, the definition and implementation of those safeguards should be carried out with the involvement of the Aramex Group Representative and Aramex Privacy Team.

Data Transfer Impact Assessments must be appropriately documented, including the supplementary safeguards which may have been defined for each particular case, and made available to Supervisory Authorities upon request. They will also be shared with all Aramex Group members where relevant, to ensure appropriate assessment and supplementary safeguard consistency across the Aramex Group (in other words, to ensure that similar transfers are safeguarded similarly).

If an Aramex Group member identifies such a conflict (including where it has reason to believe that it, or another Aramex Group member, is, or has become, subject to laws and practices, in particular where a specific request for Personal Data disclosure/access is received. Which create such a conflict), they must inform the Aramex Privacy Team and Aramex Group Representative without undue delay, unless they are forbidden to do so by local law or a local law enforcement authority (such as where local criminal law forbids this in order to safeguard the confidentiality of ongoing investigations).

Without prejudice to the above, the Aramex Privacy Team and Aramex Group Representative should monitor, on an ongoing basis and in collaboration with Aramex Group members, developments in countries outside of the EEA which may create relevant conflicts under the Aramex BCRs, or affect the outcome of previously completed Data Transfer Impact Assessments.

Should the Aramex Privacy Team, in coordination with the Aramex Group Representative, consider that an Aramex Group member (1) is not able to fully comply with their obligations under the Aramex BCRs, or that (2) the laws/practices applicable to that Aramex Group member may impact the guarantees given by the Aramex BCRs, regarding Personal Data Processed by that Aramex Group member, to a substantial degree:

The Aramex Group must suspend transfers of Personal Data from within the EEA to that Aramex Group member, under the Aramex BCRs (to the extent that such transfers fall under the scope of the detected conflict); and
The Aramex Group must implement technical, organisational and/or contractual supplementary measures to address the detected conflict and safeguard compliance with the Aramex BCRs, after which the suspension may be lifted (see Transfers of Personal Data from within the EEA to outside of the EEA).

If this is not possible or feasible, or if suspension lasts over 1 month without adequate supplementary measures having been implemented, transfers of Personal Data from within the EEA to that Aramex Group member, under the Aramex BCRs, must be promptly terminated. As a result, the Aramex Group member in question must:

Either destroy the transferred Personal Data or return it to the Aramex Group member(s) which transferred the Personal Data, at their choice (this applies also to any copies made);
In the event that Personal Data is to be destroyed, certify to the Aramex Privacy Team that those Personal Data have been fully deleted – the Aramex Privacy Team will relay these certifications to the concerned Aramex Group member(s);
Continue to ensure compliance with the Aramex BCRs to the greatest extent feasible until destruction or return is fully completed and, where local laws prevent the full destruction or return of the transferred Personal Data and its copies, only further Process such Personal Data to the extent and for as long as required under those laws.

Decisions to suspend a transfer, implement further supplementary measures or terminate a transfer will also be shared with all Aramex Group members, to ensure consistency across the Aramex Group (in other words, to ensure that similar transfers are suspended, subjected to further supplementary measures, or terminated).

8(4)(2) Personal Data disclosure/access requests

If an Aramex Group member receives a request from a public authority for the disclosure of Personal Data transferred to it under the Aramex BCRs, or becomes aware that a public authority has directly accessed such Personal Data, that Aramex Group member must promptly notify the Aramex Group Representative and Aramex Privacy Team, of the request:

In the case of a request for disclosure, the notification should include information about the requested Personal Data, the requesting authority, the legal basis invoked by the authority for the request, and the response which has been given (or which is to be given) to the request.
In the case of a detected instance of direct access, all relevant information at the Aramex Group member’s disposal must be included.

The Aramex Privacy Team will relay any such notifications to the Aramex Group member(s) which transferred those Personal Data.

Where possible, the affected Data Subjects should also be notified. This notification can be carried out with the support of the transferring Aramex Group member(s) and/or the Aramex Group Representative and Aramex Privacy team.

If local law does not allow an Aramex Group member to issue these notifications, that Aramex Group member must employ its best efforts to waive the prohibition, so that the notifications can be carried out. The Aramex Group member must aim to communicate as much information as possible and as soon as possible, and further must be able to demonstrate the efforts employed to meet this goal.

When faced with a request for disclosure, Aramex Group members must:

Review the request’s legality – in particular, whether the request has been issued in accordance with the powers granted to the requesting public authority.
Challenge and/or appeal these requests (including by seeking interim measures to suspend the requests’ effects, where available and appropriate) if they consider that there are reasonable grounds to do so under the applicable laws, including international laws, and/or principles of international comity.
Not disclose any Personal Data until required to do so under applicable procedural rules, and disclose only the minimum amount of Personal Data permissible when responding, based on a reasonable interpretation of the request.
Document legal assessments carried out and challenges/appeals raised, and make this documentation available to the Aramex Group Representative and Aramex Privacy Team.

The Aramex Privacy Team will relay any documentation received regarding requests for disclosure, or detected instances of direct access, to the Aramex Group member(s) which transferred those Personal Data. The Aramex Privacy Team and Aramex Group Representative will further make this information available to requesting Supervisory Authorities.

Aramex Group members which receive Personal Data under the Aramex BCRs must provide general information to the Aramex Group Representative and Aramex Privacy Team on such requests for disclosure or detected instances of direct access on an annual basis (including, for example, the number of requests received and instances detected, the types of Personal Data requested or accessed, the identity of the requesters or accessors, whether requests have been challenged or detected access has been reacted to, and the outcome of these challenges and reactions, etc.). This information must be stored by each Aramex Group member for as long as the Aramex BCRs continue to apply to Personal Data Processed by that Aramex Group member. If any Aramex Group member is, or becomes, partially or fully forbidden from providing this information, it must inform the Aramex Group Representative and Aramex Privacy Team of this without undue delay.

The Aramex Privacy Team will relay this information to the relevant transferring Aramex Group member(s). The Aramex Privacy Team and Aramex Group Representative will further make this information available to requesting Supervisory Authorities.

In any case, transfers of Personal Data carried out by Aramex Group members to public authorities, as required by local laws, cannot be massive, disproportionate and/or indiscriminate, in a manner which would go beyond what is necessary in a democratic society. A failure to abide by this rule will create a relevant conflict (see General rules, above).

If local laws applicable to an Aramex Group member (including those within the EU) require a higher level of protection for Personal Data than the Aramex BCRs, they will prevail over the Aramex BCRs within their territorial scope. As a rule, the Aramex Group will always Process Personal Data in a manner which maximises the alignment of its practices with the rules and principles within the GDPR and other relevant local laws.

How will any relevant changes to the Aramex BCRs be reported?

The Aramex Privacy Team is in charge of developing and maintaining the Aramex G-DPCF. Any relevant updates to Aramex G-DPCF components (including the Aramex BCRs) are communicated to all Aramex Group members via the Aramex Group intranet, in coordination between the Aramex Privacy Team and the Aramex Group Representative.

The Aramex BCRs will be published on the Aramex Group’s main websites, and kept up-to-date to reflect the current factual and legal circumstances applicable to the transfers of Personal Data which fall under their scope from time to time, including changes to applicable laws and practices, guidance from Supervisory Authorities and to the transfers and underlying Processing activities themselves. To this end, the Aramex Group has implemented a versioning mechanism for the Aramex G-DPCF components (including the Aramex BCRs), in order to allow updates to be tracked. To ensure that Data Subjects are able to remain informed of any updates to the Aramex BCRs or the list of Aramex Group members bound by the BCRs (see Annex I), any such updates will be published on the Aramex Group’s main websites without undue delay, after becoming effective.

The Aramex Privacy Team, in coordination with the Aramex Group Representative, is responsible for:

Maintaining a fully updated list of Aramex Group members bound by the Aramex BCRs;
Tracking and recording any changes to the Aramex BCRs;
Promptly notifying any changes to the Aramex BCRs to all Aramex Group members;
In coordination with each Aramex Group member, updating information on the Aramex BCRs provided to Data Subjects, where necessary;

Providing information on any changes to the Aramex BCRs (including further detail on the rationale for such changes) to requesting Supervisory Authorities.

Substantial changes to the Aramex BCRs (those which might possibly affect the level of protection offered by the Aramex BCRs, or otherwise significantly affect the Aramex BCRs) will be communicated by the Aramex Privacy Team, in coordination with the Aramex Group Representative, to the BCR Lead in advance (including further detail on the rationale for such changes). Aramex will further, whenever feasible, notify relevant data subjects directly of such changes (e.g., by publishing them in its corporate Intranet for the benefit of Aramex Group employees, by e-mailing customers/suppliers where electronic contact details are available…).

All other changes to the Aramex BCRs, including changes to the list of Aramex Group members bound by the Aramex BCRs (see How are Aramex Group members and employees bound to the Aramex BCRs?) will be reported to Supervisory Authorities (via the BCR Lead) by the Aramex Privacy Team, in coordination with the Aramex Group Representative, at least once a year. A brief explanation of the rationale for any changes made will be included in notifications/reports made to the BCR Lead. If no changes have been made to the Aramex BCRs in the year of reference, this will be confirmed to the BCR Lead.

Annex I

Country	Name	Registered Offices	Registration No.
Algeria	SARL Aramex Algérie	Lot n199, Industrial Zone, Oued Smar, Algiers, Algeria	08B 1002047
Australia	Contract Freight Management Aust Pty Ltd	Level 12, 680 George Street, Sydney NSW 2000, Australia	ACN: 169839481
	Australian Couriers Pty Limited	Level 9, 491 Kent Street, Sydney NSW 2000, Australia	057389769
	Aramex Fastway Holdings Pty Ltd	Level 12, 680 George Street, Sydney NSW 2000, Australia	609 553 513
Bahrain	Aramex Bahrain WLL	Diplomatic Area, Block 317, Road 1705 Building 407, Manama, Bahrain	20472-1
Bangladesh	Aramex Dhaka Limited	Colloid Center, 206/A Tejgaon I/A, Dhaka-1208, Bangladesh	C-86341
Canada	Aramex Canada Inc.	5810 Ambler Drive, Units 14-15, Mississauga, ON L4W4J5, Canada	665271-9
China	Aramex Sinotrans Express Co. Ltd.	Room No. 801-806, 8F Building 1, 448 Hongcao Road, Shanghai, China	913100005886880000
Czech Republic	Aramex CZ s.r.o.	Praha 6 - Ruzyne, Laglerové 1075/4, PSC 16008	27158152
Egypt	Aramex International Egypt for Air and Local Services	31 Mossadak St. Dokki, P.O Box 12611, Giza	7571
Egypt	Aramex Egypt Logistics	IDG-Engineering Square, 4th Industrial Zone, 6th of October City	109057
Georgia	Aramex Georgia Limited	12A Bochorma St., Tbilisi	406109955
Ghana	Aramex (Ghana) Limited Company	Plot No. 118 Spintex Road, Accra	CS096992017
Hong Kong	Aramex Hong Kong, Limited	17/F., Leighton Centre, 77 Leighton Road, Causeway Bay	165224
Hong Kong	Aramex International, Limited	17/F., Leighton Centre, 77 Leighton Road, Causeway Bay	165223
India	Aramex India Private Ltd.	Ascot Centre, Sahar Road, Andheri East, Mumbai	101311
India	Global Transportations Services Pvt Ltd.	Ascot Centre, Sahar Road, Andheri East, Mumbai	U63090MH2013FTC250959
Indonesia	P.T. Global Distribution Alliance	Jl. Blora No 18, Jakarta	9120108242164
Indonesia	P.T. Aramex Indonesia International Freight Services	Jalan Penjernihan 1 No.1A, Central Jakarta	1201230070834
Iran	Armak International Air Cargo Services	No.224 Mollasadra Ave., Tehran	201080
Iraq	Aramex Co. For Post, Cargo & Distribution Services	Ain Kawa, Erbil	02000003686
Ireland	Aramex Ireland Limited	Ballyboughal, Co. Dublin	222639
Jordan	Aramex Jordan Limited	Al Quds Street, Amman	989
	Arab American Clearance and Transport Co.	Al Quds Street, Amman	5418
	Jordan Distribution Agency	Al Quds Street, Amman	1898
	Aramex International Limited (GSO)	King Hussein Business Park, Amman	344
	Aramex Jordan Limited (Free Zone)	Khalda, Amman	2823
	Aramex International Services LLC	Mecca St, Amman	58504
Kenya	Aramex Kenya Limited	L.R. No 209/8305 Dunga Close, off Dunga Road, Industrial Area, P.O. Box 10438-00100 Nairobi, Kenya	C. 94362
Kingdom of Saudi Arabia	Aramex Saudi Limited Company	Jeddah, Albawadi, Almadenah Road, Aramex Building, Floor 1, PO Box 15802, Jeddah, Saudi Arabia	1010069619
Kuwait	Aramex International Limited	Ardiya, Block 1, Yacoub Yousef Alyousfi Complex, Building No. 96, Kuwait	322226
Lebanon	Aramex Lebanon SAL	Dekwaneh, Mar Roukoz Dahr EL Hosn, BPC Center, 2nd Floor, Lebanon	38501
Libya	Aramex Libya for Express Services	Industrial Area, Alsawani Road, PO Box 93350, Tripoli, Libya	5737
Malaysia	Aramex (Malaysia) SDN BHD	Unit C-12-4, Level 12, Block C, Megan Avenue II, No. 12, Jalan Yap Kwan Seng, Kuala Lumpur, Malaysia	562198-D
Morocco	Aramex International Morocco SA	193 Bvd de la Résistance, Casablanca, Morocco	857
Morocco	Aramex Morocco Logistics SARL	193 BD De la Resistance, Casablanca, Morocco	5575
Netherlands	Aramex Nederland B.V.	Fokkerweg 300, 1438 AN, Oude-Meer, P.O. Box 728, 2130 AS Hoofddorp, The Netherlands	812484502
New Zealand	Aramex New Zealand Holdings Ltd	48 Shortland Street, Auckland Central, Auckland, New Zealand	5831428
New Zealand	Fastway Global Limited	Level 1, Shed 5, Lever Street, Ahuriri, Napier, New Zealand	601837
Nigeria	Aramex Delivery Services Ltd	283 Ajose Adeogun Street, Victoria Island, Lagos, Nigeria	RC 1283282
Nigeria	Aramex Nigeria NMMIA FZE	NAHCO Free Zone, Ikeja, Nigeria	01253
Oman	Aramex Logistics LLC	Albatinah Region, Barka, Ash Shakhakhit, Oman	1088820
Oman	Aramex Muscat LLC	South Alkhuwair, Bousher, Muscat, Oman	1800981
Qatar	Aramex Doha WLL	Rayan Municipality, Ain Khaled, Zone 56, Building 154, Qatar	52034
Singapore	Aramex International Logistics Private Ltd.	3 Changi South Street 1 #01-01 & #04-02, Singapore 486795	200702688M
South Africa	Aramex South Africa (Pty) Ltd	3 Platinum Crescent, Montague Gardens 7441, South Africa	1998/011447/07
	PostNet Holdings (Pty) Ltd	Office Level 1 and 2, Rosebank Towers, 15 Biermann Avenue Rosebank, Gauteng 2196, South Africa	1997/020327/07
	PostNet Advertising (Proprietary) Limited	Rosebank Towers, Gauteng, South Africa	1996/003081/07
	PostNet Southern Africa (Proprietary) Limited	Rosebank Towers, Gauteng, South Africa	1993/006964/07
Sri Lanka	Aramex Freight Corporation Lanka (Private) Ltd.	Colombo 9, Sri Lanka	PV 5394
Sri Lanka	Aramex Lanka Pvt. Ltd.	Negombo Road, Peliyagoda, Sri Lanka	PV 7321
Sudan	Aramex International for Services Co. Ltd.	Khartoum 2, Sudan	24800
Tanzania	Aramex Tanzania Limited	The Palm Residency, Dar es Salaam, Tanzania	79297
Thailand	Aramex (Thailand) Co., Ltd.	Sukhumvit 71 Road, Bangkok, Thailand	105557079725
Tunisia	Aramex Tunisie SARL	Rue du Lac Ontario, Tunis, Tunisia	B24106532011
	Aramex Tunisia Logistics LLC	Rue du Lac Ontario, Tunis, Tunisia	B01234802014
	Aramex Logistics Zarzis	Zarzis Economic Zone, Tunisia	B20144392015
Turkey	Aramex International Hava Kargo ve Keye A.Ş.	Bağcılar, Istanbul, Turkey	0710094760
Uganda	Aramex Uganda Limited	Plot 1, UBRA Building, Kampala, Uganda	131456
United Arab Emirates	Aramex PJSC	Um Ramool, Dubai	10826227
	Aramex International LLC	Dubai	10859904
	Aramex Regional LLC	Dubai	10860341
	Aramex Ventures LLC	Dubai	10860523
	Aramex Express LLC	Dubai	10861154
	Aramex Special Logistics LLC	Dubai	10857525
	Aramex International Services LLC	Dubai	11496085
	Aramex Emirates LLC	Dubai	10791677
	Aramex Abu Dhabi LLC	Abu Dhabi	11078577
	R M X Shipping LLC	Jebel Ali, Dubai	12276961
	Thoory Global Investments Limited	Abu Dhabi	000000314
United States of America	Aramex USA Ltd.	New York	5122277
	Aramex New York Ltd.	New York	1047643
	Aramex California Ltd.	Los Angeles	5129998
	Shop and Ship USA Limited	New York	5524770
	Aramex Illinois Ltd	Illinois	5826668
	Aramex Customhouse Brokerage Ltd.	New York	5130001
	Priority Air Freight NY Ltd.	New York	716185
	Access USA C2C, LLC	Florida	5923337
	Access USA Shipping, LLC	Florida	5176128

New to Aramex?