Purpose
The purpose of this Privacy Notice (the “Notice”) is to inform you of GXO’s practices regarding the processing of your Personal Data for HR and Business purposes in accordance with Applicable Laws. In the context of your working relationship with GXO (the “Company”, “we” or “us”), the Company (also known as a Data Controller), will process information about you and your dependents, in both paper and electronic format. We refer to such information as “Personal Data”. This processing may also be carried GXO Logistics, Inc., registered at Two American Lane, Greenwich, CT 06831, USA, and other affiliates in the GXO group of companies (collectively, the “GXO Group”). If you have any questions regarding which GXO company you are working for or which is the Data Controller in relation to your Personal Data, please contact us (for contact details, see Section 8 below). The GXO Company which you are working for may be jointly responsible with GXO Logistics, Inc. and its affiliated entities and group companies for the lawfulness of the processing of your Personal Data. This Notice may be complemented by additional notices and policies which provide more detailed information about particular processing activities. In addition to words defined elsewhere in this Notice, the key terms used in this Notice are defined in Annex I.
WHAT INFORMATION (PERSONAL DATA) DO WE COLLECT AND PROCESS?
GXO processes different categories of Personal Data about you, for the purposes described in Section 3. These categories of Personal Data include the following
Ordinary Personal Data
• Identification data: civil/marital status, first and last name, date and place of birth, nationality, gender, photograph;
• National identifiers: national identification or passport number; driver’s license; social security number (as may be appropriate and permitted by applicable laws and except where prohibited by applicable laws); work permit;
• Contact details: postal or email address, telephone number (fixed and mobile), fax numbers (both business and private);
• Family members’, dependents’ and beneficiaries’ and emergency contact data: name, address, date and place of birth, telephone number, age and number of children;
• Academic and professional qualifications: degrees, titles, skills, language proficiency, training information, employment history, CV/resume, past employment references;
• Information gathered as part of routine identification and background checks (as may be appropriate and permitted by applicable laws and except where prohibited by applicable laws);
• Financial details: bank account number, bank details, salary and compensation/benefits data, bonuses, pension qualification information, travelling expenses;
• Employment data: job title, function, level, supervisor and other job relationships, grade, business unit, department, dates and conditions of employment; disciplinary sanctions; performance review and job appraisals, dates and results of tests and training, promotions, succession/career planning, changes in role, absence records (holiday and other);
• IT related data: computer ID, user ID and password, domain name, IP address, log files, use of the Internet, e-mail, IT systems and applications;
• CCTV footage, dash cam and other recordings (as per our CCTV Policy) and other information from electronic systems, including on some sites fingerprint recognition.
• Communication data: email and electronic messages, voicemail, files and other correspondence material transmitted using systems of Company or for Company purposes
and stored on servers or Company or on Company’s behalf (as may be appropriate and permitted by applicable laws and except where prohibited by applicable laws); and
• Personal characteristics: hobbies, interests (as you may have defined on your CV for example).
Special Categories of Personal Data
Some of the Personal Data that we process are deemed sensitive and are referred to as “Special Categories of Personal Data”. For example, where necessary and authorized by Applicable Laws, data relating to your health, including short and long-term disability and medical care, as well as to your trade union membership or religion (for example, for tax law compliance or to accommodate religious holidays). We also process data relating to driving offences, information contained in whistleblowing reports and misconduct which may amount to criminal behavior or criminal offences for HR and Administrative as well as Compliance purposes, as may be appropriate and permitted by applicable laws
Sources of the Personal Data
Personal Data Directly from You: We collect Personal Data directly from you (electronically, in writing, or verbal). We may, for example, ask you for information when you begin your employment with the Company. You may also provide new, updated or corrected data to the Company from time-to- time.
Personal Data That We Generate: We may also receive Personal Data from your colleagues or supervisors, for example, from sources generated by us in the normal course of your work, such as annual job performance reviews, pay rise history, disciplinary action, and promotion history. Information on your use of the Internet, e-mail, Company systems and applications is automatically generated.
Personal Data from Third Parties: We may also receive Personal Data from third parties who provide services to the Company, such as companies that provide benefits including share option/ equity awards, payroll, corporate purchasing cards, or other services. For example, if you have been hired through a third-party staffing or recruiting firm, we will receive Personal Details and information on your experience and qualifications from them. Where permitted or otherwise authorized by law, information received from third parties may include the results of background checks.
FOR WHICH PURPOSES AND ON WHICH LEGAL BASES DO WE PROCESS YOUR PERSONAL DATA
We process Personal Data for the following Purposes. For each purpose, the legal basis of the processing is specified, in accordance with Articles 6 and 9 of the GDPR.
HR Management and Administration
We process Personal Data to establish and perform the employment contract between you and us or to manage the working relationship between you and us; for appointments and approvals; to determine eligibility for initial employment (including the verification of references and qualifications); to manage working time and absences; to assess qualifications for a particular job or task; to administer payroll and healthcare and other benefits and equity-related awards; to gather evidence for disciplinary action or termination; to conduct performance reviews and determine performance requirements; to manage talent; to provide training and learning services; for disciplinary matters; to manage accidents and incidents at work; or to manage legal or other disputes involving you, other workers or contractors or customers (or other individuals/members of the public). Legal Basis. This processing is justified based on:
• The necessity for the performance of the employment contract;
• Our legitimate interests; or
• The necessity to comply with legal obligations.
We process the Special Categories of Personal Data and data related to suspected compliance violations to comply with legal and statutory requirements (for example, to confirm whether an employee is fit or not to perform his/her role or as part of our annual or new starter examination or in order to allow the employees to discount their membership for trade union membership in the payroll). Legal Basis. This processing is justified based on:
• Your explicit consent;
• The necessity for the purposes of carrying out the obligations and exercising specific rights of
the controller or of the data subject in the field of employment and social data protection law;
• The necessity to protect the vital interests of data subjects; or
• The necessity for the establishment, exercise or defence of legal claims.
Business Operations
We process Personal Data to manage our projects, orders and accounts, work organisation, provide, supply or acquire products and services, product management, business development, and customer relationship management, employee travel, expense tracking and reimbursement, management reporting and analysis, to determine and review salaries; employee career development and talent management. Legal Basis. This processing is justified based on:
• The necessity for the performance of a contract;
• The necessity for the purposes of carrying out the obligations and exercising specific rights of
the controller or of the data subject in the field of employment and social data protection law;
or
• Our legitimate interests as specified above.
Physical and Network Security, Communications and IT
We process Personal Data to manage and maintain the functioning and security of our IT systems, applications and network; to enable internal contacts and communication; to protect our intellectual property, trade or business secrets and company-held information; and to provide IT support to employees. Legal Basis. This processing is justified based on:
• Our legitimate interests as specified above.
Compliance
We process Personal Data to ensure compliance with GXO policies and applicable legal and other statutory obligations and for the purpose of facilitating audits, investigations and enquiries or allegations of employee misconduct or criminal behavior. Legal Basis. This processing is justified based on:
• The necessity for the establishment, exercise or defence of legal claims;
• Our legitimate interests as specified above;
• The necessity for reasons of substantial public interest.
We will process information on criminal behavior only to the extent permitted by Applicable Law.
3.5 Sale of Group Companies or businesses
We process Personal Data for the purpose of sale of Group Companies or businesses. Legal Basis. This processing is justified based on:
• The necessity for the establishment, exercise or defence of legal claims;
• The necessity for the performance of a contract;
• The necessity for the purposes of carrying out the obligations and exercising specific rights of
the controller or of the data subject in the field of employment and social data protection law;
and
• Our legitimate interests as specified above.
WITH WHOM DO WE SHARE YOUR PERSONAL DATA
GXO takes care when sharing Personal Data with other GXO Group companies (i.e., Intra-Group) or with Third Parties as described below.
Intra-Group
We share your Personal Data with other GXO Group companies and departments (HR, IT, Compliance, Finance,), for all the purposes specified in Section 3 of this Notice.
4.2 Third Parties
We share Personal Data with service providers that have been selected by GXO to perform specific activities on our behalf (such as payroll providers, providers of HR and finance systems/solutions, operators of whistleblowing hotlines or technology companies which provide software and computing services (e.g., e-mail, calendar, telecommunications and information management services). Any service providers engaged by GXO will have access to Personal Data solely to the extent necessary to enable them to perform services on GXO’ behalf and GXO will endeavour to ensure that service providers are contractually prohibited from using Personal Data for any other purpose. GXO will obtain assurances from these Third Parties that they will safeguard Personal Data consistently with this Notice. We share Personal Data with other companies, vendors and business partners to perform functions for us, where these companies are themselves responsible to determine the purposes and/or means of the processing and for the lawfulness of the processing. This includes financial institutions such as banks involved in processing direct deposits of paychecks or administering corporate credit cards, and health, insurance & benefits providers that handle our benefits programs for our employees. We also share Personal Data with governmental and public authorities when required by law, including with the police (or other law enforcement or regulatory bodies) where relevant and necessary for criminal investigations.
We share Personal Data with our customers where it is relevant to your role; where relevant for the performance of GXO’s legal and contractual obligations to its customers; or where it is necessary in relation to criminal or other investigations (including disciplinary and/or grievance investigations).
INTERNATIONAL TRANSFER OF PERSONAL DATA
Given that GXO Group companies are located and provide services all over the world, we need to transfer your Personal Data internationally. In particular, Personal Data collected by us may be transferred to and processed in countries outside the United Kingdom (“UK”) and the European Economic Area (“EEA”). Those countries may not have the same level of protection for Personal Data as in the UK and EEA. Please write to privacy@gxo.com if you want to receive further information or, where available, a copy of the relevant data transfer mechanism.
Intra-Group
International transfers are to the United States of America and India. The transfer of your Personal Data outside the UK and EEA takes place on the basis of our Intra-Group Data Sharing Agreement, which is based on the standard contractual clauses adopted by the European Commission on 4 June 2021, Commission Implementing Decision (EU) 2021/914 (“the Standard Contractual Clauses”) and the UK addendum to the Standard Contractual Clauses, as amended or updated by the UK Information Commissioner’s Office from time to time, and in accordance with Applicable Laws.
Third Parties
Some of the third parties with whom we share Personal Data are also located outside the UK and EEA. Certain third countries, such as Canada and Switzerland, have been officially recognized by the European Commission as providing an adequate level of protection. Transfers to third parties located in other third countries outside the UK and EEA take place using an acceptable data transfer mechanism, such as the Standard Contractual Clauses for data transfers and the UK addendum to the Standard Contractual Clauses, Binding Corporate Rules, approved Codes of Conduct and certifications, or in exceptional circumstances on the basis of permissible statutory exceptions.
HOW LONG WE KEEP YOUR PERSONAL DATA
We keep your Personal Data for no longer than is reasonably necessary for the purpose for which it was collected, being specified in our GXO Group records retention policies. In certain cases, Personal Data may be kept for an extended period of time in order to comply with legal obligations, or for the establishment, exercise or defence of a legal claim, in accordance with Applicable Laws. Our Data Retention Policy may be found at https://ethics.gxo.com/
If you have further questions regarding our retention of your Personal Data, you can contact us (see Section 8 below).
Add Your Heading Text Here
YOUR RIGHTS WITH RESPECT TO YOUR PERSONAL DATA
In relation to the processing of your personal information by GXO, you have the following rights:
Request Access to Your Personal Data
In certain circumstances, you have the right the request the Company to rectify (i.e., correct) any inaccurate Personal Data and to have incomplete Personal Data completed.
Objection to Processing
In certain circumstances, you have the right to object to the processing of your Personal Data on grounds relating to your particular situation.
Request the Portability of your Personal Data
You may receive your Personal Data that you have provided to us in a structured, commonly used and machine-readable format and have the right to transmit it to other data controllers without hindrance. This right only exists if the processing is based on your consent or a contract and the processing is carried out by automated means.
Request Restriction of Processing of your Personal Data
You may request to restrict processing of your Personal Data in certain cases permitted under the Applicable Laws. This enables you to ask us to suspend the processing of your Personal Data, for example, if you contest its accuracy.
Request Erasure of your Personal Data
You may request us to erase your Personal Data if there is no good reason for us continuing to process it. In these cases, we will delete, destroy or anonymize the Personal Data.
Right to lodge a complaint
You also have the right to lodge a complaint with a Supervisory Authority, in particular in the EU Member State of your residence, place of employment, or the location where the issue that is the subject of the complaint occurred. For the UK this is the Information Commissioner’s Office (“ICO”)
Right to refuse or withdraw consent
In a situation where we have asked for your consent to processing, you are free to refuse to give consent and you can withdraw your consent at any time. Please keep in mind that withdrawing your consent does not have retroactive effect. This means that the withdrawal does not affect the lawfulness of past processing based on consent before its withdrawal. The Company is therefore not required to undo these past processing following the withdrawal of your consent.
CONTACT
If you wish to exercise any of the afore-mentioned rights (see Section 7) or if you have any questions regarding this Notice or other questions, comments or concerns about our privacy practices, please contact your HR manager or the Privacy Office at privacy@gxo.com .
UPDATES TO THIS NOTICE
GXO may from time to time make changes to this Notice to reflect changes in our legal or regulatory obligations. We will communicate any revised version of this Notice by posting it on the company intranet site and through other suitable means of communications. This Notice was last updated on 24th January 2023.
