Privacy

1 - OBJECTIVE
This Policy establishes general guidelines for the protection of personal data within West Cargo's corporate environment and all its Partners in Brazil and abroad (“West Cargo” or “Partners”). In carrying out its operations, West Cargo collects, handles, and stores information that may be related to identified and/or identifiable individuals (“Personal Data”). This Policy aims to:
• Comply with applicable personal data protection laws and regulations and follow best practices;
• Protect the rights of Members, clients, suppliers, and partners against the risks of personal data breaches;
• Be transparent regarding West Cargo's Personal Data Processing procedures; and
• Raise awareness across West Cargo regarding personal data protection and privacy issues.
In particular, this policy requires that the team ensures the DPO (Data Protection Officer) is consulted before any new significant data processing activity is initiated to ensure relevant compliance steps are addressed.
West Cargo is fully committed to ensuring the ongoing and effective implementation of this policy and expects all West Cargo employees to share this commitment.
Any breach of this policy will be taken seriously and may result in disciplinary action.
These TERMS OF USE were approved by the Chief Financial and Administrative Officer.


2 - SCOPE
This Policy applies to West Cargo and all its Partners, both in Brazil and abroad, and to all Members who have access to any Personal Data held by West Cargo or on its behalf.
Additional procedures may be created according to local legislation requirements.
Any applicable legislation in the regions where West Cargo operates shall prevail in case of conflict with this Policy.


3 - REFERENCES
• West Cargo Code of Conduct
• Information Security Policy
• General Data Protection Law (“LGPD”) in Brazil


4 - DEFINITIONS
Below are the definitions of terms used in this Policy beginning with capital letters.
“Anonymization”: Process and technique by which data lose the possibility of being associated, directly or indirectly, with an individual. Anonymized data are not considered Personal Data.
“West Cargo” or “Partners”: West Cargo and all its Controlled Partners in Brazil and abroad.
“CTA” or “Council” or “Technical and Administrative Council”: West Cargo's Technical Administration Council.
“Compliance Committee”: Committee supporting the Technical and Administrative Council of West Cargo.
“Privacy Committee”: A global multidisciplinary advisory committee formed by Leaders from Legal, Compliance, Risk Management, Information Security, and P&O areas, as well as representatives from each relevant regional area, to discuss relevant and critical topics on Information Security and Data Privacy.
“Compliance” or “Compliance Area”: The local person responsible for Compliance and its members.
“Consent”: A free, informed, and unequivocal expression by which the Data Subject agrees to the processing of their Personal Data for a specific purpose.
“Controller”: Legal entity, public or private, responsible for decisions regarding the Processing of Personal Data.
“Personal Data”: Any information relating to an identified or identifiable natural person, who can be identified directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more specific factors of physical, physiological, genetic, mental, economic, cultural, or social identity.
“Sensitive Personal Data”: Any Personal Data that may result in any type of discrimination, such as data on racial or ethnic origin, religious belief, political opinion, union membership, or membership of a religious, philosophical or political organization, health or sexual life data, genetic or biometric data.
“Data Protection Expert (DPE)”: Local/regional data protection specialist, with the responsibilities of a DPO, but with little or no decision-making power.
“Data Protection Officer (DPO)”: Professional responsible for data protection at the local or regional level, acting in accordance with organizational guidelines and applicable regulations. Has formal responsibilities related to privacy and information security, including acting as a liaison between the company, data subjects, and regulatory authorities. However, their decision-making power may be limited depending on corporate structure.
"Information Security Policy": West Cargo's global corporate guidelines on Information Security, which may be periodically updated.
“Guiding Documentation”: West Cargo’s formal document(s) that provide content on decisions, rules, and corporate guidelines that are essential to direct West Cargo’s work with legitimacy, traceability, and applicability and must be observed and practiced by a defined group of Members.
“Data Protection Officer” or “DPO”: The individual formally designated as responsible for data protection, as provided for in data protection laws such as GDPR and LGPD, for a specific territory. The DPO may be an employee or a third party.
“GDPR”: Regulation (EU) 2016/679 of the European Parliament of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation).
“Privacy Influencer(s)”: Key contact points in Business or Support areas or areas requiring specific attention to facilitate communication with the Corporate Privacy Leader and/or DPE, also acting as facilitators for privacy training and communication in areas with greater access to Personal Data, without decision-making power.
“Member(s)”: Employees working at West Cargo at all levels, including executives, board members, directors, interns, and apprentices (as applicable by region).
“Legal”: Area responsible for managing contracts between West Cargo and third parties.
“LFPDPPP”: Mexican law passed in 2010. Federal Law on the Protection of Personal Data Held by Private Parties, applicable to all individuals or entities that process Personal Data in the course of their activities.
“LGPD”: Brazilian legislation No. 13.709/2018, known as the General Data Protection Law, which regulates the processing of personal data and amends Articles 7 and 16 of the Internet Civil Framework.
“Leader(s)”: Any Member who leads a team.
“Corporate Privacy Leader”: A Leader independent of West Cargo's Board to ensure impartial safeguarding of Data Subjects’ rights related to the processing of their Personal Data.
“LT West Cargo”: West Cargo’s global technical leader, known in Brazil as LT West Cargo and abroad as Chief Information Security Officer ("CISO") of West Cargo.
"Policy": This West Cargo Data Protection Policy.
"Global Compliance System Policy": West Cargo's Global Corporate Compliance Policy, which may be updated periodically.
“Processor” or “Operator”: Natural or legal person, public or private, who processes Personal Data on behalf of the Controller.
“Action Plan (PA)”: Agreement between Leader and Team Member that defines the Member’s responsibilities and the Leader’s commitment to monitoring, evaluating, and deciding based on the Member’s performance.
“Pseudonymization”: Process and techniques by which data association is made difficult. Pseudonymized data are considered Personal Data due to the possibility of association with a natural person.
“R-Compliance”: The senior executive leading West Cargo’s Compliance function, known in Brazil as R-Compliance and abroad as Chief Compliance Officer ("CCO") of West Cargo.
“Information Security” or “IS”: Area responsible for protecting the integrity, availability, and confidentiality of IT systems and for implementing appropriate measures to achieve this objective. It provides technical support to the Corporate Privacy Leader and is responsible for technical and administrative measures.
“Controlled Company(ies)”: Companies in which West Cargo, directly or through other Controlled Companies, holds rights that ensure it has prevailing decision-making power and the ability to elect most of the administrators or board members.
“Third Party(ies)” or “Partner(s)”: Any person, natural or legal, acting on behalf of, in the interest of, or for the benefit of West Cargo, providing services or other goods, including business partners who provide services directly related to business acquisition, retention, or facilitation, or to conducting West Cargo affairs, including, but not limited to, distributors, agents, brokers, freight forwarders, intermediaries, supply chain partners, consultants, resellers, contractors, and other professional service providers.
“Data Subject(s)”: Identified or identifiable natural person to whom specific Personal Data refers.
“Personal Data Processing” or “Processing”: Any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.


5 - ATTRIBUTIONS AND RESPONSIBILITIES

Technical Administrative Council (“CTA” or “Council”)

  • Approve this Policy and its future amendments; and
  • Ensure the proper use of Personal Data in its activities.

Leaders

  • Be responsible for the proper use of Personal Data in the activities of their respective areas;
  • Ensure compliance with applicable laws and regulations in the country of operation, as well as ensure that their subordinates act in accordance with this Policy;
  • Review and maintain an up-to-date mapping of Personal Data at least once a year (or whenever there are significant changes), in conjunction with the responsible Compliance Area;
  • Ensure that when Consent is used for the Processing of Personal Data, it is collected and managed in a way that respects the choice made by the Data Subject and generates necessary evidence to be presented to authorities or the Data Subject when required.

Data Protection Officer (DPO)

  • Act as a communication channel between the company, data subjects, and the National Data Protection Authority (ANPD);
  • Respond to requests from data subjects regarding access, correction, and deletion of their data;
  • Supervise the application of the LGPD standards within the organization;
  • Assist in implementing data protection policies;
  • Train employees and partners on the importance of data protection;
  • Promote a culture of information security and privacy within the company;
  • Monitor and minimize risks related to the processing of personal data;
  • Evaluate contracts with suppliers and third parties to ensure compliance with data protection obligations.


6 - DATA PROTECTION AND PRIVACY POLICY

6.1 Personal Data Protection Principles:

This section outlines the principles that must be followed when collecting, handling, storing, disclosing, and Processing “Personal Data” by West Cargo to meet data protection standards in the corporate environment and comply with applicable laws and regulations in the respective countries where it operates or conducts business activities.

6.1.1 Legality, Transparency, and Non-Discrimination

West Cargo processes Personal Data fairly, transparently, and in accordance with applicable laws and regulations. West Cargo only processes Personal Data when the purpose of processing falls under one of the following legal grounds:

  • Necessity for the performance of a contract to which the Data Subject is a party;
  • Requirement under law or regulation to which West Cargo is subject;
  • Legitimate interest for processing, where such legitimate interest is communicated in advance;
  • Necessity to allow the Data Subject to exercise a regular right in judicial, administrative, or arbitral proceedings.

If the processing does not fall under any of the above conditions, West Cargo must obtain Consent from the Data Subject for processing their Personal Data and ensure that this Consent is obtained in a specific, free, unequivocal, and informed manner.

West Cargo must collect, store, and manage all Consent responses in an organized and accessible way, so that proof of Consent can be provided when necessary. Similarly, the Data Subject should have the ability to withdraw their Consent at any time as easily as it was given.

6.1.2 Limitation and Adequacy of Purpose

The processing of Personal Data must be done in a way that is consistent with the original purpose for which the data was collected. It cannot be collected for one purpose and used for another.

Any other purposes must be compatible with the original reason for which the Personal Data was collected.

6.1.3 Necessity Principle (Data Minimization)

West Cargo may only process Personal Data to the extent necessary to achieve a specific purpose. This is the principle of data minimization.

The sharing of Personal Data with another area or company must consider this principle, and data may only be shared if there is adequate legal support.

6.1.4 Accuracy (Data Quality)

West Cargo must take reasonable measures to ensure that any Personal Data it holds is kept accurate and up-to-date for the purposes for which it was collected. The Data Subject must have the option to request the deletion or correction of inaccurate or outdated data.

6.1.5 Retention and Limitation of Data Storage

West Cargo must be aware of its processing activities, retention periods, and periodic review processes. It cannot keep Personal Data longer than necessary to fulfill the intended purposes.

6.1.6 Integrity and Confidentiality (Free Access, Prevention, and Security)

West Cargo must ensure that appropriate technical and administrative measures are applied to Personal Data to protect it against unauthorized or unlawful processing, as well as against accidental loss, destruction, or damage.

The processing of Personal Data must also ensure confidentiality. Some common technical measures include Anonymization, in which Personal Data is made anonymous so that it no longer relates to an identifiable person (Anonymization must be irreversible), and Pseudonymization, in which Personal Data no longer directly relates to an identifiable person but can still be linked back to an individual if additional information is kept separately.

6.1.7 Accountability

West Cargo is responsible for demonstrating compliance with this Policy and must implement various measures including, but not limited to:

  • Ensuring that Data Subjects can exercise their rights as described in Section 5.5 of this Document;
  • Recording Personal Data activities, including:
    ◦ Records of Personal Data processing activities, describing the purposes of such processing, the recipients of the shared Personal Data, and retention periods;
  • Registering Personal Data incidents and breaches;
  • Ensuring that Third Parties who are Data Processors are also acting in accordance with this Policy and applicable laws and regulations;
  • Ensuring that West Cargo registers a Data Protection Officer (DPO) with the relevant Supervisory Authority when required;
  • Ensuring compliance with all demands and requests from any Supervisory Authority to which West Cargo is subject.

6.2 Security Standards

6.2.1 Importance of Personal Data Protection

West Cargo is committed to implementing Information Security standards and protecting Personal Data to ensure the fundamental right of the individual to informational self-determination.

6.2.2 Ensure the Security of Personal Data

Confidentiality, integrity, availability, as well as authenticity, accountability, and non-repudiation are objectives to be pursued for the security of Personal Data.

6.2.3 Obligation of Data Confidentiality

All employees with access to Personal Data are bound by confidentiality obligations regarding Personal Data, as agreed upon in the West Cargo Code of Conduct and Terms of Use when joining the company, and periodically when necessary.

6.2.4 Data Privacy by Design and by Default

When implementing new processes, procedures, or systems involving the processing of Personal Data, West Cargo must adopt measures to ensure that Privacy and Data Protection rules are adopted from the design phase to the launch/implementation of these projects.

6.3 Data Controller-Processor Relationship

Each West Cargo Partner is the Data Controller in their respective region or company, and it is necessary to appoint a responsible party to ensure that Personal Data is being processed correctly and in accordance with applicable laws and regulations in that region. In certain circumstances, a Data Controller Partner may act as a Processor for another.

6.4 International Personal Data Transfer Policy

When Personal Data is processed in countries other than where it was collected, the applicable laws and regulations regarding international data transfer of each country must be observed.

West Cargo must ensure the existence and updating of contracts for the international transfer of Personal Data.

6.5 Rights of Data Subjects

West Cargo is committed to the rights of Data Subjects, which include:

  • Information, when Personal Data is provided, about how their Personal Data will be processed;
  • Information about the processing of their Personal Data and access to the Personal Data that West Cargo holds about them;
  • Correction of their Personal Data if it is inaccurate, incorrect, or incomplete;
  • Deletion, blocking, and/or anonymization of their Personal Data in certain circumstances ("right to be forgotten"). This may include, but is not limited to, circumstances where it is no longer necessary for West Cargo to retain their Personal Data for the purposes for which it was collected;
  • Restriction of the processing of their Personal Data in certain circumstances;
  • Opposition to processing if the processing is based on legitimate interest;
  • The withdrawal of consent at any time, if the processing of Personal Data is based on the individual's consent for a specific purpose;
  • Portability of Personal Data to another service or product provider upon express request in certain circumstances;
  • Review of decisions made solely based on automated processing of Personal Data;
  • Filing a complaint with West Cargo or the applicable Data Protection Authority if the Data Subject believes that any of their Personal Data protection rights have been violated.

6.6 Third-Party Service Providers

Third-party service providers who process Personal Data under the instructions of West Cargo are subject to the obligations imposed on Data Processors according to the applicable data protection laws and regulations.

West Cargo must ensure that the service provision contract includes privacy clauses that require the Data Processor to implement security measures, as well as appropriate technical and administrative controls to ensure the confidentiality and security of Personal Data. The contract must also specify that the Data Processor is only authorized to process Personal Data when formally requested by West Cargo.

If the service provider is located outside the country where the Personal Data was collected, standard contractual clauses must be included in the Personal Data protection contract as an annex to ensure that the required safeguards under the applicable data protection laws and regulations are implemented.

6.7 Data Breach Management

All incidents and potential data breaches must be reported to the DPO, and all employees must be aware of their personal responsibility to report and escalate potential issues, as well as report any breaches or suspicions of Personal Data breaches as soon as they identify them.

When a real incident or breach is discovered, it is essential that the incidents are reported and formalized in a timely manner. Data breaches include, but are not limited to, any loss, deletion, theft, or unauthorized access to Personal Data controlled or processed by West Cargo.

6.8 Data Protection Audits

West Cargo must ensure that periodic reviews are conducted to confirm that Privacy initiatives, systems, measures, processes, precautions, and other activities, including Personal Data protection management, are effectively implemented and maintained and are in compliance with applicable laws and regulations.

Additionally, and as provided in the Internal Audit Guidelines, the subject must be evaluated periodically according to existing risks.

If the risks are significant, the Internal Audit must include a specific independent review in the annual internal audit plan.

7 - GENERAL PROVISIONS

Employees are responsible for knowing and understanding all the Guiding Documents that apply to them. Similarly, Leaders are responsible for ensuring that all employees on their team understand and follow the Guiding Documents applicable to West Cargo.

Employees who have questions or doubts regarding this Policy, including its scope, terms, or obligations, should seek clarification from their respective Leaders and, if necessary, from the West Cargo Risk Management/Compliance area.

Violations of any of West Cargo's Guiding Documents may result in serious consequences for both West Cargo and the employees involved.

Therefore, failure to comply with this Policy, or failure to report knowledge of a violation of this Policy, may result in disciplinary action for any employee involved.

If any employee and/or third party becomes aware of potential illegal or unethical conduct, including potential violations of applicable Anti-Corruption Laws and/or West Cargo's Guiding Documents, including this Document, they must immediately report the potential violation to the Ethics Line or West Cargo's Compliance area.

All Leaders must continuously encourage their subordinates to report violations to the Ethics Line. No rule set out in West Cargo's Guiding Documents, including this Document, will prevent employees or third parties from reporting concerns or illegal activities to the corresponding regulatory authorities.