iMile Delivery Services L.L.C.
IMILE POLICY DOCUMENT
IMILE DELIVERY SERVICES L.L.C. PL
2023
No.00015 Issued by: Rita Huang
Data Protection Policy
1. Purpose:
To ensure that iMile has an adequate level of Data protection as prescribed by the relevant legal frameworks,
including but not limited to the General Data Protection Regulation (GDPR). This Policy aims to guide iMile
personnel towards this purpose to ensure compliance with the Data protection laws applicable to iMile business.
2. Scope:
This policy applies to all iMile full and part time employees, agency employees, and all suppliers, vendors, and
clients who receive Personal Data from iMile, have access to Personal Data collected or Processed by iMile, or
who provide information to iMile, regardless of geographic location. iMile will not process Personal Data without a
recognized legal basis for such Processing. To ensure compliance with Data Protection Laws, iMile will correctly
establish its status for all Data Processing as either a Data Controller, or Data Processor acting for another Data
Controller.
3. Definition:
1. Personal Data: any information relating to an identified or identifiable natural person (Data Subject).
2. Data Subject: an identifiable natural person is one who can be identified, directly or indirectly, by reference to
an identifier such as a name, an identification number, location Data, an online identifier or to one or more factors
specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
3. Processing: any operation or set of operations which is performed on Personal Data or on sets of Personal Data,
whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available,
alignment or combination, restriction, erasure, or destruction.
4. Data Controller: the natural or legal person, public authority, agency, or other body which, alone or jointly
with others, determines the purposes and means of the processing of Personal Data; where the purposes and means
of such processing are determined by Union or Member State law, the controller or the specific criteria for its
nomination may be provided for by Union or Member State law.
5. Data Processor: a natural or legal person, public authority, agency, or other body which processes Personal
Data on behalf of the controller.
6. Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
7. Pseudonymisation: the processing of Personal Data in such a manner that the Personal Data can no longer be
attributed to a specific Data Subject without the use of additional information, provided that such additional
information is kept separately and is subject to technical and organizational measures to ensure that the Personal
Data are not attributed to an identified or identifiable natural person.
4. Principles
iMile will process Personal Data in accordance with the principles set forth by GDPR for the lawful Processing of
Personal Data. Processing includes collection, organization, structuring, storage, alteration, consultation, use,
communication, combination, restriction, erasure, or destruction of Personal Data. Broadly, the principles are:
4.1 Fairness, Lawfulness, and Transparency: Personal Data may only be collected and processed for specified,
explicit and legitimate purposes in a fair and transparent manner and in compliance with the applicable law. The
Data Subject must be informed of how his/her Data is being handled. In general, Personal Data must be collected
directly from the individual concerned. When the Data is collected, the Data Subject must either be aware of, or
informed of a) the identity of the Data controller b) the purpose of Data Processing and c) third parties or
categories of third parties to whom the Data might be transmitted.
4.2 Purpose Limitation: Personal Data may only be collected and processed for the purpose that was defined
before the collection, limited to what is necessary in relation to the purposes for which they are processed and may
not be further processed in a way incompatible with those purposes. Processing for archiving purposes as required
by the local laws shall not be considered to be incompatible with the initial purposes.
4.3 Data Minimization: Personal Data must be restricted to the adequate, necessary, and relevant extent to
achieve the purpose for its processing. Personal Data must not be collected in advance and stored for potential
future purposes unless the Data Subject has given consent or this is required or permitted by national law.
4.4 Accuracy: Personal Data on file must be correct, complete, and if necessary kept up to date. Suitable steps
must be taken to ensure that inaccurate or incomplete Data are deleted, corrected, supplemented, or updated.
4.5 Storage Limitation and Deletion: Personal Data must be maintained only for as long as this is
required to achieve the intended purposes of collection and processing. After the expiration of legal or business
process-related periods, Personal Data that is no longer needed must be securely deleted. Personal data may be
stored for longer periods insofar as the personal data will be processed solely for archiving purposes according to
the local laws subject to implementation of the appropriate technical and organizational measures required by
iMile to safeguard the rights and freedoms of individuals.
4.6 Integrity and Confidentiality, Data Security: Personal Data must be processed in a manner that a) ensures
adequate security of the Data against unauthorized or unlawful processing and against accidental loss, destruction,
or damage; and b) ensures Data is stored securely using suitable, modern systems and software that are kept up to date.
5. Accountability
Data Controllers must be responsible for and be able to demonstrate compliance with the principles outlined above.
To comply with these principles, iMile, where it acts as Controller, must take appropriate technical and organizational measures
(e.g., ensuring Data security, implementing Data protection policies, and recording processing activities) so that the
processing of Personal Data is safeguarded and protects the rights of the Data Subjects (“Accountability”). The
Accountability Principle states that the Controller is responsible for demonstrating compliance with the Data
protection principles. Data protection by design and by default is key to keeping to the accountability principle.
6. Lawfulness of Processing
iMile must ensure Processing is lawful and document the lawful grounds of Processing. For Personal Data to be
processed lawfully, it must be processed based on one of the following legal grounds:
1. the Data Subject has given consent to the Processing of his or her Personal Data for one or more specific
purposes.
2. Processing is necessary for the performance of a contract to which the Data Subject is party or to take steps at the
request of the Data Subject prior to entering a contract.
3. Processing is necessary for compliance with a legal obligation to which the Controller is subject.
4. Processing is necessary to protect the vital interests of the Data Subject or of another natural person.
5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official
authority vested in the Controller.
6. Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party,
except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject
which require protection of Personal Data, where the Data Subject is a child.
7. Data Security
Security must be appropriate to the likely risks to individuals if Data were lost, stolen, or disclosed to unauthorized
people. What is appropriate to the risks involved is determined by taking into account the state of the art, costs, and
the nature, scope and context of processing. Security covers both organizational (i.e., people, processes) and
technical measures.
The following factors help to ensure Data Security:
1. Pseudonymisation of Personal Data
2. Encryption of Personal Data
3. Ensuring ongoing integrity and confidentiality of data and systems that use or generate Personal Data
4. Availability and Resiliency
5. The ability to restore data in a timely manner after a physical or technical incident
6. Processes for testing security
7. Anonymity of Personal Data as required by Data Protection
8. Data protection by design and by default
iMile as a Controller shall, both at the time of the determination of the means for processing and at the time of the
processing itself, implement appropriate technical and organizational measures, such as Pseudonymisation, which
are designed to implement Data-protection principles, such as Data minimization, in an effective manner and to
integrate the necessary safeguards into the processing to meet the requirements of this Regulation and protect the
rights of Data Subjects.
Privacy and data protection should be a key consideration in the early stages of any project, and then throughout its
lifecycle. A few examples for the sake of clarity are as follows:
- Building new IT systems for storing or accessing personal data
- Developing legislation, policy or strategies that have privacy implications
- Using data for new purposes
9. Data Subjects Rights
Upon a Data Subject’s request, iMile must inform them of the collected Personal Data within the scope of the
applicable laws. In general, Data Subjects may:
1. request access to any Personal Data held about them by a Data Controller
2. prevent, object, or restrict the processing of their Personal Data, e.g., for direct marketing purposes.
3. ask to have inaccurate Personal Data amended
4. request information on the identity of the recipient or the categories of recipients if their Personal Data have
been transmitted to third parties (e.g., sub-contracted Data processors)
5. request their Data to be deleted if the processing of such Data has no legal basis, or if the legal basis no longer
applies. The same applies if the purpose behind the Data processing has lapsed or ceased to be applicable for other
reasons. Legal retention periods might override this right and must be closely monitored.
10. Obligations as Data Processor
iMile as Data Processor:
10.1 must have adequate security measures in place for processing Personal Data.
10.2 must only act on the documented instruction of the Data Controller unless required by law to act without such
instruction.
10.3 must ensure that the people processing the Data are subject to a duty of confidence.
10.4 will only engage a sub-processor with the prior consent of the Data Controller and a written contract.
10.5 will assist the Data Controller in meeting their GDPR obligations in relation to the security of processing, the
notification of personal Data breaches and Data protection impact assessments.
10.6 must maintain records of personal Data and Data processing activities.
10.7 must inform the Data Controller if it becomes aware of any breach of Personal Data.
10.8 must assist the Data Controller in providing subject access and allowing Data subjects to exercise their rights
under the GDPR.
11. Disclosure to Third Parties
Whenever iMile uses a third-party supplier or business partner to process Personal Data on its behalf, iMile must
ensure that this processor will provide security measures to safeguard Personal Data that are appropriate to the
associated risks. iMile must contractually require the supplier or business partner to provide the same level of Data
protection. The supplier or business partner must only process Personal Data to carry out its contractual obligations
towards iMile or upon the instructions of iMile and not for any other purposes. When iMile processes Personal Data
jointly with an independent third party, iMile must explicitly specify the respective responsibilities of iMile and of the
third party in the relevant contract or any other legally binding document.
12. Cross-border transfer of Personal Data
For cross-border transfers of Personal Data, adequate safeguards must be used by iMile, including the signing of a Data
Transfer Agreement as required by the European Union and, if required, authorization from the relevant data
protection authority must be obtained. The entity receiving the personal data must comply with the principles of
personal data processing.
13. Record Keeping
iMile must maintain records of processing of the following:
(a) the name and contact details of the Controller and the Data Protection Officer (if one is appointed);
(b) the purposes of the processing.
(c) a description of the categories of Data Subjects and of the categories of Personal Data.
(d) the categories of recipients to whom the Personal Data has been or will be disclosed including recipients in third
countries or international organizations.
(e) transfers of Personal Data to a third country or an international organization, including the name of the country or
international organization, and the documentation of the safeguards for the transfer (i.e., based on consent, necessary
to perform a contract, public interest).
(f) where possible, the envisaged time limits for erasure of the different categories of Data.
(g) where possible, a general description of the technical and organizational security measures.
14. Data Retention
Data can only be retained for as long as necessary for the purpose for which it was obtained. The company needs to
determine how long Data can be kept before it is either deleted or anonymized.
A procedure must be put in place to ensure that Personal Data is retained for as long as necessary for the purpose for
which it was obtained.
15. Data Breach Notification Procedure
iMile must have procedures in place to enable it to report a breach to the regulator within 72 hours of becoming
aware of it. The breach must be investigated, and details provided to the regulator about the nature of the breach,
its likely consequences, and the mitigations being taken to address it. This investigation may require assistance from
processors, so operational processes should factor this in.
16. Right to Modify and Interpret
16.1 The Legal Affairs Department has all modification and interpretation rights.
This announcement takes effect from the date of publication.
Submitted : iMile Legal Affairs Department
Mail to : All
Copy : None
Version : 1
IMILE DELIVERY SERVICES L.L.C. May 8, 2023