© 2021 GXO Logistics, Inc. All Rights Reserved.
(d) the risks of varying likelihood and severity for rights and freedoms of Data Subjects posed by the
Processing.
Data Controllers must also conduct Data Privacy Impact Assessments (DPIA) in respect of high-risk
Processing and when implementing major system or business change programs involving the Processing
of Personal Data. You should contact the Privacy Office in order to determine whether a DPIA is required
if you are carrying out these activities.
Details of a DPIA are at Appendix 4.
10. Data Sharing and Transfer Limitations
Personal Data should only be shared with third parties if safeguards and contractual arrangements have
been put in place.
10.1. Data Sharing within the GXO Group of Companies
You may only share the Personal Data that We hold with another employee, agent or representative of
the GXO Group (which includes our subsidiaries and our ultimate holding company along with its
subsidiaries) if the recipient has a job-related need to know the information.
For transfers of Personal Data within the GXO Group We have an inter-group data sharing agreement
that governs these transfers even if they are outside of the EU to GXO companies in the United States
of America. If you are asked to transfer information outside of the EU to a country other than the United
States of America, you must contact the Privacy Office.
10.2. Data Sharing with Third Parties
You may only share the Personal Data We hold with third parties (outside of GXO), such as our service
providers, if they have a need to know the information for the purposes of providing the services and have
a fully executed written contract that contains GDPR approved third party clauses.
10.3. Data Transfers Outside of the EU
The GDPR restricts data transfers to countries outside the EEA in order to ensure that the level of data
protection afforded to individuals by the GDPR is not undermined. A transfer occurs when Personal Data
is sent from a country inside the EU to a country which is not part of the EU.
You may only transfer Personal Data outside the EEA if one of the following conditions applies:
(a) the transfer is to a GXO company in the United States of America and the recipient has a job-related
need to have the Personal Data, or
(b) the transfer is to a third party and you have confirmation from the Privacy Office that appropriate
safeguards are in place and that the Data Subject has provided Consent to the proposed transfer after
being informed of any potential risks. Or the transfer is necessary for one of the other reasons set out in
the GDPR including the performance of a contract between us and the Data Subject, reasons of public
interest, to establish, exercise or defend legal claims or to protect the vital interests of the Data Subject
where the Data Subject is physically or legally incapable of giving Consent and, in some limited cases,
for our legitimate interest.