Personal Data Processing Update

The policy of the company "ACS Air Courier Services (Cyprus) Ltd" is to offer high-quality services to its customers while ensuring full satisfaction of the requirements of its customers and other interested parties concerning the quality and security of its services. To achieve these objectives, the company’s management has adopted an operational system in accordance with ISO9001:2015 and ISO27001:2013 standards, which it implements throughout the company and in all activities impacting the quality of services and the security of the services provided. The scope of the company refers to "DOMESTIC AND INTERNATIONAL COURIER AND POSTAL SERVICES." The ambition and commitment of the management is the continuous improvement of the effectiveness of the integrated Management System, focusing on:

• The review and continuous improvement of the Quality Management and Information Security Management System, its effectiveness, and its performance in ensuring the integrity, confidentiality, and availability of information for the benefit of the company, its employees, customers, and partners.
• The establishment of measurable objectives for the quality and security of information at the corporate level, at the functional level of Departments and/or Processes, and regarding services and customer relationships. The evaluation of these objectives in terms of achievement during the system review by senior management, and the implementation of corrective actions if some objectives are not met or problems are identified.
• The identification of external and internal factors that define the operational framework of the organization, which is updated and reviewed to address business risks and exploit opportunities, taking necessary actions where deemed appropriate.
• The allocation of resources to ensure the appropriate and secure infrastructure for smooth, efficient, and effective operations in every department of the company.
• The full satisfaction of customers, respecting the legal framework.
• The safeguarding of confidentiality, integrity, and availability (Confidentiality, Integrity, Availability) of the information processed, transmitted, or stored by electronic or physical means by the staff and information systems of the company.
• The establishment of mechanisms to support the early and quick recognition and prevention of information threats, as well as an effective response when these threats materialize.
• The protection of the company’s investment in information and communication technology.
• Raising awareness of the risks to which the company's information and information systems are exposed.
• Encouraging continuous training, updating, and education of staff to promote quality and information security in every activity and to foster a culture of appropriate behavior regarding health, safety, and security matters.
• Continuous updating and effort to meet the requirements of applicable laws, regulations, and applied standards.
• Compliance with the requirements of Cypriot and European law on personal data management, communication confidentiality, intellectual property rights, etc.
• The provision of secure and high-quality services.
• The evaluation of security risks to identify and minimize risks, ensuring continuous operation even in case of significant problems for business continuity, and reviewing security measures. The company regularly assesses risks related to information security and takes necessary actions to address them. It implements a framework for evaluating the effectiveness of processes, which determines indicators, describes measurement methodologies, and generates periodic reports that are reviewed by the management to ensure continuous improvement.

This policy is reviewed periodically and is available to all interested parties.

Data Controller – Data Protection Officer (DPO)

ACS Air Courier Services (Cyprus) Ltd, located at 14 Varkizas Street, Industrial Area Strovolos, Nicosia, email: helpdesk@acscyprus.com, phone: 7777 7373, website: https://cyp.acscourier.net, informs that, for the purpose of conducting its business activities, it processes personal data of natural persons in accordance with the applicable national legislation and the European Regulation 2016/679 on the protection of natural persons concerning the processing of personal data and the free movement of such data (hereinafter referred to as the "Regulation"), as applicable.

For any matters related to the processing of personal data, please contact the Data Protection Department directly at the following contact details: Ms. Evanthia Symeou, phone: +357 22 273131, email: dataprotection@acscyprus.com.

Principles We Adhere To

Our company is committed to adhering to the following principles of personal data processing, in accordance with Article 5 of the Regulation:

1. Lawfulness, fairness, and transparency – Personal data is processed lawfully, fairly, and in a transparent manner.
2. Purpose limitation – Personal data is collected for specified, legitimate purposes and is not further processed in a manner that is incompatible with those purposes.
3. Data minimization – Personal data is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
4. Accuracy – Personal data is accurate and kept up to date; any inaccuracies are corrected promptly.
5. Storage limitation – Personal data is not kept for longer than necessary for the purposes for which it is processed.
6. Integrity and confidentiality – ACS Air Courier Services (Cyprus) Ltd has implemented reasonable technical and organizational measures, adhering to international standards and practices, to ensure the security of your data to the best of our ability, particularly protection from unauthorized or unlawful processing, accidental destruction, or damage.
7. Accountability – With this policy, made available to all interested parties, our company demonstrates that it adheres to the principle of accountability.

What Is the Purpose of Data Processing and How We Use Your Personal Data

Personal data that you provide to us, such as the following depending on the case: full name, address, email, mobile/landline phone, VAT number, ID or passport number, bank account number, signature with digital media, etc., is processed only when we have a legitimate reason to do so.

Legitimate grounds for processing your personal data include:

1. Providing the services you request and wish to receive from us, such as document delivery, small parcels, large parcels, collections on behalf of third parties, money transfers, packaging sales, energy services, etc.
2. Protecting the legitimate interests of both your interests and ours. For example, we use: i. Closed-circuit television (CCTV) and security cameras to protect the security of individuals, material assets, and facilities at all sorting centers, transshipment points, and certain stores. ii. Electronic devices to record and visualize the time and location of receipt or delivery points, including related photographs and additional location identifiers. iii. Electronic traces (e.g., IP address) on the website or mobile applications.
3. Compliance with legal obligations, such as employment and social security laws, financial record-keeping, telecommunications, and postal regulations.
4. Consent provided by you, under specific conditions set by legal frameworks, to receive updates on products, services, offers, etc.

Who Has Access to the Data

ACS Air Courier Services (Cyprus) Ltd shares personal data with third parties, to whom the company entrusts the processing of personal data on its behalf (data processors), such as agents, subcontractors, postal service providers, and collaborating companies. Personal data may also be shared with cooperating banks for the minimal necessary data to complete transactions. The company allows access to your personal data (as applicable) to its IT support company, auditors, legal advisors, and regulatory authorities for their audit functions. In such cases, ACS remains responsible for processing your personal data, defining the details of the processing, and signing a specific contract with third parties to ensure that the processing is carried out in accordance with the legal framework and that individuals can freely exercise their rights.

Retention Period

The retention period for data is determined based on the following criteria, depending on the case:

• When processing is required by applicable legal provisions, personal data is kept for the period required by the relevant laws.
• When processing is based on a contract, personal data is kept for as long as necessary for the performance of the contract and to establish, exercise, or support legal claims related to the contract.
• For personal data collected based on consent, it is kept until you withdraw your consent. You may withdraw consent at any time, and such withdrawal does not affect the legality of processing based on consent prior to its withdrawal.

For withdrawing your consent or exercising your rights, please contact the Data Protection Department of ACS Air Courier Services (Cyprus) Ltd, Ms. Evanthia Symeou, via email: dataprotection@acscyprus.com or phone: +357 22 273131.

Your Rights Regarding Your Personal Data

Every individual whose personal data is processed by ACS Air Courier Services (Cyprus) Ltd enjoys the following rights:

1. Right of access: You have the right to be informed and verify the lawfulness of the processing. You have the right to access your data and obtain supplementary information regarding its processing.
2. Right to rectification: You have the right to review, correct, update, or modify your personal data by contacting the data protection department at the contact details above.
3. Right to erasure: You have the right to request the deletion of your personal data when it is processed based on your consent or to protect our legitimate interests. In other cases, such as when there is a contract, legal obligation, or public interest, this right may be restricted or may not apply.
4. Right to restriction of processing: You have the right to request a restriction on the processing of your personal data in the following cases: a) When the accuracy of personal data is disputed and pending verification. b) When you oppose the erasure of personal data and request the restriction of its use instead. c) When personal data is no longer required for processing purposes but is necessary for establishing, exercising, or supporting legal claims. d) When you object to processing pending verification of whether our legitimate grounds override your objections.
5. Right to object to processing: You have the right to object at any time to the processing of your personal data for purposes of legitimate interests, as well as to objection-based processing for direct marketing and profiling purposes.
6. Right to data portability: You have the right to receive your personal data in a format that allows access, use, and processing with commonly used processing methods. You may also request that we transmit the data directly to another data controller if technically feasible.

To exercise any of the above rights, please contact the Data Protection Department at the contact details provided.

Right to lodge a complaint with the Commissioner for Personal Data Protection

You have the right to lodge a complaint with the Commissioner for Personal Data Protection (www.dataprotection.gov.cy):

• Phone: +357 22 818456
• Fax: +357 22 304565
• Email: commissioner@dataprotection.gov.cy

Security of Personal Data

ACS Air Courier Services (Cyprus) Ltd implements appropriate technical and organizational measures to ensure the secure processing of personal data and to prevent accidental loss, destruction, or unauthorized access, use, modification, or disclosure. However, the nature of the internet, which is open to anyone, does not guarantee that unauthorized third parties will never be able to circumvent the applied security measures and access personal data for unauthorized or unlawful purposes.

Additional Information

Personal data is shared with cooperating external courier companies for the completion of services, including the sender's and recipient’s name, delivery address, phone number, and email.

Additional Details When Data is Collected from Third Parties and Not Directly from the Data Subject

ACS collects details of recipients or senders from third parties (senders or customers) in relation to the mail items it processes. These details may include:

• Full name
• Address
• Phone number
• Email
• Geographic coordinates of address
• Additional address identification comments

These details may be obtained from ACS’s computer systems or third-party networks, client systems provided to customers, or from handwritten