BRINK'S

EUROPEAN DATA PROTECTION POLICY

TABLE OF CONTENTS

This European Data Protection Policy is intended to supplement Brink's Global Data Protection Policy in light of the specific requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

In case of conflict between Brink's Global Data Protection Policy and the European Data Protection Policy, the European Data Protection Policy will prevail for any of Brink's Personal Data Processing that is subject to GDPR.

  1. PURPOSE
  2. POLICY STATEMENT
  3. SCOPE
  4. COMPLIANCE
  5. TERMS/ROLES & DEFINITIONS
  6. DATA PROTECTION OFFICER
  7. DATA PROTECTION PRINCIPLES
     G.1. LAWFULNESS, FAIRNESS, AND TRANSPARENCY
     G.2. CONSENT
     G.3. PURPOSE LIMITATION
     G.4. DATA MINIMIZATION
     G.5. ACCURACY
     G.6. STORAGE LIMITATION
     G.7. TRANSFER LIMITATION
     G.8. DATA SUBJECT'S RIGHTS AND REQUESTS
     G.9. PROTECTING PERSONAL DATA
     G.10. REPORTING A PERSONAL DATA BREACH
  H. ACCOUNTABILITY
     H.1. RECORD KEEPING
     H.2. TRAINING AND AUDIT
     H.3. PRIVACY BY DESIGN AND DPIA
     H.4. PROFILING AND AUTOMATED DECISION-MAKING
     H.5. DIRECT MARKETING
     H.6. SHARING PERSONAL DATA
  I. ANNUAL REVIEW
  APPENDIX A: DATA PROTECTION OFFICER
  APPENDIX B: DATA PROTECTION FRAMEWORK

European Data Protection Policy April 2024


A. PURPOSE

As stated in the Brink's Code of Ethics, The Brink's Company, including its affiliates and subsidiaries, is committed to protecting the privacy and security of its customers, suppliers, employees, workers and other third parties.

This European Data Protection Policy exists to affirm Brink's commitment to comply with European privacy standards in terms of the collection and Processing of Personal Data, and to set forth how Brink's protects such data.

Capitalized terms or acronyms used in this Policy have the meanings set out in the "Terms/Roles and Definitions" page.

B. POLICY STATEMENT

In the context of its business activities, including the provision of products or services or employment of Brink's Personnel, Brink's may Process, be exposed to or come into possession of Personal Data.

As the Data Controller of all Personal Data relating to Brink's Personnel and Personal Data used for commercial purposes, Brink's commits to restrict and monitor access to Personal Data, train employees in applicable privacy and security measures, maintain established procedures for reporting Personal Data Breaches, and establish data protection practices as may be practical and/or required under the circumstances.

All lines of business, Brink's Entities, and Brink's Personnel are responsible for ensuring all Personal Data is obtained and/or Processed in compliance with this European Data Protection Policy and will implement appropriate practices, processes, controls, and attend training to ensure compliance.


C. SCOPE

This European Data Protection Policy applies to all lines of Brink's business and Brink's Entities operating in the European Economic Area and the United Kingdom ("Europe"). It covers all Personal Data Processed by those Brink's Entities, regardless of the media in which the data is maintained, and may relate to prospective, past or present employees, workers, customers, clients or supplier contacts, shareholders, website users or any other Data Subjects.

This European Data Protection Policy is intended to supplement Brink's Global Data Protection Policy in light of the specific requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR"). In case of conflict between Brink's Global Data Protection Policy and the European Data Protection Policy, the European Data Protection Policy will prevail for any of Brink's Personal Data Processing that is subject to GDPR.

D. COMPLIANCE

All Brink's Personnel in Europe must read, understand, and comply with this European Data Protection Policy when Processing Personal Data on Brink's behalf. This European Data Protection Policy sets out what is expected in order for Brink's to comply with applicable law.

Compliance with this European Data Protection Policy and all Implementing Documentation is mandatory.

Any breach of this European Data Protection Policy may result in disciplinary action for Brink's Personnel in accordance with applicable law and in substantial financial penalties for Brink's (e.g., GDPR sets forth fines up to EUR 20 million or 4% of annual turnover, whichever is higher).


E. TERMS/ROLES & DEFINITIONS

3rd Party Mechanism: allows EU individuals to submit certain residual claims to arbitration to determine whether a Data Privacy Framework (DPF) certified organization violated its obligations under the DPF principles as to that EU individual, and whether any such violation remains fully or partially unremedied.

Automated Decision-Making (ADM): when a decision is made which is based solely on automated Processing, including Profiling, which produces legal effects or significantly affects an individual.

Profiling: any form of automated Processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an individual, in particular to analyze or predict aspects concerning that individual's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

Brink's Entity: The Brink's Company or any of its subsidiaries.

Brink's Personnel: all Brink's employees, contractors, directors and members.

Consent: any freely given, specific, informed and unambiguous indication of an individual's wishes by which he or she, by a statement or by a clear positive action, signifies agreement to the Processing of Personal Data relating to him or her.

Data Controller: the person or organization that determines why and how to Process Personal Data.

Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data Processing activity.

Data Protection Officer (DPO): the person or team with responsibility for monitoring Brink's data protection compliance and formally appointed as such.

Data Subject: an identified or identifiable individual about whom we Process Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.

EEA: the 27 countries in the EU, and Iceland, Liechtenstein and Norway.

EU Standard Contractual Clauses: the European Commission's standard data protection clauses for the Transfer of Personal Data to third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR.

Explicit Consent: consent which requires a clear and specific consent statement (that is, not just an action).

GDPR: the General Data Protection Regulation (EU) 2016/679.

Implementing Documentation: Brink's policies, operating procedures, processes or guidelines related to this Policy and designed to protect Personal Data.

JAMS: alternative dispute resolution (ADR) provider based in the United States.

Personal Data: any information (1) relating to an identified or identifiable individual or (2) that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. This includes information relating to an individual that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access, in particular identifiers such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject. Personal Data excludes anonymous data or data from which the identity of an individual has been permanently removed.

Personal Data Breach: any actual or reasonably suspected unauthorized or accidental access to or loss, use, alteration, destruction, acquisition, or disclosure of, Personal Data transmitted, stored or otherwise Processed by Brink's or its service providers.

Privacy by Design: integrating Personal Data Processing procedures in the technology when created so as to ensure data privacy compliance.

Privacy Notices (also referred to as Fair Processing Notices) or Privacy Policies: separate notices setting out information that may be provided to Data Subjects when Brink's collects Personal Data about them.

Processing or Process: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission or transfer to third parties, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Pseudonymization or Pseudonymized: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.

Sensitive Personal Data: Personal Data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms of the Data Subject, e.g., data revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.

Transfer: any operation or set of operations which support the communication, copy or movement of Personal Data by using a network or any other medium, to the extent that such Personal Data is intended to be Processed by the third party who receives it. Remote access to Personal Data is an example of a Transfer.


F. DATA PROTECTION OFFICER

Brink's designated a Data Protection Officer (DPO) on May 25, 2018, as per Article 37 of the GDPR.

The DPO is responsible for overseeing this European Data Protection Policy and, as applicable, developing Implementing Documentation. Contact information for the DPO is attached in Appendix A.

For the avoidance of doubt, the overall responsibility of complying with this European Data Protection Policy lies with Brink's and not with the DPO (see Accountability section below).

Please contact the DPO or the Legal Department with any questions about this European Data Protection Policy or the GDPR or with any concerns that this Policy is not being or has not been followed. In particular, contact the DPO:

  • If you are unsure of the lawful basis which you are relying on to Process Personal Data (including the legitimate interests used by Brink's);
  • If you need to rely on Consent and/or need to capture Explicit Consent;
  • If you need to draft a Privacy Notice;
  • If you are unsure about the retention period for the Personal Data being Processed;
  • If you are unsure about what security or other measures you need to implement to protect Personal Data;
  • If there has been a Personal Data Breach;
  • If you are unsure on what basis to use for a Transfer of Personal Data outside the EEA or the United Kingdom, as applicable;
  • If you need any assistance dealing with any rights invoked by a Data Subject;
  • Whenever you are engaging in a new, or change in an existing, Processing activity which is likely to require a DPIA or you are planning to use Personal Data for purposes other than that for which it was collected;
  • If you plan to undertake any activities involving Profiling or Automated Decision-Making;
  • If you need help complying with applicable privacy laws when carrying out direct marketing activities; or
  • If you need help with contracts or other areas in relation to sharing Personal Data with third parties (including our vendors).


G. DATA PROTECTION PRINCIPLES

Brink's adheres to the European data protection principles which require Personal Data to be:

  • Processed lawfully, fairly, and in a transparent manner (Lawfulness, Fairness, and Transparency);
  • Collected only for specified, explicit, and legitimate purposes and not further Processed in a manner that is incompatible with those purposes (Purpose Limitation);
  • Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimization);
  • Accurate and where necessary kept up to date (Accuracy);
  • Not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (Storage Limitation);
  • Processed in a manner which ensures its security using appropriate technical and organizational measures to protect against unauthorized or unlawful Processing and against accidental loss, destruction, or damage (Security, Integrity, and Confidentiality);
  • Not transferred to a third country without appropriate safeguards being in place (Transfer Limitation); and
  • Made available to Data Subjects and Data Subjects allowed to exercise certain rights in relation to their Personal Data (Data Subject's Rights and Requests).

Brink's is responsible for and must be able to demonstrate compliance with the data protection principles listed above (Accountability).


G.1. LAWFULNESS, FAIRNESS, AND TRANSPARENCY

Personal Data shall be collected and Processed lawfully and in a fair and transparent manner.

Lawful Processing

Any Processing carried out by Brink's as a Data Controller must have a legal basis under applicable data protection law. These legal bases include:

  • the Data Subject has given his or her Consent to the Processing of his or her Personal Data;
  • the Processing is necessary for the performance of a contract with the Data Subject;
  • the Processing is necessary to meet Brink's legal obligations;
  • the Processing is necessary to protect the Data Subject's vital interests; or
  • the Processing is necessary to pursue Brink's legitimate interests where those interests are not overridden by the Data Subjects' interests, rights and freedoms. The purposes for which we Process Personal Data on this basis need to be set out in applicable Privacy Notices.


Fair and Transparent Processing

Personal Data shall not be collected or obtained by deception or without the Data Subjects' knowledge.

When acting as a Data Controller, Brink's will provide detailed, specific information to Data Subjects depending on whether the Personal Data was collected directly from Data Subjects or from elsewhere. Such information must be provided through appropriate Privacy Notices which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand them.

Whenever Brink's collects Personal Data directly from Data Subjects, including for human resources or employment purposes, the Data Subject must be provided with a Privacy Notice containing all elements listed in Article 13 of the GDPR, including:

  • the identity of the Data Controller and DPO,
  • how and why Brink's will use, Process, disclose, protect and retain that Personal Data, and
  • the rights available to the Data Subject in relation to his or her Personal Data and how the Data Subject may exercise these rights.

Such Privacy Notice must be presented when the Data Subject first provides the Personal Data.

When Personal Data is collected indirectly (for example, from a third party or publicly available source), Brink's must provide the Data Subject with all the information required under Article 14 of the GDPR as soon as possible after collecting/receiving the data and at the latest within one month.

Notwithstanding the foregoing, the Privacy Notice must be provided:

  • if the Personal Data is used to communicate with the Data Subject, at the latest at the time of the first communication; and
  • if the Personal Data is disclosed to another recipient, at the latest at the time of the first disclosure.

Brink's must also check that the Personal Data was collected by the third party on a basis which contemplates proposed Processing of that Personal Data.


G.2. CONSENT

Brink's must only Process Personal Data on the basis of one or more of the lawful bases set out in the above section, which include Consent.

A Data Subject consents to Processing of their Personal Data if they indicate agreement clearly either by a statement or positive action to the Processing.

Consent requires affirmative action, so silence, pre-ticked boxes, or inactivity are insufficient. If Consent is given in a document which deals with other matters, then the Consent must be kept separate from those other matters.

Data Subjects must be able to withdraw Consent to Processing easily at any time and withdrawal must be promptly honored. Consent may need to be sought again if you intend to Process Personal Data for a different and incompatible purpose which was not disclosed when the Data Subject first consented.

Explicit Consent is usually required when relying on Consent for Processing Sensitive Personal Data, for Automated Decision-Making and for cross border data Transfers. Brink's will rely on another legal basis (and not require Explicit Consent) to Process most types of Sensitive Personal Data unless required. Where Explicit Consent is required, Brink's will issue a Privacy Notice together with a Consent request to the Data Subject to capture Explicit Consent. Brink's must evidence Consent captured and keep records of all Consents so that Brink's can demonstrate compliance with Consent requirements.


Disclaimer

The Brink's Company published this content on 23 April 2024 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 23 April 2024 16:35:07 UTC.