Trust Center

The Netto Trust Center offers detailed security, transparency and privacy information for the cloud services Netto provides as well as Netto’s public websites, social media engagements and marketing automation tools.

At Netto we provide services that help our customers comply with national and international law, as well as industry-specific standards and requirements such as ISO standards and the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

We are aware that, for our customers, complying with rules and regulations is critical for remaining in business, staying ahead of the competition and avoiding punitive sanctions. Therefore, rules for privacy protection and handling Personal Data are tightly embedded in our development process as well as in all processes for maintaining the service. What’s more, we make sure our services comply with all applicable laws in the markets where they are available.

For information regarding industry-specific compliance, or other details not covered here, please get in touch with us at trust@netto.eco.

Netto compliance policies

At Netto, we are committed to maintaining the highest level of integrity, security, and regulatory compliance across all aspects of our business. Our team of experts has developed comprehensive compliance strategies to ensure we meet all legal and ethical obligations.

On this page, you will find relevant documents and policies that are aligned with Netto values and way of working.

Questions, feedback, and further information

Please speak to your contact or contact our compliance team at trust@netto.eco if you have any additional questions. Our privacy policy is located here: Privacy Policy and additional security information can be found here: Security.

GDPR Compliance Statement

The EU General Data Protection Regulation (GDPR) is a privacy and data protection regulation in the European Union effective from May 25, 2018.

The GDPR imposes new obligations on organizations that control or process Personal Data and introduces new rights and protections for EU citizens.

We are committed to ensuring that your privacy is protected, and we strictly adhere to the provisions of all relevant data protection legislation, including the GDPR, ensuring all Personal Data is handled in line with the principles outlined in the regulation.

Personal Data shall be:

  • Processed lawfully, fairly and in a transparent manner in relation to the data subject.
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accurate and, where necessary, kept up to date.
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data are processed.
  • Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

We respect the rights to data privacy and protection of our customers, our customers’ customers, our employees and our contractors, and we meet the requirements of the GDPR. Our policies regarding data ownership and protection are focused on providing you with confidence that your data remains secure and under your control. We have established a number of measures to ensure that customers and their data are treated in a manner consistent with privacy principles and the new GDPR requirements.


We place a high priority on protecting and managing data in accordance with accepted standards and helping our customers utilize our products and services to the same end. Our focus with regards to GDPR is that in our solution you should be able to quickly identify End User data; quickly delete data when requested by the End User; be sure that your data is safe and secure according to the new regulations; and easily collect and document the approvals given to you from End Users calling your service.


Supplier Code of Conduct

This Supplier Code of Conduct applies to Netto’s suppliers and their subsidiaries, affiliates, and subcontractors (each a “Supplier”) providing goods or services to Netto or for use in or with Netto products. It sets out legal and social responsibility requirements for our Suppliers. These requirements are in addition to any requirements imposed by contract. References to Netto in this Code also include Netto subsidiaries and affiliates, to the extent a Supplier does business with them.

General Rules

Supplier will fully conform with the laws, rules, and regulations (collectively, “laws”) of the countries where it operates, will conform to the requirements of this Supplier Code of Conduct, and will ensure these requirements are fulfilled by its own suppliers and subcontractors. Suppliers must be able to demonstrate compliance with the Supplier Code of Conduct on request. Netto will assess conformance to these requirements and will consider a Supplier’s conformance in making sourcing and procurement decisions.

Social Responsibility Standards

Our Social Responsibility Standards are drawn from industry codes of conduct, International Labour Organization Conventions, the Universal Declaration of Human Rights, and the UN Guiding Principles on Business and Human Rights. They require all Suppliers to ensure that working conditions in their operations and supply chains are safe, that all workers are treated with respect and dignity, and that operations are environmentally responsible and conducted ethically.

Labour & Human Rights

Suppliers must uphold the human rights of workers and treat them with dignity and respect. This applies to all workers, including without limitation temporary, migrant, student, juvenile, contract and dispatch workers, as well as direct employees.

No Forced Labour

Suppliers will not use forced, bonded (including debt bondage), indentured, or involuntary prison labor, and will not engage in slavery or trafficking of any person. Suppliers will ensure that workers have access to their personal documentation (e.g., government-issued identification, passports, or work permits).

No Child Labour

Suppliers will not use child labour. We consider child labour to be the employment of anyone under 15, unless local law sets a higher threshold. Suppliers agree that workers under 18 will not work overtime or perform night work or physically demanding labour.

Working Hours

Suppliers will comply with applicable work hours and overtime laws.

Wages & Benefits

Suppliers will comply with all applicable wages and benefits laws, including those relating to minimum wages, overtime hours, and legally mandated benefits.

No Abuse

Suppliers will comply with all applicable laws on abuse of employees. Suppliers will not engage in any harsh or inhumane treatment, including but not limited to sexual harassment, sexual abuse, corporal punishment, mental or physical coercion, or verbal abuse. Disciplinary policies and procedures in support of these requirements shall be clearly defined and communicated to workers.

No Discrimination

In their hiring and employment practices, Suppliers will not discriminate based on race, color, age, gender, sexual orientation, gender identity and expression, ethnicity, disability, pregnancy, religion, political affiliation, union membership, covered veteran status, protected genetic information, marital status, or any other category protected under applicable law. Workers or potential workers should not be subjected to medical tests or physical exams that could be used in a discriminatory way.

Freedom of Association

Suppliers will comply with all applicable laws on freedom of association and collective bargaining. Workers’ right to associate freely, seek representation, and join worker councils will be respected.

Health & Safety

Suppliers recognize that a safe and healthy work environment minimizes work-related injury and illness, enhances the quality of products and services, and boosts consistency of production and worker retention and morale.

Environment

Suppliers shall manage their operations responsibly in relation to environmental risks and impacts and adopt a precautionary approach in their business operations. Resources such as water and energy shall be used efficiently.

Waste management and pollution prevention

Suppliers shall endeavor to avoid or reduce any waste and emissions to air, water and soil as a result of their business activities. Efficient technologies should be used which aim to reduce the environmental impact as much as possible.

Ethical Requirements

Ethics and business integrity

Suppliers shall conduct their business in compliance with legal requirements and adhere to internationally agreed standards of business ethics.

Legal compliance

Suppliers must comply with all applicable laws, rules and regulations in the countries where they carry out their business activities. In particular, Suppliers shall abide by all applicable regulations aimed at preventing, detecting and remedying economic crime, in particular fraud, extortion, money laundering and other related crimes.

Anti-corruption

Suppliers shall work against all forms of corruption. Suppliers must not engage in or tolerate any form of corruption, bribery, extortion or embezzlement. Suppliers must not offer or accept any benefits or other means to obtain any undue or improper advantage. Such improper benefits may comprise cash, non-monetary gifts, pleasure trips or services and amenities of any other nature.

Protection of third-party rights and information

Suppliers must protect all Netto information, electronic data and intellectual property, as well as Netto technologies and standards, with appropriate safeguards. Suppliers shall comply with their obligations not to disclose confidential information, not to use the information except as permitted by the agreement or by law, and to protect the information by safeguarding it against misuse, theft, fraud or improper disclosure.

Fair competition

Suppliers are always expected to compete as forcefully and constructively as possible while complying with international and national competition laws and regulations regarding fair competition.

Reporting Questionable Conduct

Suppliers and their employees should report possible violations of the Supplier Code of Conduct or other questionable behavior. Report by email at trust@netto.eco.

Human Rights Policy

Our Commitment

At Netto, we believe businesses can play a critical role in promoting, respecting, and advancing human rights. Guided by our company values as well as the UN Guiding Principles on Business and Human Rights, we are committed to upholding human rights in our workforce, in our business practices, and within our broader global communities. Our community of employees, customers, investors, partners, and vendors includes a diversity of race, ethnicity, language, religion, political affiliation, sexual identity, sexual orientation and more. We celebrate the diversity of our people and are committed to practices and policies that support dignity and respect for all.

Respect for Human Rights

Netto’s business operations and policies uphold the principles of internationally recognized human rights. We respect human rights in the workforce, in our business operations, and in our supply chain. In line with our commitment to the highest standards of legal and ethical business conduct, we support the elimination of modern slavery and human trafficking as set forth in the United Nations Declaration of Human Rights. Our Code of Business Conduct and Ethics (the “Code”) reflects these values and prohibits any unlawful or unethical activity by any of our directors, officers, employees, or consultants. We require completion of training on our Code for every employee. Through our employee volunteering, company donations, and products, we regularly support organizations which align with our mission to promote dignity, inclusion, and respect for all people. Our global policy applies to all the jurisdictions in which we operate.

Governance and Stakeholder Input

We review our Human Rights Policy annually. This statement is approved by our Board of Directors. We take the input of our stakeholders seriously. We have incorporated and will incorporate feedback we receive in engagements with our investors and customers regarding human rights in the development and implementation of this policy. As we build upon and monitor the effectiveness of our policies, our commitment is to continue to be transparent regarding that process with that stakeholder community.

Reporting and Grievance Processes

For any suspected violations of this policy by a member of our community (an employee or an employee of one of our suppliers), please report your concerns by emailing privacy@netto.eco.

In our workforce:

  • We prohibit the use of any forms of forced labor, modern slavery, and any form of human trafficking.
  • Following all applicable local government regulations in the markets we operate in, we prohibit the hiring of individuals under the age of 18.
  • We support the protection of the human rights of underrepresented communities and women’s rights. We strictly prohibit discrimination or harassment of any kind on the basis of race, color, religion, creed, sex or gender, gender identity, gender expression, sexual orientation, marital status, medical condition, national origin, ancestry, mental or physical disability, genetic information, request for leave, age or any other characteristics protected by law.
  • We support employees with a safe, healthy, inclusive, and equitable workplace.
  • We are committed to a fair wage for all employees.
  • We believe that our global diversity, equity and inclusion efforts start with our people knowing that they are valued where they work. Netto supports and encourages our employees to engage in work against social injustice and social discrimination.
  • Pay equity is a priority. We commit to reviewing, no less than annually, our pay practices and parity in markets where we have a significant presence and making adjustments where needed. We offer market competitive and relevant benefits globally in each market. Our goal is to consistently build an equitable and inclusive workplace experience for all our employees globally, offering all our employees opportunities to thrive—from parental leave to mental health support to opportunities to volunteer and develop their professional skills.
  • We respect the rights of our employees to associate, bargain collectively, join or not join trade unions, seek representation, and join workers’ councils in accordance with local laws, free from intimidation or retaliation.

In our business operations:

  • We respect each individual’s right to privacy with all of our data sources: the personal data of customers, candidates or employees, and ticket content.
  • All information related to our business and customers is considered proprietary and confidential unless it has been publicly released.
  • We prioritize customer trust. We know that the security and integrity of customer data is important to our customers’ values and operations. That is why we keep it private and safe.
  • We inform and seek approval from the Data Controller (customers) about any requests for personal information. No information is shared with any third party without written consent from the Data Controller.
  • We have developed security protections and control processes to help our customers ensure a secure environment for their information.
  • We maintain an internal risk assessment process, which is updated on an annual basis. Risks related to cybersecurity, privacy and quality are also revised annually.
  • To protect the interests of companies that use Netto and their customers, our Terms and Conditions (link to..) make it clear that engaging in or supporting objectionable or harmful activity and content is prohibited on our products, and anyone can report a suspected violation.

In our supplier and vendor process:

  • We believe in respecting human rights beyond our own business practices and expect the same level of effort in our suppliers.
  • Per our Supplier Code of Conduct, suppliers must share and confirm they will adhere to Netto’s commitment to human rights and equal opportunity in the workplace and must conduct their employment practices in full compliance with all applicable laws and regulations.

Privacy Policy

Netto complies with all data protection and privacy laws generally applicable to Netto’s provision of Netto System and is committed to safeguarding the privacy of all our business processes. This policy sets out how we will treat your personal information.

Scope and acceptance

This Privacy Policy applies to all business processes in Netto and to all Netto websites, domains, mobile solutions, cloud services and communities, as well as Netto-branded websites and third-party social networks (e.g. Facebook) (Netto Sites). Any specific appendices for Netto System will be found in the Terms of Service or equivalent for the service in question.

The Privacy Policy provides information about data processing carried out by Netto when Netto determines the purpose and means of the processing (Netto as data controller), and data processing we do on behalf of our Customers based on their instructions (the Customer as data controller and Netto as data processor).

Personal Data is any information that can directly or indirectly identify a living individual, such as an email address, street address, phone number or IP address. Processing your Personal Data is necessary for us to serve you or our Customers. By providing us with your Personal Data, you accept the practices and terms described in this Privacy Policy. Please do not use Netto Sites or provide your Personal Data if you do not agree.

Whose data we process

Netto processes data about contact persons and software users among our Customers, including persons representing potential new Customers who approach us via Netto Sites or other channels. Our policy in this regard is set out in the data controller section.

We also process data about our Customers’ employees and data about other persons that the Customer controls. Our policy in this regard is set out in the data processor section. In this policy, data subjects may also be referred to as persons or you.

Netto as a data controller

When Netto determines the purpose and means of data processing we act as a data controller. Netto controls Personal Data that we collect in the context of you being employed by a Customer that has or may have a business relation to Netto, or you declare that you want to receive information from us based on your own or your employer’s interests. When you represent a Customer of Netto, your rights are the same as if you were a private person only representing yourself.

Why do we collect and use personal data?

To manage our Customer relations in general and to meet our Customer commitments, Netto requires some information about you in your role as Customer contact person or user of a Netto System. We also collect data about suppliers and partners for the following purposes:

  1. Perform deliveries in accordance with a customer agreement.
  2. Offer support to users of our services.
  3. Improve the quality of Netto System and Netto Sites.
  4. Detect and prevent security threats and perform maintenance and debugging.
  5. Prevent abuse of our software and services.
  6. Communicate information that is relevant for our deliveries and our customer relations in general.
  7. Process orders, invoicing, payments and other financial follow up of Customers.
  8. Payment of services purchased through Netto Sites.

Processing according to the above listed purposes (1 to 8) is necessary for us to manage our customer relations. Therefore, Netto does not, as an additional ground, ask for your consent to process your Personal Data. We do not consider that the processing disadvantages you in any way. We will also collect information about you as a contact person or user of a service. We collect and use Personal Data mainly to perform direct sales, direct marketing and customer service, including:

  1. To manage your access to our web-based services (Netto System).
  2. Send you marketing communications which you have requested. These may include information about our products and services, events, activities, and promotions of our associated partners’ products and services. This communication is subscription based and requires your consent.
  3. Send you information about the products and services that you have purchased from us or are related to the services you are already using.
  4. Perform direct sales activities in cases where legitimate and mutual interest is established.
  5. Provide you content and venue details on a webinar or event you signed up for.
  6. Reply to a “Contact me” or other web forms you have completed on one of our Netto websites (e.g. to download a whitepaper).

The basis for Netto’s processing of Personal Data for the above purposes (I) is that the processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract. Your consent may be given freely on Netto Sites when applicable. Please note that the collection of individual Personal Data is required to gain user access to many of our programs and services and to access the information you have requested.

To protect your security and ours we will also store information about you when you visit our premises. You will be informed of your rights in this context when you register in our electronic visitor system.

When do we collect your personal data?

In general, Netto collects data directly from you or other persons linked to the Customer company where you are employed. These persons may be a manager or colleague. If the Customer you work for purchases Netto System via a Netto partner company, we may collect information about you from the partner company.

We collect your Personal Data when you interact with us in person, through correspondence, by phone, by social media, or through our websites.

We will also, with your consent, use cookies and other tracking technology when you use Netto Sites to optimize your experience of these. Please see the paragraph describing automatic data collection tools for more information about these technologies and your rights in this context.

In some cases, we may also collect information about you from other legitimate sources if you have given your consent that the party collecting the Personal Data may share this with others. These sources may be third-party data aggregators, Netto’s marketing partners, public sources or third-party social networks. Netto will be able to combine Personal Data about you obtained from one source with data obtained from another source. This gives us a more complete picture of you as a contact person, which also gives us the possibility of serving you in a more relevant way with a greater degree of personalization.

Automatic data collection tools

This section is only applicable to the Netto website www.netto.eco and country specific versions of the website. Digital marketing software cookies (incl. Google) are never used for any services provided to customers where Netto is a processor of personal data.

Netto uses a variety of technologies to collect information about your movements on the web as well as interests and preferences you have freely made available.

Netto uses digital marketing software that uses cookies in order to recognize a return visitor as a unique user. The cookies placed by this software are readable only by the vendor of the software, and cookies cannot access, read or modify any other data on your computer. We do link the information we store in cookies to any personally identifiable information you submit while on our site.

Google

Google Analytics: This cookie allows us to see information on user Website activities including, but not limited to page views, source and time spent on a Website. The information is depersonalized and is displayed as numbers, meaning it cannot be tracked back to individuals. This will help to protect your privacy. Using Google Analytics, we can see what content is popular on our Website, and strive to give you more of the things you enjoy reading and watching.

Google Analytics Remarketing: Places cookies on your computer which means that after you leave our website, Google can show you advertisements about Netto that you might be interested in, based on your previous behavior on our website. This information is not personally identifiable.

Google AdWords: By using Google AdWords code, we can see which pages helped lead to contact form submissions. This allows us to make better use of our paid search budget. This information is not personally identifiable.

Google AdWords Remarketing: Places cookies on your computer which means that after you leave our website Google can show you advertisements about Netto that you might be interested in, based on your previous behavior on our website. This information is not personally identifiable.

You can prevent the information generated by the Google cookie about your use of our Sites from being collected and processed by Google in the future by downloading and installing Google Analytics Opt-out Browser Add-on for your current web browser. This Add-on is available at https://tools.google.com/dlpage/gaoptout

How to accept or reject cookies

There are several different ways in which you can accept or reject some or all cookies on our site. Some of the most common methods of doing so are described below.

You are welcome to block the use of some or all the cookies we use on our website. However, please be aware that doing so may have an impact on our site’s performance and its functionality or may even render some or all of it unusable.

You should also know that clearing all cookies from your browser will also delete any cookies that are storing your preferences, for example, whether you have accepted cookies on a website or any cookies that are blocking other cookies.

You can find more detailed information about cookies and changing your browser settings by visiting www.allaboutcookies.org

Accepting or rejecting cookies

Browser settings

You can accept or reject some or all cookies (for example, blocking all third-party cookies) by changing your browser settings. If you need assistance to do this, the links below provide information on how to adjust your browser settings for some of the most commonly used web browsers:

Some browsers, such as Chrome and Firefox, allow you to adjust your settings to browse in ‘incognito’ mode, limiting the amount of data placed on your machine and automatically deleting any persistent cookies placed on your device when you finish your browsing session. There are also many third-party applications which you can add to your browser to block or manage cookies.

Clearing existing cookies

To clear cookies that have already been placed on your browser, you should select the option to clear your browsing history and ensure that the option to delete or clear cookies is included when you do so.

Google Ad settings

You can manage and opt out of personalization of advertisements by Google by visiting Google’s ad settings page here and by:

  • unticking the button entitled ‘Also use Google Account activity and information to personalize ads on these websites and apps and store that data in your Google Account’; and
  • switching the ‘Ads Personalization’ setting off (i.e. by ensuring the switch at the top of the page is set to the left/gray and not the right/blue).

Alternatively, you can install a free browser plugin here: https://support.google.com/ads/answer/7395996

Google Analytics Opt-out Browser Add-on

You can opt out of Google Analytics tracking by installing the browser add-on which is available here: https://tools.google.com/dlpage/gaoptout

What personal data we process

The type of data that Netto processes about you may be:

  • Your own and the Customer’s contact details such as name, telephone number and email.
  • Employment information about you at the customer company, such as job title and position, including preferences and interests in a professional context.
  • Feedback, comments or questions about Netto as a supplier, or concerning our services.
  • Photos or video of you recorded at our premises.
  • Content you have uploaded such as photos and videos.
  • Unique user information such as login ID, username, password and email.
  • Financial information such as credit card information.
  • Traffic information as provided by your web browser such as browser type, language and the address of the website from which you arrived and other traffic information such as IP address.
  • Clickstream behavior such as which links you click and when.
  • Other Personal Data contained in your profile on third-party social networks (Facebook etc.).

We may also in some cases compare a collected IP address with a geographic map service to derive your general location.

If you make a post, comment or similar on any public forum or Netto Site, such information can be read and used by anyone with access to the site and used for purposes over which neither Netto nor you have control. Netto is not responsible for any information you submit on such forums or Netto Sites. Netto will not post any comment, testimonial or similar made by you without your prior consent.

How we share your personal data

  • Netto shares your personal data within the organization to better serve you as a customer or interested party of us.
  • Netto does not share your personal data with third parties who intend to use the data for marketing purposes if you have not given your consent to this.
  • Netto may share your personal data with third parties for other purposes but only in the following contexts:

Business partners

Netto may share your personal information with our partners in the event this is legitimate from a business perspective. For example, if you purchase a service on behalf of your employer that we provide through one of our certified partners.

Public Authorities

The police and other authorities may demand the handover of personal information from Netto. In these cases, Netto will only hand over the data if there is a court order to do so.

M&A

In connection with mergers, acquisitions, investments or divestiture of all or parts of Netto’s business, the acquiring entity as well as its consultants will obtain access to data managed by Netto. The acquiring entity and its consultants will enter into an NDA with Netto, which will also cover potential disclosure of Personal Data.

Your rights

Access and rectification

You have the right to request a copy of your Personal Data. You may send us a request for this. You also have the right to request that Netto corrects any inaccuracies in your Personal Data. If you have an account with Netto for a Netto Site, this can usually be done through the appropriate “your account” or “your profile” section(s) on the Netto Site (if available) or inside your Netto System. To manage subscription settings for Netto Newsletters, please click the “Manage my subscription” link at the bottom of the emails you receive. Alternatively, you can send us a request to rectify your data.

Right to erasure (‘right to be forgotten’)

If you no longer have any business with Netto, you can send us a request to delete your data.

Right to opt-out of marketing communications

You have the right to opt-out of receiving marketing communications from Netto and can do so by:

  • following the instructions for opt-out in the relevant marketing communication, or
  • contacting us via email at trust@netto.eco.

Please note that even if you opt-out from receiving marketing communications, you may still receive administrative communications from Netto, such as order confirmations and notifications about your activities (e.g. account confirmations and password changes).

Data security and retention

Netto takes the trust you place in us seriously. Netto is committed to preventing unauthorized access, disclosure or other improper processing of your data. Further, Netto is committed to ensuring proper use of the information, maintaining data integrity and securing data availability. As part of our commitment, we utilize reasonable and appropriate physical, technical, and administrative procedures and measures to safeguard the information we collect and process.

More information about security can be found in the Security section of this document.

Please note that these protections do not apply to the Personal Data that you choose to share in public areas such as community websites.

How long we store your personal data

Netto will only retain your Personal Data for as long as necessary for the stated purpose, while also considering our need to answer queries or resolve problems and to comply with legal requirements under applicable laws.

This means that we may retain your Personal Data for a reasonable period after your last interaction with us. When the Personal Data that we collect is no longer required in this way, we destroy or delete it in a secure manner. We may process data for statistical purposes, but in such cases, data will be anonymised.

Netto as a data processor

Netto provides different services to our Customers. These services involve processing of the Customers’ data and may include processing of Personal Data. The purpose of this processing is determined by our Customers and not by Netto. The Customer is then the data controller for the data subject’s data. In such cases Netto acts as data processor and processes the data on behalf of, and according to instructions given by, the Customer. When acting as data processor, Netto is, in accordance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), committed to entering into a data processing agreement (DPA) with the Customer. The Customer has agreed and guaranteed that:


  • The Customer is the owner of or otherwise has the right to transfer the data to Netto for processing and has the responsibility for the accuracy, integrity, content, reliability and legality of the Personal Data.
  • It is the Customer’s duty as data controller to notify, to the extent required by applicable law, the relevant supervisory authorities and/or the data subject in the event of any breach or unauthorized disclosure of Personal Data.
  • Customer complies with applicable legal requirements for privacy, data protection, and confidentiality of communications related to its use of Netto System.

Customer Data Processing

When acting as a data processor, Netto is responsible for providing technical and organizational security measures to safeguard your privacy on behalf of our Customer – the data controller.

As data processor, Netto will not process Personal Data in any other manner or for any other purpose than authorized in the agreement with the data controller. Customer Data will be used only to provide Customer the Netto System. This may include troubleshooting aimed at preventing, detecting and repairing problems affecting the operation of the Netto System and the improvement of features that involve the detection of, and protection against, emerging and evolving threats to End-Users (such as malware or spam).

Data subjects having questions, comments, claims or any other issues regarding their Personal Data that Netto is data processor for, must submit these to the data controller. As a data processor, Netto will not give any data subjects access to their Personal Data without instructions given by the data controller to do so.

If governmental authorities or the police request disclosure of Personal Data, Netto will redirect the request to the data controller. As part of this effort, Netto may provide Customer’s basic contact information to the contacting agency. Netto will provide non-public information about internal systems and routines for data processing to Customers and collaboration partners upon request and NDA.

Customer Data Processing Locations

Netto uses Amazon Web Services’ EU-based Data Centres in Ireland.

Customer Data – Individuals’ Rights

The GDPR provides the following rights for individuals:

  • The right to be informed.
  • The right of access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.
  • Rights in relation to automated decision making and profiling.

For the Term of the Agreement for the Netto System, Netto will, as necessary under General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), either:

  1. provide Customer with the ability to safely access, correct, delete, or download Customer Data, or
  2. make such access, corrections, deletions, or download on Customer’s behalf.

Sub-Processors

Netto may hire other companies to provide limited services on its behalf, such as providing specific modules or extensions to the Services. Any such Sub-Processor will be permitted to obtain Customer Data only to deliver the Services Netto has retained them to provide, and they are prohibited from using Customer Data for any other purpose. Netto remains responsible for its Sub-Processors’ compliance with the obligations of the Agreement. Any Sub-Processor to whom Netto transfers Customer Data will have entered into a written agreement with Netto requiring that the Sub-Processor provides at least the same level of privacy protection with respect to Personal Data received from Netto as is required by the relevant General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) principles.

Transfer of Customer Data

Customer Data that Netto processes on Customer’s behalf may be transferred to and stored and processed in Norway or any other country within EU/EEA or approved country in which Netto or its Affiliates or Sub-Processors maintain facilities. Customer appoints Netto to perform any such transfer of Customer Data to any such country and to store and process Customer Data in order to provide the Netto System.

Netto will not transfer to any third-party (not even for storage purposes) Personal Data Customer provides to Netto through the use of the Netto System unless agreed upon in the Agreement between Customer and Netto.

Netto Personnel

Netto personnel will not process Customer Data without authorization. Netto personnel are obligated to maintain the confidentiality of any Customer Data and this obligation continues even after their engagement ends.

Netto stores your data in secure operating environments that are only accessible to Netto employees and Sub-Processors on a need-to-know basis. Netto also follows generally accepted industry standards in this respect.

Security

Introduction

Netto offers cloud solutions and has established policies, processes, methods and technologies, and embraced proven standards, to meet our Customers’ availability and security requirements.

It is important to Netto to be recognized as a trusted partner for all Customers. Netto has implemented and will maintain appropriate technical and organizational measures intended to protect Customer Data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction.

The nature of threats is constantly changing; thus, security is a natural part of Netto’s development and operational processes.

This document is a high-level overview of the technical and organizational measures and controls Netto has implemented to protect Personal Data and ensure the ongoing confidentiality, integrity and availability of the Netto System.

Netto may change these measures from time to time. As a result, individual measures may be replaced by new measures that serve the same purpose or deal with the same risks without materially diminishing the security level.

Definitions

Within this document, the following definitions apply:

  • Customer means any purchaser of the Netto System.
  • Customer Data means any information provided or submitted by the Customer or Customers’ End User in the creation, use, participation or reporting of the Netto System that Netto processes on behalf of the Customer.
  • Personal Data means any information provided or submitted by the Customer or End User in the creation, use, participation or reporting of the Netto System relating to any identified or identifiable natural person that Netto processes on behalf of the Customer.
  • Personnel means Netto employees and authorized individual contractors.
  • Netto or Netto Group means Netto AS and its subsidiaries. When Netto Personnel or systems are referred to, this includes Netto AS and all its subsidiaries.
  • Information Security Management System “ISMS” is a set of policies and procedures for systematically managing an organization’s sensitive data. The goal of an ISMS is to minimize risk and ensure business continuity by pro-actively limiting the impact of a security breach.
  • Board of Management means senior management in Netto.
  • Controller is the entity that determines the purposes and means of the processing of Personal Data. The Customer is the Controller and Netto the Processor.
  • Processor is the entity that processes Personal Data on behalf of the Controller. Netto processes Personal Data on behalf of its Customers.
  • Subcontractor is a person or a business that is engaged by Netto to support specific parts of, or extensions to, the Netto System. A Subcontractor does not process Customer Data.
  • Service or Services means services delivered by Netto.
  • Data subject is any person whose personal data is being collected, held or processed.
  • End User means a data subject contacting and communicating through one of the Services provided by Netto.

Technical and organizational measures

Organization of Information Security

Objective

Netto has a security organization that covers all relevant areas of the business. Netto has appointed one or more security officers responsible for coordinating and monitoring the security policies and procedures. Netto ensures that its Personnel are competent in information security.

Measures include

  • Netto has a comprehensive set of information security policies, approved by the Board of Management and disseminated to all Personnel.
  • Netto security policies are reviewed at least annually and updated whenever needed.
  • All Netto Personnel have signed legally reviewed confidentiality agreements that apply during and post-engagement.
  • Failure of Personnel to follow information security policies can be treated as a disciplinary matter and lead to sanctions, including dismissal.
  • Data Protection by design and default is a basic principle for the Netto System.
  • Netto is committed to continual improvement of its security.

System Access

Objective

Netto data processing systems are used only by approved, authenticated users.

Measures Include

  • Access to Netto internal systems is granted only to Netto Personnel and/or to permitted employees of Netto’s Sub-Processors and access is strictly limited as required for those persons to fulfill their function.
  • All users access Netto Systems with a unique identifier (user ID).
  • Netto has established a password policy that prohibits the sharing of passwords and requires passwords to be changed on a regular basis and default passwords to be altered. All passwords must fulfill the defined minimum requirements.
  • A second factor of authentication is required for access to online systems containing Personal Data.
  • Only secure protocols are in use for remote administration (e.g. SSH v2, RDP and HTTPS).
  • Remote administration of the Netto System uses industry standard VPN technology where applicable.
  • Netto has a thorough offboarding process to deactivate users, their access and data when a user leaves the company or a function.
  • An Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) is deployed at the production data center to help identify potential inappropriate access.
  • For Customer access to the system, Netto provides a wide range of authentication capabilities.
  • Netto maintains a responsibility matrix linking assets and technology to responsibility owners.
  • Netto maintains an asset register containing all parts of the Netto System.

Data Access

Objective

Persons entitled to use data processing systems gain access only to the Personal Data that they are authorized to access.

Measures Include

  • Netto restricts Personnel access to files and programs on a “need-to-know” basis.
  • Personnel training covers access rights to and general guidelines on definition and use of Personal Data.
  • Where appropriate and practical, Netto employs data minimization and pseudonymization to reduce the likelihood of inappropriate access to Personal Data.
  • The production environment for the Netto System is separate from the development and testing environment, and development Personnel do not have access to the production environment other than under troubleshooting scenarios.
  • Netto uses up-to-date anti-malware software on all appropriate computers and servers.
  • Netto uses well-configured firewalls for the Netto System.
  • The Netto System contains versatile capabilities to set roles and permissions to let Customers manage authorizations so that Personal Data is only made available to appropriate users when needed.
  • Netto ensures that appropriate Personnel receive alerts and notifications from system software vendors and other sources of security advisories, and installs system software patches regularly and promptly.
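The list above names data minimization and pseudonymization as measures that reduce the exposure of Personal Data, for instance when data is kept for statistical purposes. The example below is added here to show what that looks like in practice; it is illustrative code, not Netto’s implementation, and the record layout, field names, keys and sample records are constructed for the example. Two points matter for a practitioner: fields the purpose does not need are dropped rather than hashed, and the pseudonym is a keyed HMAC rather than a plain hash, because a plain hash of an e-mail address can be reversed by hashing a list of candidate addresses. Using a different key per data set means two pseudonymised sets cannot be joined on the subject.

```python
"""Added example: data minimization plus keyed pseudonymization.

Illustrative code, not Netto's implementation. The record layout, field
names, keys and sample records below are constructed for this example.
"""
import hashlib
import hmac
from typing import Iterable

# Constructed sample records, as a support system might hold them.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "name": "Alice Example", "ticket_id": 1001,
     "category": "billing", "resolution_minutes": 42, "notes": "Refund issued"},
    {"email": "bob@example.com", "name": "Bob Example", "ticket_id": 1002,
     "category": "login", "resolution_minutes": 7, "notes": "Password reset"},
    {"email": "alice@example.com", "name": "Alice Example", "ticket_id": 1003,
     "category": "billing", "resolution_minutes": 15, "notes": "Invoice copy sent"},
]

# Data minimization: only the fields the statistics purpose needs survive.
# Names, ticket ids and free-text notes are removed, not just obscured.
STATS_FIELDS = ("category", "resolution_minutes")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed (HMAC-SHA256) pseudonym for an identifier.

    The key is the secret that makes the mapping non-reversible for anyone
    who does not hold it; it must be stored separately from the output.
    Identifiers are normalised first so that case or whitespace variants of
    the same address map to the same pseudonym within one data set.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def minimize_and_pseudonymize(records: Iterable[dict], key: bytes) -> list:
    """Return statistics rows keyed by pseudonym, with direct identifiers removed."""
    rows = []
    for rec in records:
        row = {"subject": pseudonym(rec["email"], key)}
        row.update({field: rec[field] for field in STATS_FIELDS})
        rows.append(row)
    return rows


def leaks_direct_identifiers(rows: list, records: Iterable[dict]) -> bool:
    """Check used before release: does any raw e-mail or name survive in the output?"""
    blob = repr(rows).lower()
    return any(r["email"].lower() in blob or r["name"].lower() in blob for r in records)


def tickets_per_subject(rows: list) -> dict:
    """A statistic that still works on the pseudonymised rows (joins within one set)."""
    counts: dict = {}
    for row in rows:
        counts[row["subject"]] = counts.get(row["subject"], 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed keys; in a real deployment these come from a key store,
    # never from the code or the data set they protect.
    stats_key = b"constructed-key-for-the-statistics-set"
    rows = minimize_and_pseudonymize(SAMPLE_RECORDS, stats_key)
    print(rows)
    print("leaks identifiers:", leaks_direct_identifiers(rows, SAMPLE_RECORDS))
    print("tickets per subject:", tickets_per_subject(rows))
```

Note that the keyed pseudonym is reversible by whoever holds the key, so the output is pseudonymised, not anonymised; for the anonymised statistics the retention section describes, the key would be destroyed once the aggregate has been computed.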

Data Transmission

Objective

Prevent Personal Data from being read, copied, altered or deleted by unauthorized parties during transfer.

Measures Include

  • Customer access to the Netto System is protected by encrypted protocols.
  • Netto configures TLS for security. For an up-to-date report on our configuration, see https://www.ssllabs.com/ssltest/analyze.html?d=netto.eco
  • Netto uses encryption for all other transmissions of Personal Data outside the production data center.
  • Netto web servers only use certificates issued by recognized third-party certificate authorities.
  • Any Personal Data stored outside the production data center is protected by encryption at rest.

The Customer is responsible for the security of Personal Data once it has been transmitted from Netto to the Customer including when downloaded or accessed by Customer users.

Confidentiality and Integrity

Objective

Personal Data remains confidential throughout processing and remains intact, complete and current during processing activities.

Measures Include

Netto has a defense in depth approach to ensuring confidentiality and integrity and many of the measures in other sections of this document safeguard confidentiality and integrity. Some other measures that contribute include:

  • Netto has a background check procedure and carries out background checks on all new Personnel with access to Personal Data.
  • All Netto Personnel are obligated to sign confidentiality agreements and must adhere to business & ethics conduct policies.
  • Netto has a central, secured repository of product source code, which is accessible only to authorized Personnel.
  • Security testing includes code review and employing static code analysis tools on a periodic basis to identify flaws.
  • Netto does not use Customer Data in training.
  • Netto has a procedure for vulnerability management to ensure confidentiality, integrity and availability.

Availability

Objective

Personal Data is protected from accidental destruction or loss, and there is timely access, restoration or availability to Personal Data in the event of an incident.

Measures Include

  • Netto uses a high level of redundancy at the production Data Centers so that an availability failure of a single system or component is unlikely to impact general availability.
  • The production Data Centers have multiple power supplies, on-site generators and battery backup to safeguard power availability to the Data Centers.
  • The production Data Centers have multiple access points to the Internet to safeguard connectivity.
  • The production Data Centers are monitored for power, network, environmental and technical issues.
  • Netto uses commercially reasonable efforts to create frequent backup copies of Personal Data and these are duplicated (cross-site) between the production Data Centers.
  • Netto has a system in place to ensure that any failures of backup to operate correctly are flagged and dealt with.
  • Netto performs restore tests from those backups at least quarterly.
  • Netto has a business continuity plan in place which is regularly updated.
  • Netto tests elements of its business continuity plan regularly and learns from the results of such tests.
  • DDoS protection is installed and protects internet perimeters. DDoS protection from ISPs is in place to mitigate high-volume attacks, and protection in the Netto perimeters mitigates more advanced attacks.
  • Patching, security upgrades, equipment replacements, capacity addons and other infrastructure changes are carefully planned and executed. Standard maintenance work will normally not disturb the Netto System.

Job Control

Objective

Personal Data processed on a Customer’s behalf is processed solely in accordance with the relevant agreement and related instructions of the Customer including the use of Sub-Processors.

Measures Include

  • Netto acts as a Processor with respect to Personal Data and stores and processes Personal Data in order to operate the Netto System under the instructions of the Customer, who is the Controller.
  • Netto does not access Customer Personal Data, except to provide services to the Customer which Netto is obligated to perform in support of the Customer experience including for general operation and monitoring of the Netto System, troubleshooting and maintenance purposes, for security reasons, as required by law, or on request by the Customer.
  • In some specific Customer setups Netto will use a limited number of Sub-Processors to help it provide the Netto System. In this case this will be specified in the data processing agreement between the Customer and Netto.
  • External parties such as Subcontractors and others with access to any of Netto’s assets are required to sign an NDA.
  • Netto has data protection agreements in place directly or via affiliates with all Sub-Processors that process Personal Data. Personal Data are not processed outside of the European Economic Area (EEA) other than if requested by a Customer.

Data Separation

Objective

Personal Data collected for different purposes is processed separately.

Measures

  • Netto uses a multi-tenant architecture to achieve logical separation of Personal Data originating from multiple Customers.
  • In each step of the processing, Personal Data received from different Customers can be identified, so data is always physically or logically separated.
  • Customers have access only to their own Personal Data.
  • Netto networks are segregated according to system use and data sensitivity.
  • Production systems are physically and logically separated from development and test systems.
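Logical separation in a multi-tenant system stands or falls on every read being scoped to the calling Customer; the classic failure is a lookup by a global record id that nothing ties back to the caller’s tenant, so an authenticated user who guesses ids reads another Customer’s data. The example below is added to show the weak pattern beside the scoped one. It is illustrative code, not Netto’s; the store, the record layout, the role names and the sample records are constructed for the example, and the roles are only there to show that a tenant check is applied before, and independently of, a permission check.

```python
"""Added example: tenant-scoped access in a multi-tenant record store.

Illustrative code, not Netto's implementation. The store, record layout,
customer identifiers, role names and sample data are constructed here.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AccessContext:
    """What the authenticated session may see: exactly one tenant, one role."""
    customer_id: str
    role: str  # constructed role names: "agent" or "admin"


@dataclass
class Record:
    record_id: int
    customer_id: str
    subject_email: str
    body: str


class TenantIsolationError(PermissionError):
    """Raised when a record is missing or belongs to another tenant."""


class RecordStore:
    def __init__(self) -> None:
        self._records: dict = {}

    def add(self, rec: Record) -> None:
        self._records[rec.record_id] = rec

    # Weak pattern: the key is a global id and nothing ties the result to the
    # caller's tenant. Any authenticated user who can guess or enumerate ids
    # reads other Customers' records (an insecure direct object reference).
    def get_record_unscoped(self, record_id: int) -> Optional[Record]:
        return self._records.get(record_id)

    # Scoped pattern: every read takes the caller's context, and the tenant
    # filter is part of the lookup rather than a check callers must remember.
    def get_record(self, ctx: AccessContext, record_id: int) -> Record:
        rec = self._records.get(record_id)
        if rec is None or rec.customer_id != ctx.customer_id:
            # One error for "does not exist" and "belongs to someone else", so
            # the response does not reveal whether the id is in use.
            raise TenantIsolationError(
                f"record {record_id} not found for {ctx.customer_id}")
        return rec

    def list_records(self, ctx: AccessContext) -> List[Record]:
        return [r for r in self._records.values()
                if r.customer_id == ctx.customer_id]

    def delete_record(self, ctx: AccessContext, record_id: int) -> None:
        # Tenant check first: even an admin only ever touches their own
        # tenant's data. The role check is a separate, additional gate.
        rec = self.get_record(ctx, record_id)
        if ctx.role != "admin":
            raise PermissionError("delete requires the admin role")
        del self._records[rec.record_id]


def build_sample_store() -> RecordStore:
    """Constructed sample data: two tenants, three records."""
    store = RecordStore()
    store.add(Record(1, "customer-a", "a-user@example.com", "ticket for A"))
    store.add(Record(2, "customer-b", "b-user@example.com", "ticket for B"))
    store.add(Record(3, "customer-a", "a-other@example.com", "second ticket for A"))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    ctx_a = AccessContext("customer-a", "agent")
    print("unscoped read of B's record by A's session:", store.get_record_unscoped(2))
    print("scoped listing for A:", [r.record_id for r in store.list_records(ctx_a)])
    try:
        store.get_record(ctx_a, 2)
    except TenantIsolationError as exc:
        print("scoped read refused:", exc)
```

In a real deployment the same property is enforced at the data layer (a tenant column on every query, or per-tenant schemas or databases) so that no application code path can reach a record without a tenant filter; the scoped methods above are the application-level shape of that rule.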

Incident Management

Objective

In the event of a security incident or Personal Data breach, the effect of the breach is minimized, and the Customer is promptly informed.

Measures Include

  • Netto maintains an up-to-date incident response plan that includes responsibilities, how information security events are assessed and classified, and response plans and procedures.
  • Netto logs administrator and user activities at the production Data Centers to provide evidence in the event of an incident.
  • The clocks of all systems at the production Data Centers are synchronized to a single reference time source to aid investigation in the event of an incident.
  • System administrator activities, exceptions, faults and information security events are logged in a central monitoring tool.
  • Netto regularly tests its incident response plan with “table-top” exercises and learns from tests and potential incidents to improve the plan.
  • In the event of a security incident or data breach, Netto will notify Customers without undue delay after becoming aware of the security incident or data breach.
  • Netto maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, to whom the breach was reported and the procedure for recovering data.

Compliance

Objective

Netto tests, assesses and evaluates the effectiveness of these technical and organizational measures. Netto is compliant with legal and contractual requirements.

Measures Include

  • Netto’s compliance function works to ensure that Netto complies with relevant laws and regulations.
  • Netto conducts regular internal and external audits of its security.
  • Netto performs risk assessments to protect services and Customer Data.
  • Netto has a formal policy for managing suppliers who have access to Personal Data and this includes criteria for reviewing and approving suppliers and procedures for monitoring and reviewing their performance.
  • Netto takes reasonable steps to ensure that Personnel are aware of and comply with the technical and organizational measures set forth in this document.
  • Netto conducts at least annual third-party network and application vulnerability scanning and/or penetration tests on the Netto System to identify vulnerabilities and to demonstrate security compliance.
  • Netto uses industry standard processes to delete Customer Data when it is no longer needed.
  • Audit rights given to Customers always exclude the right or ability to look at the data of other Netto Customers.
  • Netto maintains a register of all Personal Data processing activities in the organization.

Infrastructure Overview

Netto System Infrastructure Overview

The Netto System is built on secure state-of-the-art components. All services are produced and delivered from AWS Data Centers. Data processing takes place in Europe (EU/EEA) and follows European regulations and requirements regarding data protection and data privacy.

Data Centres

Netto stores and processes Customer Data at the following Data Centres:

  • Amazon Web Services, EU (Ireland) region (see Customer Data Processing Locations above and the Sub-Processor list below).

Infrastructure & resilience

All components in Netto’s infrastructure are redundant by design. There are three levels of redundancy built into the infrastructure, plus a separate backup tier:

  • Component resilience: Every component in the infrastructure has built in resilience within the unit. This might be redundant power adaptors, network cards, mirrored disks etc.
  • Load balancing & redundancy: All critical infrastructure such as web servers and application servers is load balanced, keeping systems operational even if components or servers fail completely. For components not suited to load balancing, such as databases, a synchronization mechanism keeps the passive servers in step with the active server, preventing data loss and minimizing disruption during failover.
  • Geo redundancy: All services are built so they can run with full capacity in every Data Center that hosts them, so a full outage of any one of the Data Centers can be tolerated.
  • Backup: Separate backup systems take cross-site backups of the Data Centers, and the backups themselves are duplicated.

Systems

  • Network, Firewalls & Backbone: Internal networks (core switches, firewalls, routers, multiplexers, panels, intercompany connections) are redundant by design.
  • Application and Web servers: Application Servers provide the services and functionality for the Netto System such as user management, configuration, billing, statistics etc. Application servers are load balanced and redundant across the Data Centers.

  • Database servers & File Storage: The databases are the primary storage of Application and Customer Data. Examples of data are users, statistics, configurations and billing information. Databases are either redundant across the Data Centers or run in Active/Passive configurations with synchronous replication of data between the Data Centers.

Sub-Processors

A Sub-Processor is a third-party data processor engaged by Netto, including entities from within the Netto Group, who has or potentially will have access to or process Customer Data (which may contain Personal Data). Netto engages different types of Sub-Processors to perform various functions as explained in the tables below. Netto refers to third-parties that do not have access to or process Customer Data but who are otherwise used to provide the Services as “Subcontractors” and not Sub-Processors.

Due Diligence

Netto undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed Sub-Processors that will or may have access to or process Customer Data.

Contractual Safeguards

Netto requires its Sub-Processors to satisfy equivalent obligations as those required from Netto (as a Data Processor) as set forth in Netto’s Data Processing Agreement (“DPA”), including but not limited to the requirements to:

  • Process Personal Data in accordance with the data controllers’ (i.e. Customers’) documented instructions (as communicated in writing to the relevant Sub-Processor by Netto);
  • In connection with their sub-processing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
  • Provide regular training in security and data protection to personnel to whom they grant access to Personal Data;
  • Implement and maintain appropriate technical and organizational measures (including measures consistent with those to which Netto is contractually committed to adhere to insofar as they are equally relevant to the Sub-Processor’s processing of Personal Data on Netto’s behalf) and provide an annual certification that evidences compliance with this obligation. In the absence of such certification Netto reserves the right to audit the Sub-Processor;
  • Promptly inform Netto about any actual or potential security breach; and
  • Cooperate with Netto in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.

This policy does not give Customers any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate Netto’s engagement process for Sub-Processors as well as to provide the actual list of third-party Sub-Processors and Subcontractors used by Netto as of the date of this policy (which Netto may use in the delivery and support of its Services).

If you are a Netto Customer and wish to enter into our DPA, please email us at trust@netto.eco.

Process to Engage New Sub-Processors

Netto will provide notice to customers of updates to the list of Sub-Processors that are utilized or which Netto proposes to utilize to deliver its Services. Netto undertakes to keep this list updated regularly to enable its Customers to stay informed of the scope of sub-processing associated with the Netto System.

Pursuant to the DPA, a Customer may object in writing to the processing of its Personal Data by a new Sub-Processor within thirty (30) days following the update of this policy and such objection shall describe Customer’s legitimate reason(s) for objection. If the Customer does not object during such time period, the new Sub-Processor(s) shall be deemed accepted.

If a Customer objects to the use of a new Sub-Processor pursuant to the process provided under the DPA, Netto shall have the right to cure the objection through one of the following options (to be selected at Netto’s sole discretion):

  • Netto will cease to use the new Sub-Processor with regard to Personal Data;
  • Netto will take the corrective steps requested by Customer in its objection (which remove Customer’s objection) and proceed to use the Sub-Processor to process Personal Data; or
  • Netto may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of a Netto System that would involve use of the Sub-Processor to process Personal Data.

Termination rights, as applicable and agreed, are set forth exclusively in the DPA.

Third-party Sub-Processors

Netto works with certain third-parties to provide specific functionality within the Services. These providers are the Sub-Processors set forth below. In order to provide the relevant functionality these Sub-Processors access Customer Data. The following table describes the legal entities engaged by Netto in the processing of Customer Data and their respective processing locations. Their use and access are limited to the applicable Services.

The Sub-Processors listed below currently host Customer Data for the Services.

Amazon Web Services EMEA SARL

Location: Ireland

Purpose: AWS is the hosting provider from which Netto delivers the Netto System.

Timescale Inc

Location: Ireland

Purpose: Timescale provides database services for the Netto System.

Code of Business Conduct and Ethics

Introduction

In order to build a strong business culture and be a trustworthy company, Netto will continuously work in an ethical and responsible manner and have an open and transparent dialogue with our stakeholders.

Netto’s Code of Business Conduct and Ethics (“the Code”) specifies the main business principles that apply when we work together in the Group or with external parties. The Code shall guide our daily business activities and be integrated into critical processes, practices, activities and decision making across Netto Group companies.

The Code applies to all employees, in-house consultants, managers and board members, and others acting on behalf of Netto or the Group’s subsidiaries. We also expect our suppliers, sub-suppliers, manufacturers and all other business partners engaged in the products, services and solutions of Netto to align their operations with the principles in the Code.

Immediate managers are responsible for ensuring that everybody is aware of and complies with these guidelines, as well as with applicable laws, rules and regulations. All employees, or persons associated with Netto, are personally responsible to read and comply with the Code.

Any questions about how this Code shall be interpreted or applied shall be addressed to your immediate leader, or if necessary the Board of Management. Any changes to or waivers of the Code may only be made by the Board of Directors.

Our business principles

Good working environment

Netto shall provide a good and safe workplace, promoting a healthy lifestyle that enhances employees’ wellbeing and work-life balance. Together we shall create an inclusive working environment, and all are expected to show respect, integrity, consideration and general politeness in our relations towards colleagues, as well as customers, partners, competitors and others. In Netto we do not accept any form of discrimination, harassment or degrading treatment by or towards employees. Sexual harassment of any kind, and harassment based on any other legally protected characteristic, is expressly prohibited in Netto. We define sexual harassment as unwelcome sexual advances, requests for sexual favors and/or other verbal, visual or physical conduct of a sexual nature when:

  • Submission to such conduct is explicitly or implicitly made a condition of an individual's employment or advancement;
  • The response to such conduct is used as a basis for employment decisions; or
  • The conduct has the purpose or effect of unreasonably interfering with an individual's work performance or creating an intimidating, hostile or offensive working environment.

Diversity, inclusion and equality

In Netto, diversity and inclusion is an integrated strategic priority. We embrace diversity to build an equal and inclusive culture built on collaboration, trust and mutual respect. We welcome different perspectives and utilize our collective expertise in our teams. We combat unconscious discrimination in word and deed through awareness-raising, and practise zero tolerance for any form of harassment or degrading treatment by or towards employees. All employees shall enjoy equal rights, opportunities and obligations.

When hiring, we run fair, unbiased processes based on valid and objective selection criteria. We select the best candidate for the relevant position independent of age, gender, religion, nationality, ethnic origin, sexual orientation, disability or way of life.

Training and development

We believe in challenging people, and together we set clear goals that will ensure personal and professional development of our employees, in line with Netto’s business objectives.

All employees shall receive relevant training and development to ensure a quality customer offering and to improve personal and collective skills in order to achieve strategic objectives. Managers are responsible for supporting employees in their professional role and will be provided with the relevant competence, resources and authority to work for a stimulating and sustainable work environment.

Respect for human and labor rights

In Netto we respect, support, and acknowledge international human rights, as outlined by the UN Global Compact and related conventions. We comply with employees’ basic human rights, as outlined in the International Labour Organization’s (ILO) fundamental conventions, and with current laws and regulations in general. We do not accept any use of child labour, bonded workers or forced labour. All employees are also expected to act responsibly with regard to content services, including illegal content such as child pornography and racism.

Care for the environment

Working in Netto, we are committed to conducting our business in an environmentally responsible way, to minimize direct and indirect negative effects on the external environment. We shall promote the development and diffusion of environmentally friendly technologies, and we share the responsibility for achieving these goals.

Responsible Partnership

In Netto we work to assure that our partners and suppliers act responsibly and comply with laws and regulations regarding environment, conflict minerals, labor and human rights, anti-corruption and anti-bribery. Netto also acknowledges the importance of supply chain control when it comes to production of IT equipment by assessing manufacturing country risks in relation to what has been mentioned above.

Protection of confidential information

All employees have a duty of confidentiality by law and/or written agreement. As a general principle, we do not share confidential information with third parties, to avoid misuse or unauthorized disclosure. We share information on a “need-to-know” basis, and must show caution when discussing internal matters, to ensure the conversation is not overheard by persons not concerned. The duty of confidentiality also applies after the termination of employment or contractual relationship with Netto.

Protection of critical information and personal data

Netto manages critical data for its customers and their customers. Thus, we have established strict guidelines, procedures and solutions to protect these data from unauthorized access and theft. As employees, we are responsible for actively ensuring, or helping ensure, that all critical information and personal data is handled with care and in compliance with applicable laws and regulations, and with the necessary security measures in place.

Safeguarding of property and assets

Netto’s property and assets must be safeguarded in an appropriate manner, and should only be used for legitimate business purposes, and by authorized employees only. This applies to tangible assets, e.g. equipment, as well as intangible assets, such as intellectual property (know-how, methodology, concepts and ideas) and confidential information. Information produced and stored on Netto’s IT systems is regarded as the property of the company. Private use is only permitted to a limited extent, and information that may be considered illegal or inappropriate must under no circumstances be processed or downloaded. Business secrets or other important information shall not be made available to unauthorized persons without authorisation from a superior.

Personal gain shall never precede Netto’s best interests

We shall always act in the best interest of Netto and avoid any activities that might lead to or suggest a conflict between the personal interest of an employee and Netto’s business. Neither shall we take part in or attempt to influence a decision or settlement if there is a conflict of interest or other circumstances that could give grounds to question our impartiality. If you become aware of a potential conflict of interest, or have questions related to a potential conflict of interest, you should consult your immediate manager.

There are many forms of conflicts of interest. Conflicts of interest can be related to family members or close friends (a family member includes your spouse, romantic partner, parents, children, siblings, cousins, nephews, nieces, aunts, uncles, grandparents, grandchildren, and in-laws). The following are some situations in which actual, potential, or perceived conflicts of interest commonly arise:

  • If you manage or recruit family members or close friends.
  • If there is meant to be a segregation of duties between you and a family member or close friend. A segregation of duties exists when a task has been split between two or more people to increase control, for instance where one person authorizes a payment and another makes the payment.
  • If your family members or close friends work or perform services for one of Netto's business partners or competitors.
  • If your family members or close friends own, or have a financial interest, whether directly or indirectly, in any of Netto's business partners or competitors.
  • If you serve on the board of directors of a for-profit company without Netto's written approval.
  • If you hold outside employment in which the interests of that job interfere with your ability to perform your professional duties for Netto.

You have the right and responsibility to obtain guidance on conflicts of interest, and your first point of contact should always be your immediate manager.

Any agreements between Netto and its employees/board members or their related persons shall be approved by the CEO.

Fair competition

In Netto, we compete in a fair and honest manner. We do not under any circumstances cause or contribute to breaches of general or specific competition regulations, whether illegal cooperation on pricing, illegal market sharing, or any other behavior in violation of prevailing competition laws.

Zero tolerance to corruption and money laundering

In Netto we are opposed to all forms of corruption and all forms of money laundering. We do not, directly or through middlemen, offer, give, ask for or accept any form of bribe or improper benefit to gain business or personal advantage for ourselves or others. We are also obliged to ensure that all business activities are legitimate and not used by others to launder money.

Caution with gifts and business courtesies

We must show great caution with respect to offering or accepting gifts or other benefits to or from customers or suppliers. We do not accept or offer gifts or other remuneration that can reasonably be perceived to be given with the purpose of influencing business decisions or negotiations. Neither Netto’s motives nor the integrity of the recipient must be placed in doubt. If you are uncertain about a situation, consult your immediate manager for guidance.

Transparent communication

Netto is committed to transparency, and all communication with employees and shareholders shall be correct, relevant, clear and fact-based, to give a correct picture of the company’s situation as well as future risks and opportunities. All shareholders shall be treated equally, and the communication shall be in accordance with applicable legislation and regulations. Public information about the Group shall only be provided by Netto’s Board of Management, unless otherwise agreed.

Reporting (Whistleblowing)

Netto believes that openness and good communication across the Group companies promotes a better work culture. We have therefore established a Whistleblower Channel that makes it possible for employees and external parties to report concerns about possible illegal actions and breaches of the Code.

What information should be reported?

Netto encourages everyone to report issues of concern that may threaten Netto’s finances, operations or reputation, including violations of the Code. Examples of breaches include, but are not limited to:

  • Harassment, including sexual harassment, or bullying, discrimination and racism.
  • Poor working environment.
  • Suspicion of fraud, corruption and accounting offenses.
  • Erroneous reporting or manipulation of information.
  • Damage to the environment.

Failure to report is considered a breach of the Code. Violation of the Code will not be tolerated, and may lead to internal disciplinary action, dismissal and/or legal proceedings.

There will be no retaliations against you, nor any impact on your professional career, for reporting violations in good faith.

How to report a concern

All employees are encouraged to report and discuss issues of concern with their immediate manager or the company’s Board of Management. If this is considered difficult or not possible, you may report directly to Netto’s independent Whistleblower Channel managed by a dedicated lawyer at XXXX:

Name

Title

Telephone

E-mail

All notifications will be treated confidentially

All notifications will be treated confidentially, and you may also report anonymously. Note that it will then be difficult to give you feedback. Furthermore, proper investigation may prove difficult if the information provided cannot be tested or verified and the investigator is unable to obtain further information from the whistleblower.

How concerns are handled

The appointed manager for Netto’s Whistleblowing Channel is responsible for ensuring that all cases are properly investigated and followed up. Based on a severity assessment, an investigation team will be established. Non-anonymous whistleblowers will get timely feedback and information about the process and outcomes.

Protection of sources

The identity of the whistleblower will not be disclosed, unless permission in writing has been received from the notifying party. All investigations will be conducted in a confidential manner, so that information will be disclosed only as needed to facilitate review of the investigation or otherwise as required by law.

Anti-corruption Policy

Purpose

The purpose of this policy is to prevent any form of corruption or bribery in Netto’s business activities and help ensure that business is conducted ethically and in compliance with applicable rules.

Scope

This policy applies to all employees and representatives of Netto and its subsidiaries. Netto’s Board of Management has the responsibility for integrating the principles into day-to-day operations. We also expect our business partners to abide by the same principles in their own operations.

Our Approach

Corruption is illegal, often with far-reaching consequences, with penalties ranging from large fines to imprisonment of the individuals involved. It can also severely damage Netto’s reputation. At Netto, we want to build integrity, trust and respect. We have zero tolerance for any form of corruption, fraud and bribery.

We consider it corruption if a person promises, offers or gives, or requests, receives or accepts an improper benefit by virtue of his or her position. A benefit is considered improper if it can influence, or be perceived to influence, the receiver’s ability to make sound and objective business decisions. Improper benefits may include cash, kickbacks, expensive gifts, hospitality/entertainment and travel. Other examples may be more indirect, such as loans with low interest terms, internships or job offers.

Breaches of this policy or violation of applicable laws may result in disciplinary actions, including dismissal and reports to the relevant authorities.

Our Commitments

  • We comply with applicable laws and regulations.
  • We act in the best interest of Netto, and never compromise ethics or integrity when doing business.
  • We do not offer, give, authorize, pay or accept bribes, kickbacks or facilitation payments to or from anyone.
  • If corruption is a necessary condition for doing business, we refrain from participating.
  • All commercial transactions entered into by Netto must be clearly specified in the group accounts and be compliant with international standards.
  • Employees and consultants are hired based on their merits, and not to benefit others.
  • Any sponsorships or donations are made to support a legitimate charitable cause, not as an exchange of favors.
  • We are transparent, share and discuss dilemmas, and seek guidance when in doubt.
  • We speak up and report anything that is likely to constitute a breach.

It may not always be a simple matter to determine whether a possible course of action is appropriate. If you are in any doubt, the matter should be referred to your immediate manager or the Board of Management. Please also refer to Netto’s Code of Business Conduct and Ethics and Whistleblower routines.

1. The Norwegian Criminal Act, Section 387.

Information Security Policy

Introduction

This document defines the information security policy of Netto.

As a modern, forward-looking business, Netto recognises at senior levels the need to ensure that its business operates smoothly and without interruption for the benefit of its customers, shareholders and other stakeholders.

In order to provide such a level of continuous operation, Netto has implemented an integrated management system, referred to as the Netto Management System (NMS) in line with the International Standard for Information Security. This standard defines the requirements for an information security management system based on internationally recognised best practice.

The operation of the NMS has many benefits for the business, including:

  • Protection of revenue streams and company profitability.
  • Ensuring the supply of goods and services to customers.
  • Maintenance and enhancement of shareholder value.
  • Compliance with legal and regulatory requirements.

This policy applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Netto systems.

Information security requirements

A clear definition of the requirements for information security within Netto will be agreed and maintained with the internal business, so that all NMS activity is focussed on the fulfilment of those requirements. Statutory, regulatory and contractual requirements will also be documented and used as input to the planning process. Specific requirements about the security of new or changed systems or services will be captured as part of the design stage of each project.

It is a fundamental principle of the NMS that the controls implemented are driven by business needs and this will be regularly communicated to all staff through team meetings, briefing documents and intranet posts.

Framework for setting objectives

A regular cycle will be used for the setting of objectives for information security, to coincide with the yearly planning cycle. This will ensure that adequate funding is obtained for the improvement activities identified. These objectives will be based upon a clear understanding of the business requirements, informed by the management review process during which the views of relevant interested parties may be obtained.

Information security objectives will be documented for an agreed time period, together with details of how they will be achieved. These will be evaluated and monitored as part of management reviews to ensure that they remain valid. If amendments are required, these will be managed through the change management process. In addition, enhanced and additional controls will be adopted and implemented where appropriate. The adoption of these controls will provide additional assurance to our customers and help further with our compliance with international data protection legislation.

Continual improvement of the NMS

Netto policy regarding continual improvement is to:

  • Continually improve the effectiveness of the NMS and information security controls.
  • Enhance current processes to bring them into line with good practice.
  • Increase the level of proactivity (and the stakeholder perception of proactivity) with regard to information security.
  • Make information security processes and controls more measurable in order to provide a sound basis for informed decisions.
  • Review relevant metrics on an annual basis to assess whether it is appropriate to change them, based on collected historical data.
  • Obtain ideas for improvement via regular meetings and other forms of communication with interested parties.
  • Review ideas for improvement at regular management meetings in order to prioritize and assess timescales and benefits.

Ideas for improvements may be obtained from any source including employees, customers, suppliers, risk assessments and service reports. Once identified they will be recorded and evaluated as part of management reviews.

Application of information security policies

The policy statements have been reviewed and approved by the Board of Management of Netto and must be complied with. Failure by an employee to comply with these policies may result in disciplinary action being taken in accordance with the organization’s employee disciplinary process.

Questions regarding any Netto policy should be addressed in the first instance to your immediate manager.

Environmental Policy

Purpose

The purpose of environmental management in Netto is to ensure that Netto’s environmental and climate impact is kept as low as possible, as well as to raise awareness among customers, suppliers and partners and actively encourage them to reduce theirs.

Scope

This policy applies to all employees and representatives of Netto and its subsidiaries. Netto’s Board of Management has the responsibility for integrating the principles into day-to-day operations.

Our Approach

Reducing greenhouse gas emissions is one of the most important measures we can take to slow down global warming and combat climate change. Netto aims to be a positive agent for change in society by actively promoting solutions that enable businesses to work more sustainably. Our environmental objectives, procedures and activities are defined in our Netto Management System.

Our Commitments

At Netto, we take a precautionary approach to environmental challenges, and take action to keep our own direct and indirect emissions as low as possible. We promote greater environmental responsibility internally and with our customers and partners. We will comply with all relevant laws and regulations, and we require our suppliers to do the same. To us, an environmentally sustainable and responsible way of conducting business operations means that we:

  • Through customer offering, design innovative software solutions that enable our customers to reduce their footprint.
  • Through suppliers and partners, challenge partners on adopting more eco-friendly methods and prioritize suppliers that work actively with environmental management, and actively assist suppliers and partners with their adjustment to a climate-neutral society.
  • Through general procurement, minimize the use of consumables, and select more eco-friendly products when possible.
  • Through waste and waste handling, sort and dispose of waste according to local recycling guidelines. Recycle electronic waste and ensure that hazardous waste is sorted and disposed of at source as far as practically possible.
  • Through chemical products, minimize the use of any chemical products, and handle them in compliance with applicable rules.
  • Through energy and water consumption, be mindful of data consumption and storage, using energy-efficient cloud service partners that utilize renewable energy sources. Prioritize energy-efficient equipment, and switch off equipment and lights not being used. Only use green-certified buildings (LEED, BREEAM or equivalent) when upgrading facilities.
  • Through business travels, prioritize virtual meetings over business travels. Choose low-emission transport alternatives where possible.
  • Through management systems and reporting, educate employees to promote sustainable insights, solutions and results. Monitor environmental impact and strive for continuous improvement in own operations. Report in accordance with the internationally recognised standard Greenhouse Gas Protocol.

ESG Policy

Purpose

The purpose of this policy is to reflect Netto’s commitment to responsible business practices with respect to people, environment and society.

Scope

Sustainability in Netto is about creating business value to the benefit of key stakeholders such as customers, shareholders and employees, the environment and society. ESG focuses on the way Netto does business, disclosing the company’s impact (risks and opportunities) on the environment and society, as well as its management practices for ensuring sound governance.

Roles and Responsibilities

The board of directors has the overall responsibility for aligning Netto’s strategy and ESG considerations. Operationalising the principles into day-to-day operations lies with the Board of Management.

The Board of Management sets overall goals and measures for their respective business units, which are anchored in the board. Each member in the Board of Management is responsible for communicating these to everyone in their respective business units and ensuring compliance with this policy.

Approach

Netto adheres to the United Nations Global Compact's 10 principles with respect to human rights, labor relations, anti-corruption and the environment. Netto supports the UN's 17 sustainable development goals and ambitions for 2030, and will contribute where possible to make a difference. Netto’s work with social responsibility and sustainability is based on applicable laws, regulations and internationally recognised frameworks, the company’s strategy and its risk profile.

Commitments

Netto’s commitment to responsible business means that Netto is committed to:

  • Integrate sustainability into the business models, through the Netto Management System and document handling, and ensure this is reflected in investments, purchases, competence development and stakeholder relations.
  • Work systematically to minimize negative environmental or social impact from own operations, and seize opportunities for contributing to sustainable development.
  • Operate in line with fundamental human rights as laid down in the UN Guiding principles on Business and Human Rights, and promote the principles to business partners.
  • Observe the International Labour Organization’s (ILO) fundamental conventions and attend to workers’ rights through working with trade unions and by setting clear requirements for and monitoring suppliers.
  • Provide a safe, healthy, and inclusive working environment.
  • Offer equal opportunities irrespective of gender, age, sexual orientation, or cultural or religious background.
  • Treat all employees with understanding and respect, and encourage them to use their abilities in a way that contributes positively to their own and Netto’s development.
  • Apply high ethical standards and oppose all forms of corruption and financial malpractice within own operations and in contact with partners and suppliers.
  • Carry out due diligence of own operations and its supply chain in accordance with the concepts and principles set forth in the UN Guiding Principles for Business and Human Rights and the OECD Due Diligence Guidance for Responsible Business Conduct.
  • Communicate truthfully on Netto’s real impact on climate, the environment and human beings and avoid greenwashing.
  • Conduct materiality assessment to ensure efforts and resources are focused on ESG topics that have the greatest impact on the business or its stakeholders. The material topics shall be subject to frequent review, as what is considered material may change over time as the company develops or new regulations and requirements are introduced.

Transparency Act

Description of the company and operations

Netto AS (the “Company”) has chosen to carry out due diligence in accordance with the Transparency Act (åpenhetsloven § 3), the OECD Guidelines for Multinational Enterprises and to report on this according to § 5 of the Transparency Act.

Product development and maintenance of the Netto System is performed by the Company. The Company is the IP owner and owns the intellectual property rights associated with the Netto System, including all know-how and all technical knowledge, and performs all maintenance of the solution. Our business and our products by their inherent nature have a low risk of contributing to actual and potential adverse impacts on fundamental human rights and decent working conditions.

Procurement in the Company is governed by our Code of Conduct. The Procurement process in line with our policies is managed by the individual departments. These policies require employees to respect and obey laws, rules and regulations where we operate, and not to engage in unethical or illegal business practices. Supplier selection must be done based on required performance (including safety), cost, and quality.

Risk assessment

In general, the Company vendors are primarily located in Scandinavia or Europe and are subject to the same or similar strict requirements with respect to fundamental human rights and decent working conditions. Further, the Company purchases goods and services from vendors in industries that are not typically identified with challenges in this area. The overall risk for the Company in relation to adverse impacts on fundamental human rights and decent working conditions through our supply chain or business partners is assessed to be low.

The Company has initially identified risk parameters for potential negative impact on human rights and decent working conditions. The key risk parameters identified are industry, geographical region, and volume of purchases.

The Company uses a scale from 1 to 5 to assess risk, with the most influential parameters considered to be region and industry. The risk grading in the parameters is dependent upon various sources of information on work conditions, public reports on human rights, understanding of regulatory requirements in key locations etc. In addition, as part of the risk assessment, a qualitative review was made of various purchases to ensure these are properly understood.

Dependent on the initial risk score, vendors have been categorized into the risk categories Low (score 1-2), Medium (score 2-3), High (score 3-4) and Very high (score 4-5).

From the initial risk assessment, the vendors are categorized as low-risk vendors. This reflects that the company primarily procures goods and services in Scandinavia and Europe, which have strict laws and regulations regarding human rights and decent working conditions. Further, the number of low-risk vendors reflects that the company mainly procures IT goods and services as well as professional services. No actual violation, or high / very high risk of violation, of the Transparency Act was identified through the initial risk assessment.

Implemented and planned measures related to procurement

The Company has reviewed its guidelines, policies and procedures for procurement in conjunction with implementing the requirements in the Transparency Act and is in the process of formalizing updates from this process.

The Company has determined as a policy that we will not engage with suppliers that would constitute a high or very high risk for actual and potential adverse impacts on fundamental human rights and decent working conditions. For vendors identified as medium risk, a further review of the vendor will be performed, including a detailed risk assessment followed by a business review or a vendor due diligence. The outcome of this process will be reviewed by the Board of Management, which will make the decision to terminate or continue with the vendor.

The Company has reviewed the Supplier Code of Conduct to ensure it reflects the Company’s position and attitude towards ethical procurement, human rights and decent working conditions. The Supplier Code of Conduct is made publicly available on our website. For existing vendors with low risk, the Company has sent the Supplier Code of Conduct, requesting a negative confirmation in case they are not able to comply with it. No replies have been received as of this report. Any negative confirmations received will be investigated and remediating actions conducted on a case-by-case basis.

As part of the process, the guidelines and requirements for procurement and vendor selection have been reviewed and updated to require a risk assessment of potential violations of human rights and decent working conditions. In addition, when signing new vendor contracts, our Supplier Code of Conduct or a similar Supplier Code of Conduct is required to be incorporated or separately signed as part of the contract.

Based on the initial risk assessment and the nature and context of our operations, the Company has determined that no further actions are required for low-risk vendors. The Company will continue to monitor, update and refine our risk assessment and procedures on a regular basis to identify, prevent and mitigate any actual or potential adverse impacts on human rights and decent working conditions that our operations could cause or contribute towards.