Business conduct and integrity

We are committed to sound business conduct. We therefore manage our business according to applicable laws and regulations and according to the PostNL Business Principles, which provide guidance on interaction with colleagues, customers, business partners and society in general. A company-wide integrity programme ensures that the Business Principles are applied consistently throughout the organisation.

Integrity Committee

The Integrity Committee advises and assists the Board of Management in developing, implementing, and monitoring Group policies and procedures aimed at enhancing integrity and ethical behaviour as well as preventing fraud, corruption and bribery. The Integrity Committee is composed of the director Audit & Security, the manager Integrity Office, the Corporate Security Officer, the director Legal, the manager People Development, the director Communication & Investor Relations, the director Strategy Mail in the Netherlands, and the director E-commerce Operations.

The Integrity Committee oversees investigations based on reports of possible breaches filed under the PostNL Business Principles, the PostNL Group procedure on whistleblowing and the PostNL Group procedure on fraud prevention, anti-bribery, and anti-corruption.

Business conduct and integrity approach 2022

The focus of our integrity approach is to regularly ensure our employees are familiar with and are working in accordance with the PostNL Business Principles.

Our Business Principles inform how we act and make our decisions. As early as 2012, PostNL signed up to the ten principles of the United Nations Global Compact on such issues as human rights, labour, climate and anticorruption. We further endorse the OECDguidelines for multinational enterprises on responsible business conduct, while our sustainability strategy aligns us with the United Nations’ Sustainable Development Goals (SDGs).

In accordance with the requirements of the Corporate Governance Code, we performed an assessment connected to the organisational awareness with our business principles. The ‘Employee engagement monitor 2022’ addressed employees' familiarity with the PostNL Business Principles, and their perception as to whether we work according to the PostNL Business Principles.

The main outcome of this assessment in 2022 showed that 98% of the responders are (partly) familiar with the PostNL Business Principles. Of this 98%, in total 57.6% perceive that PostNL mostly works according to the PostNL Business Principles and 17.2% perceive this as continuously. In terms of familiarity this outcome represents a strong improvement compared to 2021. The other outcomes are comparable to prior years.

We use the outcome of the monitor as input for continuous improvement of our integrity approach and our activities at the PostNL Group companies.

Through our e-learning module on integrity we aim to educate management and employees about our Business Principles, and the desired behaviour based on these principles. This mandatory module is part of our regular onboarding programme and will be updated in the first quarter of 2023.

During the year we started 660 investigations in response to integrity-related issues. These investigations covered issues such as theft of mail or parcels, bribery and corruption, or failure to follow workplace practices. The investigations resulted in 181 discontinued work relationships. At year-end 2022, 60 investigations were ongoing.

The integrity-related investigations include cases of alleged (sexual) harassment and discrimination, and in 2022 we investigated 279 reported incidents connected to (sexual) harassment and discrimination allegations. Triggered by the attention across society on the issue of sexual harassment, we have seen an increase in the number of reported sexual offense and harassment incidents.

We are continuously working to improve awareness on these issues, such as by supporting employee communication on the issue of inappropriate conduct, dialogue with line management and HR representatives, and following upon reported integrity related incidents. In 2022, we made it clearer in our Business Principles that (sexual) harassment is part of inappropriate conduct. We work continually to create an environment across the company where people feel safe and empowered to speak up.

In addition to case-specific investigations, we apply trend analysis on all reported incidents to identify structural issues that require further preventive actions. To the best of our knowledge, in 2022 we had no cases of bribery or corruption that had a significant impact on our business.

The Integrity Office has developed a digital ethics framework and risk management process to assess that the logic in artificial intelligence and machine learning leads to ethical results. A section has been added to the Business Principles to incorporate our digital ethics principles. As of 2022 we are a member of the Business Integrity Forum of Transparency International. Furthermore, in 2022 we joined the stakeholder initiative ‘De week van de Integriteit’. These initiatives aim to stimulate the exchange of knowledge on the subject of integrity.

Asset protection and loss prevention

In order to prevent any threat which could adversely affect the business of PostNL and its stakeholders, PostNL is committed to ensuring its operations are secure. The Group Policy on Security outlines the mandate of the Security function within PostNL and to define the responsibilities relating to security matters. In other words, to ensure that adequate measures, procedures, checks and balances are in place, regarding asset protection, loss prevention and security information management.

Protecting data and privacy

PostNL believes that it is vital to handle the personal data of its customers and consumers with due care and adheres to all applicable laws and regulations. The most notable of these is the General Data Protection Regulation (GDPR), which is further elaborated on in the General Data Protection Regulation Implementation Act.

We have established a Group Policy on Privacy which outlines the fundamental principles we adhere to as a company regarding the use of personal data. These principles are in line with PostNL's Business Principles. We strive to provide high quality services, in which reliability is an important factor. We therefore view the protection and careful handling of personal data as an important precondition for further innovation and development of our services. To help achieve this, we have set up governance, processes and procedures to adequately implement 'accountability' in the field of the protection of personal data. This includes a processing register, a reporting process for data breaches, process for handling the rights of the person concerned, implementation of data privacy impact assessments, and the application of the Privacy by Design principle in development of new processes and systems. PostNL also established a data governance board to provide oversight on how we use and protect data. The Board discussed different data-related topics, including, for example, digital ethics. To the best of our knowledge, there were no substantiated complaints received from customers in relation to breaches of their privacy.

Prevention of fraud, bribery and corruption

PostNL recognises the need to have detailed fraud prevention and anti-bribery and anti-corruption policies, procedures and reporting mechanisms in place to protect our business integrity and to comply with all applicable laws and regulations. Antibribery and anti-corruption legislation, both in our home country and the countries we operate in, is very important for PostNL to conduct its business globally. All reported incidents of actual or suspected corruption or bribery will be promptly and thoroughly investigated and dealt with appropriately.

The Integrity Committee advises the Board of Management and line management on the mitigation of fraud risks and on ethical, anti-bribery and anti-corruption matters. The Integrity Committee reports quarterly to the Board of Management and every six months to the Supervisory Board.

Cyber security

As we become more dependent on systems and data, cyber security is becoming increasingly important. We manage our digital information and processes across the organisation by ensuring that we secure the data, systems and applications that PostNL uses within its business processes. We have a Cyber Security policy in place to guide the business on how to effectively implement cyber security. To help manage our cyber security risks, we first acquire a complete understanding of the systems, data and capabilities we operate across the business. We then develop and implement appropriate protective measures, such as controlling access to digital and physical assets, providing awareness, implementing processes to secure data, maintaining baseline network configurations and operations to repair components quickly and deploy technology to ensure cyber resilience.

We regularly perform internal control testing of IT general controls including identity & access management, change management and incident management and we have centralised processes in place to mitigate cyber security threats such as single sign-on and multi-factor authentication, patch management, firewall management and back-up and recovery management.

In 2022, we continued to explicitly address cyber security in our review of internal controls performed by our suppliers since most of our critical applications are implemented based on SaaS and Cloud principles. This assessment will be continued in 2023.

Improvements were made to our Detection and Response capabilities by adding endpoint detection for our critical endpoints and OT environments, while we added controls and monitoring to our critical DevSecOps environments. In 2022, a total of eight incidents were classified as high, three of which involved a data breach. One of those three which involved a data breach proved false positive and the other had a low impact.

Security awareness remains an important aspect of our security strategy, with the aim of moving towards a continually growing and commonly understood security norm across the organisation. In 2022 we added a third, more advanced training level to our online training programme. We have also intensified our Phishing simulations with direct feedback leading to lower click rates and a growing percentage of reporting by employees.