This General Privacy Statement is effective from October 25, 2018.
The Protection of your Personal Data is important to us.
Your privacy is important and we want you to understand our practices with respect to gathering and handling of Personal Data.
This Privacy Statement may be further complemented by other data privacy notices provided by ExxonMobil for specific uses of certain Personal Data.
This Privacy Statement describes the Processing of Personal Data received from service providers through this Request for Quotation (“RFQ”) by ExxonMobil affiliates (collectively, “ExxonMobil”) established in the member states of the European Economic Area (EEA) or in Switzerland.
In this Privacy Statement, we use certain defined terms. In order to understand the meaning of the defined terms, we refer you to Section 14, Defined Terms.
1. IDENTITY OF THE EXXONMOBIL AFFILIATE COLLECTING THE PERSONAL DATA AS DATA CONTROLLER
The Data Controller(s) in respect of Personal Data collected is the ExxonMobil affiliate in EEA with whom you have, or seek to have (for prospective business associates) a contractual relationship. For more information contact the ExxonMobil Data Privacy Office.
The ExxonMobil affiliate(s) identified above as the Data Controller of the Personal Data, may transfer all or some of the Personal Data received to ExxonMobil affiliates worldwide which are located outside the EEA and Switzerland, in third countries that may not be regarded as providing an adequate level of protection to the Personal Data. The transfers take place in accordance with Section 6 below.
For the purposes stated below, and on a need-to-know basis, your Personal Data will be accessible to ExxonMobil Procurement personnel, who can be located in any country where ExxonMobil is active. See Sections 5 and 6 for more information about these transfers.
2. INDIVIDUALS TO WHOM THIS PRIVACY STATEMENT IS ADDRESSED
This Privacy Statement is addressed to the service providers (and their personnel and contractors) who provide Personal Data pursuant to or in connection with an RFQ from or on behalf of the Data Controller(s) identified in Section 1 above.
3. EXXONMOBIL’S COMPLIANCE WITH DATA PROTECTION LAWS
ExxonMobil is committed to collecting and using Personal Data in a lawful manner.
ExxonMobil will ensure that, when it Processes personal data, the Processing is allowed under applicable data protection law. In EEA and Switzerland, this means amongst others that ExxonMobil shall assess whether and which justification (legal basis) it has for the Processing of Personal Data, as stipulated in the EU General Data Protection Regulation and applicable law. Depending on the situation, ExxonMobil can justify the Processing of Personal Data on various legal bases, which include:
- ExxonMobil’s legitimate business interest in Processing the Personal Data, unless such interests are overridden by the interests or fundamental rights and freedoms of the Individual, and/or
- The Processing is necessary for the performance of a contract to which the Individual is a party, and/or
- The Processing is necessary for compliance with a legal obligation to which ExxonMobil is subject, and/or
- The Processing is necessary in order to protect the vital interests of the Individual, and/or
- The Individual has given consent to the Processing of his or her Personal Data for one or more specific purposes. When ExxonMobil obtains consent from the Individual to the processing of Personal Data, the consent can be withdrawn at any time for the future.
For more information on the particular data processing activities, the purposes sought and a description of the specific categories of personal data concerned, please make sure to review the table in Section 4.
ExxonMobil offers Individuals the opportunity to object to the Processing of their Personal Data and will consider such objections carefully where required by law. For more information about your rights in respect of how ExxonMobil processes your Personal Data, please refer to Section 9 and/or contact the ExxonMobil Data Privacy Office via firstname.lastname@example.org.
4. CATEGORIES OF PERSONAL DATA AND PURPOSES FOR DATA COLLECTION
In this table we describe the categories of information that we gather from service providers who receive an RFQ, the purpose for which we use the information and the legal basis which justifies each processing operation.

| Purpose of Processing | Legal basis of Processing | Categories of Personal Data | How long we keep your Personal Data |
|---|---|---|---|
| Due diligence of third parties on the basis of information publicly available or provided by the third party via Prospective Business Associate Questionnaire (PBAQ). | Necessity for compliance with a legal obligation to which ExxonMobil is subject, in particular anti-bribery laws, trade sanctions, import/export controls, and anti-money laundering laws. ExxonMobil’s legitimate interest to evaluate and minimize potential legal risk which ExxonMobil may be exposed to under certain laws, such as the U.S. Foreign Corrupt Practices Act and other anti-bribery laws, trade sanctions, import/export controls, and anti-money laundering laws, as a result of entering into a commercial relationship with you, your company or associated third parties. ExxonMobil’s legitimate interest to maintain standards and integrity of its operations, to ensure compliance with its ethics policy, and protect against reputational harm. | All Personal Data collected in the PBAQ, including, but not limited to name and business contact details, principal lines of business and length of time in each line of business, locations of business activities, citizenship, country of residence, details regarding whether the individual has been charged with or investigated for certain criminal offenses, shareholdership and/or ownership interest. | |
| Due diligence of third parties in accordance with our legal or regulatory obligations and risk management procedures, including with respect to trade sanctions, including through Thomson Reuters World-Check or other tools. | Necessity for compliance with a legal obligation to which ExxonMobil is subject, in particular UN, US and other countries’ trade sanctions laws. ExxonMobil’s legitimate interest to minimize ExxonMobil’s risk of liability under applicable law resulting from doing business with vendors who are subject to trade sanctions, and ExxonMobil’s legitimate interest to maintain the standards and integrity of its operations, to ensure compliance with its ethics policy, and protect against reputational harm. ExxonMobil’s legitimate interest to leverage centralized, functional support and stewardship available within the ExxonMobil group, to benefit from economies of scale, and to ensure that transactions with prospective business partners can be operationalized through ExxonMobil networks and systems. | Name, citizenship, contact details, country of residence; details regarding whether the individual is subject to trade sanctions regulations, e.g. has been designated a Specially Designated National (SDN) or is a citizen of a country subject to comprehensive sanctions. | |
When ExxonMobil relies on its legitimate interest as a legal basis to Process the Personal Data, ExxonMobil will ensure that its legitimate business interests to pursue the purposes stated in the table above (generally its interest to promote the ExxonMobil products and services), do not disproportionately and adversely impact the relevant Individual’s rights and freedoms.
When ExxonMobil relies on the Individual’s consent as a legal basis to Process the Personal Data, the Individual can withdraw their consent at any time, for the future. Individuals who wish to withdraw their consent should notify us at email@example.com and we will take steps to stop the Processing of your Personal Data as soon as reasonably possible.
5. DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES
We employ other companies and persons to perform functions on our behalf. They have access to Personal Data needed to perform their functions, but may not use it for other purposes.
Furthermore, we use third party screening tools to perform due diligence and other screening activities in accordance with our legal or regulatory obligations and risk management procedures, in particular Thomson Reuters World-Check and Thomson Reuters Enhanced Due Diligence tools, where permitted by law, to do integrity and advanced background checks that provide us with information that help us to identify and protect against any regulatory, and/or reputational risk.
For more detailed information about Thomson Reuters privacy practices with respect to gathering and handling of Personal Data within World-Check and EDD, please see the World-Check Privacy Statement and Thomson Reuters Privacy Statement.
Before any Personal Data is shared with service providers, we enter into a written agreement which requires them: (1) not to make any unauthorized further disclosures of the Personal Data; (2) to use the Personal Data only for the specified purposes and only according to the instructions received from ExxonMobil; (3) to retain the Personal Data only as long as necessary to carry out these purposes or to protect company interests (e.g. until the end of statute of limitations periods); and (4) to have in place adequate and appropriate security measures.
ExxonMobil will have to disclose Personal Data to other third parties, including competent authorities, legal advisors and other business partners who process the Personal Data on their own behalf, for instance if such transfer is required by law or legal process, in order to defend ExxonMobil’s rights or to adequately handle individuals’ complaints and requests.
If Personal Data is shared with a third party or an ExxonMobil affiliate outside the EEA, the conditions regarding data transfers (see Section 6 below) apply in addition to the requirements of this section.
6. INTERNATIONAL TRANSFERS OF PERSONAL DATA
6.1 Transfers between affiliates
The relevant ExxonMobil affiliate who is the Data Controller may transfer some or all of the Personal Data to servers of ExxonMobil located worldwide and will make that Personal Data accessible to other ExxonMobil affiliates, some of which are located in third countries that may not be regarded as providing an adequate level of protection of the Personal Data, in accordance with applicable law.
The transfer of Personal Data from the EEA to recipients located outside the EEA is subject to restrictions. ExxonMobil has taken steps so that Personal Data receives an adequate level of data protection at all ExxonMobil locations. These steps include ExxonMobil affiliates entering into Inter Affiliate Agreements containing the EU “Standard Contractual Clauses”. The EU Standard Contractual Clauses have been approved by the European Commission and relevant European authorities as offering adequate protection for transfers of Personal Data outside the EEA.
6.2 Transfers to third parties
When transferring Personal Data to third parties, ExxonMobil puts in place safeguards to ensure that the third party adequately protects the Personal Data. ExxonMobil has put in place contractual safeguards in its agreements with software providers and due diligence tool providers, which contain EU Model Clauses for Processors and/or are Privacy Shield certified.
For more information about specific transfer mechanisms used for transfers between affiliates and transfers to third parties, including information on and a copy of any of the existing safeguards implemented by ExxonMobil in order to ensure that Personal Data is Processed within an adequate framework across all ExxonMobil locations, please contact firstname.lastname@example.org.
7. ACCURACY OF PERSONAL DATA
ExxonMobil endeavors to keep Personal Data that it collects accurate, complete and current, taking into account the purposes for which it was collected and is being used. ExxonMobil relies on Data Subjects to maintain the accuracy and completeness of the Personal Data, and so the Data Subjects should inform ExxonMobil if their personal details change.
8. SECURITY AND CONFIDENTIALITY
ExxonMobil maintains appropriate administrative, technical and physical safeguards designed to protect Personal Data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, use, and all other unlawful forms of Processing of Personal Data in our possession.
9. RIGHTS TO ACCESS, RECTIFICATION AND ERASURE OF PERSONAL DATA, TO DATA PORTABILITY, TO THE RESTRICTION OF AND OBJECTION TO THE PROCESSING OF PERSONAL DATA
Applicable law may give Data Subjects the right to know how ExxonMobil Processes their Personal Data, and to access their Personal Data held by ExxonMobil. Such rights exist under data privacy laws in EEA. Furthermore in EEA, Data Subjects also have the right to: have inaccurate or incomplete Personal Data rectified; to restrict the Processing of their Personal Data, under certain circumstances; to object to the Processing operations, having regard to the given circumstances and for reasons related to their particular situation; or to have Personal Data erased when such data is no longer necessary for the purposes for which it has been collected, in accordance with applicable law.
In some circumstances, the Data Subjects also have a right to request the portability of their Personal Data, which will allow them to obtain and reuse their Personal Data for their own purposes across different services without hindrance to usability.
For more information about the specific mechanism available in order to exercise the aforementioned rights, please contact email@example.com.
To facilitate our efforts to meet your request, it would be helpful if you could let us know the context in which you initially provided ExxonMobil with your Personal Data, e.g. in connection with promotion of a specific product or service.
10. PROCESSING OF SENSITIVE PERSONAL DATA
Certain categories of Personal Data are considered sensitive under data privacy laws and, as such, are subject to a higher level of protection and security. Data privacy law considers as sensitive the following categories of Personal Data: (1) race or ethnic origin; (2) political opinions; (3) religious and philosophical beliefs; (4) trade union membership; (5) sex life or sexual orientation; (6) physical or mental health or conditions; and (7) genetic data and biometric data for the purpose of uniquely defining a natural person.
We kindly ask you to refrain from providing ExxonMobil with any sensitive information of the abovementioned nature, under any circumstance. However, if you do provide such information, ExxonMobil accepts your explicit consent to use that data in accordance with this Privacy Statement or in the ways described at the point where such information is disclosed.
11. AUTOMATED DECISION-MAKING
ExxonMobil does not use automated decision-making unless this is (i.) necessary for entering into, or performance of, a contract between the Individual and ExxonMobil and its affiliates, (ii.) permitted or required by law, or (iii.) based on the Individual’s explicit consent.
Automated decision-making means a decision that produces legal effects concerning an Individual or significantly affects the Individual and which is based solely on automated Processing (i.e. no human intervention in the process of decision-making) of Personal Data intended to evaluate certain personal aspects relating to the Individual. Moreover, ExxonMobil shall implement suitable measures to safeguard the Individual’s rights and freedoms and legitimate interests.
12. RECORDS RETENTION
ExxonMobil retains Personal Data to meet the purposes for which the data was collected or in order to ensure compliance with applicable law or to protect legitimate company interests (e.g. statute of limitations periods). ExxonMobil will keep the Personal Data for the period stated in Section 4.
13. QUESTIONS AND COMPLAINTS
ExxonMobil is committed to protecting your Personal Data as described in this Privacy Statement and as required by applicable national laws. If you have any questions about this notice or about ExxonMobil’s handling of your Personal Data, or if you would like to request additional information on the Personal Data ExxonMobil holds about you or learn about and exercise your rights with respect to your Personal Data, you can contact:
- Data Privacy Office
c/o ExxonMobil Business Support Center Hungary Ltd.
Váci út 81-85
- The Data Protection Officer in countries identified in Section 1, as applicable
You also have a right to lodge a complaint to the data protection supervisory authority in your country.
14. DEFINED TERMS
The term “Data Controller” means the natural or legal person (in the case of ExxonMobil, the relevant ExxonMobil affiliate) which determines the purposes and means of the Processing of Personal Data.
“ExxonMobil” and/or “ExxonMobil affiliates” mean (a) Exxon Mobil Corporation or any parent of Exxon Mobil Corporation, (b) any company or partnership in which Exxon Mobil Corporation or any parent of Exxon Mobil Corporation now or hereafter, directly or indirectly (1) owns or (2) controls, more than fifty per cent (50%) of the ownership interest having the right to vote or appoint its directors or functional equivalents (“Affiliated Company”) and (c) any joint venture in which Exxon Mobil Corporation, any parent of Exxon Mobil Corporation or an Affiliated Company has day-to-day operational control.
By “Processed” or “Processing” we mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The term “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject” or “Individual”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
15. CHANGES TO THIS PRIVACY STATEMENT
We reserve the right to change this Privacy Statement at any time without notice. When we make material changes to this Privacy Statement, we will post the changes on this page and update the revision date at the top of the Privacy Statement. We encourage you to review our Privacy Statement regularly for updates.