This General Privacy Statement is effective from December 12, 2018.
The Protection of your Personal Data is important to us.
This Privacy Statement, describes the Processing by ExxonMobil of Personal Data received from bidders/suppliers with regard to ExxonMobil procurement activities such as electronic bidding (e.g. SMART) or otherwise (e.g. Request for Quotation, “RFQ”), agreement administration and repository, catalogs and supplier management.
Where bids are submitted electronically, ExxonMobil collects information through the SMART by GEP site (collectively, “Site”) of ExxonMobil, which serves as the global Procurement Platform for ExxonMobil Procurement activities.
Your privacy is important and we want you to understand our practices with respect to gathering and handling of Personal Data.
This Privacy Statement may be further complemented by other data privacy notices provided by ExxonMobil for specific uses of certain Personal Data in specific features of the Site. As an example, when certain features of the Site request additional information from you, we may provide an additional notice to inform you about the way in which we process such additional information.
To the extent the Personal Data provided through this Site is handled by an ExxonMobil affiliate established in the EEA, we refer you to the EU Privacy Statement.
1. PERSONAL INFORMATION AND PURPOSES
In this table we describe the categories of information that we gather from bidders/suppliers who submit a bid via the Site or through an RFQ, the purpose for which we use the information.
|Purpose of Processing
||Categories of Personal Data
||How long we keep your Personal Data
|For bids submitted via SMART, to identify you as an authorized user and grant you access to the global Procurement Platform for Procurement activities: electronic bidding, agreement administration and repository, catalogs and supplier management.
||Access permissions, vendor’s banking details, logon/system ID, user name (first and last name), system activity log, vendor’s contact details (including business contact details of vendor staff involved in negotiating and performing the contract), vendor classification status, vendor performance scorecards and vendor bidding evaluations.
|Due diligence of third parties on the basis of information publicly available or provided by the third party via Prospective Business Associate Questionnaire (PBAQ).
||All Personal Data collected in the PBAQ, including, but not limited to name and business contact details, principal lines of business and length of time in each line of business, locations of business activities, citizenship, country of residence, details regarding whether the individual has been charged with or investigated for certain criminal offenses, shareholdership and/or ownership interest.
|Due diligence of third parties through third party service providers.
||All Personal Data collected, including, but not limited to name and business contact details, principal lines of business and length of time in each line of business, locations of business activities, citizenship, country of residence, details regarding whether the individual has been charged with or investigated for certain criminal offenses.
|Due diligence of third parties in accordance with our legal or regulatory obligations and risk management procedures, including with respect to trade sanctions, through Thomson Reuters World-Check or other tools.
||Name, citizenship, contact details, country of residence; details regarding whether the individual is subject to trade sanctions regulations, e.g. has been designated a Specially Designated National (SDN) or is a citizen of a country subject to comprehensive sanctions.
Note that some of the services may not be available if you fail to provide the Personal Data necessary to deliver them.
We employ other companies and persons to perform functions on our behalf. They have access to Personal Data needed to perform their functions, but may not use it for other purposes. Communicating via the Internet and sending information, products, and services to you by other means necessarily involves your Personal Data passing through or being handled by third-parties.
For the purpose of the administration of the Site and the Personal Data collected through the Site, ExxonMobil shares your Personal Data with GEP, which provides and supports SMART, the global Procurement Platform, on behalf of ExxonMobil.
Furthermore, we use third party screening tools to perform due diligence and other screening activities in accordance with our legal or regulatory obligations and risk management procedures, in particular Thomson Reuters World-Check and Thomson Reuters Enhanced Due Diligence tools, where permitted by law, to do integrity and advanced background checks that provide us with information that help us to identify and protect against any regulatory, and/or reputational risk.
For more detailed information about Thomson Reuters privacy practices with respect to gathering and handling of Personal Data within World-Check and EDD, please see the World-Check Privacy Statement and Thomson Reuters Privacy Statement.
Before any Personal Data is shared with service providers, we enter into a written agreement which requires them: (1) not to make any unauthorized further disclosures of the Personal Data; (2) to use the Personal Data only for the specified purposes and only according to the instructions received from ExxonMobil; (3) to retain the Personal Data only as long as necessary to carry out these purposes or to protect company interests (e.g. until the end of statute of limitations periods); and (4) to have in place adequate and appropriate security measures.
In some circumstances, ExxonMobil will have to disclose Personal Data to other third parties, including competent authorities, legal advisors and other business partners who process the Personal Data on their own behalf, for instance if such transfer is required by law or legal process, in order to defend ExxonMobil’s rights or to adequately handle individuals’ complaints and requests.
3. YOUR CHOICES
The relevant ExxonMobil affiliates may transfer some or all of the Personal Data to servers of ExxonMobil located worldwide and will make that Personal Data accessible to other ExxonMobil affiliates, some of which are located in third countries that may not be regarded as providing an adequate level of protection of the Personal Data, in accordance with applicable law.
By accepting this Data Privacy Notice you consent to the processing as described above accepting that such collection, storing or other processing may be conducted by a third party or may occur in a country that may not have been deemed by your country to provide adequate data privacy protection.
4. YOUR RIGHTS
When living in a country with comprehensive data privacy laws, certain rights in relation to the information collected may apply, including:
- the right to know and see what personal information is processed;
- the right to have inaccurate personal information corrected or deleted;
- the right to withdraw consent to the processing of the personal information.
Contact ExxonMobil’s Data Privacy Office to find out more about these rights, and how to exercise them.
5. RECORDS RETENTION
ExxonMobil retains Personal Data to meet the purposes for which the data was collected or in order to ensure compliance with applicable law or to protect legitimate company interests (e.g. statute of limitations periods). ExxonMobil will keep the Personal data for the period state in Section 1.
ExxonMobil is committed to protecting your Personal Data as described in this Privacy Statement and as required by applicable national laws. If you have any questions about this notice or about ExxonMobil’s handling of your Personal Data, or if you would like to request additional information on the Personal Data ExxonMobil holds about you or learn about and exercise your rights with respect to your Personal Data, you can contact: