Privacy Statement

Article Jan. 14, 2019

This General Privacy Statement is effective from January 14, 2019.

The Protection of your Personal Data is important to us.

This Privacy Statement describes the Processing by ExxonMobil of Personal Data received from or about prospective and existing suppliers (suppliers) in the context of ExxonMobil’s procurement activities. The procurement activities include the handling and evaluation of bids and quotations, agreement administration and supplier management.

ExxonMobil collects information through the SMART by GEP site, which serves as the global Procurement Platform for ExxonMobil Procurement activities, and through other forms, systems, sites and applications which refer to this Privacy Statement (collectively, “Site”).

Your privacy is important and we want you to understand our practices with respect to gathering and handling of Personal Data.

This Privacy Statement may be further complemented by other data privacy notices provided by ExxonMobil for specific uses of certain Personal Data in specific features of the Site. As an example, when certain features of the Site request additional information from you, we may provide an additional notice to inform you about the way in which we process such additional information.  

This Privacy Statement describes the Processing of Personal Data for procurement activities by ExxonMobil affiliates (collectively, “ExxonMobil”) established in the member states of the European Economic Area (EEA), UK or in Switzerland.

In this Privacy Statement, we use certain defined terms. In order to understand the meaning of the defined terms, we refer you to Section 14, Defined Terms.


The Data Controller(s) in respect of Personal Data collected is the ExxonMobil affiliate in EEA, UK or Switzerland with whom you have, or seek to have (for prospective business associates) a contractual relationship.  For more information you can contact the ExxonMobil Data Privacy Office.

The ExxonMobil affiliate(s) identified above as the Data Controller of the Personal Data, may transfer all or some of the Personal Data received, to ExxonMobil affiliates worldwide which are located outside the EEA, UK and Switzerland, in third countries that may not be regarded as providing an adequate level of protection to the Personal Data. The transfers take place in accordance with Section 6 below.

For the purposes stated below, and on a need-to-know basis, your Personal Data will be accessible to ExxonMobil Procurement personnel and other staff, who can be located in any country where ExxonMobil is active. See Sections 5 and 6 for more information about these transfers.


This Privacy Statement is addressed to the suppliers (including their subcontractors) and their representatives, whose Personal Data is collected by the Data Controller(s) listed in Section 1 above through the Site(s).


ExxonMobil is committed to collecting and using Personal Data in a lawful manner.

ExxonMobil will ensure that, when it Processes personal data, the Processing is allowed under applicable data protection law. In EEA, UK and Switzerland, this means amongst others that ExxonMobil shall assess whether and which justification (legal basis) it has for the Processing of Personal Data, as stipulated in the EU General Data Protection Regulation and applicable law. Depending on the situation, ExxonMobil can justify the Processing of Personal Data on various legal bases, which include:

  • ExxonMobil’s legitimate business interest in Processing the Personal Data, unless such interests are overridden by the interests or fundamental rights and freedoms of the Individual, and/or
  • The Processing is necessary for the performance of a contract to which the Individual is a party, and/or
  • The Processing is necessary for compliance with a legal obligation to which ExxonMobil is subject, and/or
  • The Processing is necessary in order to protect the vital interests of the Individual, and/or
  • The Individual has given consent to the Processing of his or her Personal Data for one or more specific purposes. When ExxonMobil obtains consent from the Individual to the processing of Personal Data, the consent can be withdrawn at any time for the future.

For more information on the particular data processing activities, the purposes sought and a description of the specific categories of personal data concerned, please make sure to review the table in Section 4.

ExxonMobil offers Individuals the opportunity to object to the Processing of their Personal Data and will consider such objections carefully where required by law. For more information about your rights in respect of how ExxonMobil processes your Personal Data, please refer to Section 9 and/or contact the ExxonMobil Data Privacy Office via


In this table we describe the categories of information that we gather in the context of the procurement activities, the purpose for which we use the information and the legal basis which justifies each processing operation. 

Purpose of Processing: For bids submitted electronically, to identify you as an authorized user and grant you access to the procurement platform in order to permit electronic bidding.
Legal basis of Processing:
  • The Processing is a contractual requirement under the procurement contract with ExxonMobil, and/or the Processing is necessary to enter into a procurement contract with ExxonMobil.
  • ExxonMobil’s legitimate business interest to validate your identity and access permission to the Site.
  • ExxonMobil’s legitimate business interest to operate efficiently and manage the eventual commercial relationship between you and ExxonMobil and/or ExxonMobil affiliates by facilitating and accelerating the Source to Pay process and the collaboration between ExxonMobil and supplier.
Categories of Personal Data: Access permissions, supplier’s banking details, logon/system ID, user name (first and last name), system activity log, supplier’s contact details (including business contact details of its staff involved in the procurement process).
How long we keep your Personal Data: 10 years

Purpose of Processing: Bid evaluation, administration of the agreement, document repository and supplier management.
Legal basis of Processing: The Processing is necessary for (i) the evaluation of bids; (ii) obtaining references; (iii) checking for any conflicts of interest; (iv) enabling ExxonMobil to administer and manage any contract that may be awarded; (v) audit of performance under the agreement, (vi) complying with applicable law and (vii) preserve and defend ExxonMobil’s legal rights.
Categories of Personal Data: All Personal Data related to individuals involved in the performance of the contract and/or in the procurement procedures either as supplier or subcontractor. The information includes: image, name and surname, address, telephone, e-mail address, signature, academic and professional training, qualifications and accreditations, work experience, education and membership of professional bodies, as incorporated in CVs, copy of various documents submitted as supporting documents, or in forms pre-established by ExxonMobil. Vendor classification status, vendor performance scorecards and vendor bidding evaluations.
How long we keep your Personal Data: 10 years

Purpose of Processing: Due diligence of suppliers and third parties
Legal basis of Processing:
  • Necessity for compliance with a legal obligation to which ExxonMobil is subject, in particular anti-bribery laws, trade sanctions, import/export controls, and anti-money laundering laws.
  • ExxonMobil’s legitimate interest to evaluate and minimize potential legal risk which ExxonMobil may be exposed to under certain laws, such as the U.S. Foreign Corrupt Practices Act and other anti-bribery laws, trade sanctions, import/export controls, and anti-money laundering laws, as a result of entering into a commercial relationship with Supplier or associated third parties.
  • ExxonMobil’s legitimate interest to maintain standards and integrity of its operations, to ensure compliance with its ethics policy, and protect against reputational harm.
  • ExxonMobil’s legitimate interest to leverage centralized, functional support and stewardship available within the ExxonMobil group and to ensure that transactions with prospective business partners can be operationalized through ExxonMobil networks and systems.
By providing information about third parties, you confirm that you have received the permission of the person(s), to provide to ExxonMobil the personal data for processing in accordance with the Privacy Statement.
Categories of Personal Data: Name and business contact details, positions held, principal lines of business and length of time in each line of business, locations of business activities, citizenship, country of residence, shareholdership and ownership interests, relationships with government officials and public international organizations, position as a government official, details regarding whether the individual is subject to trade sanctions regulations, details regarding certain investigations or offenses if permitted under applicable law, and other information on the basis of (i.) publicly available sources, and/or (ii.) information provided by the supplier for instance via the ExxonMobil Prospective Business Associate Questionnaire (PBAQ) and/or (iii.) information obtained through Thomson Reuters World-Check or other tools or service providers.
How long we keep your Personal Data: 10 years

Purpose of Processing: For statistical purposes to help us design and administer the Site and to improve our procurement process.
Legal basis of Processing: ExxonMobil’s legitimate business interest to improve the functionality of the Site and to improve our procurement process.
Categories of Personal Data: Number of visits to the site; which parts of the Site visitors select and any other personal data referred to in this notice, provided the information is appropriately pseudonymized or anonymized, as required under applicable law.
How long we keep your Personal Data: 10 years

When ExxonMobil relies on its legitimate interest as a legal basis to Process the Personal Data, ExxonMobil will ensure that its legitimate business interests to pursue the purposes stated in the table above do not disproportionately and adversely impact the Individual’s rights and freedoms.

When ExxonMobil relies on the Individual’s consent as a legal basis to Process the Personal Data, the Individual can withdraw their consent at any time, for the future. Suppliers who wish to inform us about withdrawal of consent, should notify us at and we will take steps to stop the Processing of Personal Data as soon as reasonably possible.

Note that some of the services or procurement activities may not be available if you fail to provide the Personal Data needed to deliver them.

For bids submitted via SMART or via other online sites, systems and applications, we use cookies and other files which we store on your computer or mobile device when you visit the Site, in order to collect one or more of the categories of information listed in the table above. The cookies and files stored on your computer or mobile device facilitate customizing your use of the Site and help to avoid the need for you to re-enter your details every time you visit it. You can erase or block this information from your computer if you want to. For more information about the cookies and files we place on your computer or mobile device, and how to erase or block them, see the Cookie Statement of the Site.


We employ other companies and persons to perform functions on our behalf. They have access to Personal Data needed to perform their functions, but may not use it for other purposes. Communicating via the Internet and sending information, products, and services to you by other means necessarily involves your Personal Data passing through or being handled by third-parties.

For the purpose of the administration of the Site and the Personal Data collected through the Site, your Personal Data may be processed by IT service providers (e.g. GEP) which host and support the Site on behalf of ExxonMobil.

Before any Personal Data is shared with service providers who are processors, we enter into a written agreement which requires them: (1) not to make any unauthorized further disclosures of the Personal Data; (2) to use the Personal Data only for the specified purposes and only according to the instructions received from ExxonMobil; (3) to retain the Personal Data only as long as necessary to carry out these purposes or to protect company interests (e.g. until the end of statute of limitations periods); and (4) to have in place adequate and appropriate security measures.

In some circumstances, ExxonMobil will have to disclose Personal Data to other third parties, including competent authorities, legal advisors and other business partners who process the Personal Data on their own behalf, for instance if such transfer is required by law or legal process, in order to defend ExxonMobil’s rights or to adequately handle individuals’ complaints and requests. 

Furthermore, we use third party screening tools to perform due diligence and other screening activities in accordance with our legal or regulatory obligations and risk management procedures, in particular Thomson Reuters World-Check and Thomson Reuters Enhanced Due Diligence tools, where permitted by law, to do integrity and advanced background checks that provide us with information that helps us to identify and protect against any regulatory and/or reputational risk.

For more detailed information about Thomson Reuters privacy practices with respect to gathering and handling of Personal Data within World-Check and EDD, please see the World-Check Privacy Statement and Thomson Reuters Privacy Statement. These statements reflect the privacy policy and practices of a third party, Thomson Reuters, acting as an independent data controller. We recommend that you review the privacy policy of such operator and contact the operator if you have concerns or questions.

If Personal Data is shared with a third party or an ExxonMobil affiliate outside the EEA, UK and Switzerland, the conditions regarding data transfers (see Section 6 below) apply in addition to the requirements of this section.


6.1 Transfers between affiliates

The relevant ExxonMobil affiliate who is the Data Controller may transfer some or all of the Personal Data to servers of ExxonMobil located worldwide and will make that Personal Data accessible to other ExxonMobil affiliates, some of which are located in third countries that may not be regarded as providing an adequate level of protection of the Personal Data, in accordance with applicable law.

The transfer of Personal Data from the EEA/UK/Switzerland to recipients located outside such territories is subject to restrictions. ExxonMobil has taken steps so that Personal Data receives an adequate level of data protection at all ExxonMobil locations. These steps include ExxonMobil affiliates entering into Inter Affiliate Agreements containing the EU “Standard Contractual Clauses”. 

6.2 Transfers to third parties

When transferring Personal Data to third parties, ExxonMobil puts in place safeguards to ensure that the third party adequately protects the Personal Data.  ExxonMobil has put in place contractual safeguards in its agreements with software providers and due diligence tool providers, which contain, where appropriate, EU Model Clauses for Processors and/or which are Privacy Shield certified. 

For more information about specific transfer mechanisms used for transfers between affiliates and transfers to third parties, including information on and a copy of any of the existing safeguards implemented by ExxonMobil in order to ensure that Personal Data is Processed within an adequate framework across all ExxonMobil locations, please contact


ExxonMobil endeavors to keep Personal Data that it collects accurate, complete and current, taking into account the purposes for which it was collected and is being used. ExxonMobil relies on Data Subjects to maintain the accuracy and completeness of the Personal Data and so the Data Subjects should inform ExxonMobil if their personal details change.


ExxonMobil maintains appropriate administrative, technical and physical safeguards designed to protect Personal Data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, use, and all other unlawful forms of Processing of Personal Data in our possession.


Applicable law may give Data Subjects the right to know how ExxonMobil Processes their Personal Data, and to access their Personal Data held by ExxonMobil. Such rights exist under data privacy laws in EEA, UK and Switzerland. Furthermore in such territories, Data Subjects also have the right to: have inaccurate or incomplete Personal Data rectified; to restrict the Processing of their Personal Data, under certain circumstances; to object to the Processing operations, having regard to the given circumstances and for reasons related to their particular situation; or to have Personal Data erased when such data is no longer necessary for the purposes for which it has been collected, in accordance with applicable law.

In some circumstances, the Data Subjects also have a right to request the portability of their Personal Data, which will allow them to obtain and reuse their Personal Data for their own purposes across different services without hindrance to usability.

Individuals may also withdraw their consent when the Processing is based on their consent.

For more information about the specific mechanism available in order to exercise the aforementioned rights, please contact the

To facilitate our efforts to meet your request, it would be helpful if you could let us know the context in which you initially provided ExxonMobil with your Personal Data.


Certain categories of Personal Data are considered sensitive under data privacy laws and, as such, are subject to a higher level of protection and security. Data privacy law considers as sensitive the following categories of Personal Data: (1) race or ethnic origin; (2) political opinions; (3) religious and philosophical beliefs; (4) trade union membership; (5) sex life or sexual orientation; (6) physical or mental health or conditions; and (7) genetic data and biometric data for the purpose of uniquely defining a natural person.

We kindly ask you to refrain from providing ExxonMobil with any sensitive information of the abovementioned nature, under any circumstance. However, if you do provide such information, ExxonMobil accepts your explicit consent to use that data in accordance with this Privacy Statement or in the ways described at the point where such information is disclosed.


ExxonMobil does not use automated decision-making unless this is (i.) necessary for entering into, or performance of, a contract between the Individual and ExxonMobil and its affiliates, (ii.) permitted or required by law, or (iii.) based on the Individual’s explicit consent.

Automated decision-making means a decision that produces legal effects concerning an Individual or significantly affects the Individual and which is based solely on automated Processing (i.e. no human intervention in the process of decision-making) of Personal Data intended to evaluate certain personal aspects relating to the Individual.  Moreover, ExxonMobil shall implement suitable measures to safeguard the Individual’s rights and freedoms and legitimate interests.


ExxonMobil retains Personal Data to meet the purposes for which the data was collected or in order to ensure compliance with applicable law or to protect legitimate company interests (e.g. statute of limitations periods). ExxonMobil will keep the Personal Data for the period stated in Section 4.


ExxonMobil is committed to protecting your Personal Data as described in this Privacy Statement and as required by applicable national laws. If you have any questions about this notice or about ExxonMobil’s handling of your Personal Data, or if you would like to request additional information on the Personal Data ExxonMobil holds about you or learn about and exercise your rights with respect to your Personal Data, you can contact:

You also have a right to lodge a complaint to the data protection supervisory authority in your country.


The term “Data Controller” means the natural or legal person (in the case of ExxonMobil, the relevant ExxonMobil affiliate) which determines the purposes and means of the Processing of Personal Data.

“ExxonMobil” and/or “ExxonMobil affiliates” mean (a) Exxon Mobil Corporation or any parent of Exxon Mobil Corporation, (b) any company or partnership in which Exxon Mobil Corporation or any parent of Exxon Mobil Corporation now or hereafter, directly or indirectly (1) owns or (2) controls, more than fifty per cent (50%) of the ownership interest having the right to vote or appoint its directors or functional equivalents (“Affiliated Company”) and (c) any joint venture in which Exxon Mobil Corporation, any parent of Exxon Mobil Corporation or an Affiliated Company has day to day operational control.

By “Processed” or “Processing” we mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The term “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject” or “Individual”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 


We reserve the right to change this Privacy Statement at any time without notice. When we make material changes to this Privacy Statement, we will post the changes on this page and update the revision date at the top of the Privacy Statement. We encourage you to review our Privacy Statement regularly for updates.