Article
July 1, 2024
Privacy Statement
Article
July 1, 2024
This General Privacy Statement is effective from May 25, 2018.
Last updated on July 1, 2024.
The protection of your personal data is important to us.
Your privacy is important to us and we want you to understand our practices with respect to the gathering and handling of your personal data.
This Privacy Statement describes how we Process the personal data which we receive from you:
- Through the SMART by GEP site, which serves as the global Procurement Platform for ExxonMobil Procurement activities, and through other related forms, systems and applications, all of which refer to this Privacy Statement. Collectively, these sites, applications and systems are referred to as the “Site”; and
- by other means in the course of our business relationship, for instance if you are a customer of ExxonMobil or another external stakeholder.
ExxonMobil provides additional privacy notices for specific uses of certain personal data. For example, we provide additional notices to visitors to our facilities, to our suppliers, to job applicants, to users of specific mobile Apps, and to participants of our loyalty card programs. The relevant ExxonMobil affiliates will Process the personal data in accordance with the privacy notices they provide for such specific uses. When these notices apply to you, we recommend that you read them carefully. You can find links to relevant notices and more information about ExxonMobil’s privacy program here.
In this Privacy Statement, we use certain defined terms. In order to understand the meaning of the defined terms, we refer you to Section 13, Defined Terms.
This Privacy Statement is addressed to:
- ·visitors of the Site;
- recipients of electronic or other communications which contain or refer to this Privacy Statement; and
- individuals with whom the Data Controller(s), listed in Section 2 below, have a business relationship, such as customers, and external stakeholders and their representatives.
Information from Children
ExxonMobil does not seek through the Site to gather personal data from or about persons under the age of 17.
ExxonMobil does not sell or share the personal information of minors under 16 years of age without affirmative authorization.
The ExxonMobil affiliate which operates the Site pertaining to its business activities is the Data Controller of the personal data collected through the Site. If you have a contractual or other business relationship with an ExxonMobil affiliate, such affiliate is the Data Controller of the personal data that it collects from you in the context of that relationship.
In case you have questions, please contact the data.privacy.office@exxonmobil.com.
The ExxonMobil affiliate(s) acting as the Data Controller of the personal data, may transfer all or some of the personal data to ExxonMobil affiliates worldwide which may be located in third countries that are not regarded as providing an adequate level of protection to the personal data. The transfers take place in accordance with Section 7 below.
ExxonMobil is committed to collecting and using personal data in a lawful manner.
ExxonMobil will ensure that, when it collects or uses personal data, such collection or use is allowed under applicable data protection law, including, for example, the EU General Data Protection Regulation (GDPR), the Virginia Consumer Data Protection Act, Colorado Privacy Act, or California Consumer Protection Act, where such laws govern.
In the EEA, UK and Switzerland, this means that in particular ExxonMobil shall assess whether and which justification (legal basis) it has for the Processing of personal data, as stipulated in the EU General Data Protection Regulation and applicable law. Justification for processing can, depending on the situation, include:
- ExxonMobil’s legitimate business interest, unless such interests are overridden by the interests or fundamental rights and freedoms of the Individual, and/or
- The performance of a contract to which the Individual is a party, and/or
- Compliance with a legal obligation to which ExxonMobil is subject, and/or
- In order to protect the vital interests of the Individual, and/or
- Your consent to the Processing of your personal data for one or more specific purposes. In that case, you may withdraw your consent at any time.
For more information on particular data processing activities, the purposes of this processing, and a description of the specific personal data, please review the table in Section 4.
Individuals may object to the Processing of their personal data and we will consider such objections carefully where required by law. For more information about your rights with respect to how we process your personal data, please refer to Section 9 and/or contact the ExxonMobil Data Privacy Office via data.privacy.office@exxonmobil.com.
In this table we describe the categories of information that we gather via the Site and in connection with our business relationship with you. We also describe the purpose and legal basis, where applicable, for using and processing the information.
When ExxonMobil relies on its legitimate interest as a legal basis to Process personal data, ExxonMobil will ensure that these interests do not disproportionately and adversely impact an individual’s rights and freedoms.
When ExxonMobil relies on an individual’s consent as a legal basis to Process personal data, individuals can withdraw their consent at any time. Visitors wishing to withdraw their consent should notify us at data.privacy.office@exxonmobil.com and we will stop the Processing of your personal data as soon as reasonably possible.
| Categories of Personal Data | Business Purpose of Processing of personal data | Legal basis, where applicable, of Processing | Categories of Sources | Categories of Third Parties to whom information is disclosed, if applicable |
|
Identifiers: like Access permissions, supplier’s banking details, logon/system ID, user name (first and last name), system activity log, and supplier’s contact details (including business contact details of its staff involved in the procurement process). |
For bids submitted electronically, to identify you as an authorized user and grant you access to the procurement platform in order to permit electronic bidding. |
The Processing is a contractual requirement under the procurement contract with ExxonMobil, and/or the Processing is necessary to enter into a procurement contract with ExxonMobil. ExxonMobil’s legitimate business interest in validating your identity and access permissions to ensure only approved users have access to the Site. ExxonMobil’s legitimate business interest to operate efficiently and manage the eventual commercial relationship between you and ExxonMobil and/or ExxonMobil affiliates by facilitating and accelerating the Source to Pay process and the collaboration between ExxonMobil and supplier. |
We collect this information directly from you. |
We may share this information with our system administration vendor who assists us for support purposes. |
|
All Personal Data related to individuals involved in the performance of the contract and/or in the procurement procedures either as supplier or subcontractor. Personal data including the image, name and surname, address, telephone, e-mail address, signature Education and employment related information: like academic and professional training, qualifications and accreditations, work experience, education and membership of professional bodies, as incorporated in CVs, copy of various documents submitted as supporting documents, or in forms pre-established by ExxonMobil. Vendor classification status, vendor performance scorecards and vendor bidding evaluations. |
Bid evaluation, administration of the agreement, document repository and supplier management. |
The Processing is necessary for (i) the evaluation of bids; (ii) obtaining references; (iii) checking for any conflicts of interest; (iv) enabling ExxonMobil to administer and manage any contract that may be awarded; (v) audit of performance under the agreement, (vi) complying with applicable law and (vii) preserve and defend ExxonMobil’s legal rights. |
We collect this information directly from you. |
We may share this information with our system administration vendor who assists us for support purposes. |
|
Identifiers and professional or employment-related information: like personal data including name and business contact details, positions held, principal lines of business, locations of business activities, citizenship, country of residence, shareholdership and ownership interests, relationships with government officials and public international organizations, position as a government official, details regarding whether the individual is subject to trade sanctions regulations, details regarding certain investigations or offenses if permitted under applicable law, and other information on the basis of publicly available sources, and/or information provided by the prospective business partner and/or information obtained through Thomson Reuters World-Check or other tools or service providers. |
Due diligence of suppliers and third parties. |
Compliance with legal obligations to which ExxonMobil is subject, in particular anti-bribery laws, trade sanctions, import/export controls, and anti-money laundering laws. ExxonMobil’s legitimate business interest to minimize legal risks under certain laws, such as the U.S. Foreign Corrupt Practices Act, trade sanctions, import/export controls, and anti-money laundering laws. ExxonMobil’s legitimate business interest in maintaining standards and integrity of its operations, to ensure compliance with its ethics policy, and protect against reputational harm. ExxonMobil’s interest in leveraging centralized, functional support available within the ExxonMobil group and to ensure that transactions with prospective business partners can be operationalized through ExxonMobil networks and systems. By providing information about third parties, you confirm that you have received the permission of the person(s), to provide to ExxonMobil the personal data for processing in accordance with the Privacy Statement. |
We collect this information directly from you. | We share this information with due diligence vendors. |
| Identifiers: like access permissions, authentication information, business contact details, login/system ID, name, preferred language, title, and IP address. | To identify you as an authorized user of the Site for the purposes of account and Site information management. | ExxonMobil’s legitimate business interest in validating your identity and access permissions to ensure only approved users have access to the Site. | We collect this information automatically and directly from you. |
We may share this information with our system administration vendor who assists us for support purposes. |
| Any of the personal data referred to in this notice, provided the information is appropriately pseudonymized or anonymized, as required under applicable law. | For analytical and statistical purposes. | ExxonMobil’s legitimate business interest to ensure the relevance of the Site, to improve the functionality of the Site and to improve our procurement process. | We collect this information automatically and directly from you. |
We may share this information with our system administration vendor who assists us for support purposes. |
Information placed on your computer when visiting the Site
We use cookies and other local storage technologies or files such as pixels, tags, web beacons and Local Shared Objects (sometimes called “flash cookies”) which we store on your computer or mobile device when you visit the Site. The cookies and files stored on your computer or mobile device facilitate customizing your use of the Site and help to avoid the need to re-enter your details every time you visit. You can erase or block this information from your computer. Flash cookies may use parts of your device other than your browser, which means that you may not be able to control their use using browser tools and settings. For more information about managing Flash cookies, please visit the Adobe Flash Player website. Note: you will be taken to a third-party website.
To learn more about how to opt-out from cookies please click here (note: you will be taken to a third-party website).
We use vendors to monitor usage of our site and to provide site usage analytics. These vendors may use such information for business purposes in accordance with our contracts with them.
For more information about the use of analytics, and about the cookies and files we place on your computer or mobile device, and how to erase or block them or opt-out from processing them, see the “Your Privacy” or the relevant cookies section in the Privacy Center in the footer link on the relevant Site.
Note that some goods or services may not be available if you choose not to provide the necessary personal data.
Targeted advertising, and our use of social media sites
We may use the information we collect through the Site to help manage our on-line advertising. For example, we may use information collected from the Site, to show you ads for our products and services when you visit other websites, e.g. third-party social media sites, news sites and (video) search engines. We use third-party advertising technology for this purpose. To learn more about third-party ad-serving technology and how to "opt-out" from such technology, please visit YourOnlineChoices.Com. Note: you will be taken to a third-party website.
Our Site also provides links to others’ websites. This may include social plug-ins to Facebook, Twitter, YouTube and other social media. In case we receive certain statistical information regarding the click-through via these links or social plug-in, we will treat such statistical information in accordance with applicable laws. By clicking on such links or social plug-ins, an online connection will be established between your browser and the servers of the relevant websites and as a result certain personal data may be collected by these websites. ExxonMobil does not own, control or maintain these websites. We recommend that you review the privacy policy of these other sites carefully and contact the operator if you have concerns or questions. ExxonMobil is not responsible for the way other handle personal data and makes no representations or warranties about the privacy practices and accuracy of the content of those sites.
Similarly, ExxonMobil is not responsible for the policies and practices of any website from which you linked to our Site.
We may use information collected through the Site to analyze links between your usage of the Site and your usage of other applications (e.g. our mobile payment App) across the different types of devices you use to access the Site or applications, in order to improve your cross-application experiences. In doing so, we use cookie files and other storage technologies on our Site in accordance with this Privacy Statement and the cookie statement on the Site.
In doing so, we use cookie files and other storage technologies on our Site in accordance with this Privacy Policy and the “Your Privacy” or the relevant cookies section in the Privacy Center in the footer link on the relevant site.
If you visit one of our websites and you wish to opt-out from targeted advertising via cookies, you can do so by following the cookie-banner instructions or by accessing the Privacy center”/ “Privacy Center (Do not sell or share my personal data)” link at the bottom of our websites.
Do-Not-Track Signals and Similar Mechanisms, such as Global Privacy Control on ExxonMobil US websites: Some web browsers transmit "do-not-track" signals. We take action in response to these signals: If the browser has Do Not Track enabled, cookies in this group will be disabled until explicit consent is received. We detect and honour your Global Privacy Control signal if the website browser add-in or extension is enabled at your end. Please see further information about the Global Privacy Control mechanism here.
We contract with other companies and persons to perform functions on our behalf. They have access to personal data needed to perform these business purposes , but may not use it for other purposes..
For example, ExxonMobil may share the personal data it collects automatically, directly from you, or from vendors with (other) vendors in order to allow ExxonMobil to fulfill orders and make deliveries, to send postal mail, and e-mail, to manage customer lists, analyze data, provide marketing assistance, host websites, process card payments, and provide and improve customer service. Furthermore, communicating via the Internet and sending information, products, and services to you by other means necessarily involves your personal data passing through or being handled by third-parties.
These service providers have access to your personal data needed to perform their business purposes, but may not use it for other purposes.
Before any personal data is shared with service providers, we enter into a written agreement which requires them: (1) not to make any unauthorized disclosures of the personal data; (2) to use the personal data only for the specified purposes and only according to the instructions received from ExxonMobil; (3) to retain the personal data only as long as necessary or to protect company interests; and (4) to have in place adequate and appropriate security measures.
In some circumstances, ExxonMobil may disclose any of the categories of personal data it collects to vendors, including competent authorities, legal advisors, Exxon, Mobil, or Esso-branded fuel station operators, payment and loyalty card issuers, and other contracted parties. These vendors process the personal data on their own behalf, for instance: if required by law, in order to defend ExxonMobil’s rights, or to handle individuals’ complaints and requests. We may also share your information in connection with a transfer of assets, or if we are otherwise involved in a merger or transfer. Only when permitted by applicable law and with your consent as required, will we distribute personal data to vendors, such as ExxonMobil distributors, for the purpose of allowing them to market their products and services to you.
ExxonMobil does not, and will not, sell personal information collected within the scope of procurement activities to third parties. ExxonMobil does permit third parties to collect information through our Sites (for example via cookies) in order to show advertisements for our products and services when the user visits other websites. Where required by law, we will seek your prior consent before such information is collected via our Sites, or we will provide opt-out from this activity. The third parties may also use the information for interest-based advertisement of other products and services. The advertisements are based on the users’ online activities over time and across different sites, services, and devices (“interest-based advertising”).
In the past twelve months since this Privacy Policy took effect, for commercial purposes, we have processed or shared for cross-context behavioral advertising (targeted advertising) the following categories of personal information to web and data analytics service providers, search engine and social media platform providers: [IP address, web and app usages information, interaction with our sites and applications.]. Please see further details in section 4. about cookies and similar technologies.
Furthermore, we use vendor’s screening tools to perform due diligence and other screening activities in accordance with our legal or regulatory obligations, and in particular Thomson Reuters World Check and Thomson Reuters Enhanced Due Diligence tools (EDD), where permitted by law, to do integrity and advanced background checks that provide us with information that help us to identify and protect against any regulatory, and/or reputational risk.
For more detailed information about Thomson Reuters privacy practices with respect to gathering and handling of personal data within World-Check and EDD, please see the World-Check Privacy Statement and Thomson Reuters Privacy Statement. These statements reflect the privacy policy and practices of Thomson Reuters acting as an independent data controller. We recommend that you review the privacy policy of such operator and contact the operator if you have concerns or questions.
7.1 Transfers between affiliates
The relevant ExxonMobil affiliate who is the Data Controller may make personal data available to other ExxonMobil affiliates and may transfer some or all of the personal data to ExxonMobil servers located worldwide in accordance with applicable law.
The transfer of personal data from the EEA, UK and Switzerland to recipients located outside such territories is subject to restrictions. ExxonMobil has taken steps so that personal data receives an adequate level of data protection at all ExxonMobil locations. These steps include ExxonMobil affiliates entering into Binding Corporate Rules (“BCR”) which were approved in accordance with the EU General Data Protection Regulation (please visit the link here to read our BCR).
The EU Standard Contractual Clauses have been approved by the European Commission and relevant European authorities as offering adequate protection for transfers of personal data outside the EEA, UK and Switzerland.
7.2 Transfers to third parties
When transferring personal data, ExxonMobil puts in place safeguards to ensure that the recipient adequately protects the personal data. With respect to the transfer of personal data from the EEA, UK and Switzerland to outside such territories, ExxonMobil relies on (1.) EU “Standard Contractual Clauses”, (2.) contractual safeguards imposed on the recipient which is contracted by ExxonMobil affiliates outside of EEA, UK or Switzerland (so-called onward transfers), and (3.) protections available under local law for the recipient established in a country deemed adequate by the EU Commission. Where permitted, and as applicable, we will rely on the individual’s consent.
For more information about specific transfer mechanisms, including information on existing safeguards implemented by ExxonMobil, please contact data.privacy.office@exxonmobil.com.
ExxonMobil endeavors to keep personal data that it collects accurate and complete. ExxonMobil relies on the individuals to maintain the accuracy and completeness of the personal data. Please inform ExxonMobil if your personal details change, including the context in which the personal data was provided, e.g. in connection with a specific product or service.
Where it is permitted by applicable law you may have the right to request:
- Deletion of your personal data when such data is no longer necessary for the purposes for which it has been collected.
- Access to specific pieces of information ExxonMobil has about you or more information about our data processing practices.
- Correction of any inaccurate personal data we maintain about you.
- Restrict the processing of your personal data under certain circumstances.
- Object to the processing operations, having regard to the given circumstances and for reasons related to their particular situation.
- Opt-out from sale or sharing your data for cross-context behavioral advertising, targeted advertising (US data subjects) by providing your choices related to cookies through the Privacy Center - Do not sell or share my personal data link of the relevant site or via the Global Privacy Control, which is operated by a third party (browser add on)and is explained here. Please note that because the Global Privacy Control is a browser-based mechanism, your opt-out preference will apply only to the browser from which you exercised that choice.
- Right to Opt-Out for the Purposes of Profiling: you may have the right to opt-out of processing of personal data for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects.
- In some circumstances in EU/EEA/UK, you also have a right to request a portable extract of your personal data, which will allow you to reuse your personal data for your own purposes.
To appeal our decision on your data subject requests, you may contact us at data.privacy.office@exxonmobil.com. Please enclose a copy of or otherwise specifically reference the decision you want to appeal. We will respond to your appeal in accordance with applicable law.
ExxonMobil will not discriminate against you for exercising your data subject rights, although some of the functionality and features available on the Service may change or no longer be available to you. Any difference in the Services are related to the value provided.
How to submit a data subject request
You may submit a verifiable consumer request from the US, EEA, UK- or from countries where it is permitted by applicable law - to exercise your right to know about, delete, or correct your personal information, please visit ExxonMobil’s privacy program landing page where you may submit your request via email, web form.
US California data subject also can submit their privacy request via the 833-835-2644 toll free number. Please note, all the calls through the 833-835-2644 phone number will be recorded and your participation is voluntary. If you call us, you consent to the recording of the conversation, which includes voice, your name, contact details and the details of your specific request. You may withdraw your consent to participate in the recording by exiting from the call at anytime with no adverse consequence. If you do not want to participate in the recorded call, you will have the opportunity submit your request via our Data Subject Request webform, which is available here.
When you submit a data privacy request, ExxonMobil will verify your identity by requesting you to provide your name, email address or other contact information, ExxonMobil account information ( if applicable), and the company brand with which you have a relationship. Use of an authorized agent: You may be entitled, in accordance with applicable law, to submit a request through an authorized agent. To designate an authorized agent to exercise your rights and choices on your behalf, please provide your authorized agent with signed, written permission demonstrating that they have been authorized by you to act on your behalf. You may be required to:
(1) Verify your own identity directly with us; or
(2) Directly confirm with us that you provided the authorized agent permission to submit the request.
You also have a right to lodge a complaint to the data protection supervisory authority in your country.
For more information about the specific mechanisms available to exercise these rights, please submit a data privacy request on our landing page or contact the data.privacy.office@exxonmobil.com.
To facilitate our efforts to address your request, please let us know the circumstances in which you initially provided ExxonMobil with your personal data, e.g., in connection with a specific product or service.
ExxonMobil does not use automated decision-making unless it is (i.) necessary for entering into, or performance of, a contract between the Individual and ExxonMobil and its affiliates, (ii.) permitted or required by law, or (iii.) based on the Individual’s explicit consent.
Automated decision-making refers to decisions that produce legal effects concerning an Individual or significantly affect the Individual and which are based solely on automated Processing (i.e. no human intervention) of personal data. ExxonMobil shall implement suitable measures to safeguard the Individual’s rights and freedoms and legitimate interests when automated decision-making is used.
ExxonMobil retains personal data as long as necessary to meet the purposes for which the data was collected, to exercise its legal rights and to ensure compliance with applicable law. ExxonMobil applies the following criteria in order to determine when to retain or delete the personal data: Personal data will be retained for 10 years.
ExxonMobil is committed to protecting your personal data as described in this Privacy Statement and as required by applicable laws. If you have any questions about this notice or our handling of your personal data, or if you would like additional information, please contact:
- Data Privacy Office
c/o ExxonMobil Hungary Limited Liability Company
Registered seat: H-1134 Budapest, Dózsa György út 61-63
Budapest
H-1134
Hungary - Data.privacy.office@exxonmobil.com
The term “Data Controller” means the natural or legal person (in the case of ExxonMobil, the relevant ExxonMobil affiliate) which determines the purposes and means of the Processing of personal data.
“ExxonMobil” and/or “ExxonMobil affiliates” mean (a) Exxon Mobil Corporation or any parent of Exxon Mobil Corporation, (b) any company or partnership in which Exxon Mobil Corporation or any parent of Exxon Mobil Corporation now or hereafter, directly or indirectly (1) owns or (2) controls, more than fifty per cent (50%) of the ownership interest having the right to vote or appoint its directors or functional equivalents (“Affiliated Company”) and (c) any joint venture in which Exxon Mobil Corporations, any parent of Exxon Mobil Corporation or an Affiliated Company has day to day operational control.
By “Processed” or “Processing” we mean any operation(s) which is performed on personal data, whether or not by automated means, such as collection, recording, organizing, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
We reserve the right to change this Privacy Statement at any time without notice. When we make material changes to this Privacy Statement, we will post the changes on this page and update the revision date at the top of the Privacy Statement. We encourage you to review our Privacy Statement regularly for updates.