Fair Processing Notice for Third Parties

1. This Notice sets out how Phillips 66 (We or Us) handles the Personal Data of third parties that We have contact with in the course of our business operations, including our current, past and prospective:
   
   
   1. customers and their representatives, employees or agents;
   2. suppliers and their representatives, employees or agents;
   3. counterparties and their representatives, employees or agents;
   4. contractors and their representatives, employees or agents;
   5. officers and beneficial owners of the above;
   6. visitors to our premises;
   7. customers of Jet branded service stations;
   8. prospective employees and apprentices, work experience students and other job applicants;
   9. advisors, consultants and other professional experts;
   10. those with whom we work in the context of our Community Initiatives.
       
       
2. The Controller of third party Personal Data will be the Phillips 66 legal entity with which you have contact. If you have any questions about this Notice or the use of your Personal Data, please contact the Privacy Coordinator at Privacy@P66.com or InformationManagementUK@p66.com.
   
   
3. We may collect Personal Data relating to you when you contact Us by email, post, telephone or by using our websites or platforms operated by our service providers, by operating security policies and procedures on our premises (for example by gate access data or image data from CCTV and other surveillance technology such as Automatic Number Plate Recognition, bodycams and dashcams recorded by Us or, where applicable, our landlord), or when you or your employer or employer’s affiliated companies otherwise have contact with our employees, representatives or agents during the course of us operating our business including where business is required to be conducted on recorded telephone lines or other electronic devices. The Personal Data collected will include some or all of the following:
   
   
   1. name, telephone number, postal address and other contact details;
   2. employer organization, job title, unit/department, location;
   3. in certain circumstances your date of birth, national insurance or other personal identification details and signature;
   4. in certain circumstances, gate log data regarding hours worked and worksite location;
   5. in certain circumstances usage of equipment, systems and benefits provided by Us.
   6. employment and job application details e.g. education, employment history and qualifications.
   7. in certain circumstances, information derived from security and employment background checks (including where applicable, international sanctions list checks, credit and Disclosure and Barring Service criminal convictions checks);
   8. goods or services provided to or received by Us; banking or financial information required to administer our relationship;
   9. photographic identification and image data from surveillance technology such as CCTV, dashcams, bodycams and Automatic Number Plate Recognition footage;
   10. in certain circumstances, locational data collected via lone worker tracking devices;
   11. driver’s name and further data may be derived from tracking devices such as, but not limited to, GPS used for monitoring and tracking of Company vehicles’ movements.
       
       
4. We may also collect Special Categories of Data relating to you, including data relating to heath (e.g. medical, sickness, accident or disability records), race or ethnic origin, sexual orientation, religious or political beliefs, trade union membership and criminal background data. This data will only be Processed with your explicit consent or where required or permitted by applicable laws.
   
   
5. We will use the Personal Data that We collect about you for a number of purposes, including to:
   
   
   1. respond to any query that you may submit to Us and send you relevant information on our goods and services that may be of interest to you using the contact details you have provided;
   2. carry out anti-money laundering and sanctions checks and otherwise comply with our legal and regulatory obligations;
   3. support our assets and/or the environment;
   4. manage our relationship with you and administer any agreement that We have in place with you or your employer or affiliated company;
   5. Process any job, student placement or scholarship application, you (or your representative) have submitted;
   6. allow you to access our premises;
   7. provide safe and respectful premises as required by law and our policies;
   8. record your entry to and departure from our premises for invoicing purposes in respect of any services agreement we have in place with your employer;
   9. conduct our operations and to manage and protect our assets and systems, including intranet and internet usage, voice recording and CCTV and other surveillance technology such as ANPR, bodycams and dashcams ;
   10. administer and customize our websites and Apps and as part of our efforts to keep our websites and Apps secure;
   11. prevent illegal activity or to protect our legitimate interests, as we consider is necessary.
       
       
6. For the purpose of Data Protection Laws and Regulations, except where your consent is required and obtained or where Processing of Special Categories of Data is necessary in the context of the establishment, exercise or defence of claims, to protect the vital interests of the Data Subject or another person where the Data Subject is incapable of giving consent or for the purposes of preventative or occupational medicine, for the assessment of your working capacity, medical diagnosis or the provision of treatment, for reasons of public interest in the area of public health; the legal bases on which We Processes Personal Data about you are that the Processing is necessary (a) for performance of or entry of a contract to which you are party or in order to take steps at your request prior to entering into a contract; (b) compliance with a legal obligation to which We are subject; or (c) in order to protect your vital interests or those of another natural person; (d) for the purpose of our legitimate interest in running our business.
   
   
7. The Personal Data that We collect about you may be disclosed to Recipients including:
   
   
   1. other companies in our group;
   2. suppliers that provide business services to Us, such as security, online job application providers and cloud service providers;
   3. financial institutions and our insurers and brokers;
   4. professional advisors including accountants, auditors and lawyers;
   5. governmental and regulatory bodies, such as tax authorities.
      
      
8. We will only disclose your Personal Data to other Recipients where it is necessary (a) to enable the Recipient to provide services for or on behalf of or transact with Us, (b) to comply with applicable legal requirements, (c) to protect or defend our rights or property, or (d) to protect the health, safety and well-being of you, our employees, contractors, visitors or members of the public. Some of these Recipients may Process your Personal Data in accordance with their privacy policies.
   
   
9. Automated decision-making. In our recruitment process, we may use a system that has an element of automated decision making, but we do not carry out solely automated decision making. When you submit an application for an open role we have posted, the system extracts information you provide on your application regarding your qualifications to compare it to the role requisition required qualifications and provides a grade. This means that your application may be scored by the system based on the extracted information. Depending on the grade allocated to your application, our recruitment personnel may decide not to review your application. Ultimately, the decision on whether to progress your application will be made by a member of our recruitment team, not as a result of the automated process. 
   
   
10. You may be entitled to request access to Personal Data We hold about you, or to request that your Personal Data is erased, that its Processing is restricted, or that any inaccurate Personal Data is rectified. When Processing of your Personal Data is based on consent, you have the right to withdraw your consent at any time. This will not affect the validity of the Processing prior to the withdrawal of the consent. You also have the right to object to the Processing of your Personal Data and, in some circumstances, you may have the right to receive a copy of your Personal Data in a machine-readable format. If you wish to make such a request or withdraw your consent, please contact the Privacy Coordinator at Privacy@P66.com or InformationManagementUK@p66.com.  
    
    
11. You have the right to complain to the Supervisory Authority (which in the UK is the Information Commissioner’s Office) about our use of your Personal Data if you believe that We have breached our obligations under the Data Protection Laws and Regulations. Please visit www.ico.org.uk for further information.
    
    
12. We only collect your Personal Data for the specific purposes set out at Section 5. We will only retain your Personal Data for as long as is necessary to fulfil these purposes, and for the purposes of legal and regulatory compliance.
    
    
13. We centralise the management of certain IT systems and business support services in the United States, and as such your Personal Data may be transferred and stored outside of the United Kingdom. We have implemented safeguards to ensure that this transfer of Personal Data complies with the Data Protection Laws and Regulations, including by entering into appropriate Data Transfer Agreements. If you would like more information about the transfer of your Personal Data, please contact the Privacy Coordinator at Privacy@P66.com or InformationManagementUK@p66.com.
    
    
14. In this notice, Personal Data, Controller, Processing and Data Protection Laws have the following meanings:
    
    
    • Controller means, as defined by the Data Protection Laws and Regulations, the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
      
    • Data Protection Laws and Regulations means all laws and regulations, including laws and regulations applicable to the Processing of Personal Data, including the United Kingdom retained EU law version of the General Data Protection Regulation (EU 2016/679), Data Protection Act 2018 (and regulations made thereunder), and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426); as they may be amended, modified, or replaced from time to time.
      
    • Personal Data means any information relating to (i) an identified or identifiable natural person that are within the scope of protection as “personal data” under the applicable Data Protection Laws and Regulations and, (ii) an identified or identifiable legal entity (where protected under applicable Data Protection Laws and Regulations).
      
    • Processing of Personal Data means, as defined by the Data Protection Laws and Regulations, any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
      
    • Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
      
    • Special Categories of Data means, ‘special categories of personal data’ as referred to in the Data Protection Laws and Regulations which include any Personal Data revealing a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, criminal background data, sex life or sexual orientation, genetic information, biometric information or health information.