Fair Processing Notice

1.1. This Notice sets out how Phillips 66 (“We” or “Us”) handles the Personal Data of
third parties that We have contact with in the course of our business operations,
including our current, past and prospective:

(a) customers and their representatives, employees or agents;
(b) suppliers and their representatives, employees or agents;
(c) counterparties and their representatives, employees or agents;
(d) contractors and their representatives, employees or agents;
(e) officers and beneficial owners of the above;
(f) visitors to our premises;
(g) customers of Jet branded service stations;
(h) prospective employees and apprentices, work experience students and other
job applicants;
(i) advisors, consultants and other professional experts;
(j) those with whom we work in the context of our Community Initiatives.

1.2. The Controller of third party Personal Data will be the Phillips 66 legal entity with
which you have contact. If you have any questions about this Notice or the use of
your Personal Data, please contact the UK Data Privacy Network Coordinator at

1.3. We may collect Personal Data relating to you when you contact Us by email or by
telephone, by operating security policies and procedures on our premises (for
example by gate access data or access to CCTV footage recorded by Us or, where
applicable, our landlord), or when you or your employer or employer’s affiliated
companies otherwise have contact with our employees, representatives or agents
during the course of us operating our business including where business is required
to be conducted on recorded telephone lines or other electronic devices. The
Personal Data collected will include some or all of the following:
(a) name, telephone number, postal address and other contact details;
(b) employer organization, job title, unit/department, location;
(c) in certain circumstances your date of birth, national insurance or other
personal identification details and signature;
(d) in certain circumstances, gate log data regarding hours worked and worksite
(e) employment and job application details e.g. education, employment history
and qualifications;
(f) goods or services provided to or received by Us; banking or financial
information required to administer our relationship;
(g) photographic identification and video/CCTV footage.

1.4. In certain circumstances, we may also collect Special Categories of Data relating to
you, including data relating to heath (e.g. medical, sickness, accident or disability
records), race or ethnic origin, sexual orientation, religious or political beliefs, trade
union membership and criminal background data. This data will only be Processed
where required or permitted by applicable laws.

1.5. We will use the Personal Data that We collect about you for a number of purposes,
including to:

(a) respond to any query that you may submit to us and send you relevant
information on our goods and services that may be of interest to you using
the contact details you have provided;
(b) carry out anti-money laundering and sanctions checks and otherwise comply
with our legal and regulatory obligations;
(c) support our assets and/or the environment;
(d) manage our relationship with you and administer any agreement that We
have in place with you or your employer or affiliated company;
(e) Process any job, student placement or scholarship application, you (or your
representative) have submitted;
(f) allow you to access our premises;
(g) record your entry to and departure from our premises for invoicing purposes
in respect of any services agreement we have in place with your employer;
(h) conduct our operations and to manage and protect our assets and systems,
including intranet and internet usage, voice recording and CCTV/video
(i) administer and customize our websites and Apps and as part of our efforts
to keep our websites and Apps secure;
(j) prevent illegal activity or to protect our legitimate interests, as we consider
is necessary.

1.6. For the purpose of Data Protection Laws and Regulations, except where your
consent is required and obtained or where Processing of Special Categories of Data
is necessary in the context of the establishment, exercise or defence of claims, to
protect the vital interests of the Data Subject or another person where the Data
Subject is incapable of giving consent or for the purposes of preventative or
occupational medicine, for the assessment of your working capacity, medical
diagnosis or the provision of treatment; the legal bases on which We Processes
Personal Data about you are that the Processing is necessary (i) for the purpose of
our legitimate interest in running our business; (ii) for performance of or entry of a
contract (iii) compliance with a legal obligation to which we are subject; or (iv) in
order to protect your vital interests or those of another natural person.

1.7. The Personal Data that We collect about you may be disclosed to other
organizations, including:

(a) other companies in our group;
(b) suppliers that provide business services to Us, such as security, online job
application providers and cloud service providers;
(c) financial institutions and our insurers;
(d) professional advisors including accountants, auditors and lawyers;
(e) governmental and regulatory bodies, such as tax authorities.
1.8. We will only disclose your Personal Data to other organizations where it is necessary
(i) to enable the organization to provide services for or on behalf of Us, (ii) to comply
with applicable legal requirements, (iii) to protect or defend our rights or property,
or (iv) to protect the health, safety and well-being of our employees, contractors,
visitors or members of the public.

1.9. You may be entitled to request access to Personal Data We hold about you, or to
request that your Personal Data is erased, that its Processing is restricted, or that
any inaccurate Personal Data is rectified. You also have the right to object to the
Processing of your Personal Data and, in some circumstances, you may have the
right to receive a copy of your Personal Data in a machine-readable format. If you
wish to make such a request, please contact the UK Data Privacy Network
Coordinator at InformationManagementUK@p66.com.

1.10. You have the right to complain to the Supervisory Authority (which in the UK is the
Information Commissioner’s Office) about our use of your Personal Data if you
believe that We have breached our obligations under the Data Protection Laws and
Regulations. Please visit www.ico.org.uk for further information.

1.11. We only collect your Personal Data for the specific purposes set out at Section 1.5.
We will only retain your Personal Data for as long as is necessary to fulfil these
purposes, and for the purposes of legal and regulatory compliance.

1.12. We centralise the management of certain IT systems and business support services
in the United States, and as such your Personal Data may be transferred and stored
outside of the European Economic Area. We have implemented safeguards to
ensure that this transfer of Personal Data complies with the Data Protection Laws
and Regulations, including by entering into appropriate Data Transfer Agreements. If
you would like more information about the transfer of your Personal Data, please
contact the UK Data Privacy Network Coordinator at

1.13. In this notice, Personal Data, Controller, Processing and Data Protection Laws have
the following meanings:

“Data Controller” means, as defined by the Data Protection Laws and Regulations,
the person or organisation which, alone or jointly with others, determines the
purposes and means of the Processing of Personal Data.

“Data Protection Laws and Regulations” means all laws and regulations, including
laws and regulations of the United Kingdom, European Union, the European
Economic Area and their member states, applicable to the Processing of Personal
Data, including the Data Protection Act 2018 and the General Data Protection
Regulation ((EU) 2016/679).

“Personal Data” means any information relating to (i) an identified or identifiable
natural person that are within the scope of protection as “personal data” under the
applicable Data Protection Laws and Regulations and, (ii) an identified or identifiable
legal entity (where protected under applicable Data Protection Laws).

“Processing” of Personal Data means, as defined by the Data Protection Laws and
Regulations, any operation or set of operations which is performed upon Personal
Data, whether or not by automatic means, such as collection, recording,
organization, structuring, storage, adaptation or alteration, retrieval, consultation,
use, disclosure by transmission, dissemination or otherwise making available,
alignment or combination, restriction, erasure or destruction.

“Special Categories of Data” means, ‘special categories of personal data’ as referred
to in the Data Protection Laws and Regulations.