Fair Processing Notice for Third Parties

1.1. This Notice sets out how Phillips 66 (“We” or “Us”) handles the Personal Data of third parties that We have contact with in the course of our business operations, including our current, past and prospective:

(a) customers and their representatives, employees or agents;

(b) suppliers and their representatives, employees or agents;

(c) counterparties and their representatives, employees or agents;

(d) contractors and their representatives, employees or agents;

(e) officers and beneficial owners of the above;

(f) visitors to our premises;

(g) customers of Jet branded service stations;

(h) prospective employees and apprentices, work experience students and other job applicants;

(i) advisors, consultants and other professional experts;

(j) those with whom we work in the context of our Community Initiatives.

1.2. The Controller of third party Personal Data will be the Phillips 66 legal entity with which you have contact. If you have any questions about this Notice or the use of your Personal Data, please contact the UK Privacy Network Coordinator at InformationManagementUK@p66.com.

1.3. We may collect Personal Data relating to you when you contact Us by email or by telephone, by operating security policies and procedures on our premises (for example by access to CCTV footage recorded by Us or, where applicable, our landlord), or when you or your employer or employer’s affiliated companies otherwise have contact with our employees, representatives or agents during the course of us operating our business including where business is required to be conducted on recorded telephone lines or other electronic devices. The Personal Data collected will include some or all of the following:

(a) name, telephone number, postal address and other contact details;

(b) employer organization, job title, unit/department, location;

(c) in certain circumstances your date of birth, national insurance or other personal identification details and signature;

(d) employment and job application details e.g. education, employment history and qualifications;

(e) goods or services provided to or received by Us; banking or financial information required to administer our relationship;

(f) photographic identification and video/CCTV footage.

1.4. In certain circumstances, We may also collect Special Categories of Data relating to you, including data relating to heath (e.g. medical, sickness, accident or disability records), race or ethnic origin, sexual orientation, religious or political beliefs, trade union membership and criminal background data. This data will only be Processed where required or permitted by applicable laws.

1.5. We will use the Personal Data that We collect about you for a number of purposes, including to:

(a) respond to any query that you may submit to us and send you relevant information on our goods and services that may be of interest to you using the contact details you have provided;

(b) carry out anti-money laundering and sanctions checks and otherwise comply with our legal and regulatory obligations;

(c) support our assets and/or the environment;

(d) manage our relationship with you and administer any agreement that We have in place with you or your employer or affiliated company;

(e) Process any job, student placement or scholarship application, you (or your representative) have submitted;

(f) allow you to access our premises;

(g) record your entry to and departure from our premises for invoicing purposes in respect of any services agreement we have in place with your employer;

(h) conduct our operations and to manage and protect our assets and systems, including intranet and internet usage, voice recording and CCTV/video surveillance;

(i) administer and customize our websites and Apps and as part of our efforts to keep our websites and Apps secure;

(j) prevent illegal activity or to protect our legitimate interests, as we consider is necessary.

1.6. For the purpose of Data Protection Laws and Regulations, except where your consent is required and obtained or where Processing of Special Categories of Data is necessary in the context of the establishment, exercise or defence of claims, the legal bases on which We Processes Personal Data about you are that the Processing is necessary (i) for the purpose of our legitimate interest in running our business; (ii) for performance of or entry of a contract or (iii) compliance with a legal obligation to which we are subject.

1.7. The Personal Data that We collect about you may be disclosed to other organizations, including:

(a) other companies in our group;

(b) suppliers that provide business services to Us, such as security, online job application providers and cloud service providers;

(c) financial institutions and our insurers;

(d) professional advisors including accountants, auditors and lawyers;

(e) governmental and regulatory bodies, such as tax authorities.

1.8. We will only disclose your Personal Data to other organizations where it is necessary (i) to enable the organization to provide services for or on behalf of Us, (ii) to comply with applicable legal requirements, (iii) to protect or defend our rights or property, or (iv) to protect the health, safety and well-being of our employees, contractors, visitors or members of the public.

1.9. You may be entitled to request access to Personal Data We hold about you, or to request that your Personal Data is erased, that its Processing is restricted, or that any inaccurate Personal Data is rectified. You also have the right to object to the Processing of your Personal Data and, in some circumstances, you may have the right to receive a copy of your Personal Data in a machine-readable format. If you wish to make such a request, please contact the UK Privacy Network Coordinator at InformationManagementUK@p66.com.

1.10. You have the right to complain to the Supervisory Authority (which in the UK is the Information Commissioner’s Office) about our use of your Personal Data if you believe that We have breached our obligations under the Data Protection Laws and Regulations. Please visit www.ico.org.uk for further information.

1.11. We only collect your Personal Data for the specific purposes set out at Section ‎1.5. We will only retain your Personal Data for as long as is necessary to fulfil these purposes, and for the purposes of legal and regulatory compliance.

1.12. We centralise the management of certain IT systems and business support services in the United States, and as such your Personal Data may be transferred and stored outside of the European Economic Area. We have implemented safeguards to ensure that this transfer of Personal Data complies with the Data Protection Laws and Regulations, including by entering into appropriate Data Transfer Agreements. If you would like more information about the transfer of your Personal Data, please contact the UK Privacy Network Coordinator at InformationManagementUK@p66.com.

1.13. In this notice, Personal Data, Controller, Processing and Data Protection Laws have the following meanings:

“Data Controller” means, as defined by the Data Protection Laws and Regulations, the person or organisation which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the United Kingdom, European Union, the European Economic Area and their member states, applicable to the Processing of Personal Data under the Agreement, including the General Data Protection Regulation ((EU) 2016/679).

“Personal Data” means any information relating to (i) an identified or identifiable natural person that are within the scope of protection as “personal data” under the applicable Data Protection Laws and Regulations and, (ii) an identified or identifiable legal entity (where protected under applicable Data Protection Laws).

“Processing” of Personal Data means, as defined by the Data Protection Laws and Regulations, any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Special Categories of Data” means, ‘special categories of personal data’ as referred to in the Data Protection Laws and Regulations.