2. Equinor’s processing of Personal Data
Equinor processes personal data about employees and external consultants working from Equinor premises or in Equinor systems. Equinor also processes personal data about data subjects who are not employed or engaged by Equinor (see more information below).
Equinor will always process personal data fairly and lawfully, and only for a specified, explicit and legitimate purpose or as required by law. Equinor will therefore only process personal data when such processing is necessary for us to manage our operations, provide services or other legitimate business interests, comply with legal or contractual obligations or after receiving consent (the latter of which can be withdrawn at any time).
Equinor will ensure appropriate information security related to confidentiality, integrity and availability. Personal data will be retained only for the period that is required to serve the legitimate purpose.
Third party service providers may process personal data on behalf of Equinor within various areas. Equinor will implement adequate safeguards in accordance with applicable law to protect your personal data processed by third party service providers.
Equinor also processes personal data about data subjects that are not employed or engaged by Equinor for these purposes:
2.2. Procurement Related Matters
Equinor processes personal data necessary in order to procure goods and services from suppliers and contractors.
2.3. Integrity Due Diligence
Equinor has established an extensive Integrity Due Diligence (IDD) process. The IDD process includes collecting information to help us understand who our counterparties are, their values and how their business is conducted. In some instances, the IDD may also include the processing of personal data. More information about IDD can be found here.
2.4. Ethics Helpline
Equinor has set up an Ethics Helpline where employees and external third parties interacting with us can raise concerns or report any suspected or potential breaches of law or company policies. More information about the Ethics Helpline can be found here.
2.5. Local Grievance Mechanisms
In some countries, Equinor has established local grievance mechanisms in order to receive, investigate and respond to grievances from individuals, communities, or their representatives about the adverse impact of Equinor's or its contractors' activities on communities or individuals.
To ensure regulatory compliance with Norwegian and international regulations on sanctions, as well as ensuring compliance with anti-money-laundering regulation, Equinor may perform a screening of external third parties with whom Equinor has relations.
Equinor communicates externally and internally with the general public, specific target groups and individual persons. Examples of communication activities performed by Equinor or third parties are distribution of newsletters, press releases, company reports, optimising websites, organising events, handling user-initiated dialogue, providing information to public authorities, conducting surveys, and communicating in social media networks. Please see our Guidelines for social media.
Equinor processes personal data for recruitment purposes to ensure that Equinor recruits qualified candidates. The legal basis Equinor relies on for processing your personal data relates to processing necessary to perform a contract or to take steps at your request, before entering into a contract. You will receive more detailed information about this processing when entering the recruitment process.
3. Collection of personal data
The personal data Equinor may collect and hold about data subjects includes:
- contact information such as names and addresses, telephone numbers and email addresses;
- details about an individual’s work experience and qualifications, date of birth, driver’s licence details;
- screening-related information;
- business details, including the names of relevant office holders of a company and business numbers; and
- details for preferences related to marketing and other types of events.
Personal data may be collected in a number of ways, including:
- directly by Equinor staff when establishing a business relationship or through operational dealings;
- from a third-party service provider or agent, from a source of publicly available information (e.g. websites) or from an employer (e.g. where a supplier or contractor provides personal data about their employees);
- through use of Equinor's website; or
- data provided directly by you.
4. Transfer of Personal Data
Equinor has established Binding Corporate Rules (BCRs) to provide Equinor with a legal basis for transfer of personal data within the Equinor group to Equinor companies outside of EU/EEA. The BCRs will apply to all personal data, within the Equinor group, which are protected by applicable EU data protection law. You can find a summary of the BCRs here.
Equinor will ensure that the European rules on trans-border data flows are complied with when personal data are transferred to external processors (outside of the Equinor group) located outside of EU/EEA or located in a country that is not recognised by the EU Commission as ensuring an adequate level of protection. Examples of such safeguards are Binding Corporate Rules, EU Standard Contractual Clauses or certification of the receiving party under the EU-US Privacy Shield.
5. How to exercise your rights as a data subject
National and international data protection law gives rights to data subjects. Data subjects have, under some circumstances, the right to request access, rectification, erasure and/or restriction of processing of their data.
If you have questions or want to exercise your rights as a data subject, please contact the Data Protection Officer in Equinor (email address: firstname.lastname@example.org). You have a right to complain to the Norwegian Data Protection Authority if you consider that we have breached the data protection legislation, but we encourage you to first contact our Data Protection Officer before filing such a complaint.
Published: 10 July 2018