Privacy and Data Protection in Equinor

1. Introduction
2. Equinor’s processing of personal data
2.1 General
2.2 Procurement and other business relation purposes
2.3 Integrity Due Diligence
2.4 Ethics helpline
2.5 Local grievance mechanisms
2.6 Screening
2.7 Communication

2.8 Recruitment and onboarding
2.9 Security and emergency response
2.10 Recordings of certain trading activities
2.11 Equinor Pension
2.12 Website and cookies
3. Categories and collection of personal data
4. Transfer of personal data
5. How to exercise your rights as a data subject
6.. Notice to California Residents
7. Changes to this privacy policy

1. Introduction
Privacy and data protection laws protect the integrity and confidentiality of a person’s private information. Equinor is committed to protecting the privacy rights of our employees and everyone with whom we do business. We will only use personal data for appropriate purposes, and personal data will be processed in accordance with applicable data protection regulation and Equinor's Binding Corporate Rules.

Within the Equinor Group, the data controller will be Equinor ASA and/or the Equinor company(ies) you have your relationship with. Equinor ASA operates equinor.com and is the controller for the processing of personal data generated from using the site, as well as a number of the processes described in clause 2 below. The local Equinor entities are the controller of personal data processed to provide local processes and local websites.

2. Equinor’s processing of personal data
2.1. General
Equinor processes personal data about employees and external consultants working from Equinor premises or in Equinor systems. Equinor also processes personal data about data subjects who are not employed or engaged by Equinor, to whom this privacy policy is primarily aimed. The main categories of personal data processed is described in section 3 below.

Equinor will always process personal data fairly and lawfully, and only for a specified, explicit and legitimate purpose or as required by law. Equinor will therefore only process personal data when such processing is necessary for us to manage our operations, provide services or other legitimate business interests, comply with legal or contractual obligations or after receiving consent (the latter which can be withdrawn at any time). Withdrawing consent will not affect the lawfulness of the processing based on the consent prior to withdrawing it. Further information on specific legal basis is provided below.

Equinor will ensure appropriate information security related to confidentiality, integrity and availability. Personal data will be retained only for the period that is required to serve the legitimate purpose.

Third party service providers may process personal data on behalf of Equinor within various areas. Equinor has implemented adequate safeguards in accordance with applicable law to protect your personal data processed by third party service providers.

Equinor processes personal data about data subjects that are not employed or engaged by Equinor for these various purposes:

2.2 Procurement and other business relation purposes
Equinor processes personal data necessary to procure goods and services from suppliers and contractors, for contract management and for human rights verifications. The data processed for such purposes include contact information and human resources information. The legal basis is Equinor’s legitimate interest in ensuring good management of and support of our suppliers, partners and customers.

2.3. Integrity Due Diligence
Equinor has established an extensive Integrity Due Diligence (IDD) process. The IDD process includes collecting information to help us understand who our counterparties are, their values and how their business is conducted. In some instances, the IDD may also include the processing of personal data. More information about IDD can be found here. The personal data processed for this purpose may include contact information and IDD specific necessary information, such as position, possible political position and roles, possible sanction listings, personal relations, contracts, relevant memberships, references, legal claims and reputational issues. The legal basis is to comply with legal obligations, pursue our legitimate interests and to establish, exercise or defend legal claims.

2.4. Ethics Helpline
Equinor has set up an Ethics Helpline where employees and external third parties interacting with us can raise concerns or report any suspected or potential breaches of law or the Equinor Code of Conduct. More information about the Ethics Helpline can be found here. Due to the nature of the Ethics Helpline, the processing may include all categories of personal data, also special categories. The legal basis is legitimate interest or processing necessary for the purposes of performing the obligations and exercising the rights of Equinor in the field of employment, social security and social protection law, or for the establishment, exercise or defense of legal claims.

2.5. Local grievance mechanisms
In some countries, Equinor has established local grievance mechanisms in order to receive, investigate and respond to grievances from individuals, communities, or their representatives about Equinor or its contractors’ activities adverse impact on communities or individuals. The personal data processed includes contact information and other data necessary for performing the grievance-processes. The legal basis is performance of a task carried out in the public interest or legitimate interest.

2.6. Screening
To ensure regulatory compliance with Norwegian and international regulations on sanctions, as well as ensuring compliance with anti-money-laundering regulation, Equinor may perform a screening of external third parties with whom Equinor has relations. More information about sanctions can be found here. The personal data processed is contact information, position and results from the screening activity. The legal basis is legitimate interest, legal obligation or performing the obligations and exercising the rights of Equinor in the field of employment, social security and social protection law.

2.7. Communication
Equinor communicates externally and internally with the general public, specific target groups and individual persons. Examples of communication activities performed by Equinor or third parties are distribution of newsletters, press releases, company reports, optimising websites, organising events, handling user-initiated dialogue, providing information to public authorities, conducting surveys, and communicating in social media networks. The personal data processed includes contact information and communication-related information. Please see our Guidelines for social media. The legal basis is legitimate interest in providing information and ensuring good management of and support for our customers, suppliers and partners, or your consent.

2.8 Recruitment and onboarding
Equinor processes personal data for recruitment purposes to ensure that Equinor recruits qualified candidates. The personal data processed include contact information, recruitment and human resources information. The legal basis Equinor rely on for processing your personal data relates to processing necessary to perform a contract or to take steps at your request, before entering a contract, or your consent to being included in the CV-database.

Equinor also processes personal data to cater for onboarding of external personnel into the Equinor organization based on mergers and/or acquisitions and/or transfer of an undertaking. The personal data processed include contact information, recruitment and human resources information. The legal basis Equinor relies on in these circumstances is legal obligation or legitimate interest.

You will receive more detailed information about the two types of processing and the legal basis when entering the recruitment process or you are being part of the onboarding process.

2.9 Security and emergency response
Equinor has implemented various security measures that requires processing of personal data. This is to safeguard against illegal or unauthorized access to areas, buildings, rooms, systems, processes or equipment. For example, Equinor premises can have activity logs, camera surveillance, controls of delivery vehicles, the drivers, visitor and employee access control. The categories of personal data we collect and use, depend on the security measures in question. It includes a variety of images and videos, contact information and place of employment, date and time of access to premises and information about vehicles.

Equinor’s operations entail a certain level of risk, both for Norwegian and international operations. The purpose of the processing is to secure personnel support during an emergency response situation (ensure personnel emergency preparedness). The personal data processed may include all relevant data about the personnel in an emergency incident; contact information, date of birth, next-of-kin, contact person for employer and contractor. The purpose is to comply with legal obligations within different jurisdictions concerning emergency preparedness. The legal basis for such processing of personal data is our legitimate interests in safeguarding of our business and any applicable legal requirements relating to this.

2.10 Recordings of certain trading activities
For certain trading activities, Equinor processes contact information and the full content of commercial conversations on telephone and IM to document negotiations, trading and agreements as well as to ensure compliance to regulatory requirements for documentation. The legal basis is to comply with legal obligations and our legitimate interest.

2.11 Equinor Pension
Equinor processes personal data for handling pension. For further information related to your Equinor-pension rights, contact pensjon@equinor.com.

2.12 Website and cookies
Please see our Cookie Policy.

3. Categories and collection of personal data
For easier understanding of this privacy policy we have set up the following categories. This does not mean or entail that the processing will always entail all the examples of personal information included in the categories.

The categories of personal data Equinor may collect and hold about data subjects include:

Contact information, such as names and addresses, telephone numbers and email addresses, titles etc.
Recruitment information, such as application, CV, references, background checks, interviews and assessments, immigration and relocation information, exit surveys
Human resources information such as details about an individual’s work experience and qualifications, date of birth, identification documentation, driver’s license details; national identity, social security number, employee number, position, organization, bank account, next of kin, union membership, location, salary and leader
Communication-related information, such as public political relations, positions, preferences related to marketing and events (including allergies/diets restrictions when provided by participants), and information related to user behavior in own communication-channels (including IP-addresses).

Personal data may be collected in several ways, including:

directly by Equinor staff when establishing a business relationship or through operational dealings;
from a third-party service provider or agent, from a source of publicly available information (e.g. websites) or from an employer (e.g. where a supplier or contractor provides personal data about their employees);
through use of Equinor's website; or
data provided directly by you.

4. Transfer of personal data
Equinor has established Binding Corporate rules (BCR) to provide Equinor with a legal basis for transfer of personal data within the Equinor group to Equinor companies outside of EU/EEA. The BCRs will apply to all personal data, within the Equinor group, which are protected by applicable EU data protection law. You can find a summary of the BCRs here and a list of members of the BCR here.

Equinor will ensure that the European rules on trans-border data flows are complied with when personal data are transferred to external processors (outside of the Equinor group) located outside of EU/EEA or located in a country that is not recognised by the EU Commission as ensuring an adequate level of protection. Examples of such safeguards are Binding Corporate Rules, EU Standard Contractual Clauses or if the receiving party is certified under the EU-US Privacy Shield.

5. How to exercise your rights as a data subject
National and international data protection gives rights to data subjects. The data subjects have, under some circumstances and subject to the laws of the particular jurisdiction, the right to request access, rectification, erasure and/or restriction to processing of their data.

If you have questions or want to exercise your rights as a data subject, please contact the Data Protection Officer in Equinor (email address: gm_dataprotection@equinor.com ). You have a right to complain to the Norwegian or local Data Protection Authority if you consider that we have breached the data protection legislation, but we encourage you to first contact our Data Protection Officer, before filing such complaint.

6. Notice to California Residents
If you are a California resident, California law may provide you with additional rights regarding our use of your personal information. To learn more about your California privacy rights, visit our Privacy Notice for California Residents.

7. Changes to this privacy policy
We may update this privacy policy from time to time. If such updates are not material, we may make such alterations without posting a specific notice on our website. If the changes are material and affects your rights or the way we process personal data, we will provide a specific notice on our website. Please review this privacy policy from time to time.

Published: 23 December 2019

Privacy and Data Protection in Equinor

Site:

Language: