Privacy policy and data protection in Equinor

Privacy and data protection laws protect the integrity and confidentiality of a person’s private information. Equinor is committed to protecting the privacy rights of our employees and everyone with whom we do business or cooperate with. We will only use personal data for appropriate purposes, and personal data will be processed in accordance with applicable data protection regulation and Equinor's Binding Corporate Rules.

Within the Equinor Group, the data controller will be Equinor ASA and/or the Equinor company(ies) you have your relationship with. You will find a list of Equinor legal entities processing personal data here. Equinor ASA operates equinor.com and is the controller for the processing of personal data generated from using the site, as well as a number of the processes described in clause 2 below. The local Equinor entities are the controller of personal data processed to provide local processes and local websites.

2.1. General

Equinor processes personal data about employees and external consultants working from Equinor premises or in Equinor systems. Equinor also processes personal data about data subjects who are not employed or engaged by Equinor, to whom this privacy policy is primarily aimed. The main categories of personal data processed is described in section 3 below.

Equinor will always process personal data fairly and lawfully, and only for a specified, explicit and legitimate purpose or as required by law. Equinor will therefore only process personal data when such processing is necessary for us to manage our operations, provide services or other legitimate business interests, comply with legal or contractual obligations or after receiving consent (the latter which can be withdrawn at any time). Withdrawing consent will not affect the lawfulness of the processing based on the consent prior to withdrawing it. Further information on specific legal basis is provided below.

Equinor will ensure appropriate information security related to confidentiality, integrity and availability. Personal data will be retained only for the period that is required to serve the legitimate purpose or as required by law. If you want more detailed information on specific retention time, please contact Equinor’s DPO on the address provided in section 5.

Third party service providers may process personal data on behalf of Equinor within various areas. Equinor has implemented adequate safeguards in accordance with applicable law to protect your personal data processed by third party service providers.

Equinor processes personal data about data subjects that are not employed or engaged by Equinor for these various purposes:

2.2 Procurement and other business relation purposes

Equinor processes personal data necessary to procure goods and services from suppliers and contractors, including purchase and sale of products, for contract management and for human rights verifications. The data processed for such purposes include contact information and human resources information. The legal basis is based on the execution of the agreement with such third -parties and Equinor’s legitimate interest in ensuring good management of and support of our suppliers, partners and customers.

Equinor may also disclose personal data to a third party for a specific business purpose. In such situations, Equinor will in general sign a contract describing the purpose and requiring the recipient to both keep the personal data confidential and not use it for any other purpose. Equinor may share personal data with the third parties such as service providers, public authorities and partners.

As an example, Equinor may share personal data in connection with a possible operations of corporate reorganization, mergers, acquisitions, incorporations, and similar corporate transactions, as well as to comply with any court order and/or legal obligations to which Equinor is subject.

2.3. Integrity Due Diligence

Equinor has established an extensive Integrity Due Diligence (IDD) process. The IDD process includes collecting information to help us understand who our counterparties are, their values and how their business is conducted. In some instances, the IDD may also include the processing of personal data. More information about IDD can be found here. The personal data processed for this purpose may include contact information and IDD specific necessary information, such as position, possible political position and roles, possible sanction listings, personal relations, contracts, relevant memberships, references, legal claims and reputational issues. The legal basis is to comply with legal obligations, pursue our legitimate interests and to establish, exercise or defend legal claims.

2.4. Ethics Helpline

Equinor has set up an Ethics Helpline where employees and external third parties interacting with us can raise concerns or report any suspected or potential breaches of law or the Equinor Code of Conduct. More information about the Ethics Helpline can be found here. Due to the nature of the Ethics Helpline, the processing may include all categories of personal data, also special categories. The legal basis is legitimate interest or processing necessary for the purposes of performing the obligations and exercising the rights of Equinor in the field of employment, social security and social protection law, or for the establishment, exercise or defense of legal claims.

2.5. Local grievance mechanisms

In some countries, Equinor has established local grievance mechanisms in order to receive, investigate and respond to grievances from individuals, communities, or their representatives about Equinor or its contractors’ activities adverse impact on communities or individuals. The personal data processed includes contact information and other data necessary for performing the grievance-processes. The legal basis is performance of a task carried out in the public interest, legitimate interest, or our obligations under the Norwegian Transparency Act.

2.6. The Norwegian Transparency Act

To ensure compliance with Equinor's duty of disclosure pursuant to the Transparency Act, Equinor will process personal data relating to those requesting information. The personal data processed will primarily be contact information, as well as other information necessary to carry out Equinor's processing of the information disclosure. The legal basis is our obligation under the Transparency Act, as well as to safeguard our legitimate interests and establish, enforce or defend legal claims.

2.7. Screening

To ensure regulatory compliance with Norwegian and international regulations on sanctions, as well as ensuring compliance with anti-money-laundering regulation, Equinor may perform a screening of external third parties with whom Equinor has or will establish relations. More information about sanctions can be found here. The personal data processed is contact information, position and results from the screening activity. The legal basis is legitimate interest, legal obligation or performing the obligations and exercising the rights of Equinor in the field of employment, social security and social protection law.

2.8. Communication

Equinor communicates externally and internally with the general public, specific target groups and individual persons. Examples of communication activities performed by Equinor or third parties are distribution of newsletters, press releases, company reports, optimising websites, organising events, handling user-initiated dialogue, providing information to public authorities, conducting surveys, and communicating in social media networks. The personal data processed includes contact information and communication-related information. Please see our Guidelines for social media. The legal basis is legitimate interest in providing information and ensuring good management of and support for our customers, suppliers and partners, or your consent.

2.9. Recruitment and onboarding

Equinor processes personal data for recruitment purposes to ensure that Equinor recruits qualified candidates. The personal data processed include contact information, recruitment and human resources information. The legal basis Equinor rely on for processing your personal data relates to processing necessary to perform a contract or to take steps at your request, before entering a contract, or your consent to being included in the CV-database.

Equinor also processes personal data to cater for onboarding of external personnel into the Equinor organization based on mergers and/or acquisitions and/or transfer of an undertaking. The personal data processed include contact information, recruitment and human resources information. The legal basis Equinor relies on in these circumstances is legal obligation or legitimate interest.

You will receive more detailed information about the two types of processing and the legal basis when entering the recruitment process or you are being part of the onboarding process.

2.10 Security and emergency response

Equinor has implemented various security measures that requires processing of personal data. This is to safeguard against illegal or unauthorized access to areas, buildings, rooms, systems, processes or equipment. For example, Equinor premises can have activity logs, camera surveillance (CCTV), controls of delivery vehicles, the drivers, visitor and employee access control. The categories of personal data we collect and use, depend on the security measures in question. It includes a variety of images and videos, contact information and place of employment, date and time of access to premises and information about vehicles.

Equinor’s operations entail a certain level of risk, both for Norwegian and international operations. The purpose of the processing is to secure personnel support during an emergency response situation (ensure personnel emergency preparedness). The personal data processed may include all relevant data about the personnel in an emergency incident; contact information, date of birth, next-of-kin, contact person for employer and contractor. The purpose is to comply with legal obligations within different jurisdictions concerning emergency preparedness. The legal basis for such processing of personal data is our legitimate interests in safeguarding of our business and any applicable legal requirements relating to this.

2.11 Recordings of certain trading activities

For certain trading activities, Equinor processes contact information and the full content of commercial conversations on telephone and IM to document negotiations, trading and agreements as well as to ensure compliance to regulatory requirements for documentation. The legal basis is to comply with legal obligations and our legitimate interest.

2.12 Equinor Pension

Equinor processes personal data for handling pension. For further information related to your Equinor-pension rights, contact pensjon@equinor.com for former Equinor ASA employees. For former employees in subsidiaries, contact your local pension scheme provider or your local PO for more information.

2.13 Asset Management in Equinor

Equinor Asset Management AS processes personal data related to the company's management of securities such as contact information, national identity, and social security number etc to ensure compliance with applicable rules regarding asset management, market securities funds and fulfil disclosure obligations. See the General business terms and conditions of the management company (available under “Våre retningslinjer” ("Guidelines", currently only available in Norwegian) for more information about the processing of personal data related to investment management.

2.14 Website and cookies

Please see our global Cookie Policy. Local Cookie Policies are available in the footer of each site.

For easier understanding of this privacy policy we have set up the following categories. This does not mean or entail that the processing will always entail all the examples of personal information included in the categories.

The categories of personal data Equinor may collect and hold about data subjects include:

• Contact information, such as names and addresses, telephone numbers and email addresses, titles etc.
• Recruitment information, such as application, CV, references, background checks, interviews and assessments, immigration and relocation information, exit surveys
• Human resources information such as details about an individual’s work experience and qualifications, date of birth, identification documentation, driver’s license details; national identity, social security number, employee number, position, organization, bank account, next of kin, union membership, location, salary and leader
• Communication-related information, such as public political relations, positions, preferences related to marketing and events (including allergies/diets restrictions when provided by participants), and information related to user behavior in own communication-channels (including IP-addresses).

Personal data may be collected in several ways, including:

• directly by Equinor staff when establishing a business relationship or through operational dealings;
• from a third-party service provider or agent, from a source of publicly available information (e.g. websites) or from an employer (e.g. where a supplier or contractor provides personal data about their employees);
• through use of Equinor's website; or
• data provided directly by you.

Equinor has established Binding Corporate rules (BCR) to provide Equinor with a legal basis for transfer of personal data within the Equinor group to Equinor companies outside of EU/EEA. The BCRs will apply to all personal data, within the Equinor group, which are protected by applicable EU data protection law. You can find a summary of the BCRs here and a list of members of the BCR here.

Equinor uses best efforts to ensure that the European rules on trans-border data flows are complied with when personal data are transferred to external processors (outside of the Equinor group) located outside of EU/EEA or located in a country that is not recognised by the EU Commission as ensuring an adequate level of protection. Examples of such safeguards are Binding Corporate Rules, EU Standard Contractual Clauses or other applicable legal mechanisms.

National and international data protection gives rights to data subjects. The data subjects have, under some circumstances and subject to the laws of the particular jurisdiction, the right to request access, rectification, erasure and/or restriction to processing of their data.

If you have questions or want to exercise your rights as a data subject, please contact the Data Protection Officer in Equinor (email address: gm_dataprotection@equinor.com ). You have a right to complain to the Norwegian or local Data Protection Authority if you consider that we have breached the data protection legislation, but we encourage you to first contact our Data Protection Officer, before filing such complaint.

If you are a California resident, California law may provide you with additional rights regarding our use of your personal information. To learn more about your California privacy rights, visit our Privacy Notice for California Residents.

Equinor New Energy, Japan branch may, transfer personal data to Equinor ASA for their processing (kyodo-riyo) of personal data for the purposes described in this privacy policy. In such cases, Equinor New Energy, Japan branch is the party responsible for dealing with your exercise of rights as data subjects and other management of the personal data under Japanese law.

If you are a Brazilian resident, Brazilian law may provide you with additional rights regarding our use of your personal information. To learn more about your Brazilian privacy rights, visit our Privacy Notice for Brazilian Residents.

We may update this privacy policy from time to time. If such updates are not material, we may make such alterations without posting a specific notice on our website. If the changes are material and affects your rights or the way we process personal data, we will provide a specific notice on our website. Please review this privacy policy from time to time.

Last updated: 02.01.2023