1. This Notice setsout how Phillips 66 (We or Us) handles the Personal Data of thirdparties that We have contact with in the course of our business operations,including our current, past and prospective:

‍

(a)        customers andtheir representatives, employees or agents;

(b)       suppliers and theirrepresentatives, employees or agents;

(c)        counterparties andtheir representatives, employees or agents;

(d)       contractors and their representatives, employees or agents;

(e)        officers and beneficial owners of the above;

(f)        visitors to our premises;

(g)       customers of JET branded service stations;

(h)       prospective employees and apprentices, work experience students and other job applicants;

(i)         advisors,consultants and other professional experts;

(j)         those with whomwe work in the context of our Community Initiatives.

‍

2.  The Controller ofthird party Personal Data will be the Phillips 66 legal entity with which youhave contact. If you have any questions about this Notice or the use of yourPersonal Data, please contact the Privacy Coordinator at Privacy@P66.com or InformationManagementUK@p66.com.

‍

3.  We may collectPersonal Data relating to you when you contact Us by email, post, telephone orby using our websites or platforms operated by our service providers, byoperating security policies and procedures on our premises (for example by gateaccess data or image data from CCTV and other surveillance technology such asAutomatic Number Plate Recognition, bodycams and dashcams recorded by Us or,where applicable, our landlord), or when you or your employer or employer’saffiliated companies otherwise have contact with our employees, representativesor agents during the course of us operating our business including wherebusiness is required to be conducted on recorded telephone lines or otherelectronic devices. The Personal Data collected will include some or all of thefollowing:

‍

·                    name, telephonenumber, postal address and other contact details;

·                    employerorganization, job title, unit/department, location;

·                    in certaincircumstances your date of birth, national insurance or other personalidentification details and signature;

·                    in certaincircumstances, gate log data regarding hours worked and worksite location;

·                    in certaincircumstances usage of equipment, systems and benefits provided by Us.

·                    employment andjob application details e.g. education, employment history and qualifications.

·                    in certain circumstances,information derived from security and employment background checks (includingwhere applicable, international sanctions list checks, credit and Disclosureand Barring Service criminal convictions checks);

·                    goods or servicesprovided to or received by Us; banking or financial information required toadminister our relationship;

·                    photographicidentification and image data from surveillance technology such as CCTV, dashcams,bodycams and Automatic Number Plate Recognition footage;

·                    in certaincircumstances, locational data collected via lone worker tracking devices;

·                    driver’s name and further data may be derived from tracking devices such as, but not limited to, GPS used for monitoring and tracking of Company vehicles’ movements.

‍

4.  We may also collect Special Categories of Data relating to you, including data relating to heath (e.g. medical, sickness, accident or disability records), race or ethnic origin, sexual orientation, religious or political beliefs, trade union membership and criminal background data. This data will only be Processed with your explicit consent or where required or permitted by applicable laws.

‍

5.   We will use the Personal Data that We collect about you for a number of purposes, including to:

· respond to anyquery that you may submit to Us and send you relevant information on our goodsand services that may be of interest to you using the contact details you haveprovided;

· carry outanti-money laundering and sanctions checks and otherwise comply with our legaland regulatory obligations;

· support our assets and/or the environment;

· manage our relationship with you and administer any agreement that We have in place with you or your employer or affiliated company;

· Process any job,student placement or scholarship application, you (or your representative) havesubmitted;

· allow you to access our premises;

· provide safe and respectful premises as required by law and our policies;

· record your entry to and departure from our premises for invoicing purposes in respect of any services agreement we have in place with your employer;

· conduct our operationsand to manage and protect our assets and systems, including intranet andinternet usage, voice recording and image data collected via video or surveillancetechnology (including CCTV, ANPR, bodycams and dashcams;

· administer andcustomize our websites and Apps and as part of our efforts to keep our websitesand Apps secure;

· prevent illegalactivity or to protect our legitimate interests, as we consider isnecessary.

‍

6.  For the purposeof Data Protection Laws and Regulations, except where your consent is requiredand obtained or where Processing of Special Categories of Data is necessary inthe context of the establishment, exercise or defence of claims, to protect the vital interests of the Data Subject or another personwhere the Data Subject is incapable of giving consent or for the purposes ofpreventative or occupational medicine, for the assessment of your workingcapacity, medical diagnosis or the provision of treatment, for reasons ofpublic interest in the area of public health; the legal bases on which WeProcesses Personal Data about you are that the Processing is necessary (a) forperformance of or entry of a contract to which you are party or in order totake steps at your request prior to entering into a contract; (b) compliancewith a legal obligation to which We are subject; or (c) in order to protectyour vital interests or those of another natural person; (d) for the purpose of our legitimate interest inrunning our business.

‍

7.           The Personal Data that We collect about you may be disclosed to Recipients including:

‍

(a) other companies in our group;

(b) suppliers that provide business services to Us, such as security, online job application providers, IT support (e.g. cloud service providers) or telecommunication services;

(c) financialinstitutions and our insurers and brokers;

(d) professional advisors including accountants, auditors and lawyers;

(e) governmental and regulatory bodies, such as tax authorities.

‍

8.           We will only disclose your Personal Data to other Recipients where it is necessary (a) to enable the Recipient to provide services for or on behalf of or transact with Us, (b) to comply with applicable legal requirements,(c) to protect or defend our rights or property, or (d) to protect the health, safety and well-being of you, our employees, contractors, visitors or members of the public. Some of these Recipients may Process your Personal Data in accordance with their privacy policies.

‍

9.           Automated decision-making. In our recruitment process, we may use a system that has an element of automated decision making, but we do not carry out solely automated decision making. When you submit an application for an open role we have posted, the system extracts information you provide on your application regarding your qualifications to compare it to the role requisition required qualifications and provides a grade. This means that your application may be scored by the system based on the extracted information. Depending on the grade allocated to your application, our recruitment personnel may decide not to review your application. Ultimately, the decision on whether to progress your application will be made by a member of our recruitment team, not as a result of the automated process.  

10.        You may be entitled to request access to Personal Data We hold about you, or to request that your Personal Data is erased, that its Processing is restricted, or that any inaccurate Personal Data is rectified. When Processing of your Personal Data is based on consent, you have the right to withdraw your consent at any time. This will not affect the validity of the Processing prior to the withdrawal of the consent. You also have the right to object to the Processing of your Personal Data and, in some circumstances, you may have the right to receive a copy of your Personal Data in a machine-readable format. If you wish to make such a request or withdraw your consent, please contact the Privacy Coordinator at Privacy@P66.com or InformationManagementUK@p66.com.  

11.        You have theright to complain to the Supervisory Authority (which in the UK is theInformation Commissioner’s Office) about our use of your Personal Data if youbelieve that We have breached our obligations under the Data Protection Lawsand Regulations. Please visit www.ico.org.ukfor further information.

12.        We only collectyour Personal Data for the specific purposes set out at Section 5. We will onlyretain your Personal Data for as long as is necessary to fulfil these purposes,and for the purposes of legal and regulatory compliance.

‍

13.        We centralise themanagement of certain IT systems and business support services in the UnitedStates, and as such your Personal Data may be transferred and stored outside ofthe United Kingdom. We have implemented safeguards to ensure that this transferof Personal Data complies with the Data Protection Laws and Regulations,including by entering into appropriate Data Transfer Agreements. If you wouldlike more information about the transfer of your Personal Data, please contactthe Privacy Coordinator at Privacy@P66.com or InformationManagementUK@p66.com.

‍

14.        In this notice,Personal Data, Controller, Processing and Data Protection Laws have the followingmeanings:

Controller means, as defined by the Data ProtectionLaws and Regulations, the natural or legal person, public authority, agency orother body which, alone or jointly with others, determines the purposes andmeans of the Processing of Personal Data.

Data Protection Laws and Regulations means alllaws and regulations, including laws and regulations applicable to theProcessing of Personal Data, including the United Kingdom retained EU lawversion of the General Data Protection Regulation (EU 2016/679), DataProtection Act 2018 (and regulations made thereunder), and the Privacy andElectronic Communications Regulations 2003 (SI 2003/2426); as they may beamended, modified, or replaced from time to time.

Personal Data means any information relating to (i) anidentified or identifiable natural person that are within the scope ofprotection as “personal data” under the applicable Data Protection Laws andRegulations and, (ii) an identified or identifiable legal entity (whereprotected under applicable Data Protection Laws and Regulations).

Processing of Personal Data means, as defined bythe Data Protection Laws and Regulations, any operation or set of operationswhich is performed upon Personal Data, whether or not by automatic means, suchas collection, recording, organization, structuring, storage, adaptation oralteration, retrieval, consultation, use, disclosure by transmission,dissemination or otherwise making available, alignment or combination, restriction,erasure or destruction.

Recipient means a natural or legal person, public authority, agency or anotherbody, to which the personal data are disclosed, whether a third party or not.

‍

Special Categories of Data means, ‘special categories of personal data’ as referred to in the DataProtection Laws and Regulations which include any Personal Data revealing aData Subject’s racial or ethnic origin, political opinions, religious orphilosophical beliefs, trade union membership, criminal background data, sexlife or sexual orientation, genetic information, biometric information orhealth information.

‍