Statoil’s processing of Personal Data
Statoil processes personal data about employees and external consultants working from Statoil premises or in Statoil systems. Statoil also processes personal data about data subjects who are not employed or engaged by Statoil (see more information below).
Statoil will always process personal data fairly and lawfully, and only for a specified, explicit and legitimate purpose or as required by law.
Statoil will ensure appropriate information security related to confidentiality, integrity and availability. Personal data will be retained only for the period that is required to serve the legitimate purpose.
Third party service providers may process personal data on behalf of Statoil within various areas. Statoil will implement adequate safeguards in accordance with applicable law to protect your personal data processed by third party service providers.
Statoil also processes personal data about data subjects that are not employed or engaged by Statoil, for these purposes:
- Procurement Related Matters
Statoil processes personal data necessary in order to procure goods and services from suppliers and contractors.
- Integrity Due Diligence
Statoil has established an extensive Integrity Due Diligence (IDD) process. The IDD process includes collecting information to help us understand who our counterparties are, their values and how their business is conducted. In some instances, the IDD may also include the processing of personal data. More information about IDD can be found here.
- Ethics Helpline
Statoil has set up an Ethics Helpline where employees and external third parties interacting with us can raise concerns or report any suspected or potential breaches of law or company policies. More information about the Ethics Helpline can be found here.
- Local Grievance Mechanisms
In some countries, Statoil has established local grievance mechanisms in order to receive, investigate and respond to grievances from individuals, communities, or their representatives about the adverse impact of Statoil's or its contractors' activities on communities or individuals.
To ensure regulatory compliance with Norwegian and international regulations on sanctions, as well as ensuring compliance with anti-money-laundering regulation, Statoil may perform a screening of external third parties with whom Statoil has relations.
Collection of Personal Data
The personal data Statoil may collect and hold about data subjects includes:
- contact information such as name and address, telephone numbers and email address;
- details about an individual’s work experience and qualifications, date of birth, driver’s licence details;
- screening-related information; and
- business details, including the names of relevant office holders of a company and business numbers.
Personal data may be collected in a number of ways, including:
- directly by Statoil staff when establishing a business relationship or through operational dealings;
- from a third party service provider or agent, from a source of publicly available information (e.g. websites) or from an employer (e.g. where a supplier or contractor provides personal data about their employees); or
- through use of Statoil's website.
Transfer of Personal Data
Statoil has established Binding Corporate Rules (BCRs) to provide Statoil with a legal basis for transfer of personal data within the Statoil group to Statoil companies outside the EU/EEA. The BCRs will apply to all personal data, within the Statoil group, which are protected by applicable EU data protection law. You can find a summary of the BCRs here.
Statoil will ensure that the European rules on trans-border data flows are complied with when personal data are transferred to external processors (outside of the Statoil group) located outside the EU/EEA or located in a country that is not recognised by the EU Commission as ensuring an adequate level of protection.
How to exercise your rights as a data subject
National and international data protection regulations give rights to data subjects. Please refer to these regulations for further information about your rights.
If you have questions or want to exercise your rights as a data subject, please contact the Data Protection Officer in Statoil (email address: firstname.lastname@example.org).