BP Raffinaderij Rotterdam B.V.
Declaration for the protection of personal data

Privacy statement for employment at BPRR

BP Refinery Rotterdam (hereinafter referred to as: BPRR) protects your privacy-sensitive data. Therefore, BPRR processes your personal data in accordance with the General Data Protection Regulation (GDPR). This privacy statement is about the use of your personal when you enter to the site of BPRR.

If you have any questions or would like to exercise one of your data subject rights, please contact our local privacy coordinator via: privacybprr@bp.com .

With this Privacy statement we also refer you to our Dutch general Privacy Statement (BP Privacy Statement), the 'BP Human Resources Declaration for the Protection of Personal Data for BP employees working in the EU' and the general security regulations that are available at our location.

Goals for which BPRR processes personal data
BPRR uses your data only for the specific purposes for which you or your employer provide the data, namely:

• HR
• Financial
• Security
• Inspection at the workplace
• Protection of society, own sector or organization
• Supplier management
• Delivering products and / or services
• Fighting internal fraud
• Quality management
• Public relations

Grounds on the basis of which personal data are processed
BPRR only uses your data if there is a legitimate basis for this, namely:

• Permission
• Contractual obligation
• Legal obligation
• Vital interest
• Legitimate interest

Types of personal data
If you are present at location BPRR, BPRR will process the following categories of personal data (if applicable):

• Identification data
• Occupation and employment (including attendance)
• Health data (only in case of a vital interest, for example in case of incidents) and risk behavior data
• Image recording (CCTV and photos)
• Education and training
• Electronic location data (only in case of a vital interest for individuals of HSSE, Fire & Security)
• Personal identification data, such as social security numbers (to comply with Dutch and European legislation and regulations, for example for work permits, immigration, social contributions, taxes etc.)

Retain and delete your personal data
BPRR will retain your personal data for as long as this is necessary for the performance of your work and after completion of the work for the legal retention obligations. Your personal data in the Registration Service form a whole, this means that no individual parts can be removed earlier. If no legal retention obligations apply, BP's 'File Retention Scheme' applies. After the retention period, your data will be deleted or de-personalized, e.g. if used for long-term statistical purposes.

Other parties
BPRR cooperates with external companies in the processing of personal data. BPRR has binding agreements with all external companies, about the protection of your personal data. BPRR does not give your details to third parties. Exceptions are made to comply with a legal requirement obligation, or after it has been submitted to you. In the latter case, there is a necessity for an agreement from you in writing, from the moment you have shared your personal data.

Security
We do not pass on your personal data to organizations / people without agreements located in countries outside the EU / EEA. Special categories of personal data (such as the data that can be derived from CCTV) that we may process, are extra protected. We work for example on specific network parts that are extra protected and s confidentiality obligation applies for all employees of Security.

To protect your data, BPRR has a General Practice (GP3060) on information security and privacy that is complied with. Based on this GP3060, we take effective technical and organizational measures. Among other things, we use ongoing procedures to increase resilience to cyber threats. We take, for example, measures in the context of data backup, system access, virus scanners, passwords and encryption.

Acces and rectification of your personal data
If you want to know which personal data we have about you, you can send us a written request via our local privacy coordinator, via the email address below. If certain information is incorrect, we can correct it for you, as long as this has no critical impact on the accountability of our actions in the past. In addition, you can request us to limit the processing of your personal data, delete or transfer your personal data.

To file a complaint
If you have a complaint about the way BPRR processes your personal data, or if you do object to the handling of your request, you can contact us via the e-mail address below. You can also file a complaint to the local supervisory authority, in the Netherlands the Data Protection Authority (in Dutch: Autoriteit Persoonsgegevens).

More information
This Privacy Statement is part of the statements and regulations of BP. For more information, consult the Dutch General Privacy Statement (BP Privacy Statement) and the general safety regulations available at the refinery. If you have any questions about this statement, about the processing of your personal data, or if you wish to access, modify or delete your personal data, please contact our local privacy coordinator via: privacybprr@bp.com.

BPRR responds in writing to you within 30 calendar days request.