Privacy Statement for customers and suppliers of Gunvor Petroleum Antwerpen NV, Scheldelaan 490, Haven 663, 2040 Antwerp, Belgium, Crossroads Bank for Enterprises no. 0844.457.749

Gunvor Antwerpen NV (abbreviated as GPA), a member of the Gunvor group, is committed to protecting the privacy and confidentiality of the Personal Data it processes in relation to the deliveries and services it receives from and performs for its partners. The company’s activities mainly consist of delivering various services linked to mineral oils. Our partners support our operations by supplying materials and maintenance services, miscellaneous support and advice enabling us to perform our refinery activities on the one hand and facilitating the distribution of semi-finished products and finished products on the other hand.

To clarify the terms used in this Privacy Statement, the roles of the main participants are defined below:
• Suppliers: persons and companies who perform services and deliver goods at the request of GPA.
• Customers: persons and companies who receive services or goods deliveries from GPA.

We may receive Personal Data concerning potential or actual Suppliers and Customers, their representatives, mandataries, agents, claimants and other parties involved in a purchase or sale throughout the entire purchase and sale cycle Any reference to ‘persons’ in this Privacy Statement includes natural persons, as listed above, for whom we receive Personal Data in relation to our activities. This Privacy Statement describes the ways in which we use this Personal Data and the extent to which we disclose this Personal Data to other group companies and third parties.

A glossary of the main terms used in this Privacy Statement is provided below:
• Cycle: the entire cycle of activities facilitating a purchase or sale and required to perform a purchase or sale.
• Purchase: the purchase of goods or services, including the acquisition or exchange of materials and services.
• Sale: the sale of goods or services, including the provision or exchange of materials and services.
• Safety Requirements: GPA is a Seveso company and is therefore required to store certain data before granting access to the site.
• Site: the entire premises on which GPA performs its activities as a refiner and warehouse keeper, including the administrative building.

IDENTITY OF THE DATA CONTROLLER AND CONTACT DETAILS
Gunvor Petroleum Antwerpen NV, Scheldelaan 490, Haven 663, 2040 Antwerp, Belgium, Crossroads Bank for Enterprises no. 0844.457.749 (GPA, we or us/our) is the Data Controller for the Personal Data we process in relation to our services.
In certain cases, we may have entered into an agreement with you in which we act as a processor for some services. When we act as a processor, we will comply with the obligations contained in the processing agreement we have made with you.

1. Personal Data that may be processed
We may gather and process the following Personal Data:
• Personal data: name, address, other contact details (such as e-mail and telephone details), employer, job role, relation to the Supplier or Customer.
• Financial information: account details and other financial information required to perform or recognise a financial transaction.
• Nature of goods or services: identification of potential goods or services you or the company on whose behalf you are acting may deliver.
• Presence: registration of the date and time at which you enter and leave the Site or registration of the date and time at which you access certain restricted areas of the Site.
If access to the Site is required, the provision of personal data and its processing to confirm presence is mandatory.

Personal Data sources
We gather Personal Data from various sources, including (depending on the country you are in):
• Provision by your employer;
• Provision through registration upon access to the Site;
• Spontaneous or formal exchange of your personal data between a concerned party and an employee of GPA.

2. How we use and disclose your personal data
In this section, we will explain the purposes for which we use Personal Data, how we share such data and the lawful grounds on which we process such data.
These ‘lawful grounds’ are described in the General Data Protection Regulation (GDPR); any processing is only permitted on the basis of the specific ‘lawful grounds’ referred to in this regulation.
We may process your data on the basis of the following grounds, which are expressly provided for by law:
– The processing of your Personal Data is required for the conclusion and/or performance of an agreement or to perform certain actions at your request with a view to the potential conclusion of an agreement
– The processing of your Personal Data is required by law
– We have your clear and unambiguous consent to certain processing actions
– We have a legitimate interest in processing your Personal Data

We may process your Personal Data for the following purposes:
– to seek potential partnerships and to conduct negotiations
– to prepare and conclude contracts
– to perform contracts, including the preparation and performance of deliveries
– to practically perform deliveries on the Site
– to comply with safety regulations GPA is obliged to observe by law or to which the parties are contractually bound
– to follow up payment transactions linked to the delivery of services and goods
– to collect invoices
– to comply with legal procedures and potential liability in relation to the delivery of services or goods
– to perform customer and supplier evaluations
– to comply with “Safety Requirements”
We would like to point out that, for the purposes specified in this Privacy Statement, we may disclose Personal Data to service providers and group companies who perform services on our behalf.

3. Protective measures
We have incorporated physical, electronic and procedural protective measures suited to the sensitivity of the information we store. These protective measures may differ depending on the sensitivity, classification, location, volume, distribution and storage of the Personal Data and include specific measures to protect Personal Data against unauthorised access. If applicable, these protective measures consist of SSL communications encryption, data encryption during storage, firewalls, access controls, the separation of duties and similar protection protocols. More specifically, access to Personal Data is limited to those employees and third parties that require access to such information for legitimate and relevant business purposes only.

4. Personal data gathering and storage limitations
We may gather, use, provide and process Personal Data as required for the purposes specified in this Privacy Statement or as permitted by law. If we require Personal Data for a purpose not in line with the purposes specified in this Privacy Statement, we will inform you in advance (if possible) about this new purpose, and if applicable, we will ask you and the persons concerned (or instruct other parties to do so on our behalf) for consent to process the Personal Data in question for such new purposes.
Our retention periods for Personal Data are based on our business needs and the statutory provisions. We will retain Personal Data for as long as necessary for the processing purpose(s) for which such data were gathered, for any other related permitted purpose or as required by law. For example, we may retain certain data and correspondence up to the time limits for damage claims pursuant to a transaction or to comply with the statutory provisions for the retention of such data. When Personal Data are no longer required, we will irreversibly anonymise the data (and continue to retain and use such anonymised data) or destroy the data in a secure manner.

5. International transfer of personal data
We will not transfer Personal Data to or will not allow access to Personal Data from countries outside of the European Economic Area (EEA) or Switzerland. We will in all instances protect Personal Data as described in this Privacy Statement.
Switzerland is situated outside of the EEA but is approved by the European Commission as a country that effectively offers the same protection for Personal Data as that provided for by the legislation applicable within the EEA in relation to data protection (the Adequacy Decision). On the grounds of EU legislation in relation to data protection, we are free to transfer Personal Data to Switzerland.
You may request additional information on the specific protective measures applicable to the transfer of your Personal Data by contacting the Data Protection Officer at the address given below.
ACCURACY, ACCOUNTABILITY, TRANSPARENCY AND YOUR RIGHTS
We are committed to storing Personal Data that are accurate, complete and up to date. To amend your data, please contact privacy@gunvor-belgie.be.
Any questions about our processing of Personal Data should in the first instance be addressed to our contact.

Subject to certain conditions, you have the right to ask us to:
• provide more information about how we use and process your Personal Data;
• provide a copy of the Personal Data we store in relation to you;
• correct any inaccuracies in the Personal Data we hold;
• delete any Personal Data we are no longer permitted to process;
• if processing is based on your consent, withdraw such consent;
• object to the processing of Personal Data we justify on the basis of lawful grounds in relation to ‘legitimate interest’, unless our reasons for performing such processing outweigh any breach of your rights to privacy;
• limit how we process Personal Data while we are dealing with your request; and
• submit a complaint to the competent authority that supervises compliance with data protection legislation. In case of the latter, we would appreciate it if you contact us first to see if we can resolve your complaint.
These rights are subject to certain exceptions to protect the public interest (e.g. the prevention and detection of crime) and our interests (e.g. the protection of our right to confidentiality). We will respond to most requests within 30 days.

QUESTIONS, REQUESTS OR COMPLAINTS
Any questions or requests in relation to this Privacy Statement or our data protection policy may be sent to our contact:
GPA
Dieter Marreel
Tel: +32 3 560 09 20
privacy@gunvor-belgie.be
If we were unable to resolve a query or complaint to your satisfaction, you may contact:
Data Protection Authority
Drukpersstraat 35
1000 Brussels, Belgium
Tel. +32 (0)2 274 48 00
Fax +32 (0)2 274 48 35
contact@apd-gba.be
www.gegevensbeschermingsautoriteit.be

CHANGES TO THIS PRIVACY STATEMENT
This Privacy Statement may be changed at any time. The most recent change was introduced on 03/12/2018. If we make any further changes to this Privacy Statement, we will amend the date on which the document was last changed. Any changes we introduce to this Privacy Statement will take effect immediately.

IMPORTANT TERMS IN RELATION TO DATA PROTECTION
• GDPR is the EU’s General Data Protection Regulation and the implementing laws applicable in the EU member state where GPA is established.
• Data controller is an entity that gathers and stores Personal Data. The data controller decided which of your Personal Data are gathered and how these Personal Data are used.
• Personal Data are all data on the basis of which you may be identified and that relate to you.
• Personal Data processing includes the gathering, use, storage, disclosure and deletion of your Personal Data.