Vitol is committed to protecting and respecting your privacy.
This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By visiting www.vitol.com you are accepting and consenting to the practices described in this policy.
The terms “Vitol,” “Vitol Group”, “the Company,” or “the Group” may be used for convenience and refer to Vitol Netherlands Coöperatief U.A. and its direct and indirect subsidiaries and affiliates, each of which are separate and distinct legal entities. Further, the words “we,” “us,” “our,” and “ourselves” are used to refer generally to the companies of the Vitol Group.
When you visit our website, we may collect and process the following:
- Information you provide if you contact us;
- Details of visits made to our website including, but not limited to, the volume of traffic received, logs (including, where available, the IP address of the device connecting to the website) and the resources accessed; and
- If you apply online for a job you may need to provide information about your education, employment, region of interest and role you are applying for. Your application will constitute your express consent to our use of this information to assess your application and to allow us to carry out any monitoring activities, which may be required of us under applicable law as employer.
Vitol collects and uses limited personal data about individuals save for its employees. Where it does use such personal data, this will normally be incidental to a corporate relationship with a customer or supplier or where we work with nominated contacts at such organisations who hold relevant positions, such as a contract manager, counterparty contact or key decision makers in respect of our business relationship. In this case we will use work based contact information about you to liaise and keep in touch with you, as a representative of your employer or organisation in relation to our business relationship with them.
Vitol cannot identify you personally as a user of its website and save for dealing with any cyber security incident investigation, will not try to identify you from any online identifiers like your IP address.
Vitol may obtain personal data about you otherwise where:
- we grant you power of attorney
- you are a director or shareholder of a counterparty and your details are required for know your client/anti money laundering compliance;
- you are a director, shareholder or key person at a target which Vitol is considering buying or investing in;
- you wish to visit us (and if relevant your family members or work colleagues want to accompany you on that visit to us) and you have asked us to assist with obtaining your invitation letter or visas; or
- you make any request or enquiry to us.
The relationship we have with you will dictate what, if any, personal data we collect about you and why we use it.
We will sometimes obtain personal data from other sources, such as from your employer, other third parties or publicly available online sources or official records. Detailed information about the sources of your personal information are set out here.
We process your personal data for many different purposes when you visit our website (www.vitol.com), purchase goods or services from us, supply goods or services to us or otherwise communicate or engage with us.
We are required by law to always have a permitted reason or justification (called a “lawful basis”) for processing your personal data. You can read more about what we process your data for, and the lawful bases on which we rely for such processing, in the table below.
For some processing activities, we consider that more than one lawful basis may be relevant depending on the circumstances. Use on the basis of “legal obligation” means to comply with a legal obligation to which we are subject. Use on the basis of our legitimate interests means where we have a fair, proportionate and overriding lawful business reason to use your details. This will primarily be where by using the information, we learn about you or develop our relationship, so we can work together more closely and better, or make sound business decisions involving or affecting you.
We may convert your personal data into statistical or aggregated form, or de-identify it, to better protect your privacy, or so that you are not identified or identifiable from it. We may use it to conduct research and analysis, including to produce statistical research and reports.
We are required by law to treat certain categories of personal data with even more care than usual. These are called sensitive or special categories of personal data and additional different lawful bases apply to them. This is rarely relevant but unusually may arise where we handle your passport and visa details and they reveal information about your race or ethnicity, or where KYC/AML checks reveal any criminal issues, or where we learn health related information about you when organising events in which you wish to participate and where we need details to ensure you can take part.
Detailed information is available here.
We take our security obligations seriously and we take specific steps (as required by applicable data protection laws) to protect your personal data from unlawful or unauthorised processing and accidental loss, destruction or damage.
How long we keep your personal information
We will keep your personal data during the period of your relationship with us and then, after that period ends, for as long as is necessary in connection with both our and your legal rights and obligations. This may mean that we keep some types of personal data for longer than others but we will only retain your personal data for a limited period of time. This period will depend on a number of factors, including:
- any laws or regulations that we are required to follow;
- whether we are in a legal or other type of dispute with each other or any third party;
- the type of information that we hold about you; and
- whether we are asked by you or a regulatory authority to keep your personal data for a valid reason.
Inside the Vitol group
The Vitol Group includes companies and operations around the world. We may need to share your personal data with other companies in the Vitol group:
- where support and functions are provided by other group companies, such as in relation to our website hosting and operation, IT systems and support and maintenance;
- to meet our customer needs where providing services across offices/locations;
- for authorisations/approvals with relevant decision makers;
- for reporting purposes and/or
- where systems and services are provided on a shared basis, such as compliance and the arrangement of visas.
Access rights between members of the Vitol group are limited and granted only on a need to know basis, depending on job functions and roles.
Where any Vitol group companies process your personal data on our behalf (as our processor), we will make sure that they have appropriate security standards in place to protect your personal data. In addition, we will enter into a written contract imposing appropriate security standards on them and, if your personal data is transferred to a Vitol group company outside the EEA, we will put in place appropriate safeguards to ensure the protection of such data.
Outside the Vitol group
From time to time we may ask third parties to carry out certain business functions for us, such as helping to organise our events. These third parties will process your personal data on our behalf (as our processor). We will disclose your personal data to these parties so that they can perform those functions. Before we disclose your personal data to other people, we will make sure that they have appropriate security standards in place to make sure your personal data is protected and we will enter into a written contract imposing appropriate security standards on them. Examples of these third party service providers include service providers and/or sub-contractors, such as our IT support, back up and server hosting providers.
In certain circumstances, we will also disclose your personal data to third parties who will receive it as controllers of your personal data in their own right for the purposes set out above, in particular:
- services provided to you or us by a third party acting independently to Vitol but which has a relationship with Vitol, for example certain fraud checking services and our professional service advisors;
- if we transfer, purchase, reorganise, merge or sell any part of our business or the business of a third party, and we disclose or transfer your personal data to the prospective seller, buyer or other third party involved in a business transfer, reorganisation or merger arrangement (and their advisors); and
- if we need to disclose your personal data in order to comply with a legal obligation, to enforce a contract or to protect the rights, property or safety of our employees, customers or others.
We have set out below a list of the categories of recipients with whom we are likely to share your personal data:
- IT support, website and data hosting providers and administrators;
- analytics and search engine providers;
- banks and payment processors in relation to purchases you make with us;
- consultants and professional advisors including legal advisors and accountants;
- courts, court-appointed persons/entities, receivers and liquidators;
- business partners and joint ventures;
- insurers; and
- governmental departments, statutory and regulatory bodies.
We may also share your personal data with third parties, as directed by you.
If any of our processing activities require your personal data to be transferred outside the EEA, we will only make that transfer if:
- the country to which the personal data is to be transferred ensures an adequate level of protection for personal data;
- we have put in place appropriate safeguards to protect your personal data, such as an appropriate approved form of contract with the recipient;
- the transfer is necessary for one of the reasons specified in data protection legislation; or
- you explicitly consent to the transfer.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
You have certain legal rights, which are summarised in the table below, in relation to any personal data about you which we hold. Your ability to exercise these rights will naturally be limited where we incidentally use limited business-related personal data in business records and business communications which we need to retain.
Where our processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. If you do decide to withdraw your consent we will stop processing your personal data for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know. Your withdrawal of your consent won’t impact any of our processing up to that point.
Where our processing of your personal data is necessary for our legitimate interests, you can object to this processing at any time. If you do this, we will need to show either a compelling reason why our processing should continue, which overrides your interests, rights and freedoms or that the processing is necessary for us to establish, exercise or defend a legal claim.
You can exercise these rights at any time by contacting us at firstname.lastname@example.org.
Detailed information regarding your rights can be found here.
If any of the personal information you give us changes, or something is incorrect (e.g. your contact details), please inform us without delay.
If you are based in the European Union, you also have the right to lodge a complaint with your local data protection regulator. We would, however, appreciate the chance to deal with your concerns before you approach them so please contact us in the first instance at email@example.com.
If you want more information about any of the subjects covered in this privacy notice or if you would like to discuss any issues or concerns with us, please contact us on firstname.lastname@example.org.