I. What does this Privacy Notice cover?
This privacy notice sets out what personal information we collect, for what purposes and your rights in this respect.
Every individual within MS Europe B.V. (hereinafter MS Europe B.V. or “we”) and within the Shell Group of Companies is responsible for protecting personal information about each other as well as that of our customers, business partners and suppliers.
This Privacy Notice provides information about personal data processed by MS Europe B.V. in relation to individuals who are current or former employees, interns or individual contractors as well as dependents listed as emergency contacts of MS Europe B.V. employees (staff).
This Privacy Notice explains what personal data is processed about you, why we are processing your personal information and for which purposes, how long we hold your personal information for, how to access and updateyour personal information as well as the options you have regarding your personal information and where to go for further information.
This Privacy Notice is subject to change and at all times is applicable to local laws.
II. What personal information do we process?
The categories of personal information we process
We process personal information necessary to manage the application process, employment relationships and to engage contractors and interns of MS Europe B.V.
This includes personal home contact information, date of birth, marital status, payroll and bank account information, wage and benefit information, social security number, driver’s license number, passport number, emergency contacts, work history, qualifications, work performance information, information required to ensure you have the right to work in the country/ies you are engaged in, as well as any other information necessary for managing the employment relationship and engaging contractors.
We may also process some special categories of personal information (’sensitive personal information’) such as data relating to an individual’s health, their racial or ethnic origin, religious or philosophical beliefs, sexual orientation, age, disabilities, citizenship status, political opinions, trade union membership and other characteristics of protected classifications under applicable law. We will only process such personal information where it is necessary for the purposes of complying with employment and social security laws, for the establishment, exercise or defense of claimsor where necessary for the purposes of providing occupational medical advice and support, to protect the vital interests of an individual (such as in an emergency), where necessary for reasons of public health or where the individual has provided their explicit consent.
We also process Internet or other electronic network activity information including browsing history, search history, and information regarding an individual’s interaction with an internet website or application, as well as physical and network access logs and other network activity information related to your use of any MS Europe B.V.’s device, network, or other information resource.
In addition, we process audio, electronic, visual, or similar information, such as CCTV footage and photographs.
III. For what purposes do we process your personal information
We only process your personal information where we have a lawful basis and purpose to do so.
We may process your personal data in the following cases:
· in order to satisfy our obligations to comply with local laws and regulations, including those relating to employment and social security;
· for legitimate business interests (for example performance management in order to ensure we have qualified and competent personnel or for health, safety and security purposes to ensure that only authorized personnel can access certain sites or assets, litigation and defense of claims); and
· where we have your explicit consent
Please note that as a general principle, we do not seek or rely on the consent of staff for processing personal information. However, there are limited circumstances when consent is required, such as if required by applicable local law.
Personal information requested from staff are the minimum required in order to fulfil legal and/or contractual requirements and to provide opportunities to take part in programs or to provide a benefit. Failure to provide us with the information requested may negatively affect your ability to remain in employment, internship or engagement as a contractor or from participating in a program or receiving a benefit.
In those cases where processing is based on consent, and subject to applicable local law which provides otherwise, you have the right to withdraw your consent at any time. This will not affect the validity of the processing prior to the withdrawal of consent. Withdrawal of consent may however impact your ability to remain employed or otherwise engaged or from participating in a program or receiving a benefit.
We process personal information covered by this Privacy Notice for the following purposes:
· Human Resources, personnel management, business process execution, internal management, management reporting, organisational analysis and development - including budgetary, financial and organisational planning, administration, compensation, performance management
· Health, safety and security - including protection of our staff’s life or health, occupational health and safety, protection of our assets and authentication of staff status and access rights; and
· Legal and/or regulatory compliance - including compliance with legal or regulatory requirements.
We may also process your personal information for a secondary purpose where it is closely related, such as:
· storing, deleting or anonymising your personal information
· fraud prevention, audits, investigations, dispute resolution or insurance purposes, litigation and defence of claims; and statistical, historical or scientific research
Monitoring
All activities on our equipment and/or when connected to our network may be monitored in line with relevant legislation and company policies for legitimate business purposes.
All staff receive an access badge which allows us to record the date, time and access points made by individuals within our premises and assets. The data from the access and security systems may be used:
· for health, safety and security purposes, to prevent fraud and specifically the protection of our assets, staff and visitors to our premises
· to comply with legal and regulatory requirements, specifically where there is a local legal requirement to provide information to government/regulatory authorities; and
· to monitor the number of individuals entering, exiting and working on our premises and for human resources and/or real estate planning purposes.
Most of our premises and assets are equipped with surveillance cameras (CCTV). Where we operate surveillance cameras, they will be identified. Surveillance cameras are used for health, safety and security and specifically for the protection of our assets, staff and visitors to our premises. All images are routinely deleted unless there has been a health, safety or security incident, suspected or actual criminal activity, in which case they may be viewed by internal investigation teams and externally by law enforcement or other government authority, if legally required or permitted.
Screening
In order to comply with legal and regulatory obligations, to protect our assets and employees/contractors and specifically to ensure that we can comply with trade control, anti-money laundering and/or bribery and corruption laws and other regulatory requirements, we carry out screening on all employees and contractors on a periodic basis. This screening takes place against publicly available, or government issued sanctions lists.
Any personal information collected through the screening will not involve profiling or automated decision-making regarding suitability for continued employment, internship or engagement as a contractor.
IV. Who is responsible for any personal data collected?
MS Europe B.V., a company registered in The Netherlands whose registered office is at Delftse Poort, 25th Floor Weena 505, 3013 AL Rotterdam The Netherlands will be responsible for processing your personal information, either solely or jointly with its affiliates within the Shell group of companies.
In the case of individual contractors, it is MS Europe B.V., which is a company within the Shell Group, that has contracted your services solely or jointly with its affiliates also within the Shell group of companies and your external contracting/employing company/agency.
V. Who will we share the personal data with?
Your personal data is exclusively processed for the purposes referred to above. It will be exclusively processed by MS Europe B.V. and will only be shared on a strict need to know basis with:
· Other companies within the MS Europe B.V. group, which includes our parent company Royal Dutch Shell Plc, including to those which may be located outside of your location and the Economic European Area (“EEA”) insofar and to the extent it is required to conduct the employment relationship and for the purpose of complying with legal or regulatory obligations;
· Authorised third party agents, service providers, external auditors and/or subcontractors of MS Europe B.V.; and
· A competent public authority, government, regulatory or fiscal agency where it is necessary to comply with a legal or regulatory obligation to which MS Europe B.V. or the relevant MS Europe B.V. company/companies is subject to or as permitted by applicable local law
· Any person to whom MS Europe B.V. proposes to transfer any of its rights and/or duties
VI. Transfers of personal data
Your personal information may be transferred outside of your country, subject to appropriate safeguards.
Where your personal information is transferred to companies within the Shell group and/or to authorized third party agents service providers, external auditors and/or subcontractors who may be located in or outside of your location we take organizational, contractual and legal measures to ensure that the personal information is exclusively processed for the purposes mentioned above and that adequate levels of protection have been implemented in order to safeguard the personal information.
These measures may include Binding Corporate Rules for transfers among the Shell Group or European Commission approved transfer mechanisms for transfers to third parties in countries which have not been deemed to provide an adequate level of data protection as well as any additional local legal requirements. You can find a copy of the Shell Binding Corporate Rules at www.shell.com/privacy.html
VII. Security of your personal data
We are committed to safeguarding your personal information.
We have implemented technology and policies with the objective of protecting your privacy from unauthorized access and improper use. We may use encryption for some of our services, we apply authentication and verification processes for access to Shell services and we regularly test, assess and evaluate the effectiveness of our security measures.
VIII. How long do you hold the personal data for?
We will only hold your personal information for a defined period
All information, including personal information, is managed in line with the Shell group standards for Information and Records Management and securely deleted once no longer required for a legitimate business purpose or for a legal/regulatory purpose.
With some exceptions required to comply with local legal requirements:
· information contained within personnel files is held for no longer than 10 years once your employment has terminated
· information relating to retirement benefits are held for no longer than 99 years from the commencement of employment
· any personal information gathered as part of the screening against publicly available or government issued sanctions lists and media sources are held for no longer than 15 years after they were first gathered
· the names, dates, times and access points for all individuals entering our premises are held for 3 years from each access; and
· where an individual has been dismissed or had their contract terminated due to serious misconduct, including breaching the Shell Life Saving Rules or breaching the Shell Code of Conduct, that information is held for up to 30 years post termination
In all cases information may be held for (a) a longer period of time where there is a lawful reason to do so (in which case it will be deleted once no longer required for that purpose) or (b) a shorter period where you object to the processing of the personal information and there is no longer a legitimate business purpose to retain it.
IX. Your rights in relation to your personal information
Your rights and how to exercise them.
We aim to keep our information about you as accurate as possible. You can request:
· access to your personal information
· correction or deletion of your personal information (in the case of deletion, only where it is no longer required for a legitimate business purpose)
· that the processing of your personal information is restricted; and
· that you receive personal information that you have provided to us, in a structured, digital form to be transmitted to another party, if this is technically feasible.
Please contact the HR team or email HR-MSTSTTOLLS@shell.com. If you are a contractor, you should speak with your external contracting / employing company/agency.
X. Who to contact if you have a query, concern or complaint about the processing of your personal information?
Please address your questions and claims in context of this privacy notice to MS Europe B.V. at MSEU-Privacy-MSTS-Tolls@mststolls.com. You may also contact your local HR adviser for further questions. If you are a contractor, you can get into contact with the controller and may as well contact your external contracting/employing company/agency.
Alternatively, you can also contact the Shell Group Chief Privacy Office at Shell International B.V. The Hague, The Netherlands - Trade Register No. 27155369 Correspondence: PO Box 162, 2501 AN, The Hague, or email the Shell Group Chief Privacy Office at privacy-office-SI@shell.com.
If you are unsatisfied with the handling of your personal data by MS Europe B.V., then you have the right to lodge a complaint to the Dutch Data Protection Authority whose address is Prins Clauslaan 60, 2595 AJ The Hague, The Netherlands. Please visit https://autoriteitpersoonsgegevens.nl/en for more information.
XI. Changes to this Privacy Notice
This Privacy Notice may be changed over time. The Privacy Notice is applicable in the respectively actual version in accordance with the applicable statutory law. This Privacy Notice was last updated on 29th March 2023.