Privacy

DATA PROTECTION AND PRIVACY POLICY

Irving Oil 

The purpose of our Data Protection & Privacy Policy is to outline how we deal with any personal data you provide to us throughout the course of various interactions before, after and during the course of your interaction, communication or business dealings with Irving Oil. 

By entering into an agreement with our Company you are accepting the terms of this Data Protection and Privacy Policy. If you are not happy with this policy you should inform the Privacy Officer immediately, as this may affect how we interact with you. Our Privacy Officer may be contacted at [email protected]

Throughout this Policy, the pronouns “we” or “us” or the term “the Company”, means Irving Oil Company, Limited of Saint John, New Brunswick, Canada and its group of companies including its affiliates, subsidiaries and related companies, wheresoever situate. The pronouns “you” or “your” means the person, organisation, or entity including customers, business contacts, suppliers and service providers to the Company which includes, as appropriate, their respective directors, officers, employees, agents, representatives, contractors and personnel. Terms such as “Data Controller” and “Data Processor” shall have the meaning assigned in the General Data Protection Regulation (EU) 2016/679 (“GDPR”). 

Depending on where you are located and/or the location from which you engage with us and/or the location from which you receive goods or services from us or provide goods and services to us, the Data Controller of your personal data controlled or processed by us under this policy may vary. If you have any questions about our use of your personal data, you should first contact us at [email protected].

We reserve the right to vary, change or update this Data Protection & Privacy Policy from time to time in the future. 

WEBSITE

This legal notice applies to the entire contents of any Company website / under the domain www.irvingoil.com. Any rights not expressly granted in these terms are reserved by the Company. By accessing or using this Website you accept these Terms of Use and we agree to abide by our Data Protection & Privacy Policy. If you are unwilling to accept these Terms, please exit our Website immediately. Irving Oil is not responsible for the content or the privacy policies of any external websites. Any external links to other websites within this website are clearly identifiable as such.
We do not collect any personal data about you from this website, apart from information that you volunteer (for example by e-mailing us or by completing any of our on-line forms or physical application form). Like most websites, we gather statistical and analytical information collected on an aggregate basis of all visitors to our website. This non-personal data comprises information that cannot be used to identify or contact you. Please also refer to our Cookies Policy

We reserve the right to change the content of our website and how we use cookies and consequently our Data Protection & Privacy Policy and Cookies Policy may change in the future. We therefore encourage you to review them when you visit the website to stay informed of how we are using personal data.

GENERAL STATEMENT 

For the purposes of this policy, data may include personal information, contracts and related documents between the Company and customers (whether or not Individuals), and between the Company and the service providers to the Company (“Service Providers”), and includes any information (whether or not it is sensitive or personal) which relates to an identified or (directly or indirectly) identifiable living Individual (“Personal Data”).  

The Company is obliged to adhere to applicable legal requirements in the various jurisdictions within which the Company operates. In addition, the Company has contractual confidentiality obligations which are owed to customers and Service Providers, amongst others.  
In obtaining and processing Personal Data in connection with customer, contractors and/or  Service Providers, the Company acts as the Data Controller.  

The Data may be held electronically, processed via automated processes, or held in general files, and where processed on the Company’s behalf by Service Providers, will be subject to written contracts governing that processing and setting out the security and confidentiality measures which the Service Providers have committed to implement.  

The Company may, in certain circumstances, act as a Data Processor on behalf of third parties, including members of the Irving Oil group of companies.  Where the Company acts as Data Processor, it will act in accordance with the instructions of the Data Controller and within the terms of the written contract with the Data Controller (where same is required to exist) and in all circumstances in compliance with this Policy and related Company policies.

The provisions of this policy relating to security of processing and international data transfers shall apply whether the Company acts as Data Controller or Data Processor.

For the avoidance of doubt and notwithstanding anything to the contrary in this policy, nothing in this policy shall prevent the Company from complying with any legal or regulatory obligation to disclose Data in accordance with applicable law.

1.    HOW WE COLLECT AND USE PERSONAL DATA.

Personal Data is data that identifies you or can be used to identify or contact you. For example, this might include your name, address or e-mail address, occupation and photograph. In certain circumstances you will provide us with your personal data directly or your data may be supplied by your organisation/business. We rarely collect any sensitive personal data by design, however in certain circumstances we will hold sensitive personal data about you by default where this information forms part of your personal contact details. 

Customers, Prospective Customers, Service Users and Service Providers.

Any Personal Data collected about our customers, prospective customers, service users, service providers and our legitimate business contacts is stored in appropriate data management systems which may be paper based or electronic. We process your Personal Data in accordance with the aims of the business i.e. the refining, supply, manufacture, marketing, storage, and transport of petroleum and related oil products i.e. to provide goods or services.

Your Personal Data may be processed for the following purposes:

(a)    for day to day operational and business purposes;
(b)     to communicate with you regarding your contract with us, enquiries regarding the  goods or services we provide to you or the goods and services you provide to us, before, during and after the duration of such contract;
(c)    to contact you in relation to communications from the Company deemed to be of possible interest to you, as an individual and/or company;
(d)    for marketing and/or advertising purposes where appropriate and where you have agreed or consented to such marketing/advertising, if required;
(e)     to contact you in response to communications you might send us; and
(f)     to provide you with the information / service you have requested.

We rely upon the following legal bases in controlling and processing your Personal Data:

(i)     where such processing is necessary to enter into or for the performance of your contract with us; 
(ii)     where such processing is in our legitimate interests in conducting our business in a responsible and commercially prudent manner;
(iii)    to investigate or process complaints and/or defend or bring legal claims or complaints;
(iii)    to comply with our legal and regulatory obligations; and
(iv)    in limited circumstances, your explicit consent (where we have sought it and you have provided it to us), and in which case, you can withdraw your consent at any time.

We will not process your Personal Data for any of these purposes if to do so would constitute an unwarranted interference with your interests, rights and freedoms. We will endeavour to only collect the minimum amount of Personal Data necessary.  

We do not use any Personal Data for the purpose of automated decision-making or profiling. 

CCTV, Photography & Video Recording
We operate CCTV at our company premises. Images and recordings collected through our CCTV will be collected for specified, explicit and legitimate purposes (e.g. security purposes, health and safety) and they will not be processed in a manner that is incompatible with those purposes. In accordance with the legitimate business of the Company your image if captured in our CCTV may be used if required for security, health and safety purposes. 

At any event or conference we may organise, photography and/or video recording may take place. In accordance with the legitimate business and promotional interests of our business your image may be used in our publications and website. If you do not consent to this use, please advise a member of staff prior to or on arrival at the meeting and/or event. You will be advised whether it is possible to accede to your request. If it is not possible for us to confirm that your image will not be used in our publications and/or website, even in an inadvertent manner, we will offer you a refund of any attendance fee. We strongly advise that you make any such enquiry at the time of booking.   

However, where our events and/or meetings are held in public venues and in accordance with the legitimate business and promotional interests of our business members of the press and press photographers/videographers are present, we do not control the publication of press photography and/or reporting. 

The Requirement to process Personal Data.  

 The provision of your Personal Data for the purposes described above is a contractual requirement. In addition, we may need to process your Personal Data to comply with statutory requirements, such as keeping proper records of financial transactions. We cannot continue to facilitate and administer your contract, service agreement or relationship with us, if you fail to provide your Personal Data for the purposes described above. 

2.    HOW IS YOUR INFORMATION SHARED?

Your information will be shared as required with relevant persons for legitimate and reasonable purposes. We may process and share your data with our accountant(s) and other professional advisors when required. Our service providers may only process the data of our customers for the purpose of providing us with their services, and no other purpose. We may also share certain parts of your data when we are required to do so with competent regulatory authorities and bodies as requested or required by law.

We reserve the right to transfer information (including your Personal Data) to a third party in the event of a restructuring of our organisation, provided that the third party has an equivalent privacy policy in place and all necessary legal requirements are complied with.
Your data may be shared within our Company i.e. Irving Oil Company, Limited of Saint John, New Brunswick, Canada and its group of companies including its affiliates, subsidiaries and related companies, wheresoever situate. 

Transfers of data outside the European Economic Area (“the EEA”) 

In some jurisdictions, the transfer and distribution of Personal Data, whether to an entity related to the Company or any of the Service Providers, or to a third party, is restricted and is only permitted in limited circumstances.  In the event that the Company or a Service Provider transfers Personal Data from within the EEA to a country outside the EEA, it will in general be necessary for the Company (as Data Controller) to have in place a written agreement with the third party to whom the Personal Data is transferred. 

We transfer data to Data Processors located outside the EEA. Your Personal Data may also be processed by staff operating outside the EEA who work for us or for one of our Service Providers. Particular restrictions and limitations apply to the transfer of Personal Data from within the EEA to countries outside of the EEA, where such countries do not have equivalent levels of data protection to that afforded to Personal Data within the EEA.  The safeguard we have put in place for transfers to such countries is to enter into European Commission approved contractual clauses with the relevant third party. The Company may, as Data Controller, appoint a Service Provider as its agent for the purposes of executing the European Commission’s approved contractual clauses.  However, in no case will Data be transferred from within the EEA to a country outside the EEA without the Company’s consent.

If you wish to receive more information relating to our Processors and/or transfers outside of the EEA, relevant to your Personal Data, please contact the Privacy Officer.

3.    WHAT ARE YOUR RIGHTS RELATING TO PERSONAL DATA?
Depending on where you are located and the location from which you engage with us and/or the location from which you receive goods or services from us or provide goods and services to us , the Data Controller of your personal data controlled or processed by us under this policy may vary and accordingly, your rights in relation to your Personal Data may also vary. To clarify your rights in relation to your Personal Data or if you have any questions about our use of your personal data, you should first contact us at [email protected].

In certain circumstances, you may have the right to request information regarding Personal Data relating to you, how it is stored, how the data was collected, and for what purpose. If Personal Data is incorrect or incomplete, you may have the right to request for it to be corrected or supplemented. You may have the right to request that your data is deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing activity has lapsed or ceased to be applicable for other reasons. However, certain operational, legal and/or statutory retention requirements must be observed. 

You may also have the right to data portability i.e. you may have the right to request us to provide you, or a third party, with a copy of your Personal Data in a structured, commonly used machine readable format. In the very limited circumstances where we may be processing Personal Data based on your consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing which took place prior to its withdrawal. 

If you are unhappy with how we process Personal data, we ask you to contact us so that we can rectify the situation. You may also lodge a complaint with a supervisory authority. Please contact the Privacy Officer at [email protected] and we will advise you of the appropriate supervisory authority pertaining to your complaint or query.

You may also ask us not to process your personal data for marketing purposes. As indicated above, you can exercise your right to object to such processing at any time by using an unsubscribe facility or contacting us at [email protected]

In order to exercise any of the potential rights set out above, please contact the Privacy Officer at [email protected]

4.     HOW LONG DO WE KEEP YOUR PERSONAL DATA?

We will retain your Personal Data (including sensitive data) on an ongoing basis, for as long as we have a relationship with you, to observe certain operational, legal and/or statutory retention requirements and in order for us to:

(a)     comply with our records retention obligations and for any extended period reasonably determined necessary; and

(b)     to investigate or process complaints and/or defend or bring legal claims or complaints. 

5.     HOW DO WE KEEP YOUR PERSONAL DATA SAFE? 

We take steps through appropriate organisational and technical measures to ensure that the personal and sensitive information we hold about you is held securely and to protect against the loss or misuse of your information. 

Each of the Company and the Service Providers is obliged to implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, or accidental loss, alteration, unauthorised disclosure or access.  This applies particularly where such Personal Data will be transmitted over a network.

Generally, the Company shall, and where it appoints Service Providers and/or Data Processors, shall ensure that the Service Providers shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Individuals, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.  

Any breach of your Personal Data is notified and managed in accordance with our Privacy Breach Management Protocol.  

In accordance with applicable data protection laws, the Company may be obliged to notify the appropriate regulatory authority of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data (each a “personal data breach”), unless the Personal Data breach is unlikely to result in risks to Individuals.  Furthermore, the Company may be required notify any impacted Individuals without undue delay where a Personal Data breach is likely to result in a high risk to those Individuals.

The Company shall ensure that Service Providers notify the Company without delay of any security incident and shall provide all reasonable assistance to the Company to enable it to comply with its obligations under applicable data protection laws with regard to notification of Personal Data breaches.