PRIVACY NOTICE – PERSONNEL

General: In this Privacy Notice (“PN”), references to “we” or “us” or “Petrolink” are references to Petrolink International Limited, a company registered in the Isle of Man with registered number 009213V, whose registered office is at 1st Floor, 11 -– 13 Hill Street, Douglas, Isle of Man, IM1 1EF.

 

This PN is adopted by Petrolink for and on its own behalf, and for and on behalf of the Petrolink Group. “Petrolink Group” means affiliates of Petrolink (i.e. any entity that directly or indirectly controls, is controlled by, or under common control with Petrolink, where “control” means the ability to direct the management or policies of an entity, whether through ownership, voting rights, contractual arrangements, or otherwise).

About this PN: We are a “data controller” for any personal data (“PD”) you provide to us:

  • during the application and recruitment process,
  • during your employment with us, and/or
  • after your working relationship ends with us.

This means we have legal obligations to protect your PD.

 

This PN:

  • sets out how we ensure compliance with Data Protection obligations under various data protection laws (“DP Laws”),
  • sets out how we protect your PI, and
  • applies to PD of all employees (whether prospective or actual), contractors and consultants (regardless of their location).

 

Our PN will be reviewed on a regular basis to ensure compliance with DP Laws. Please check our website frequently to see recent changes.

 

What is PD? In this PN, PD includes all personally identifiable information (“PII”) (such as names, email addresses, phone numbers, and ID numbers) but also includes data like IP addresses, location data, and pseudonymized information. PII is a term used most commonly in the US for data protection matters, whereas PD is more commonly used in the UK and EU. As Petrolink is a global organisation, we have chosen to use the term PD for this PN as it covers broader types of personal information.

 

Petrolink’s Commitment to Your Privacy Petrolink respects the privacy of everyone who works for us and is committed to safeguarding your PD. Whenever you provide PD to us, we handle it in accordance with our internal data protection standards, which are aligned with relevant DP Laws in the countries in which we operate.

 

How do we collect PD? We collect PD in two ways:

 

  1. Information you give us: We receive and store PD that you provide for us when a) you apply for a role with us, ii) if successful, when you start your role with us and iii) during your employment with us. Examples of the PD that we receive from you include (but are not limited to) your name, address, date of birth, national insurance/social security number, bank details, compensation history, employment records, background checks, criminal record checks and email address. In most instances, we will also ask for a government issued ID and/or similar documents.
  2. Information we get from your use of our website and applications: We receive and store certain types of information whenever you interact with us. For example, we obtain certain types of information when carrying out testing on portals or the website, as part of your role.

 

How do we use PD? We may use the PD you give us to carry out various functions in relation to your role. This can include (but is not limited to):

  • Deciding about your recruitment, appointment, or employment terms.
  • Checking your legal entitlement to work in the country you will be based.
  • Carrying out payroll and finance functions.
  • Assessing and implementing education, training and development requirements.
  • Assessing your fitness-to-work and associated matters (such as monitoring sickness absence).
  • Monitoring business and personal use of our systems, equipment and/or assets, fair and necessary for legitimate business reasons (like security, compliance, or preventing misuse).

 

With respect to PD obtained from your use of our website and applications, we may also use the PD to help us create, develop, operate, deliver and improve our products, services and content, and for loss prevention and anti-fraud purposes.

 

Our Legal Grounds for Processing PD: As set out above, we may use your PD for several different purposes.  In each case, we must have a “legal basis” to do so. We will rely on the following legal bases when we process your PD:

  • We need to use your PD to manage the contractual relationship between us.
  • We need to use your PD provided in the course of carrying out testing on portals or the website for a legitimate interest of the business (e.g., improving services).

 

Special Categories of PD: There are also “special categories” of data, which are more sensitive personal data – these are provided a higher level of protection. When processing special categories of PI, we require to have a further justification for carrying out such processing. Such justifications include, for example:

  • carrying out our legal obligations as your employer (such as remitting payments to any relevant pension providers, advising next of kin of any incidents or sickness during your role) – (i.e. on the basis of employment, social security and social protection law)
  • complying with the law (such as making payments of tax and national insurance deductions);
  • safeguarding your well-being and/or mental health – (i.e. under occupational health and safety or the assessment of your working capacity)
  • Establishing, exercising, or defending legal claims

 

We do not need your consent to use special categories of PD where such use is justified under the bases set out in the DP Laws. Where none of these justifications apply, we may obtain your explicit consent. If we do, you are free to refuse or withdraw your consent at any time without detriment.

 

When might we share your PD? Petrolink shares PD only as described below:

  1. Prospective employees: In the event of an unsuccessful application, we will share personal information only to the extent required to process your application.

 

  1. Third Party Service Providers: We may employ other companies and individuals to perform functions on our behalf – for e.g., to conduct pre-employment screening checks or carry out administration of payroll functions. They will have access to PD to the extent that it is needed to perform their functions but may not use it for other purposes. They must also process the PD in accordance with this PN and relevant DP Laws.

 

  1. Petrolink Group Companies: We may share PD within the Petrolink Group, for the purposes of recruitment or human resources processes. Some members of the HR team, interviewers and/or managers may work in jurisdictions other than where you are based.

 

We may also share your data within the Petrolink Group for business performance and management purposes. For e.g., if you are applying for a senior management position with us, we may share your data with our investors and/or shareholders.

 

  1. Others: We may need to disclose your PD if required by law, legal process, litigation, and/or requests from public and governmental authorities. We may also disclose PD if we determine that:
  • disclosure is necessary or appropriate for purposes of national security, law enforcement, or other issues of public importance; and/or
  • such action is necessary to protect and/or defend our rights, property, or personal safety and those of our users/customers or other individuals.

 

International Transfers of PD: There may be some instances where your PD may be transferred outside the country where you are based (for e.g., to jurisdictions where the Petrolink Group operates, or where our trusted third-party service providers are located). This may occur when PD is shared with partners or HR teams supporting the recruitment or employee management process. Where such transfers take place, we implement safeguards to ensure that your PD remains protected in accordance with the DP Laws. These may include agreeing contractual protections with applicable parties, relying upon decisions of the courts as to which countries have high standards of DP laws comparable to those in the UK/EU, or applying other legally recognised safeguards.

 

Retention of PD: We will retain your PD for the period necessary to fulfil the purposes outlined in this PN, unless a longer retention period is required (for example, where there is a legal obligation to retain such PD). Petrolink has implemented Data Protection Guidelines, which specifies the PD retention periods in each country where we operate.

 

Storage and Protection of PD: Petrolink takes the security of your data seriously. We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused, or disclosed, and is not accessed except by our personnel in the proper performance of their duties.

 

Cookies and Other Technologies: To enable our systems to recognise your device and to provide features to you, we use cookies (small pieces of information saved on your device via your web browser). The cookies record patterns of use and allow us to:

  • customise, control or regulate the use of our websites and
  • adapt the display or appearance according to your preferences or interests.

 

We use the following cookies:

 

  • Strictly necessary cookies: These are cookies that are required for the operation of our website (such as setting your privacy preferences, logging in or filling in forms).
  • Analytical or performance cookies: These cookies allow us to count page visits and traffic sources so we can measure and improve the performance of our site.
  • Functionality cookies: These are used to recognise you when you return to our website, enabling us to personalise our content for you.

 

Where required by law, we will seek your consent before placing non-essential cookies on your device.

 

You can find more information about the individual cookies we use and the purposes for which we use them in the table below:

 

Cookie Title/name Purpose Retention period
_pk_cvar short lived cookies used to temporarily store data for the visit 30 minutes
_pk_hsr short lived cookies used to temporarily store data for the visit 30 minutes
_pk_id used to store a few details about the user such as the unique visitor ID 13 months
_pk_ref used to store the attribution information, the referrer initially used to visit the website 6 months
_pk_ses short lived cookies used to temporarily store data for the visit 30 minutes
_pk_testcookie used to check whether the visitor’s browser supports cookies Cookies is created and should be then directly deleted
commId For window communication Valid until the browser is closed
Idp_id Used to store the IDP session id Valid until the browser is closed
matomo_ignore Used to opt out user by Matomo [13 months]
matomo_sessid Used to opt out user by Matomo for preventing CSRF [13 months]
MMAUTHTOKEN Mattermost Session ID Valid until the browser is closed
MMCSRF Mattermost cookie for preventing CSRF attack Valid until the browser is closed
MMUSERID Mattermost User ID Valid until the browser is closed
mtm_consent Used to remember that consent was given by the user [13 months]
mtm_consent_removed Used to remember that consent which was removed by the user [13 months]
mtm_cookie_consent Used to remember that consent for storing and using cookies was given by the user. [13 months]
petrovue cookie [GUID] Used to store the session id Valid until browser is closed
Pvu-connect.sid Session ID for Petrovue (name is configurable in modconfig session.key) Valid until the browser is closed

{PVU_MODULE_ROUTE}_

FeedbackTimestamp

 PVU Module last feedback check timestamp, e.g. for rtv would be rtv_FeedbackTimestamp Valid until the browser is closed

 

You may want to change the settings of your browser to notify you when a cookie is to be used or you can choose to reject cookies automatically. Please note that our website and applications may not function properly if your cookies are disabled.

 

Third Party Websites: Third party websites have their own privacy policies and use different types of cookies. We urge you to review their policies and notices before using their websites – we do not accept any responsibility or liability for the privacy practices of such third-party websites, and your use of such websites is at your own risk.

 

Your Rights: Under DP Laws you have certain rights in relation to your PD.

 

  1. The right to access your PD: You can obtain a copy of the PD we hold about you and certain details of how we use it.
  2. The right to rectification: If you believe that there are any inaccuracies, discrepancies, or gaps in the PD we hold about you, you can contact us and ask us to update or amend it.

 

  1. The right to restriction of processing: In certain circumstances, you are entitled to ask us to stop using your PD (for example, where you think that we no longer need to use your PD).
  2. The right to withdraw your consent: Where we rely on your consent to process your PD, you have the right to withdraw such consent.
  3. The right to erasure: This is sometimes known as the ‘right to be forgotten’. It entitles you, in certain circumstances, to request deletion of your PD.
  4. The right to object to direct marketing: You have a choice about whether you wish to receive marketing information from us. Please note that, even if you opt out of receiving marketing messages, we may still send you communications which are relevant to the nature of services we offer you.
  5. The right to object to processing: In certain cases, you have the right to object to our processing. This right arises where we process your PD based on our legitimate interests and you can object to such processing (unless our purpose outweighs any prejudice to your privacy rights).
  6. The right to data portability: In certain circumstances, you can request that we transfer PD that you have provided to us to a third party.
  7. Rights relating to automated decision-making: We do not carry out any automated decision making. If this changes in the future, we will provide you with an updated notice setting out our decision-making process.
  8. The right to make a complaint with the Regulator: If you believe that we have breached DP Laws when using your PD, you have the right to lodge a complaint with the relevant data protection authority. In the UK, this is the Information Commissioner’s Office, whose website can be found at ico.org.uk.

 

Please note that while we take your rights seriously, there may be circumstances where we are unable to comply with your request — for example, if doing so would prevent us from meeting our own legal or regulatory obligations. In such cases, we will explain the reasons for our decision.

 

Further queries: If you have any questions or concerns about:

  • the PD we hold in relation to you (including wishing to submit a request in line with your rights above), or
  • the privacy of our websites or applications, please contact us at privacy@petrolink.com.

 

 

Version: 1.0 – 09/Sep/2025