Privacy Notice for Suppliers, Clients, Counterparties & Prospects

The collection and processing of personal data by Gunvor Group Ltd is in full compliance with the EU General Data Protection Regulation 2016/679 and other applicable privacy laws.

This privacy notice describes how Gunvor Group Ltd and other companies in the Gunvor Group[1] may collect and use personal data about you pursuant to your working relationship with us, in accordance with applicable data protection law (including but not limited to the General Data Protection Regulation 2016/679 (EU GDPR), the UK GDPR as defined by s.3(10) of the UK Data Protection Act 2018 (UK GDPR), or the Swiss Federal Act on Data Protection (FADP)). In particular, it applies to all suppliers, clients, counterparties and prospects.

It also describes your data protection rights, including the right to object to some of the processing which we carry out. More information about your rights, and how to exercise them, is set out in the “YOUR RIGHTS” section.

This notice may be updated at any time. It does not form part of any contract.


We will comply with data protection law. This says that the personal data we hold about you must be:

  • used lawfully, fairly and in a transparent way,
  • collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes,
  • relevant to the purposes we have told you about and limited only to those purposes,
  • accurate and kept up to date,
  • kept only as long as necessary for the purposes we have told you about, and
  • kept securely.

Personal data, or personal information, means any information relating to an identified or identifiable natural person. However, it does not include data where the identity has been removed (anonymous data).

We may collect and process the following personal data about you:

  • Identification Information: Your name, job title and employer details
  • Contact Information: Your address, telephone number and email address
  • Financial Information: If you are a sole trader or unlimited liability partnership, your personal payment details or bank details
  • Communication records: The content of your communications with us (such as emails, letters or any other communication channels used)
  • Other Information: Other information we may require in order to administer our business relationship with you
  • Communications Preferences: Information regarding whether or not you wish to receive communications from us
  • Sensitive or Special Category Information: Information in relation to your criminal records for the purposes of conducting background checks (where relevant)
  • CCTV footage: If you visit our premises, we may collect CCTV footage of you (images only and no voice recordings)

Sometimes, we may receive information about you from third parties. In particular:

Third Party: Category

  • Background check providers: Contact Information, Identification Information, Sensitive or Special Category Information (criminal records, politically exposed persons check)
  • Credit reference agencies: Contact Information, Identification Information and, if you are a sole trader or unlimited liability partnership, Financial Information
  • Social media (e.g. LinkedIn): Contact Information and Identification Information
  • Fraud prevention agencies: Contact Information, Identification Information, Financial Information

Where your personal data is required to perform our contractual obligations or to comply with our legal and regulatory obligations, its provision is mandatory: if relevant data is not provided, then we may not be able to provide you with the relevant products and services. The provision of all other information is optional.


We may process your personal data for the following purposes:

  • To take pre-contractual steps with you or to perform our contractual obligations towards you,
  • To verify your identity and conduct due diligence in connection with our business relationship,
  • To respond to your/your employer’s communications with us,
  • To manage our relationship with you,
  • To facilitate payment for services rendered,
  • To prevent, investigate and/or report fraud, terrorism, misrepresentation, security incidents or crime, in accordance with applicable law,
  • To comply with our legal and regulatory obligations and requests anywhere in the world, including reporting to and/or being audited by national and international regulatory bodies, and
  • To comply with court orders and exercise and/or defend our legal rights.

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • where we need to conclude a contract with you or perform a contract we have entered into with you[2],
  • where we need to comply with a legal obligation (e.g. to comply with requests made by law enforcement authorities or court orders)[3], and
  • where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests (e.g. to control the performance of your obligations; organize our work; ensure quality of services; internal control; internal investigations; IT security; and to protect our staff, property and rights).

We may also use your personal data in the following situations, which are likely to be rare:

  • where we need to protect your (or someone else’s) vital interests[4], and
  • where it is needed in the public interest[5].

“Special categories” of particularly sensitive personal data, such as information about your criminal sanctions, require higher levels of protection. We need to have further justification for processing this type of personal data. We may process special categories of personal data in the following circumstances:

  • in limited circumstances, with your explicit written consent,
  • where we need to carry out our legal obligations (e.g. AML or antifraud obligations) or exercise rights in connection with our relationship, and
  • where it is needed in the public interest, such as for equal opportunities monitoring.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your (or someone else’s) vital interests and you are not capable of giving your consent, or where you have already made the information public.


We may share your data with the following categories of recipients:

Category of Recipient: Why?

  • Gunvor Group Companies: To operate, improve, and develop our services
  • Third party service providers and suppliers: We employ other companies and individuals to perform functions on our behalf. Examples include: IT service providers; Cloud providers (e.g. Microsoft 365 and Microsoft Azure); Background check providers; Security providers; Archiving service providers; Payment processing providers
  • Credit reference agencies, law enforcement, fraud prevention agencies and companies providing services for money laundering: To prevent, investigate and/or report fraud, terrorism, misrepresentation, security incidents or crime, in accordance with applicable law
  • Prospective Buyers/Sellers: In the event that the business is sold or integrated with another business, your details will be disclosed to our advisers and any prospective purchaser’s adviser and will be passed to the new owners of the business
  • Companies designated by you: To comply with your instructions in the event that you make a request for us to share your personal data with these companies
  • Third parties to whom we assign or novate any of our contractual rights or obligations: For the purposes set out in the relevant contract pursuant to which our rights are novated or assigned
  • Any government, regulatory agency, enforcement or exchange body or court where we are required to do so by applicable law or regulation or at their request: To comply with requests from these bodies


The companies belonging to the Gunvor group are located around the world (see https:// and Gunvor entities based in the European Union, Switzerland[6], Singapore[7] and the USA[8] may have access to your personal data. Our internal IT services providers are located in Estonia, Turkey, Switzerland and the USA, although external service providers may be located elsewhere. 

Gunvor’s Intragroup Data Transfer Agreement (IDTA) governs data sharing between Gunvor entities. Where information is transferred to third parties outside the UK, the EEA or Switzerland (as applicable) and where this is to a country that is not considered adequate under UK, EU or Swiss law, we ensure that safeguards are in place in order to ensure an adequate level of protection is afforded to your personal data.


We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to access this data. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.


We store your personal data in our data centres (that may be made available by external service providers, i.e. external data centres) and within specific cloud services (e.g. Microsoft). Our servers are located in our hubs based in Geneva (Switzerland), Houston (USA) and Singapore. We take all appropriate actions to ensure the personal data hosted via cloud solutions benefit from the level of protection required pursuant to applicable data protection law.


We will retain your personal data for no longer than it is necessary for the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. Some of your personal data needs to be retained for the whole duration of the contractual relationship and we may retain some personal data longer provided it is necessary for the protection of our rights or the compliance with our legal obligations.

We may also retain your personal data until the expiration of claims related to relevant client contracts to protect our rights if your personal data is connected to client relationships or contracts. Generally, the retention period does not exceed ten years.

Where we collect CCTV footage, we retain this footage for ten days.


It is important that the personal data we hold about you is accurate and up to date. Please keep us informed if your personal data changes during your working relationship with us.

You have the right to:

  • Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
  • Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer or port of your personal data to another party (commonly referred to as the right of “data portability”).
  • Lodge a complaint with the data protection officer or the supervisory authority in the country that you reside in, the country of your place of work or the country where the alleged infringement took place.

If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact [email protected].

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

These rights may be limited, for example if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law or have compelling legitimate interests to keep.


In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact [email protected]. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.


We have explained above who the relevant data controller is for the processing of your personal data.

We have appointed a data protection officer (DPO) to oversee compliance with this privacy notice.

If you have any questions about this privacy notice or how we handle your personal data, please contact the DPO at [email protected].


We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.

[1] For further information in relation to the legal name and contact details of the data controller, please consult the contract entered into between you and the relevant Gunvor group entity. In the absence of a contract, the relevant controller is the Gunvor company that employs the Gunvor representative you are corresponding with.

[2] GDPR Article 6.1.(b)

[3] GDPR Article 6.1.(c)

[4] GDPR Article 6.1.(d)

[5] GDPR Article 6.1.(e)

[6] The European Commission and UK government have recognized Switzerland as providing an adequate level of protection for personal data.

[7] We have implemented standard data protection clauses as adopted by the European Commission and the UK Government (as applicable) as a safeguard to protect your rights and freedoms.

[8] We have implemented standard data protection clauses as adopted by the European Commission and the UK Government (as applicable) as a safeguard to protect your rights and freedoms.