1. INTRODUCTION
1.1. Purpose
The Company values the privacy and security of Personal Data and Sensitive Personal Data and is committed to protecting it in accordance with the PDPL as defined below. This Policy outlines our practices and procedures for the collection, storage, processing, transfer, and protection of Personal Data and Sensitive Personal Data in compliance with PDPL.
1.2. Scope
This Policy applies to all Personal Data and Sensitive Personal Data collected, stored, processed, and transferred by the Company while conducting its business activities including but not limited to Personal Data and Sensitive Personal Data collected from directors, employees, customers, suppliers, vendors, contractors, consultants, agents, third party service providers and other stakeholders.
2. DEFINITIONS
a) Authority
The Personal Data Protection Authority vested with the powers under the provisions of PDPL.
b) Company
Bapco Refining B.S.C. (c)
c) Data Subject
The natural person to whom the data relates, which includes, but is not limited to, the Company’s directors, employees, customers, suppliers, vendors, contractors, consultants, agents and other service providers.
d) Data Processor
A natural or legal person, other than an employee of the organization, who processes Personal Data on behalf of the Company or the Data Controller.
e) Data Controller
A natural person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of Personal Data and/or Sensitive Personal Data.
f) Data Protection Officer
A natural person who works for the Data Controller to perform the duties of a Data Protection Officer, as outlined in this Policy and enrolled in the data protection guardians register maintained by the Authority.
g) Employees
All employees of the Company, including its officers, all direct hire employees, secondees, assignees and contract staff.
h) PDPL
Personal Data Protection Law No. 30 of 2018 as amended from time to time and the applicable Ministerial Orders and regulations.
i) Personal Data
Any information in any form relating to an identified or identifiable person, directly or indirectly, e.g. social identity, passport number, license number, email address, credit card number, etc.
j) Policy
This Data Privacy Policy.
k) Processing
Any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, storage, use, disclosure, or destruction, organization, classification, alteration and others.
l) Sensitive Personal Data
Personal Data that directly or indirectly discloses the race, ethnicity, political views, medical records, biometric data, religious beliefs, criminal records, union affiliations etc.
m) Third Party
A natural or legal person, public authority, agency or body other than the Data Subject, Data Controller, Data Processor, and persons who, under the direct authority of the Data Controller or Data Processor, are authorized to process Personal Data.
3. RESPONSIBILITIES
3.1 Data Protection Officer:
The Data Protection Officer’s responsibilities include but are not limited to:
a) Assist the Company in exercising its rights and fulfilling its obligations prescribed under PDPL;
b) Ensure that Personal Data and Sensitive Personal Data is collected, processed, stored, and maintained in a fair, lawful and secure manner consistent with the legal requirements;
c) Oversee the Company’s data privacy strategy and ensure compliance with PDPL and other relevant data protection laws;
d) Liaise between the Company and the Authority and act as point of contact for Data Subjects;
e) Work closely with Cybersecurity teams and concerned departments to ensure implementation of policies and procedures and technological controls for protection of data; and
f) Conduct due diligence on Third Parties that store or process personal data collected from the Company.
3.2 Departments:
All concerned departments shall work closely with the Data Protection Officer on data protection matters and ensure compliance with this Policy and their Divisional Data Protection and Privacy Procedure.
4. REFERENCES
• Personal Data Protection Law No. 30 of 2018, as amended from time to time and the applicable Ministerial Orders and regulations.
• ISO 27001:2022 Annex A 5.34 - Privacy and Protection of PII
• Ministry of Justice, Islamic Affairs and Waqf Order No. (42) of 2022 - Regarding the transfer of personal data outside the Kingdom of Bahrain
5. PERSONAL DATA MANAGEMENT
5.1. Collection, Processing and Retention of Personal Data and Sensitive Personal Data:
a) The purpose for which Personal Data and/or Sensitive Personal Data is collected and processed shall be clearly identified.
b) Personal Data shall only be used for the purpose for which it was originally collected, except for historical or statistical purposes in a form that obscures the Data Subject’s identity.
c) Data Subject's consent shall be obtained for the collection and processing of their Personal Data and/or Sensitive Personal Data, unless an exception under the PDPL applies, including but not limited to when the Processing is necessary for the performance of a contract, when data is made available to the public by the Data Subject, when Processing is necessary for preventive medicine, medical diagnosis, treatment and healthcare services, while carrying out the rights and obligations with respect to those working under the Company’s authority during the course of employment, compliance with a legal obligation, or for the protection of the vital interests of the Data Subject.
d) Only the minimum Personal Data and/or Sensitive Personal Data necessary for the specified purpose shall be collected.
e) Personal Data and/or Sensitive Personal Data shall be kept accurate and up to date at all times.
f) Personal Data and/or Sensitive Personal Data shall not be kept in a form that uniquely identifies the Data Subject after the purpose of data collection has been met.
g) Personal Data and Sensitive Personal Data shall be regularly reviewed and disposed of if it is no longer necessary for the purpose for which it was originally collected.
h) The Company may be required to disclose Personal Data and/or Sensitive Personal Data in response to legal requests by government authorities, including meeting national security or law enforcement requirements.
i) The following types of Processing shall be carried out only with the prior written authorization of the Authority:
    i. Automatic Processing of Sensitive Personal Data of Data Subjects who provide consent;
    ii. Automatic Processing of biometric data;
    iii. Automatic Processing of genetic data (unless by a licensed medical establishment); and
    iv. Processing of visual recordings to be used for monitoring purposes.
j) Personal Data collected by the departments shall not be used for direct marketing purposes. However, where Personal Data is required for direct marketing purposes to meet business requirements, the Data Subject shall be notified of such Processing and their prior consent sought, and they shall at the same time be informed of their additional rights pertaining to direct marketing.
5.2 Employees Personal Data and Sensitive Personal Data
The Company’s Employees acknowledge that the Processing of Personal Data and/or Sensitive Personal Data by the Company is necessary for pursuing the legitimate interests of the Company, including, without limitation, performance of the employment contract, compliance with a legal obligation and carrying out the rights and obligations of the Data Controller.
All Employees must sign the Data Privacy Consent Form that is made available to the Employees for sign-off at the time of onboarding and for any subsequent revisions thereto.
Employees’ Personal Data and/or Sensitive Personal Data shall be Processed for purposes including but not limited to employment contracts, records, training requests and records, payroll, permits, visas, LMRA, GOSI, health and life insurance, etc.
The Company may be required to disclose Employees’ Personal Data and/or Sensitive Personal Data to third parties including, but not limited to, the Ministry of Labour, LMRA, regulatory or government authorities, Data Processors, auditors, and group companies located in and outside Bahrain, for legitimate and contractual purposes or as may be required by law.
The Company may transfer or share Employees’ Personal Data and/or Sensitive Personal Data with third party service providers, including but not limited to cloud service providers, health and insurance service providers, and other third-party service providers covering administrative and security related services.
5.3 Transfer of Personal Data and/or Sensitive Personal Data outside the Kingdom of Bahrain
a) Personal Data may be shared with overseas recipients only if they provide an adequate level of protection for Personal Data, as listed in the Authority’s record of countries and territories.
b) The Authority shall be notified of any transfers of Personal Data to other countries that are not in the approved cross border data sharing list maintained by the Authority.
5.4 Data Sharing with Third Parties
The Company may transfer or share Personal Data and/or Sensitive Personal Data with third party service providers who perform services on the Company’s behalf. In all such cases, the Company shall enter into written agreements with the third-party service providers and require them to provide a comparable level of data protection and be able to demonstrate compliance when requested.
5.5 Data Controller
The Data Controller undertakes the processing of Personal Data and/or Sensitive Personal Data of the Data Subjects. If required by the Company, the Data Controller may outsource certain processing activities to third-party Data Processors subject to a written contract stipulating the following:
a) The Data Processor will only act pursuant to the Data Controller’s instructions; and
b) The Data Processor must comply with and enforce controls to meet Data Privacy and Security requirements and obligations equivalent to those imposed on the Data Controller under PDPL.
5.6 Data Subject’s Rights
a) Data Subjects shall be provided with information on their rights under PDPL, including the right to access their Personal Data, the right to be notified, to be aware of the purpose of collection of their Personal Data, request correction or deletion of their Personal Data, or object to the processing of their Personal Data.
b) Data Subject’s request shall be responded to in a timely and effective manner, in accordance with PDPL.
5.7 Record Keeping
a) Records of all processing activities shall be maintained, including the categories of Personal Data and/or Sensitive Personal Data processed, the purpose of the processing, the recipients of the Personal Data, and the measures taken to protect it.
b) Records shall be made available to the Authority upon request.
c) Personal Data shall be regularly reviewed, and records updated to ensure that they remain accurate and up to date.
5.8 Data Security and Compliance Monitoring
a) Periodic assessments of compliance with PDPL, and reviews of the effectiveness of the technical and organizational measures in place for data protection, shall be conducted.
b) Appropriate technical and organizational measures shall be implemented to protect Personal Data and/or Sensitive Personal Data from unauthorized access, modification or disclosure.
c) Reported breaches of Personal Data and/or Sensitive Personal Data shall be investigated, and appropriate corrective action(s) shall be taken.
5.9 Training and Awareness
a) All departments that process Personal Data and/or Sensitive Personal Data shall receive appropriate training on data protection and privacy. This shall cover legal requirements, policies and procedures, and the handling of Data Subject requests, among other topics.
b) Third Parties working with the Company or processing Personal Data and/or Sensitive Personal Data collected from the Company shall be made aware of the Company’s data privacy and security requirements, to which they must adhere at all times.
6. REVIEW AND INTERPRETATION OF THIS POLICY
a) This Policy shall be updated as necessary to ensure continued compliance with PDPL. Any material amendments to the Policy shall be approved by the Board of Directors.
b) The Company reserves the right to interpret this Policy at its sole discretion, amend or cancel all or any part of it with or without written notice.
7. CONFLICT RESOLUTION AND CONTACT INFORMATION
In cases where compliance with this Policy is not feasible, an exception shall be raised with the Data Protection Officer. The Data Protection Officer shall liaise with the Authority, if required, to resolve all conflicts and deviations in a timely manner.
The Data Protection Officer shall be reachable at the following email address:
dataprivacy.ref@bapcoenergies.com
8. APPENDICES
None
9. SUPERSEDED DOCUMENTS
None