Chevron Corporation (“Chevron”) respects all privacy laws. In processing personal data, Chevron complies with applicable local privacy laws and internal policies. This Notice explains how Chevron’s affiliate in Angola processes the personal. This Notice also summarizes the rights that the data subject have regarding the use of personal data, the measures taken to protect the security of that data, and who you can contact regarding data protection practices at Chevron.

For simplicity, throughout the rest of this Notice, Chevron’s affiliate in Angola will be referred to simply as “the Company”, or using the terms “we”, “us” or “our”.

“Processing” of personal data is defined very broadly under the law and means any use of personal data, whether or not by automated means, such as collection, recording, storage, alteration, retrieval, disclosure, sharing, deletion, or destruction.

This notice supersedes all previously issued personal data protection and data privacy notices that you may have received, which pertain to data privacy and data protection.

The Company is primarily responsible for meeting the requirements of local data privacy laws and other applicable data privacy laws of concern and is therefore considered to be the “Data Controller” under the data privacy laws. The Company headquarters in Angola has a registered office at Avenue Dr. Antonio Agostinho Neto S/N, Caixa Postal 2950 Luanda.

We will collect certain personal data. Personal data is collected and used for a variety of reasons including, but not limited to safety, health and welfare, and emergency contacts.

In order to protect your security and the security of our assets, we also use various surveillance systems such as cybersecurity monitoring software, which can therefore record technology-related personal data.

In broad terms, we collect your personal and use surveillance technology for one of three reasons:

• to meet our obligations under contracts;
• to fulfill a legal obligation; or
• to pursue our legitimate interests (for example, to utilize certain surveillance technologies to protect our assets).

In certain circumstances, we may ask for your consent to collect your personal data. This will typically be in relation to programs in which your participation is purely voluntary. In such cases, you will be provided with a supplementary notice and asked to confirm your consent by electronic signing of the supplementary notice.

We will only grant access to your personal data on a need-to-know basis, and such access will be limited to the personal data that is necessary to perform the business function for which such access is granted. Access may be granted to your supervisor, managers and higher-level Company managers, leaders and executives, and personnel in the HR, IT, Finance, Legal, Compliance teams. Additionally, we maintain an internal contact directory known as Identity and Access Management Portal (IDAMP).

Due to the global nature of our operations, we may disclose and transfer certain personal data to Chevron’s affiliate in Angola in locations outside the countries where we do business, for example to the United States. In line with the requirements of the Data Privacy Law, such transfers will always comply with local Data Privacy legal requirement, in terms of authorization or notification to the Data Privacy Agency, where applicable, and will also be based on a legally adequate transfer method. Most commonly within Chevron, legal adequacy is ensured by way of intercompany data transfer agreements between the Company and its other affiliates elsewhere in the world. These impose data protection obligations upon such affiliates based upon direction of Global Contracting, provide guidance when to utilize the standard Information Risk Strategy Management (IRSM) exhibit.

We outsource support for many different business functions within the Company. Examples include (but are not limited to) the use of companies to provide insurance services, or to administer pension plan benefits.

We may also need to disclose your personal data to our professional advisers, such as our accountants, auditors, lawyers, bankers, insurers and other advisers, as well as governments, government agencies, regulatory bodies and law enforcement authorities in countries where we do business.

We secure contractually that those with whom we do business protect the confidentiality and security of personal data, and only use personal data for the provision of services to the Company, and in compliance with all applicable laws.

Occasionally, we may need to disclose your personal data to a third party in connection with a corporate reorganization, sale of a portion of Chevron’s business or entry into joint ventures and other corporate or financial arrangements. In all such instances, your personal data will be shared or disclosed in full compliance with data protection law.

In certain circumstances, we may need to process personal data that the Data Privacy Law defines as “sensitive data”. This “sensitive” data can include but is not limited to data revealing racial or ethnic origin, trade union membership or health, genetic or biometric data or data about sexual orientation.

Use of sensitive data by the Company would almost always be limited to the following two circumstances:

• to comply with employment, social security or social protection law, and all applicable laws; or
•  data collected by Chevron’s Health and Medical team for the purposes of preventative or occupational medicine, or to assess fitness for work and any adjustments that may need to be made, under applicable law, to accommodate illness or disability. Such data is held under the supervision of team members who are doctors or nurses and who are therefore under strict ethical, deontological and legal duties of patient confidentiality.

Occasionally, we may also need to process sensitive data to establish, exercise or defend legal claims brought by or against Chevron (or in relation to disciplinary, grievance or complaint matters). In very rare circumstances, it may be necessary to process employees’ personal data in situations of extreme emergency and where an employee is incapable of giving consent (for example, in a medical emergency where an individual is unconscious and urgent medical treatment is required).

Chevron takes the security of personal data seriously and as a result our internal policies and procedures also require certain additional types of personal data to be treated as “sensitive” data even though the law does not require this. Broadly speaking, this would include bank account details and other data which could, in the event of unauthorized disclosure, lead to identity theft or fraud. There are strict limitations upon the use of such data and additional security measures may be taken when such data is being transmitted within or outside Chevron.

Although we may use algorithms and other technology in our business, we do not engage in automated individual decision-making as it is defined in the European Union's General Data Protection Regulation (known as "GDPR").

We are committed to maintaining the security of your personal data. Chevron maintains appropriate physical, procedural, organizational and technical security measures intended to prevent loss, misuse, unauthorized access, disclosure, or modification of your personal data under our control.

We retain your personal data no longer than is necessary for the purpose for which it was originally collected or required to be processed unless applicable law specifically requires a longer retention period (e.g.: under tax and/or privacy law). This means that your personal data will be processed as necessary for establishing, performing, and terminating the employment relationship and will thereafter be retained until applicable retention periods have expired.

Under local law, as well as applicable laws you are entitled to obtain information on the processing of your personal data, to object to processing of your personal data, make use of your right to data portability (to move your data if e.g.: you leave the company) and to have your personal data rectified or deleted or, potentially their processing restricted. You are also entitled to withdraw any consent that you might have given with respect to the processing of your personal data at any time with future effect. These are known as data subject rights.

If you are not satisfied with any response to requests that you make to exercise your rights, or believe that your personal data is not being processed in accordance with the law, you may contact or lodge a complaint with the competent supervisory authority (in Angola is the Data Privacy Agency (“APD”).

We strive to maintain your personal data in a manner that is accurate, complete and up-to-date. However, you should inform us of any significant changes to your personal data.

If you have any questions and/or concerns regarding this Notice, our processing of your personal data or to exercise your data subject rights, please contact Privacy Office at privacy@chevron.com.