This Privacy Notice (the “Privacy Notice”) contains the policies, procedures and practices to be followed by Pemex Procurement International Inc. (the “Company”) pertaining to the collection, use and disclosure of Personal Information and/or Sensitive Personal Information as defined on PPI’s Confidential Information Policy (Policy-011) of an identifiable person (the “Data Subject”).

This Privacy Notice is addressed to:

• Clients, suppliers, and service providers who are natural persons (such as self-employed persons).
• The representatives or contact persons of clients, suppliers and service providers who are legal entities.
• Any other visitors to this website or one of the Company’s facilities.
• Present, future, or former employees of the Company.

For the purposes of this Privacy Notice, Personal Information and Sensitive Personal Information will be indistinctively referred to as Personal Information.

The Company recognizes the confidential nature of the Personal Information in its care and is accountable for the compliance of itself and its directors, officers, management, employees, representatives, and agents including consultants and independent contractors (the “Staff”) in protecting this Personal Information.

Personal Information will not include the Data Subject’s business title, and business address and contact information when used or disclosed for the purposes of reasonable business communication.

The Company has implemented policies and procedures that give effect to this Privacy Notice, including procedures to protect and secure Personal Information; procedures to receive, investigate and resolve complaints; procedures to ensure adequate training of the Staff concerning the Company’s privacy policies; and procedures to distribute new and current information pertaining to the Company’s Privacy, Security, and Confidential Information Policies.

The Company and the Staff will always respect the confidentiality of the Personal Information placed in its care. The Company will endeavor to ensure that the policies affecting the collection, storage and disclosure of Personal Information reflect the confidential nature of the information.

The Company will comply with all applicable internal policies, privacy legislation and regulations in force now and in the future related to protecting the confidentiality of Personal Information.

The Company will not process Data Subject’s Personal Information if the Company does not have a proper justification foreseen in the law for that purpose. Therefore, the Company will only process Data Subject’s Personal Information, if:

1. the Company have obtained Data Subject prior consent.
2. the processing is necessary to perform the Company’s contractual obligations towards Data Subject or to take pre-contractual steps at Data Subject request.
3. the processing is necessary to comply with the Company’s legal or regulatory obligations.
4. the processing is necessary for the Company’s legitimate interests and does not unduly affect Data Subject interests or fundamental rights and freedoms.

When processing Data Subject’s Personal Information as described on the section iv) of the preceding paragraph, the Company always seek to maintain a balance between its legitimate interests and Data Subject privacy. Some examples of such legitimate interests may include but are not limited to data processing activities performed to:

• benefit from cost-effective services (e.g. we may opt to use certain platforms offered by suppliers to process data).
• offer the Company’s services to its clients.
• prevent fraud or criminal activity, misuses of our services as well as the security of the Company’s IT systems, architecture, and networks.
• meet the Company’s corporate and social responsibility objectives.

The Company always process Data Subject’s Personal Information for a specific purpose and only process the Personal Information which is relevant to achieve that purpose. The Company may process Data Subject’s Personal Information for the following purposes:

1. manage the Company’s suppliers and service providers throughout the supply chain.
2. offer the Company’s services to its clients.
3. organize tender-offers, implement tasks in preparation of or to perform existing contracts.
4. monitor activities at the Company’s facilities, including compliance with applicable policies as well as health and safety rules in place.
5. grant Data Subject access to the Company’s training modules allowing you to provide the Company with certain services.
6. manage the Company’s IT resources, including infrastructure management and business continuity.
7. preserve the Company’s economic interests and ensure compliance and reporting (such as complying with the Company’s policies and local legal requirements, tax and deductions, managing alleged cases of misconduct or fraud, conducting audits and defending litigation).
8. manage mergers and acquisitions involving the Company.
9. archiving and record-keeping.
10. billing and invoicing.
11. any other purposes required by the applicable law and authorities.

When applicable, Personal Information will be collected, used and disclosed for purposes pertaining to the Data Subject’s employment relationship with the Company, including but not limited to the administration of employee hiring, performance reviews, the administration of employee payroll, processing of employee benefit claims, and for the purpose of complying with all applicable labor and employment legislation; the aforementioned, in accordance with the Company’s Confidential Information Policy (Policy-011).

The purposes for collecting Personal Information will be documented by the Company. Personal Information will only be used for the stated purpose or purposes for which it was originally collected. The purposes for which Personal Information is being collected will be identified orally or in writing to the Data Subject before it is collected. The person collecting the information will be able to explain the purpose at the time that the information is collected.

The Company may use Personal Information for a purpose other than the originally stated purpose where the new purpose is required by law or where the Company has obtained consent in writing from the affected Data Subject for each new purpose.

Knowledge and consent are required from the affected Data Subject for the collection, use and disclosure of all Personal Information subject to exceptions noted elsewhere in the Privacy Notice statement.

Consent will not be obtained through deception or misrepresentation.

Any use or disclosure of Personal Information will be within the reasonable expectations of the Data Subject.

Subject to legal and contractual obligations, a Data Subject may withdraw their consent upon reasonable notice as mentioned later in number 10.

The Company is subject to the privacy legislation in all jurisdictions in which the Company operates. If any term, covenant, condition or provision of this Privacy Notice is held by a court of competent jurisdiction to be invalid, void or unenforceable, it is the intent of this Privacy Notice that the scope of the rights and obligations of the Privacy Notice be reduced only for the affected jurisdiction and only to the extent deemed necessary under the laws of the local jurisdiction to render the provision reasonable and enforceable and the remainder of the provisions of the Privacy Notice statement will in no way be affected, impaired or invalidated as a result.

Where this Privacy Notice provides greater rights and protections to the Data Subject than the available governing law, the terms of this Privacy Notice will prevail wherever allowed by law.

The rights and obligations described in this Privacy Notice will apply to all Data Subjects. The Company and the Staff must comply with the policies, procedures and practices described in this Privacy Notice or any other that the Company may implement related to this matter.

The type and amount of Personal Information collected by the Company will be limited to the minimum necessary to accomplish reasonable business purposes. Personal Information will not be collected maliciously, indiscriminately or without a reasonable business purpose.

Personal Information will be collected using fair and lawful means.

All Personal Information will be released internally only on a need-to-know basis. In the course of normal and reasonable business practices it is the policy of the Company to grant designated Company representatives’ access to Personal Information files. This access will not exceed that necessary to accomplish the specific business function of the Company representative nor the purpose for which the information was originally collected.

These representatives may not access Personal Information for any reason unrelated to their job duties and may not use Personal Information in a way that is incompatible with this Privacy Notice.

The Company will endeavor to ensure that all Personal Information collected is accurate, complete, and relevant to the purposes for which it was collected.

Data Subjects have rights when it comes to how their Personal Information is handled, that may include, among others:

1. The right to know what Personal Information the Company maintains about the Data Subject and/or with whom the Company has shared the Personal Information.
2. The right to access or correct the Personal Information, including obtaining the specific pieces of information Company collected from the Data Subject.
3. A right to delete the Personal Information.
4. A right to opt-out of Personal Information sales.

A Data Subject may apply for access to their Personal Information by submitting a request in writing along with adequate proof of identity, if necessary. The Individual will be provided with a copy of all available information that is not subject to restriction as described in this Privacy Notice. When applicable, the Company may elect to provide sensitive medical information (the “Medical Information”) through a licensed medical practitioner. All Personal Information and Medical Information will be provided at no cost or at a minimal cost that is not prohibitive.

The Company will also provide a specific summary of how the Personal Information has been used and to whom it has been disclosed. Where a detailed account of disclosure is not available, the Company will provide a list of organizations to which the Personal Information may have been disclosed.

The Personal Information disclosed to a Data Subject must be in a form that is reasonable and understandable. Where the meaning of information is not clear then translations and explanations will be provided without additional cost.

Where a Data Subject suspects that an error exists in their Personal Information, the Data Subject may submit a request in writing for correction. This request should include any relevant information substantiating the error and should describe the correction to be made. The Company will make all reasonable efforts to address any request for correction.

Where the Data Subject successfully demonstrates an error in their Personal Information the Company will make appropriate corrections. Any modifications, additions or deletions to the Data Subject’s Personal Information will be made only by authorized personnel.

Where a request for correction is not successful, the details and substantiating evidence of the request will be recorded and retained by the Company.

The Company will endeavor to respond promptly to any reasonable request for disclosure and correction made by a Data Subject to ensure the continued accuracy of Personal Information.

In some instances, the Company may be required to limit access to Personal Information because of statutory or regulatory requirements. In all instances however, the Company will make all reasonable efforts to comply with the Data Subject’s request for access and correction to the extent of what is allowed by statute or regulation.

The Company may refuse access to portions of the Personal Information of a Data Subject where it is found to contain Personal Information pertaining to another Data Subject.

If Data Subject have any inquiries, if Data Subject would like to exercise these rights or determine what, if any, Personal Information the Company has about Data Subject, please contact our Legal and Compliance Department at: LegalCompliance-dl@pemexprocurement.com.

The Company will not sell, share, or otherwise transfer Data Subject’s Personal Information to third parties other than those indicated in this Privacy Notice. During the Company’s activities and for the same purposes as those listed in this Privacy Notice, Data Subject’s Personal Information can be accessed by or transferred to the following categories of recipients on a need-to-know basis to achieve such purposes such as:

1. the Company’s personnel (including personnel and departments or other companies related to the services or products needed).
2. the Company’s independent agents or brokers (if any).
3. the Company’s other suppliers and services providers that provide services and products to the Company or to its clients.
4. the Company’s IT systems providers, cloud service providers, database providers and consultants.
5. any third party to whom the Company assign or novate any of our rights or obligations.
6. the Company’s advisors and external lawyers in the context of the sale or transfer of any part of its business or its assets. The above third parties are contractually bound to protect the confidentiality and security of Data Subject’s Personal Information, in compliance with applicable law.

Data Subject’s Personal Information can also be accessed by or transferred to any national and/or international regulatory, enforcement, public institutions, or court, where the Company is required to do so by applicable law or regulation or at their request. The Personal Information the Company collect from Data Subject may also be processed, accessed, or stored in a country outside the jurisdictions where the Company is operating, which may not offer the same level of protection of Personal Information. If the Company transfer Data Subject’s Personal Information to external companies in other jurisdictions, the Company will make sure to protect Data Subject’s  Personal Information by: (i) applying the level of protection required under the local data protection/privacy laws applicable to the Company.

The Company and the Staff will keep confidential all Personal Information under its control except where one or more of the following conditions apply:

1. where the Data Subject has provided written consent for the disclosure.
2. where the disclosure is in accord with the purposes for which the Personal Information was originally collected.
3. where the disclosure is for the purpose of providing employment references to prospective employers and where the Personal Information disclosed is limited to information considered reasonably necessary for the purpose of providing employment references.
4. where the Company is permitted or required to do so by applicable legislation or regulation.
5. where the disclosure is directed to health benefit providers and where the purpose of the disclosure is in accord with the purposes for which the Personal Information was originally collected.
6. where the disclosure is required by authorized government representatives who are acting to enforce any federal or state law or carrying out an investigation relating to the enforcement of any federal or state law or gathering information for the purpose of enforcing any federal or state law.
7. where the Company is required to comply with valid court orders, warrants or subpoenas or other valid legal processes.
8. in an emergency to protect the physical safety of any person or group of persons.

Where Medical Information is collected pertaining to a Data Subject, the Company will store and secure all Medical Information with a greater level of protection. Access to Medical Information will be restricted to Company personnel specifically selected for this task.

In all cases, any disclosure of Medical Information by the Company to any third party or agency will require the written consent of the affected Data Subject for each instance.

The Company will only retain Data Subject’s Personal Information for as long as necessary to fulfill the purpose for which it was collected or to comply with legal or regulatory requirements. The retention period is the term of Data Subject’s (or Data Subject company’s) supply or service contract, plus the period until the legal claims under a contract become time-barred, unless overriding legal or regulatory schedules require a longer or shorter retention period. When this period expires, Data Subject’s Personal Information is removed from the Company’s active systems. Personal Information collected and processed in the context of a dispute are deleted or archived (i) as soon as an amicable settlement has been reached, (ii) once a decision in last resort has been rendered or (iii) when the claim becomes time barred.

Any Personal Information of employees collected by the Company will be retained by the Company during the period of active employment of the Data Subject as well as during the post-employment period only as long as the Personal Information is required to serve its original purpose or as directed by applicable legislation or regulation.

Personal Information that is no longer needed for its stated purpose will be destroyed in accordance with the applicable records disposal procedures.

The rights and protections of the Company’s Privacy Notice will extend to deceased Data Subjects.

The Company have implemented appropriate technical and organizational measures to protect Personal Information from loss, unauthorized access, and unauthorized disclosure.

When handling Data Subject’s Personal Information, the Company: – only collect and process Personal Information which is adequate, relevant and not excessive, as required to meet the above purposes; and – ensure that Data Subject’s Personal Information remains up to date and accurate. For the latter, the Company may request Data Subject to confirm the Personal Information the Company holds about Data Subject. Data Subject is also invited to spontaneously inform the Company whenever there is a change in Data Subject personal circumstances so we can ensure Data Subject’s Personal Information is kept up-to-date.

In case of a cyber or security breach that results in the exposure or loss of Data Subject’s Personal Information, the Company will notify Data Subject without unreasonable delay and in no case later than 60 days following the discovery of that breach. The notification will include a brief description of the breach, a description of the types of information that were involved in the breach, the steps the Company consider Data Subject should take to protect itself from potential harm, a brief description of what the Company will be doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as the Company contact information.