Who we are We are bp Benevolent Fund Trustees Ltd (referred to as the ‘Trustee’, ‘we’, ‘us’ or ‘our’ in this notice). We are the trustee of the BP Benevolent Fund (the ‘Fund’). As the Trustee of the Fund, we store certain personal data about (i) you, as a Fund member or beneficiary, and (ii) where applicable, your dependents and beneficiaries. Personal data is information from which you, as an individual, can be identified. Most of the information held about you and processed by or for us in running the Fund is personal data.



Personal data is subject to certain protections under UK data protection law. Under that law, we are the ‘data controller’ in respect of the personal data that we, or our service providers, process. This means we decide the purposes for and how the personal data we hold about you and other Fund members and beneficiaries is processed.

What information we collect about you and how we collect it We may collect and process some of or all the following categories of personal data about you: name

email address

date of birth and age

gender

relationship status (including marital and civil partnership status)

address and other contact details

tax information (including national insurance number, PAYE details and contracting out record)

income information

capital resources

existing loans

expenditure

details of your bank or building society account (to pay benefits)

relevant employment and remuneration information

identification information (including passport/ID card number)

pensions and national insurance number

medical and other details about your health

details about your dependants and beneficiaries

other personal information that is relevant for the purposes of administering the Fund

We receive this information because you share personal data with us. Other sources of this information may be from other bp entities. As we will likely receive data about your dependants and your partner, spouse or civil partner, you should ensure that any such adult individual is aware that we may hold some personal data in respect of them and share this privacy notice with them or direct them to it.



It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

How we use that information As Trustee, we have a number of legal bases and purposes for processing your personal data including:

our legitimate interest in ensuring the proper administration and management of the Fund, including (but not limited to) using personal data for the following purposes: ascertaining, calculating and paying grants and loans to you or your applicable survivors dealing with requests, queries or disputes, regulatory investigations and/or legal procedings from you or third parties in respect of you managing the Fund’s liabilities (including but not limited to taking steps to reduce risks

affecting the security of your benefits) investing Fund assets or making investment decisions training, note taking, fraud and crime prevention and due diligence activity

compliance with our legal obligations under common law, statute, regulation and/or the Fund’s governing provisions.

As part of running the Fund, we may also need to hold and process sensitive information about you and your dependants and beneficiaries (known as “sensitive” or “special category” personal data). Under law, details relating to health, racial or ethnic origin, religious or other similar beliefs, sexual orientation and political affiliations are regarded as sensitive personal data. Except where the legislation allows it, this information cannot be processed or passed to a third party without your express consent. We may hold and process sensitive personal data for the purposes of: administering the Fund (including, without limitation, administering death benefits and ill- health benefits and considering and making decisions in relation to the funding, investment and de-risking of the Fund)

meeting our trust law duties and responsibilities and/or legislative and regulatory requirements affecting pension schemes In most circumstances we will process this data as necessary for the lawful reasons of: (i) establishment, exercise or defence of legal claims to benefits; and/or (ii) in the performance of our legal obligations in connection with employment, social security and social protection. If we cannot lawfully process your special category data for the above reasons or another lawful reason, we will obtain your consent before carrying out any such processing.

Personal data relating to the Fund may be held on paper, microfiche and computer systems. As the data controller, we must process this information fairly and lawfully.

We are committed to protecting your personal data. We take all reasonable precautions to safeguard the confidentiality of your personal data. These include procedures and security features to prevent unauthorised access of your personal data, both internally and with any data processor we engage.

Who we share it with? We share or may share your personal data with the following categories of recipients in connection with the processing purposes set out under “How we use that information” above: BP p.l.c. as the main sponsoring employer of the Fund and other entities in the bp group of companies. Where this is the case, bp shall protect your data in line with its comprehensive, flexible and global compliance framework which implements appropriate measures and safeguards to guarantee an adequate level of data protection throughout the bp group. bp’s fair processing notice provides further details and can be found at https://myhr.bp.com/plus/myhr/pages/gdpr-banner1.aspx. If you do not have access to the bp intranet and would like a copy of this notice please contact us other pension schemes or insurers that receive assets in respect of members on an individual basis or as part of a bulk transfer IT and telephony service providers such as those providing: support, maintenance and troubleshooting services for the IT systems we use; our third party pension scheme administration software; cloud and data storage services; our telephony and call recording system and disaster recovery services your personal advisers and other third parties that are authorised by you payroll administrators and providers for the purpose of making benefit payments and payment service providers (such as give as you earn services) administrators responsible for consultancy administration services for the Fund on our behalf the Fund’s professional advisers including the scheme actuary, auditor, medical advisers, and lawyers the administrator who is responsible for the day-to-day administration of the Fund on our behalf any government bodies (such as HMRC), statutory bodies, public authorities, regulators (such as The Pensions Regulator) and judicial bodies identity verification service providers to verify your identity, to protect against fraud e.g. when you first draw benefits from the Fund. Such services may include electronic checks against public records and credit bureaus that leave a “soft footprint” on your credit record. Such checks are only visible to you and do not affect your credit score data enrichment service providers to help the Trustee understand and predict the Fund’s potential liabilities better for funding, investment and de-risking activities in respect of the Fund. Such services may include marital status checking services other third parties and the subcontractors of those parties whose services we may require from time to time including those providing communication, printers, shredding and/or cybersecurity services other third parties where disclosure of information is required by law, such as a spouse or their solicitor (in relation to divorce proceedings), police authority, court, the Pensions Regulator or Pensions Ombudsman, or where it is necessary for the purposes of our legitimate interests relating to the administration of the Fund.

Overseas data transfers We may store or transfer your Personal Information to other BP companies around the world, including outside the UK or European Economic Area in countries which are not subject to an adequacy decision of the European Commission or the UK Secretary of State. We do this under BP’s comprehensive, flexible and global compliance framework which implements appropriate measures and safeguards (including EU standard contractual clauses and the UK Addendum) which guarantee an adequate level of data protection wherever your Personal Information is physically kept or otherwise processed. Further information about these measures is available from the CDPO here: privacy3@bp.com.



How long we keep personal data for We must keep all personal data safe and only hold it for as long as necessary. To meet the requirements of the applicable laws, we must keep certain personal data (for example, details about the date a member joins the Fund, their name and address, and details of benefits paid) for a minimum of 7 years.



Your rights Depending on why the Trustee is processing your personal data, you will have certain rights in relation to that data. The type of rights you may have include: access – you have the right to see personal data that is held about you and a right to have a copy provided to you, or someone else on your behalf, in a digital format. Your data will generally be provided to you free of charge. However, we may charge a reasonable fee in certain circumstances rectification – you have the right to ask that we correct any personal data we hold about you that you consider to be inaccurate or wrong restrict processing – you can require us to limit the processing of your personal data in certain circumstances, for example, while a complaint about its accuracy is being resolved object to processing – as we are relying on legitimate interests as a reason for processing , you can object to your personal data being processed, although we can override this objection in certain circumstances withdraw consent – where you have given us your consent to processing your personal data, you can withdraw that consent at any time by notifying us. However, withdrawing your consent will not affect the processing of any personal data which took place before withdrawal and it may be possible for us to continue processing your personal data where your consent is not required erasure – you can request that your personal data is deleted altogether, although we can override this request in certain circumstances

If you wish to exercise any of these rights, please contact us using the details set out in the next section. You should be aware that exercising some of these rights could affect the payment of your benefits, your participation in the Fund and our ability to answer questions about your benefits.

Who to contact about your personal data If you wish to: exercise any of the rights mentioned above request a hard copy of this notice

make a complaint about how we have handled your data

please write to: BP Benevolent Fund Trustees Limited Chertsey Road, Sunbury-on-Thames TW16 7LN or bpheliosfund@bp.com

Making a complaint to the Information Commissioner’s Office If you are not satisfied with our response to any query you raise with us, or you believe we are processing your personal data in a way that is inconsistent with the law, you can complain to the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. You can also contact the Information Commissioner’s Office on 0303 123 1113 or via a contact form at www.ico.org.uk.