External Business Partners that Manage Personal Data

Privacy & Security Requirements for External Business Partners who collect, use, or process personal data as part of services for P&G.


The following Exhibits make up P&G's Privacy and Security requirements for vendors. To note, P&G has differing requirements for our Partners depending on their classification under applicable data privacy laws.


Exhibits for Data Processors

A Data Processor generally collects, uses, or processes personal data on behalf of P&G. Note that applicable data privacy laws may use different terminology (such as Service Provider rather than Data Processor), but the contractual requirements are generally the same. P&G requires the following contracts for Data Processors:


Exhibits for Data Controllers

A Data Controller generally determines the purposes and means (the “why” and “how”) by which it collects, uses, or processes personal data. Note that applicable data privacy laws may use different terminology to refer to Data Controllers, but the contractual requirements are generally the same. If P&G is sharing personal data with a Data Controller, P&G requires the following contracts:


Assessing transfers of EU personal data to P&G (Schrems II)

P&G recognizes that pursuant to the Schrems II ruling by the Court of Justice of the European Union and subsequent European Data Protection Board (“EDPB”) regulations and the new Standard Contractual Clauses published by the EU Commission, some of our third parties who transfer EU data to P&G will request P&G to provide information about our data protection and security safeguards. If you have such a request, in order for this to be handled by the appropriate P&G resources please send them directly to the following email address: corporateprivacy.im@pg.com

These requests will be reviewed by P&G’s Legal team and worked directly with the third parties.