External Business Partners that Manage Personal Data

Privacy & Security Requirements for External Business Partners who collect, use, or process personal data as part of services for P&G.

Privacy Exhibits

The following Exhibits make up P&G's Privacy and Security requirements for External Business Partners. To note, P&G has differing requirements for our Partners depending on their classification under applicable data privacy laws and whether there are any cross-border transfers of personal data.

Exhibits for Data Processors

A Data Processor generally collects, uses, or processes personal data on behalf of P&G. Note that applicable data privacy laws may use different terminology (such as Service Provider rather than Data Processor), but the contractual requirements are generally the same. P&G requires the following contracts for Data Processors:

• Exhibit A P&G Privacy Requirements
• Exhibit C P&G Information Security Requirements

Exhibits for Data Controllers

A Data Controller generally determines the purposes and means (the “why” and “how”) by which it collects, uses, or processes personal data. Note that applicable data privacy laws may use different terminology to refer to Data Controllers, but the contractual requirements are generally the same. If P&G is sharing personal data with a Data Controller, a Data Controller is sharing personal data with P&G, or P&G and the Data Controller both exchange personal data with one another, P&G requires the following contracts, as applicable:

• Data Controller Agreement (P&G Sharing Personal Data)
• Data Controller Agreement (P&G Receiving Personal Data)
• Data Controller Agreement (Exchanging Personal Data)

Exhibits for Cross-Border Transfers of Personal Data

In addition to the Exhibits above and where personal data is transferred outside of the country where it was originally collected, data privacy laws may require additional contractual measures. In such cases, P&G requires the cross-border data transfer agreement(s) below, as applicable:

• Exhibit B Standard Contractual Clauses (Module 1—Controller to Controller)
• Exhibit B (Module 2—Data Transfer Addendum + Controller to Processor Standard Contractual Clauses)

Additional Information Relevant to Cross-Border Data Transfers

EEA/UK/Swiss Cross-Border Personal Data Transfers – P&G Exporting Entities

When P&G exports EEA/UK/Swiss personal data to a vendor or business partner (a “Third Party”) located in a Non-Adequate Third Country we may rely on the Standard Contractual Clauses (“SCC’s”) as a valid mechanism of transfer. For purposes of identifying P&G exporting entities, this section provides a list of P&G’s affiliates that may operate as data exporters and thus export personal data outside of the EEA, UK and or Switzerland to other jurisdictions. These entities will be the exporting entities under P&G’s data transfer mechanisms (e.g., SCC’s).

To note, a “Non-Adequate Third Country” is a country that has not received an adequacy decision from the EU Commission. The official list of countries that have received a European Adequacy decision can be reviewed here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

Assessing transfers of EU personal data to P&G (Schrems II)

P&G recognizes that pursuant to the Schrems II ruling by the Court of Justice of the European Union and subsequent European Data Protection Board (“EDPB”) regulations and the new Standard Contractual Clauses published by the EU Commission, some of our third parties who transfer EU data to P&G will request P&G to provide information about our data protection and security safeguards. If you have such a request, in order for this to be handled by the appropriate P&G resources please send them directly to the following email address: corporateprivacy.im@pg.com

These requests will be reviewed by P&G’s Legal team and worked directly with the third parties.