Personal data

Shell respects the privacy of individuals and recognises that personal data belong to the individual. We take action to manage personal data in a professional, lawful and ethical way.

Our privacy policies, notices and other customer agreements clearly define the data we are collecting, why they are being collected, who has access to them and for how long. We seek to process only the minimum data required, such as when customers participate in loyalty schemes or pay for fuel on their phones without leaving their vehicle. Personal data processed in our systems are secured appropriately and treated with respect to maintain privacy for our employees, partners and millions of customers around the world. The COVID-19 pandemic increased the need to process personal data, for example, when employees, suppliers and others visit our premises.

Our specialists work closely with teams across Shell to maintain compliance with our data privacy standards and to ensure that we use data in an ethical way. In 2020, we continued to evolve our approach. For example, we analysed new data privacy regulations, such as those in Brazil and California, USA, and the advice of regulatory and industry bodies, including the World Federation of Advertisers. We also review our marketing standards, including our apps and websites, to keep them up to date with best practices.

Cyber security

Shell is subjected to frequent cyber-security attacks, including attacks targeting our customer database, and the COVID-19 pandemic led to an increase in such activity. Data breaches have occurred at Shell. Where systems, customer accounts and data have been compromised, we have notified data privacy regulators and affected customers where appropriate.

We regularly monitor our IT systems for possible vulnerabilities to cyber attacks. Our incident-handling process helps to ensure that we deal effectively with an issue. The process also helps us to meet the most stringent regulatory reporting timelines, for example, the 72-hour requirement under the General Data Protection Regulation.

Read more about our values at and our requirements for our businesses and functions to comply with at