Occasional offering or acceptance of business-related G&E can be an acceptable business practice. However, improper or excessive G&E can be a form of bribery and corruption, and cause serious harm to BAT and our Suppliers.

Suppliers must not offer or accept G&E where to do so would constitute, or would be perceived as constituting, bribery or other corrupt activity. As such:

• Suppliers are expected to observe the Group’s G&E chapter principles, as set out in the SoBC, when doing business with Group Companies and Employees;
• the exchange of G&E between BAT Employees and Suppliers is prohibited during any tender or competitive bidding process involving the Group; and
• Suppliers must not, directly or indirectly, seek to influence a Public Official on the Group’s behalf by providing any G&E (or other personal advantage) to them or any person, such as a Public Official’s close relative, friend or associate. Gifts to Public Officials of more than token value will rarely be appropriate.

Suppliers should ensure they conduct their business in compliance with all applicable international sanctions and export control regimes, and that they do not engage with any sanctioned territories or sanctioned parties where it is prohibited or restricted to do so.

As such, Suppliers must:

• be aware of, and fully comply with, all applicable sanctions regimes affecting their business;
• implement effective internal controls to minimise the risk of breaching sanctions or causing the Group to breach sanctions, and provide training and support to ensure their employees understand them and implement them effectively, particularly where their work involves sourcing from sanctioned territories, international financial transfers or cross-border supply or purchase of products, technologies or services; and
• inform the Group of any situation where they intend to supply goods or services to the Group originating from or transshipped through a sanctioned territory or intend to make payments or supply Group products to/through any sanctioned territory or party.

Sanctions are restrictions or prohibitions on trade or dealings, including funds transfers, with or involving certain targeted countries or persons, imposed by individual countries, such as the United States (US) and United Kingdom (UK); or supranational bodies, such as the United Nations and the European Union, on another country, entity or individual.

Some sanctions regimes are very broad; for example, US sanctions can apply even to non-US persons when acting entirely outside the US. In particular, US sanctions prohibit the use of US dollars and US banks for payments between non-US parties involving sanctioned parties, as well as exports/transshipments of US-origin products and products with US-origin content to, or for, sanctioned territories or certain sanctioned persons.

Some sanctions regimes apply to import/exports/re-exports of products originating in whole or in part from sanctioned territories, as well as transshipping products through sanctioned territories.

Separate from sanctions, export controls impose licensing obligations on the cross-border movement of certain types of items. Where export controls apply to a particular item, we must always ensure that we have the appropriate licence(s) in place before exporting it.

Breaching sanctions and export controls carries serious penalties, including fines, loss of export licences and imprisonment for individuals, in addition to significant reputational harm and damage to banking partner relationships.

It is unacceptable for any Supplier (or their employees or agents) to be involved or implicated in money laundering or terrorist financing.

Suppliers must put in place effective controls to ensure that they do not engage in any activity which would constitute a money laundering or terrorist financing offence in any relevant jurisdiction or which could cause BAT to commit such an offence – this includes (but is not limited to): concealing or converting illegal funds or property; possessing or dealing with the proceeds of crime; or knowingly assisting in financing, transferring assets for the benefit of, or otherwise supporting, terrorist groups and terrorist activity.

In order to conduct business with the Group, Suppliers may need to access confidential and private records relating to our business.

As such, Suppliers must:

• ensure this information is protected and remains confidential;
• not disclose confidential information without prior authorisation from the Group; and
• be mindful of the risk of unintentional disclosure of confidential information through discussions or use of documents in public places.

Suppliers must also maintain up-to-date business records, whether financial or non-financial, in accordance with applicable laws, and ensure they handle personal data in accordance with all relevant data protection and privacy laws. Any records related to the business of the Group should also be held for as long as required by the Group.

We are committed to protecting the integrity and security of our systems and data (including personal data) throughout our supply chain.

Suppliers are required to maintain appropriate systems and controls to protect Group data, including personal data, and, where appropriate, access to Group systems. Many Suppliers hold or have access to personal data or confidential information of the Group.

As well as complying with global data privacy laws, such as the General Data Protection Regulation (GDPR), maintenance of good cyber hygiene by Suppliers is critical to the security of that data and Group systems, and to protect the Group’s business. As such, we expect our Suppliers to comply with data protection and cybersecurity laws, regulatory guidance and industry best practice (including data protection assessments where required by law and the assessment of cyber threat assessments).

Cybersecurity threats and risks on how we manage data (including personal data) are constantly changing. It is vital that our Suppliers have appropriate technical measures, policies and processes in place to protect Group data, and to ensure that any access to Group systems, or processing of all data, is secure and managed in accordance with documented processes.

As such, Suppliers must:

• maintain all appropriate data protection, information security and cybersecurity policies, and update them regularly;
• monitor compliance with those policies on a continuous basis, and ensure that any remedial action is taken promptly;
• immediately investigate potential breaches of data protection policies, security incidents and report any such incidents or events that may affect Group data or systems to the Group; and
• when required to do so, put in place such remedial measures as may be required by the Group.

Suppliers should assess risk to their organisation, and how that risk may impact on the handling of Group data (including personal) or access to Group systems and data, on an ongoing basis.

Suppliers must consider the risk attaching to Group data in their possession, or that any access to Group systems may present, in accordance with threat and risk models.

We believe in free competition, in line with competition (or ‘antitrust’) laws.

As such, Suppliers must compete fairly and ethically, and comply with competition laws in each country and economic area in which they operate.

Suppliers must ensure they comply with all applicable tax laws and regulations in the countries where they operate, and be open and transparent with the tax authorities.

Under no circumstances should Suppliers engage in deliberate illegal tax evasion or facilitate such evasion on behalf of others.

As such, Suppliers must put in place effective controls to minimise the risk of tax evasion or its facilitation, and provide appropriate training, support and whistle-blowing procedures, to ensure their employees understand such controls, implement them effectively and report any concerns.