Privacy Statement
We believe it is important to be transparent about how we handle your personal information. This Privacy Statement (“Statement”) explains how BAMIN, a member of Eurasian Resources Group (ERG) (“BAMIN”, “ERG Entities in Brazil”, “ERG”, “we”, “us”) handles personal information of its employees, potential employees and contractors, customers, suppliers and other external parties.
ERG adheres to strict data privacy laws, such as the General Data Protection Regulation (“EU Regulation 2016/679” or “GDPR”), as well as local laws in jurisdictions where ERG is operating, such as the General Data Protection Law (“Law No. 13709/2018”, “LGPD”), especially applicable in the context of BAMIN and the Brazil ERG Entities.
This Statement explains in detail the types of personal data we may collect about you and what we do with that personal data. It also describes the measures we take to keep your personal data secure, as well as your rights with respect to the personal data we hold about you. Please see the definitions and glossary to understand the meaning of some of the terms used in this Statement.
Definitions
“Eurasian Resources Group” means Eurasian Resources Group S.A. and includes all its subsidiaries, among them the ERG Entities in Brazil, of which BAMIN is part;
“Data Holders” means the individual to whom the personal data relates;
“Personal Data” means any information relating to an identified or identifiable natural person;
“Processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination or extraction;
“Consent” of the data holder refers to any freely given, specific, informed – in certain cases explicit – and unambiguous manifestation of the data holder’s will, whereby he/she, by means of a statement or a clear affirmative action, expresses agreement to the processing of personal data concerning him/her;
“Legitimate Interest” is one of the legal bases for data processing in the GDPR and the LGPD. It applies whenever the company uses personal data for legitimate purposes of supporting and furthering the activities of the controller and/or protecting, in relation to the data holder, the regular exercise of his or her rights or providing services that benefit him or her, while respecting the data holder’s legitimate expectations and fundamental freedoms;
“Privacy Statement” means a notice that needs to be provided to personal data holders when we collect, use or distribute their personal data;
“Security Incident involving Personal Data” means a situation of unauthorized access or an accidental or unlawful situation of destruction, loss, alteration, communication or any form of inappropriate or unlawful processing of personal data;
“Data Protection Officer” or “DPO” means an independent data protection expert who is a member of the Group Compliance Department and responsible for monitoring compliance with ERG’s privacy policies, informing and advising ERG on its data protection obligations, and acting as a point of contact with personal data holders and with data protection supervisory authorities.
What personal data do we collect?
From employees, job applicants and contractors, we collect the minimum data necessary for human resources management, which includes:
- home address, immigration status and “right to work” (in relevant legislations);
- identity information;
- emergency contact details and certain family information;
- details of service intermediary companies to which you are linked and time recording.
From visitors to the Website, we may collect the following data as necessary:
- your Internet Protocol (IP) address so that you can be recognized the next time you visit our website;
- cookies, pursuant to the Cookies Policy.
From those who visit our offices and our mines, we may collect personal data to fulfill our legal, safety and security obligations, such as:
- closed circuit television (CCTV) images;
- name, provided directly by you, linked to a temporary badge;
- fingerprints or other visual identification characteristics.
If you connect to our Wi-Fi system, we may collect:
- IP address, MAC address, device type, connection duration, size of uploaded and downloaded data, access point (general location).
From customers, suppliers and other external parties, we may collect personal data involving:
- details of transactions you enter into with us;
- personal data required to sign a contract with you;
- other personal data submitted by you;
ERG Entities in Brazil also collect personal data in the course of fulfilling their legal and regulatory obligations (e.g., to comply with requests from government authorities and for due diligence/fraud prevention procedures).
We limit our collection and processing of personal data to the amount necessary for the specific purpose of the processing. If your data is processed for a different purpose, we will inform you of this new purpose and ask for your permission.
Legal grounds for processing personal data
- Performance of a contract: some of our processing of personal data is necessary for us to fulfill contractual obligations with the persons concerned, or to take steps at their request to sign a contract with them;
- Legitimate Interest: in many cases, we are processing your personal data based on the legitimate interest of the company, in ways that are not incompatible with the legitimate expectations and the fundamental rights and freedoms of personal data holders;
- Consent: in certain cases, where required or permitted by law, we may process your personal data based on your permission/consent;
- Legal compliance: we need to process and possibly disclose your personal data in certain ways to comply with our legal obligations to different authorities.
Why do we process your personal data?
ERG Entities in Brazil may process personal data for the following purposes:
- To maintain its administrative and customer/supplier relationship management systems, such as:
  - Drafting contracts;
  - Billing and payment of invoices;
  - Communication and public relations;
  - Organization of events and surveys;
  - Quality assessments;
  - Customer due diligence;
  - Human resources information, such as recruitment, training, development, etc.
- To conduct third-party due diligence (including compliance, anti-money laundering, anti-bribery and counter-terrorist financing sanctions);
- To comply with its legal, regulatory, professional and contractual obligations;
- To maintain and protect its buildings, equipment, IT infrastructure and data (including access and authentication management, security and performance monitoring);
- To manage and monitor the presence in the buildings, the use of equipment and the interactions of personal data holders (including the management of workspaces, parking, meeting rooms, as well as the implementation and monitoring of security, health and hygiene measures, etc.);
- To ensure the continuity of its business;
- To manage risks and disputes;
- To comply with requests from the holders of personal data;
- To administer its websites; and/or
- For any other purpose expressly indicated to the data holder at the time of collection of her or his personal data.
Sharing of personal data with third parties
Depending on the purposes above, we may share personal data with the following categories of recipients in addition to the respective data holders:
- Subcontractors, business partners, consultants and specialists;
- Operators and sub-operators, such as IT providers (including system administrators, cloud service providers, hosting providers, etc.);
- Other ERG entities;
- ERG’s external consultants, agents, recruiters and auditors;
- Entities or individuals that have relationships with data holders (employers, relatives, counsel, business partners or potential business partners, etc.);
- Supervisory bodies;
- Public authorities.
International Transfers
We may transfer your personal information outside the country where you reside or work, including to countries that provide a different level of protection for your personal information than in your own country, taking the following precautions:
- Transfers and/or disclosures between ERG Entities will be protected by an Intergroup Agreement if it is necessary to share personal data outside the jurisdiction where your personal data was first collected;
- For transfers and/or disclosures outside ERG, the transfer or disclosure is protected by contractual data privacy clauses and/or any agreement establishing legal requirements for such transfer;
- In cases where ERG has not adopted another legally applicable protection mechanism, the Standard Contractual Clauses (SCC) approved by the European Commission will be adopted;
- Collection of the consent of the holders of personal data relevant to the transfer or disclosure;
- Verification that the transfer and/or disclosure is required by local law or expressly permitted by local data privacy laws, where the relevant personal data originates from that jurisdiction.
In all cases we will be transparent about international transfer processes, informing you when, where and for what purpose your personal data is sent.
We protect your data
We keep your data safe and secure against unlawful processing, including unauthorized access and accidental or unlawful destruction, loss, alteration, misrepresentation or mishandling of personal data. Thus, we take appropriate technical, physical, and organizational measures to manage all stages of the “life cycle” of personal data. Information security obligations apply whether your personal data is stored in printed form (e.g. on paper) or in electronic form (e.g. in databases). Access to your personal data is provided on a “need to know” and “need to access” basis for parties outside and within ERG.
We require our business groups to promptly report for investigation any breach regarding your personal data to the Data Protection Officer.
We limit the retention of your personal data
Your personal data is kept only as long as necessary for the lawful purpose for which it is processed or as long as required or permitted by local law.
After that time, records containing your personal data will be securely destroyed (as in the case of physical records) or permanently deleted (in the case of electronic records) in accordance with ERG’s Data Retention Schedule or as required by applicable local laws.
We respect your rights
We take reasonable steps to ensure that personal information is accurate, complete and current. Please note that you have mutual responsibility with respect to the accuracy of your personal information. In addition, you may:
- request information about how your personal data is handled;
- request access to your personal data;
- request deletion of your personal data;
- request the processing of your personal data to be stopped;
- request rectification if your personal data has been recorded incorrectly;
- be notified or request restriction of the processing of your personal data under certain circumstances;
- object to the processing of your personal data under certain circumstances;
- be notified if a Group company has made a decision concerning you based solely on automated data processing, so that you can request a human review of such decision if necessary;
- complain about the processing; or
- withdraw consent previously given in respect of ERG’s processing of your personal data.
There are legal exceptions to the exercise of these rights, and ERG Entities in Brazil will review each request on a case-by-case basis, referring to applicable law, including the General Data Protection Law. Your requests for the exercise of your rights should be directed to the Data Protection Officer, Roberto Meyer, who can be contacted by e-mail at dpo@bamin.com.br.
Update
In order to comply with applicable laws and to adequately reflect how we handle personal data, this Privacy Statement shall be updated from time to time.