PRIVACY NOTICE FOR BUSINESS PARTNERS
Nexa Resources S.A., with a registered office at 37A Avenue J.F. Kennedy, L-1855 Luxembourg, Grand Duchy of Luxembourg, registered at the Luxembourg Trade and Company Register under number B185489 (“we”, “us” or “our”), collects and processes information about individuals connected with our business partners (e.g. clients, vendors and service providers) such as their directors, employees, and other employees and/or agents, representatives and/or beneficial owners and shareholders and about clients, vendors and service providers that are natural persons such as independent consultants (“you” or “yours”). This notice aims at informing you about what information we collect, how we process it, why we do so and when we share it with others. This notice does not apply to information related to legal persons.
We need to collect and process certain information about you for the purposes of entering into and performing contracts, where applicable, with your employer or with a company you hold shares in, as well as for maintaining our commercial and contractual relationship. If we are not provided with such information, we may not be in a position to enter into, execute or perform a contract with your employer or a company you hold shares in.
This data protection notice will continue to produce its effects as applicable after the end of the contracts we entered into.
The controller is the entity which determines the purposes and the means of the processing of personal Data. As required by applicable data protection law, we inform you that we are the controller of data processing activities described in this data protection notice. Such legislation includes the Regulation (EU) 2016/679 of 27 April 2016 (the “GDPR”) and any other applicable national or supranational statutory law (together the “Data Protection Legislation”).
You can contact us anytime by using the e-mail address displayed under section 9 below.
The information we collect include:
and any other personal data you provide us with in the course of your pre-contractual, contractual and commercial relationship with us (together “Personal Data”).
Safe for information mentioned under item (e) above, information about you may be obtained directly from you, or, for items (a) and (b) obtained from your employer, service provider or from the company you hold shares in.
a. professional contact details/information such as your name, address, telephone numbers, e-mail and IP addresses;
b. copy of identity card or passport;
c. relationship history with us and communications data (e.g. professional text messages or emails) and such other information that has to be processed for the purpose of contractual relationships;
d. financial information such as information required for the execution of payments (e.g. bank account numbers or credit card numbers);
e. publicly available information or information obtained from credit agencies or information databases which may notably include some of the information listed under item (a); and any other personal data you provide us with in the course of your pre-contractual, contractual and commercial relationship with us (together “Personal Data”).
Except for information mentioned under item (e) above, information about you may be obtained directly from you, or, for items (a) and (b) obtained from your employer, service provider or from the company you hold shares in.
| Legal bases | Purposes(together, “Purposes”) | Categories of personal data (by reference to information referred to under section 2 above) |
|---|---|---|
| The processing is strictly necessary for us to perform our contract with you or for requested pre-contractual steps | Initiation, performance and monitoring of contracts with you (regardless if such contracts are successfully concluded or not) and, if applicable, provision of the correlated services or execution of the orders requested by you. |
(a), (c), (d), (e) |
| Verifying your identity (KYC). | (a), (b), (e) | |
| Conducting market analysis. | (a), (c), (d), (e) | |
| The processing is necessary to comply with our legal and regulatory obligations | Compliance with our legal and, if any, regulatory obligations under applicable law (such as investigations to detect criminal offences or frauds, obligation to maintain adequate records of commercial, financial or tax related documents). |
(a), (b), (c), (d), (e) |
| The processing is necessary for our or a third party’s legitimate interests (as listed here) and your interests do not override these legitimate interests | Marketing actions, market or customer surveys, participation to promotional events or activities and commercial communications. |
(a), (c), (e) |
| Monitoring of our contract with you and, where relevant, managing disputes, complaints or litigations with or against you. |
(a), (c), (d), (e) |
|
| Ensuring the maintenance of our IT systems or repairing any IT defects or failures; securing communication channels and IT systems and ensure adequate level of prevention or protection to our products or services. |
(a), (c), (e) |
|
| Conducting internal or external audits or exercising risk management. |
(a), (c), (d), (e) |
|
| Investigation to detect or prevent breaches of policies or any other offences, threats or frauds, whether suspected or alleged. | ||
| Organisation of contests or other promotional activities or events. | (a), (c), (d), (e) |
We limit the access to Personal Data that we collect about you to our employees and third-party agents, who we reasonably believe need to have access to such data. Adequate market standard security measures are taken to help us protect your Personal Data against losses, unauthorised disclosure, accidental or unlawful destruction, unauthorised access, misuses or alterations. All employees and third parties are bound by strict professional confidentiality measures regarding personal data. Personal data shall only be processed to perform their contractual or legal obligations.
The international nature of our business, the worldwide location of our customers and service providers and the management of our global organisation of human and information technology resources entail some communications and transfers of information outside of the European Union, e.g. to our affiliate companies in Brazil. In relation to countries which do not offer a similar level of data protection as within the European Union, we have implemented appropriate safeguards according to Data Protection Law Legislation as mentioned below. You can obtain from us more information in respect of transfers outside of the European Union upon request.
In that context, we may share Personal Data to the following recipients (the “Recipients”) to the extent we deem such disclosure or transmission to be necessary or desirable for satisfying the Purposes:
a. our affiliate companies from the Nexa Group, mainly:
b. our controlling shareholder, Votorantim S.A., with registered office at R. Amauri, 255 – Jardim Europa, São Paulo – SP, 01406-200 Brazil;
c. our service providers, including:
- Banks, payment service providers or other credit institutions;
- Internal and External auditors;
- Lawyers, advisors, accountants and consultants;
- IT solution service providers;
- Insurers;
- Carriers, shipping companies or logistics service providers.
d. public, governmental, administrative or judicial entities in Luxembourg or abroad.
We have a legitimate interest for transferring such Personal Data which is rendered necessary by the international nature of our organisation and business. In case of transfer of your Personal Data to countries outside the European Union, strict guaranties that your rights as data subject are safeguarded are given by way of Standard Contractual Clauses, guaranteeing i.e. your right to request to access your Personal Data. A copy of the relevant safeguards implemented can be requested at any moment.
We will not keep your Personal Data for longer than the time necessary for satisfying the Purposes.
The criteria for determining the duration for which we will retain your Personal Data are as follows:
a. we will retain copies of your Personal Data in a form that permits identification only for as long as we maintain ongoing relationship with you; or
b. for the duration of any applicable limitation period under applicable law (i.e. any period during which any person could bring a legal claim against us in connection with your Personal Data, or to which your Personal Data may be relevant, e.g. 10 years for commercial matters); and
c. in addition, if any relevant legal claims are brought, we may continue to process your Personal Data for such additional periods as are necessary in connection with that claim.
Once the periods in paragraphs a. b. and c. above have concluded, each to the extent applicable, we will either:
• permanently delete or destroy the relevant Personal Data;
• archive your Personal Data so that it is beyond use; or
• anonymise the relevant Personal Data.
Subject to the conditions of the Data Protection Legislation, you may:
(a) obtain from us confirmation as to whether or not Personal Data relating to you are being processed, and, where that is the case, access to all relevant information concerning such Personal Data (Purpose, Processors and Controllers involved, categories and recipients of the data processed, transfer of data, duration of data storage, legal basis, the existence of an automated decision-making process, and origin of data);
(b) obtain from us without undue delay the rectification of inaccurate Personal Data relating to you and, taking into account the purposes of the processing, the right to have incomplete Personal Data completed;
(c) obtain from us that we erase Personal Data relating to you, although we might not always do so if we have a legal obligation to keep such Personal Data or if strictly necessary for the exercise of our contractual obligations;
(d) ask a restriction of the processing of Personal Data relating to you (i.e. the marking of stored Personal Data with the aim of limiting their processing in the future in order to solve an issue or to settle a claim);
(e) where relevant, request to receive Personal Data concerning you which you have provided to us on the basis of the contract with us in a structured, commonly used, machine-readable format, and to transmit it to another controller;
(f) Subject to the conditions of the Data Protection Legislation, you may, on grounds relating to your particular situation, object to the processing of Personal Data relating to you that we carry out on the basis of the legitimate interest we pursue; in such a situation we shall stop processing such Personal Data except if we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. In particular, where we are using your Personal Data to contact you for marketing purposes, you may object to such processing at any time.
You can exercise your above-mentioned rights by contacting us at the following address: data.protection@nexaresources.com.
Should you consider your rights as being violated, you also have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work or of an alleged infringement of the GDPR (i.e. the National Data Protection Commission in Luxembourg – www.cnpd.lu).
We request that you inform us in writing and without undue delay about changes in the information you provided us about you, so that we can keep it up to date.
If you provide us with Personal Data not relating to you (e.g. information about your directors, employees or other staff members and/or agents, representatives, beneficial owners, shareholders, etc.), you must first inform them about this fact and make sure they acknowledge that we can use such information as set out in this data protection notice. In particular, you must provide them with the information relating to their rights as data subjects. We will consider that these individuals are informed of the processing of Personal Data relating to them that we may carry out and of the transfer of their Personal Data to third parties as described above.
If you would like to receive more information on how we process Personal Data relating to you, please contact us at the following address:
Changes may occur in the way we process information about you. Consequently, this policy may be updated from time to time. We will inform you about such update and will encourage you to review the policy.
The latest version will always be available at: https://www.nexaresources.com/privacy-policy