Privacy

At South32, a Policy is statement of principles to guide decisions and actions expected to be undertaken by any person involved in any of the entities part of South32, in this case, in relation to matters involving data privacy.

This Privacy Policy (“Policy”):

• relates to “Personal Information”, which is any information (including an opinion) about an identified or identifiable person
• explains how we collect, manage, and use Personal Information, and how you can exercise your privacy rights.

The privacy laws that apply in your case will depend on your relationship with South32 and the context in which South32 handles your Personal Information.

This Policy applies to South32 Limited, its subsidiaries, and its operated or controlled joint ventures. We require our People to follow this Policy, as well as those of our Processors authorised to manage Personal Information on our behalf.

Information that you provide voluntarily

At times, South32 may ask you to voluntarily supply Personal Information. For example, we may ask you to provide your contact details when you submit enquiries to us.

Information that we collect automatically

When you visit our website, or use our products and services, we may collect certain information automatically from your device. Specifically, we may collect information like your device type, unique device identification numbers, browser-type, broad geographical location, and other technical information from you.

Information that we obtain from third party sources

We may collect Personal Information about you from publicly available sources or from a third party, such as through your representatives, contractors who provide services to us, or where you have expressed interest in working with South32, Personal Information provided to us by HR practitioners.

The Personal Information we may collect depends on our relationship with you. Please see Appendix 1 in the policy document for a detailed breakdown.

The Personal Information you provide, is processed on either a) contractual basis, b) given your consent, or c) because it is required by law.

What are cookies?

Cookies are small data files that are placed on your computer or mobile device when you visit a website to track the number of visitors to our website, collect information (where available) about your computer or mobile device for system administration purposes, to evaluate our website’s effectiveness and improve your experience.

How can I control cookies?

You have the right to decide whether to accept or reject cookies. You can set or amend your web browser controls to accept or refuse cookies.

Protection of Personal Information

We are committed to protecting all Personal Information we collect from you in accordance with newest and current standards of technology, implementing security controls and conducting periodic audits.

Retention of Personal Information

We are committed to keeping your Personal Information safe, confidential, and secure. We update our Personal Information safeguards from time to time to address new and emerging security threats.

Disposal of Personal Information

We only retain Personal Information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a product or service you have requested, or to comply with applicable legal, tax or accounting requirements). In consideration of these requirements, South32’s aim is to keep your Personal Information for no longer than is necessary for compliance or other legitimate business purposes. We apply our standard document retention and disposal procedures and processes to records that include Personal Information.

Disclosure between South32 entities

Your Personal Information may be disclosed between related entities within the South32 Group worldwide and used by those entities for the same purposes for which we are entitled to use it.

Disclosure to Processors and other third parties

In appropriate circumstances, we may also disclose your Personal Information to Processors and third parties, to fulfil our contract with you or for legitimate purposes. These Processors and third parties may include auditors and advisers, service providers and business partners, law enforcement, or any other person with your consent to the disclosure, among others.

In some cases, the Processors and third parties to whom South32 may disclose your Personal Information may be located outside your country of residence. This means that when we collect your Personal Information we may process or transfer it to a country other than the country in which you are located, in which South32 operates. When doing this, we will take appropriate safeguards to protect your Personal Information and that the recipient will handle the information in a manner consistent with this Policy and all applicable privacy laws.

Make a request

You can submit a request to exercise any of the following Data Subject rights by writing us to [email protected]. We will first need to prove your identity, and then proceed to verify and enact your request.

Right of Access and Correction

You can request access to your Personal Information held by us, or request that it be updated or corrected, at any time, by contacting us.

Right to Delete

You may request removal of any Personal Information you provided to us by contacting us.

If you are not happy with the handling of your complaint or concern, you may escalate it to your relevant privacy regulator. Click on the relevant country below for contact details of the relevant privacy regulator in that jurisdiction.

Australia: Office of the Australian Information Commissioner

European Union: The privacy regulators for each Member State are listed (along with contact details) on the following website here, including the UK ICO here.

Brazil: No regulator website currently available.

Canada: Contact details for Office of the Privacy Commissioner of Canada and Office of the Information and Privacy Commissioner for British Columbia.

Colombia: Superintendence of Industry and Commerce

Singapore: Personal Data Protection Commission (Singapore)

South Africa: The Information Regulator (South Africa)

United States: Contact details for the Federal Trade Commission. You can also contact the Arizona Attorney General.

If a data breach occurs and your Personal Information is compromised, we will follow the applicable data breach response requirements issued by the applicable authorities based on the jurisdiction you are located, and notify you in a timely manner, if required.

Promptly report any such incident per the contact section.