External Privacy Policy

1. GOAL

This document aims to inform you, the data subject, about how Nexa Resources S.A. (hereinafter “Nexa” or “We” or “Company”) treats your personal data, that is, how your personal data is collected, used, shared, stored and protected.

The protection of privacy and personal data are Nexa’s values, and this document reaffirms our respect and commitment to your privacy and validates that your personal data is processed in accordance with the laws that regulate the matter and only for informed purposes, striving to give you the due transparency and security in the processing of this data.

2. REFERENCES

– General Law for the Protection of Personal Data (Federal Law No. 13,709/2018).

– General Data Protection Regulation (Regulation (EU) 2016/679 of 27 April 2016).

– Personal Data Protection Act (Law No. 29733), as amended by Legislative Decree 1353 (hereinafter, “Peruvian Law”).

– Personal Data Protection Regulation, approved by Supreme Decree No. 003-2013-JUS (hereinafter, “Peruvian Regulation”).

– Directorial Resolution No. 02-2020-JUS/DGTAIPD, which regulates video surveillance.

– Directive on the Security of Information Managed by Personal Data Banks, approved by Directorial Resolution 019-2013-JUS/DGPDP (hereinafter, “Peruvian Security Directive”).

Hereinafter referred to as “Data Protection Legislation”.

3. DEFINITIONS

– Anonymized Data: Data that, through the use of reasonable technical means available at the time of processing, can no longer be directly or indirectly associated with an identified or identifiable individual.

– Data Controller: Natural or legal person, under public or private law, who is responsible for decisions regarding the Processing of Personal Data.

– Data Protection Officer: Person responsible for the supervision and implementation of the data protection strategy within Nexa, as well as for the development of mechanisms to ensure compliance with the requirements of applicable Data Protection Legislation.

– Data Processor: Natural or legal person, under public or private law, who carries out the Processing of Personal Data on behalf of the Data Controller.

– Data Subject: means the identified or identifiable living individual to whom the Personal Data relates.

– Personal Data: Information related to an identified or identifiable natural person.

– Processing Agents: The Data Controller and the Data Processor of Personal Data.

– Processing: Any operation or set of operations performed with Personal Data or sets of Personal Data, by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, elimination or destruction.

– Third Party: means any natural or legal person, public authority, agency or any body other than the Data Subject or the Data Controller. Any vendor or service provider that processes Personal Data solely or jointly on behalf of the Data Controller and acts in accordance with the instructions of the Data Controller.

4. LEGITIMACY FOR DATA PROCESSING

Nexa Resources S.A. has the role of Data Controller in cases where Nexa is responsible for making decisions about the processing of your Personal Data. Personal Data may be processed by our subsidiaries, direct and indirect subsidiaries, joint ventures and affiliates, located in Brazil, Peru, Luxembourg and other countries, always complying with the principles of data protection, in particular the principles of purpose, necessity, and proportionality.

5. INFORMATION WE COLLECT AND WHY

The type of Personal Data and how Nexa collects it depends on how you engage with us and why. According to the purposes presented, only adequate and necessary Personal Data will be processed.

To comply with the laws related to Personal Data Protection, the Personal Data provided by Data Subjects and collected by Nexa will be stored for the purposes detailed in the following Personal Data Banks, that may change from time to time depending on the evolution of our business:

Nexa collects, but is not limited to, (i) identification data, such as full name, national registration, parentage, nationality, and date of birth; (ii) contact information, such as a business/home address, email, telephone or mobile phone; (iii) professional and school history; (iv) browsing data, such as cookies and IP address; (v) financial data; (vi) biometric data and (vii) any data necessary for the execution of specific activities of the Company, such as images and photographs for security purposes, among others, which may vary according to the relationship between Nexa and you.

Notwithstanding the aforementioned, Nexa uses your Personal Data to provide high quality services and care. We detail below the purposes for which we use your data:

– Identify and authenticate you in our environments, such as to give you access to operational and corporate areas, visits to our units and use of Nexa platforms;

– To comply with contractual obligations and all those arising from concessions, permissions or authorizations granted by the Competent Public Authorities;

– Register and access requests or demands in our communication channels;

– Allow contact with our Ombudsman;

– Enable your registration in the recruitment and selection processes of candidates for job vacancies, internships, trainees, etc., available through the Careers option on the official website;

– Comply with legal and regulatory obligations;

– Enable humanitarian assistance and other assistance and interaction actions carried out by Nexa with the communities, whether they are voluntary initiatives or compliance with the general order;

– Respond to requests from competent public agents and authorities;

– Comply with determinations, court orders, decisions and/or sentences whose compliance is intended for Nexa;

– Check and maintain the safety of people and operational activities from the access, permanence and exit of Nexa’s physical environments;

– To allow the conduct of Nexa’s business activities, whether related to the execution of new business and acquisitions, to its partners and service providers, as well as in the handling of actions related to former employees and their dependents or beneficiaries;

– Analyze control processes executed to attest compliance with national and international laws, policies and Nexa’s code of conduct.

Nexa does not process Personal Data of children (under 12 years old) or adolescents (between 12 and 18 years old), except for employees’ children; in the context of judicial or arbitration proceedings involving children or adolescents; for recruiting new talents for our team (in the case of young apprentices or interns).

6. WHO WE SHARE YOUR PERSONAL DATA WITH

In order to comply with the aforementioned purposes, Nexa may share your Personal Data with third parties located within the national and international territory. All those transfers will be done in compliance with relevant laws and regulations. Also, in such cases, Nexa will ensure that the processing of Personal Data transferred will be limited to the purposes authorized, is kept confidential and that the appropriate security measures are implemented.

Nexa may share your Personal Data in certain situations, as exemplified below:

– With suppliers and partners, when necessary to provide services. For this sharing, rights and duties are established between the parties through contracts or agreements, in order to ensure compliance with applicable legislation;
– With our affiliated companies, whenever necessary to meet the established purposes;
– With competent judicial, administrative or governmental authorities, whenever there is a legal determination, request, court order or in order to meet questions, investigations or the need to defend interests;
– With companies located outside the national territory, whenever necessary to meet Nexa’s specific purposes. When there is an international transfer of Personal Data, we will make reasonable efforts to ensure adequate security and protection measures in accordance with the principle of an adequate level of protection or with appropriate safeguards in place; and
– With stakeholders in case of corporate transactions, such as mergers, acquisitions, incorporations, and disposals, in addition to due diligence procedures and legal audits within the scope of such transactions.

7. HOW WE PROTECT YOUR PERSONAL DATA

We use significant efforts to protect your Personal Data from unauthorized access, destruction, loss, alteration, communication, disclosure, or any form of inappropriate or unlawful processing. To this end, we have adopted technical, administrative, and organizational security measures, both in physical and digital environments.

In order to keep your Personal Data safe and avoid incidents, we employ strong logins and passwords for access to our servers and platforms, where Personal Data and access logs to such servers are stored, to control and keep the inventory of access to Personal Data and up to date information.

We also periodically make backup copies of the Personal Data (backups). All software, tools and technologies used by Nexa undergo careful evaluation and approval. All Personal Data processed by us is confidential and access to third parties is restricted, as only previously analyzed and authorized parties (whether the companies with whom we share them, or our employees and collaborators) are allowed access, subject to being bound by an absolute duty of confidentiality. Any use of Personal Data in an inappropriate manner, in disagreement with the provisions of this Policy and Data Protection Legislation, is not allowed.

You must also collaborate with the maintenance of the security of your Personal Data, ensuring that the environment of your computer or device accessing the website, systems and platforms remains secure, including (i) the use of appropriate tools, such as antivirus and firewall, (ii) the use of updated versions of browsers, operating systems and other software, (iii) not sharing your login credentials (username and password) with third parties, and (iv) not clicking on unreliable and unsecured links and pages.

Nexa does not request, by email, telephone or WhatsApp, information related to your access passwords. If you suspect that your Personal Data processed by Nexa is at risk, please contact us.

When you use our environments, you may be led, via links, to other portals or platforms, which may collect your Personal Data and have their own privacy policies. It is important that you read the privacy policies of such portals and platforms.

8. CROSS-BORDER FLOW OF PERSONAL DATA

The international nature of Nexa’s business, the worldwide location of its customers and service providers, in addition to its global human resources management and information technology organization necessitate communications and information transfers between Brazil, Peru and our holding company in the European Union, for example.

Nexa seeks to ensure that cross-border transfers of Personal Data occur only to recipients located in countries that provide an adequate level of protection or where appropriate safeguards are in place (for example, contractual safeguards), and always for legitimate purposes related to the processing.

9. HOW LONG PERSONAL DATA IS STORED

All Personal Data collected by Nexa is stored for the period necessary to meet the purposes described in this policy or until you, as the Data Subject, exercise your rights of objection, restriction, or erasure by requesting the deletion of the Personal Data or withdrawing your consent, when applicable.

Once the Personal Data is no longer necessary or relevant for the specific purpose, or you exercise your rights as a Data Subject, such Personal Data will be deleted from our databases.

However, even if the purpose has been met or you have withdrawn your consent or requested the erasure of your Personal Data, Nexa may keep it stored, if necessary to protect rights, comply with court orders or requests from competent authorities, as well as to comply with legal and regulatory obligations.

10. YOUR RIGHTS AS A PERSONAL DATA SUBJECT

You have rights inherent to your status as Data Subject. These rights are intended to protect your Personal Data and safeguard your privacy. We list below what these rights are and how you can exercise them before Nexa. In the case a specific law or regulation provides further rights that are not listed below, Nexa will not hesitate to guarantee the compliance with such rights.

– Right of access: You have the right, at any time, to confirm whether we carry out any processing with your Personal Data, as well as to have access to such data processed by us;

– Right to rectification: You have the right to request the correction or updating of your Personal Data, if you find that it is incorrect or outdated;

– Right of cancellation: You have the right to request the erasure or cancellation of your personal data from a personal data bank when they are no longer necessary or relevant for the purposes for which they were collected.

– Right to anonymization or cancellation: You have the right to request (i) anonymization of your Personal Data, so that it can no longer be related to you and, therefore, ceases to be Personal Data; (ii) blocking of your Personal Data, temporarily suspending the possibility of us processing it; (iii) the deletion of your Personal Data, in which case we shall delete all your Personal Data without the possibility of reversal;

– Right to data portability: When the right to portability is regulated by relevant Data Protection Legislation, you may request that Nexa provides your Personal Data in a structured and interoperable format with a view to its transfer to a third party, provided that such transfer does not violate Nexa’s intellectual property and/or business secrets;

– Right to restriction: You have the right to object to the processing of your Personal Data. We will cease processing your Personal Data unless we can provide legitimate grounds for continuing the processing.

– Right of information: You have the right to be informed in detail, simply, explicitly, unequivocally, and prior to the collection of your Personal Data, about the purpose for which your Personal Data will be processed; who will be or who may be the recipients; the existence of the Personal Data bank in which your Personal Data will be stored; as well as the identity and address of the controller and, if applicable, the processor of your Personal Data. You must also be informed of the mandatory or optional nature of your responses to the questionnaire provided, especially in relation to sensitive data; the transfer of your Personal Data; the consequences of providing or refusing to provide your Personal Data; the duration for which your data will be kept; and the possibility of exercising the rights granted to you by the relevant Data Protection Legislation (including lodging a complaint with the relevant data protection authority).

– Right to information about sharing: You have the right to know which public and private entities Nexa shares your personal data with. In this policy we mention the types of third parties with whom we share data. In any case, if you have questions or want more details, you have the right to request this information;

– Right to information about the possibility of not consenting: You have the right to receive clear and complete information about the possibility and consequences of not providing consent, when it is requested by Nexa. Your consent, when necessary, must be free, informed and unambiguous.

– Right to review of automated decisions: You may request the review of decisions made solely on the basis of automated processing of Personal Data that affect your interests and the indication of the criteria used for these decisions.

– Right to revocation: If you have provided consent for us to process your personal data, you can revoke it at any time. When we receive your request, we will no longer process your personal data, unless we carry out the respective data processing on different legal grounds (e.g. to continue to honour contracts with you).

For this purpose, the Data Subject must exercise his/her request to Nexa through the channels described in the “How to contact Nexa” section of this Privacy Policy. The request must contain, at least, the following: (i) the name of the Data Subject; (ii) a clear description of the Personal Data related to the exercise of the right to information and/or other rights, and an explicit statement of the right the Data Subject wishes to exercise; (iii) documents or evidence supporting the request (like ID of the Data Subject); (iv) an email address where Nexa can respond; and (v) the date and signature.

Response times for requests related to Data Subject rights may vary depending on the applicable law and the specific right exercised. As a general guideline, Nexa will respond within: (i) eight (8) business days for the right to information; (ii) ten (10) business days for the rights of rectification, erasure and restriction; and (iii) twenty (20) business days for the right of access. If an extension is required due to justified circumstances, Nexa may extend the deadline for an equal period and will inform the Data Subject (or their legal representative) within the original deadline, providing the justification.

In some cases, Nexa may have legitimate reasons to fail to comply with a request to exercise rights. These situations include, for example, cases in which a disclosure of specific information could violate intellectual property rights or trade secrets of Nexa or other companies in the group, as well as cases in which requests for data erasure cannot be met due to the existence of an obligation to retain data, either to comply with legal obligations, or to enable Nexa’s defense in disputes of any nature.

If Nexa rejects or fails to comply with an individual rights request, the Data Subject has the right to file a claim against Nexa before the relevant Data Protection authority.

11. HOW TO CONTACT NEXA

Nexa is always available to clarify questions related to the processing of your Personal Data and put you in control of such data. If you wish to exercise any of the rights mentioned in the previous topic, please fill out the form available at the following link:

https://privacyportal.onetrust.com/webform/d4741781-c31c-4e07-be6a-2d4559fb6a8b/5d8ed9b8-0f89-45d6-a181-2df70a10ae02

Data Protection Officer: Loren Matias

12. CHANGES TO THIS PRIVACY POLICY

The services provided by Nexa may change from time to time, especially to optimize the operation of our website, our platforms and systems. Such changes may also affect the use of your Personal Data, always emphasizing attention to the principles of Data Protection Legislation, such as purpose. Thus, Nexa reserves the right to change this Privacy Policy without prior notice. We recommend that you periodically review this policy so that you are aware of changes and updates.