Customer Privacy Statement
1. Introduction
This Customer Privacy Statement applies to all Customers of Rio Tinto Group[1] companies (Rio Tinto).
In connection with the supply of our products to your organisation (also described as ‘you’), Rio Tinto will collect, use, disclose, access and otherwise process personal data relating to your owners, directors and staff (employees and contractors), described here as ‘your people’. We do this to engage you, to manage our relationship with you and your people, and to facilitate the supply of our products under the agreements we have signed with you.
Please make this Privacy Statement available to your people who are likely to interact with Rio Tinto, or who are involved in administering the contract that we have in place with you.
2. What personal data is processed?
Prior to contracting or transacting with your organisation, in the course of our due diligence or ‘know your customer’ procedures we will process personal data about your owners, directors and senior management (which we will request from you or obtain from public sources). This will include details of company ownership, career information, potential conflicts of interest and any regulatory enforcement actions taken against them or companies with which they are associated.
Once we have a contract or commence doing business with you, we will process names and business contact data (including business telephone, email and address details) and line management details of your people who have contact with us. We may also record information about our interactions with your people, to manage our relationship with you.
From time to time, we may also request further personal data from you about your people, in order to meet our regulatory obligations (including under anti-money laundering legislation or anti-corruption legislation) or to monitor legal compliance.
3. Why is personal data processed?
Rio Tinto processes personal data about your people for three key business purposes:
• To administer and manage your relationship within the Rio Tinto Group;
• To pursue Rio Tinto’s legitimate business interests in relation to supply of its products; and
• To meet legal, regulatory and compliance obligations.
To illustrate:
Administering and managing the relationship between Rio Tinto and you may include:
• establishing records for the people we deal with within your organisation, including in a customer relationship management database;
• facilitating the issue and administration of invoices; and
• if your people visit our sites:
  ◦ verifying visitor identity (including through the use of photo ID where necessary); and
  ◦ recording and retaining visitor logs on sites (to meet our internal health and safety rules and obligations under our security standards).
To pursue Rio Tinto’s legitimate business interests may include:
• sharing information about you and your people with Rio Tinto external service providers that assist Rio Tinto to conduct its business, to perform its functions or to operate its systems (for example, IT support, accounts, finance); and
• undertaking data analytics on invoice processing.
[1] The ‘Rio Tinto Group’ means all the companies or businesses which are wholly or majority owned or managed by Rio Tinto plc or Rio Tinto Limited (whether directly or indirectly).
To meet legal, regulatory and compliance obligations may include:
• meeting any legal obligations we may have in respect of our customers (e.g. through processes such as Know Your Customer); and
• monitoring and managing conflicts of interest.
4. Additional information about disclosures of personal data and data retention
The personal data which a Rio Tinto Group company holds will, for the purposes detailed above, be transferred by or on behalf of that company to other Rio Tinto Group companies or external service providers (as described above).
This may mean that personal data is transferred across national borders, including to recipients in countries that may not have data privacy legislation that is equivalent to that in the country where you or your people are located or where such personal data may be accessible by government agencies.
To protect data transfers across national borders (or out of the European Economic Area), the Rio Tinto Group relies on contractual clauses aimed at ensuring an appropriate and adequate level of protection, or other legal mechanisms to protect personal data as necessary (including certification of external service providers under the EU-US Privacy Shield).
By providing personal data to Rio Tinto, you are understood to have made this Privacy Statement available to the relevant individuals, who consent to any such transfers. The Data Privacy Standard contains information about the countries where Rio Tinto operates and the locations of its key external service providers. The Data Privacy Standard forms part of the privacy policy available on the Rio Tinto website at www.riotinto.com (click on ‘Privacy’ link at the bottom of the page).
Personal data will only be processed for as long as this is required for the purposes it was collected for, or for the time required or authorised by law.
6. Privacy rights
Your people have the right to seek access to the personal data that the Rio Tinto Group holds about them as individuals (for which they may be charged a fee in some countries), and the right to ask the relevant Rio Tinto Group company to correct any inaccuracies in that information, or in some cases, to erase it. Your people also have the right to complain about how their personal data is processed, and have rights to information about how their personal data is processed and to object to its processing in some circumstances.
For further information on any of these rights, or to exercise them, please refer to Rio Tinto’s Data Privacy Standard or contact Rio Tinto’s Ethics and Integrity department.
This Statement was updated in September 2018.