Nexa Privacy Policy

PRIVACY NOTICE FOR BUSINESS PARTNERS

Version 1 dated 25.05.2018

Nexa Resources S.A., with registered office in 26-28 Rue Edward Steichen, L-2540 Luxembourg, Grand Duchy of Luxembourg, registered at the Luxembourgish trade and company register under number B185489 (“we”, “us” or “our”) collects and processes information about individuals connected with our business partners (e.g. clients, vendors and service providers) such as their directors, employees, and other staff members and/or agents, representatives and/or beneficial owners and shareholders and about clients, vendors and service providers that are natural persons such as independent consultants (“you” or “yours”). This notice aims at informing you about what information we collect, how we process it, why we do so and when we share it with others. This notice does not apply to information related to legal persons.

We need to collect and process certain information about you for the purposes of entering into and performing contracts, where applicable, with your employer or with a company you hold shares in, as well as for maintaining our commercial and contractual relationship. If we are not provided with such information, we may not be in a position to enter into, execute or perform a contract with your employer or a company you hold shares in.

This data protection notice will continue to produce its effects as applicable after the end of the contracts we entered into.

As required by applicable data protection law, we inform you that we are the controller of data processing activities described in this data protection notice. Such legislation includes the Regulation (EU) 2016/679 of 27 April 2016 (the “GDPR”) and any other applicable national or supranational statutory law (together the “Data Protection Legislation”).

You can contact us anytime by using the e-mail address displayed under section 9 below.

The information we collect include:

  1. professional contact details/information such as your name, address, telephone numbers, e-mail and IP addresses;
  2. copy of identity card or passport;
  3. communications data (e.g. professional text messages or emails), relationship history with us;
  4. financial information such as information required for the execution of payments (e.g. bank account numbers or credit card numbers);
  5. publicly available information or information obtained from credit agencies or information databases which may notably include some of the information listed under item (a);
  6. and any other personal data you provide us with in the course of your pre-contractual, contractual and commercial relationship with us (together “Personal Data”).

    Safe for information mentioned under item (e) above, information about you may be obtained directly from you, or, for items (a) and (b) obtained from your employer, service provider or from the company you hold shares in.

Legal bases Purposes(together, “Purposes”) Categories of personal data (by reference to information referred to under section 2 above)
The processing is necessary for us to perform our contract with you or for requested pre-contractual steps Initiation, performance and monitoring of contracts with you (regardless if such contracts are successfully concluded or not) and, if applicable, provision of the correlated services or execution of the orders requested by you.

(a), (c), (d), (e)

Verifying your identity (KYC). (a), (b), (e)
The processing is necessary to comply with our legal and regulatory obligations Compliance with our legal and, if any, regulatory obligations under applicable law (such as investigations to detect criminal offences or frauds, obligation to maintain adequate records of commercial, financial or tax related documents).

(a), (b), (c), (d), (e)

The processing is necessary for our or a third party’s legitimate interests (as listed here) and your interests do not override these legitimate interests Marketing actions, market or customer surveys, participation to promotional events or activities and commercial communications.

(a), (c), (e)

Monitoring of our contract with you and, where relevant, managing disputes, complaints or litigations with or against you.

(a), (c), (d), (e)

Ensuring the maintenance of our IT systems or repairing any IT defects or failures; securing communication channels and IT systems and ensure adequate level of prevention or protection to our products or services.

(a), (c), (e)

Conducting internal or external audits or exercising risk management.

(a), (c), (d), (e)

Investigation to detect or prevent breaches of policies or any other offences, threats or frauds, whether suspected or alleged.

We limit the access to Personal Data that we collect about you to our employees and third-party agents, who we reasonably believe need to have access to such data. Adequate market standard security measures are taken to help us protect your Personal Data against losses, misuses or alterations.

The international nature of our business, the worldwide location of our customers and service providers and our global organisation of human and information technology resources management entails some communications and transfers of information outside of the European Union, e.g. to our affiliate companies in Brazil. In relation to countries which do not offer a similar level of data protection as within the European Union, we have implemented appropriate safeguards according to Data Protection Law Legislation as mentioned below. You can obtain from us more information in respect of transfers outside of the European Union upon request.

In that context, we may share Personal Data to the following recipients (the "Recipients") to the extent we deem such disclosure or transmission to be necessary or desirable for satisfying the Purposes:

  1. our affiliate companies, including:
    1. Votorantim Metais Zinco S.A. located in Av. Engenheiro Luís Carlos Berrini, 105 - Itaim Bibi, São Paulo - SP, 04571-010, Brazil ;
    2. Minera Milpo S.A.A., located in Av. San Borja Norte, 523 Lima, Peru ; and
    3. Nexa Resources Cajamarquilla S.A., located in Carretera Central Km. 9.5, desvío a Huachipa, district of Lurigancho – Chosica, Peru;
  2. our service providers, including:
    • Banks, payment service providers or other credit institutions;
    • Internal and External auditors;
    • Lawyers, advisors, accountants and consultants;
    • IT solution service providers;
    • Insurers;
    • Carriers, shipping companies or logistics service providers.
  3. public, governmental, administrative or judicial entities in Luxembourg or abroad.

We have a legitimate interest for transferring such Personal Data which is rendered necessary by the international nature of our organisation and business. In case of transfer of your Personal Data to countries outside the European Union, strict guaranties that your rights as data subject are safeguarded are given by way of Standard Contractual Clauses, guarantying i.a. you right to request to receive your Personal Data and in certain cases to oppose to their processing. A copy of the relevant safeguards implemented can be requested at any moment.

We will not keep your Personal Data for longer than the time necessary for satisfying the Purposes, subject to the legal periods of limitation (as a principle, 10 years for commercial matters) and to the situations where applicable laws require or allow Personal Data to be retained for a certain period of time after the termination of the contractual and commercial relationship (such as the legal obligation to keep accounting documents for a period of 10 years).

Without prejudice to the generality of the foregoing:

  1. Personal Data processed for the purpose of client and service provider/vendor administration and management will be kept for a period of 6 years after the termination of the contract ;
  2. Personal Data processed for the purpose of contacting you will be kept for 4 years after the end of our ongoing contacts with you;

We may also keep and process Personal Data about you after the termination of our contractual and commercial relationship for specific

purposes such as compliance with legal obligations or the establishment, exercise or defence of legal claims.

Subject to the conditions of the Data Protection Legislation, you may:

  1. obtain from us confirmation as to whether or not Personal Data relating to you are being processed, and, where that is the case, access to such Personal Data;
  2. obtain from us without undue delay the rectification of inaccurate Personal Data relating to you and, taking into account the purposes of the processing, the right to have incomplete Personal Data completed;
  3. obtain from us that we erase Personal Data relating to you, although we might not always do so for example if we have a legal obligation to keep such Personal Data;
  4. ask a restriction of the processing of Personal Data relating to you (i.e. the marking of stored Personal Data with the aim of limiting their processing in the future);
  5. where relevant, request to receive Personal Data concerning you which you have provided to us on the basis of the contract with us in a structured, commonly used, machine-readable format, and to transmit it to another controller;

You can exercise your above-mentioned rights by contacting our Compliance Department at the following address: nexa-compliance@nexaresources.com.

Should you consider your rights as being violated, you also have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work or of an alleged infringement of the GDPR (i.e. the “Commission Nationale pour la Protection des Données” in Luxembourg – www.cnpd.lu).

Subject to the conditions of the Data Protection Legislation, you may, on grounds relating to your particular situation, object to the processing of Personal Data relating to you that we carry out on the basis of the legitimate interest we pursue; in such a situation we shall stop processing such Personal Data except if we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. In particular, where we are using your Personal Data to contact you for marketing purposes, you may object to such processing at any time.

You can exercise your above-mentioned rights by contacting our Compliance Department at the following address: nexa-compliance@nexaresources.com.

Should you consider your rights as being violated, you also have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work or of an alleged infringement of the GDPR (i.e. the “Commission Nationale pour la Protection des Données” in Luxembourg – www.cnpd.lu).

We request that you inform us in writing and without undue delay about changes in the information you provided us about you, so that we can keep it up to date.

If you provide us with Personal Data not relating to you (e.g. information about your directors, employees or other staff members and/or agents, representatives, beneficial owners, shareholders, etc.), you must first inform them about this fact and make sure they acknowledge that we can use such information as set out in this data protection notice. In particular, you must provide them with the information relating to their rights as data subjects. We will consider that these individuals are informed of the processing of Personal Data relating to them that we may carry out and of the transfer of their Personal Data to third parties as described above.

If you would like to receive more information on how we process Personal Data relating to you, please contact our Compliance Department at the following address: 

nexa-compliance@nexaresources.com

Changes may occur in the way we process information about you. Consequently, this policy may be updated from time to time and we encourage you to review it periodically.

The latest version will always be available under the “Privacy” section of our websitehttps://www.nexaresources.com.

X Close
Investor Relations