Effective as of 25 May 2018
This Privacy Statement describes how Evraz plc and its affiliates (collectively, "EVRAZ") collects, uses, shares, and otherwise processes Personally Identifiable Information (“PII,” as defined below) about:
(i) Visitors to our websites, mobile applications, and other online properties (each, a "Site")
(ii) individuals who are customers, prospective customers, suppliers and prospective suppliers with whom EVRAZ does business;
(iii) representatives or contact persons of such customers, suppliers, and prospective customers and suppliers;
(iv) any other individuals about whom EVRAZ obtains PII.
In this Privacy Statement, "Personally Identifiable Information" or “PII” means any information, set of information, whether alone, or in combination with other Personally Identifiable Information, processed by EVRAZ, which is sufficient to identify an individual directly or indirectly.
“GDPR” means the General Data Protection Regulation, applicable in the EEA as from May 25, 2018.
Unless we specifically state otherwise, EVRAZ is the data controller of the PII we process, and is therefore responsible for ensuring that the systems and processes we use are compliant with data protection laws, to the extent applicable to us.
EVRAZ personnel are required to comply with this Privacy Statement and associated EVRAZ data privacy policies when dealing with PII and must also complete data protection training where appropriate to their role.
Summary of key points
We may collect the following categories of PII about Site visitors, clients, prospective clients, suppliers, individuals who are past, existing and prospective employees and directors of EVRAZ and other third parties:
• basic identification information, such as name, title, position, company name, email and/or postal address and the fixed and/or mobile phone number;
• administrative information (e.g. identity documents, birthdate, gender, language, etc.);
• numeric data (e.g. logs, IP address);
• biometric data (e.g. picture, sound, video);
• financial information (e.g. bank account details, credit card information, tax data, transactional data);
• any additional information you voluntarily provide, (e.g. by filling in a form or registering for an email newsletter).
This information may either be directly provided by the above individuals or provided by the legal entity for whom they work (e.g. if they are the contact person designated by their employer to manage the commercial relations with EVRAZ).
The purposes for which we use PII, and the legal bases for such processing, are as follows:
Legal Basis of the Processing
We are not allowed to process PII if we do not have a valid legal ground. Therefore, we will only process PII if:
We may share PII with the following categories of recipients:
· our employees (to the extent they need it to perform their tasks) and other EVRAZ affiliates;
· EVRAZ’s subcontractors, business partners and experts as well as external counsels, agents, auditors, banks and depositories;
· any third party to whom we assign or novate any of our rights or obliga-tions under a relevant agreement;
· processors and subprocessors such as our IT service providers, cloud service providers and database providers;
· any national and/or international regulatory, enforcement or exchange body or court where we are required to do so by applicable law or regula-tion or at their request; and
· any central or local government department and other statutory or public bodies.
If you have questions about the parties with which we share PII, please contact us as specified below.
Right of access
You have the right to obtain confirmation from us as to whether or not personal data concerning you are being processed. Where that is the case you may obtain access to the personal data and the pieces of information detailed in the article 15 of the GDPR.
Right to rectification
In case the personal data concerning you is inaccurate or incomplete you have the right to obtain rectification or completion from us without undue delay.
Right to erasure (‘right to be forgotten’)
You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the specific grounds applies and the processing is not necessary according to Art. 17 paragraph 3 GDPR.
Right to restriction of processing
Under certain circumstances you have the right to obtain the restriction of processing from us.
Right to data portability
Under the conditions defined in the GDPR, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us.
Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Art. 6(1). We will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
Right to lodge a complaint with a supervisory authority
If you consider that the processing of personal data relating to you infringes the GDPR, you will have the right – without prejudice to any other administrative or judicial remedy – to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.
We have implemented technical and organizational measures in an effort to safeguard the PII in our custody and control from unauthorized access, use or disclosure.
While we endeavour to always protect our systems, sites, operations and information against unauthorized access, use, modification and disclosure, due to the inherent nature of the Internet as an open global communications vehicle and other risk factors, we cannot guarantee that any information, during transmission or while stored on our systems, will be absolutely safe from intrusion by others.
You also have an important role in protecting PII. You should not share any username, password or other authentication data provided to you with anyone, and we recommend that you do not re-use passwords across more than one website or application. If you have any reason to believe that your username or password has been compromised, please contact us as detailed below.
We transfer PII to jurisdictions as necessary for the purposes described above, including to jurisdictions that may not provide the same level of data protection as your home country. In particular, some our Sites are hosted on servers in Russia. If you are located not in Russia, the transfer of PII is necessary to provide you with the requested information and/or to perform any requested transaction. To the extent permitted by law, such submission also constitutes your consent for the cross-border transfer.
With respect to transfers originating from the European Economic Area (“EEA”) to Russia and other non-EEA jurisdictions, we implement appropriate solutions to address cross-border transfers as required or permitted by Articles 46 and 49 of the GDPR. Where required by such laws, you may request a copy of the suitable mechanisms we have in place by contacting us as detailed below.
We will retain your PII for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.
The criteria we use to determine retention periods for PII include: the purposes for which the PII is collected, legal statutory limitation periods, retention periods imposed by law, applicable contractual requirements and relevant industry standards.
If you have questions regarding this Privacy Statement or our handling of your personal information, you can contact our Group Data Protection Officer at email@example.com.
13, avenue Monterey, L-2163 Luxembourg, Grand Duchy of Luxembourg
If you wish to exercise your data protection rights, please feel in the contact form.
We may occasionally update this Privacy Statement. When we do, we will revise the effective date at the top of the Privacy Statement and take such additional steps as may be required by law.