Effective as of 25 May 2018
This Privacy Statement describes how Evraz plc and its affiliates (collectively, "EVRAZ") collects, uses, shares, and otherwise processes Personally Identifiable Information (“PII,” as defined below) about:
(i) Visitors to our websites, mobile applications, and other online properties (each, a "Site")
(ii) individuals who are customers, prospective customers, suppliers and prospective suppliers with whom EVRAZ does business;
(iii) representatives or contact persons of such customers, suppliers, and prospective customers and suppliers;
(iv) any other individuals about whom EVRAZ obtains PII.
In this Privacy Statement, "Personally Identifiable Information" or “PII” means any information, set of information, whether alone, or in combination with other Personally Identifiable Information, processed by EVRAZ, which is sufficient to identify an individual directly or indirectly.
“GDPR” means the General Data Protection Regulation, applicable in the EEA as from May 25, 2018.
Unless we specifically state otherwise, EVRAZ is the data controller of the PII we process, and is therefore responsible for ensuring that the systems and processes we use are compliant with data protection laws, to the extent applicable to us.
EVRAZ personnel are required to comply with this Privacy Statement and associated EVRAZ data privacy policies when dealing with PII and must also complete data protection training where appropriate to their role.
Summary of key points
Collection of PII
We may collect the following categories of PII about Site visitors, clients, prospective clients, suppliers, individuals who are past, existing and prospective employees and directors of EVRAZ and other third parties:
- basic identification information, such as name, title, position, company name, email and/or postal address and the fixed and/or mobile phone number;
- administrative information (e.g. identity documents, birthdate, gender, language, etc.);
- numeric data (e.g. logs, IP address);
- biometric data (e.g. picture, sound, video);
- financial information (e.g. bank account details, credit card information, tax data, transactional data);
- any additional information you voluntarily provide, (e.g. by filling in a form or registering for an email newsletter).
This information may either be directly provided by the above individuals or provided by the legal entity for whom they work (e.g. if they are the contact person designated by their employer to manage the commercial relations with EVRAZ).
Use of PII
The purposes for which we use PII, and the legal bases for such processing, are as follows:
- to make our Sites more intuitive and easy to use we use device data. It is necessary for our legitimate interests to monitor how our Sites are used to help us improve the layout and information available on our Sites and provide a better service to our Site users;
- to protect the security and effective functioning of our Sites and information technology systems we use basic data, registration data, transaction data, and device data. It is necessary for our legitimate interests to monitor how our Sites are used to detect and prevent fraud, other crimes and the misuse of our Sites. This helps us to ensure that you can safely use our Sites;
- to undertake sales and procurement activities relating to our products and services;
- to market our products and services;
- to administer our customers and suppliers (e.g. user registration, account opening, credit checks);
- to manage and enhance the relationship with our customers and suppliers;
- to supply our products and services to our customers (e.g. administering and tracking a purchase, payment, return, managing billing and invoicing; arranging for services);
- to prepare and manage contracts with our customers and suppliers;
- to improve our existing products and services (or those under development) by means of customer and non-customer surveys, statistics and tests, or requesting feedback on products and services;
- to periodically send promotional emails about our products, special offers and information that the company for which you work may find interesting, using the email address provided by you or for you (if any);
- to communicate with you through various channels, (e.g. by periodically sending you promotional emails about our products, including special offers and information);
- to monitor activities at our facilities, including compliance with applicable policies as well as security, health and safety rules in place;
- to manage and monitor our websites, IT resources, including infrastructure management & business continuity;
- to manage our archiving and records;
- to preserve the company’s economic interests;
- to reply to an official request from a public or judicial authority with the necessary authorization; and
- to manage legal and regulatory requirements, defend our legal rights and prevent and detect crime, including regular compliance monitoring.
Legal Basis of the Processing
We are not allowed to process PII if we do not have a valid legal ground. Therefore, we will only process PII if:
- we have obtained your prior consent;
- the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request;
- the processing is necessary to comply with our legal or regulatory obligations (e.g. tax or accounting requirements);
- the processing is necessary for the legitimate interests of EVRAZ and does not unduly affect your interests or fundamental rights and freedoms. Please note that, when processing your PII on this basis, we seek to maintain a balance between our legitimate interests and your privacy.
Sharing of PII
We may share PII with the following categories of recipients:
- our employees (to the extent they need it to perform their tasks) and other EVRAZ affiliates;
- EVRAZ’s subcontractors, business partners and experts as well as external counsels, agents, auditors, banks and depositories;
- any third party to whom we assign or novate any of our rights or obliga-tions under a relevant agreement;
- processors and subprocessors such as our IT service providers, cloud service providers and database providers;
- any national and/or international regulatory, enforcement or exchange body or court where we are required to do so by applicable law or regula-tion or at their request; and
- any central or local government department and other statutory or public bodies.
If you have questions about the parties with which we share PII, please contact us as specified below.
Data Subject Rights
Right of access
You have the right to obtain confirmation from us as to whether or not personal data concerning you are being processed. Where that is the case you may obtain access to the personal data and the pieces of information detailed in the article 15 of the GDPR.
Right to rectification
In case the personal data concerning you is inaccurate or incomplete you have the right to obtain rectification or completion from us without undue delay.
Right to erasure (‘right to be forgotten’)
You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the specific grounds applies and the processing is not necessary according to Art. 17 paragraph 3 GDPR.
Right to restriction of processing
Under certain circumstances you have the right to obtain the restriction of processing from us.
Right to data portability
Under the conditions defined in the GDPR, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us.
Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Art. 6(1) GDPR. We will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
Right to lodge a complaint with a supervisory authority
If you consider that the processing of personal data relating to you infringes the GDPR, you will have the right – without prejudice to any other administrative or judicial remedy – to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.
We have implemented technical and organizational measures in an effort to safeguard the PII in our custody and control from unauthorized access, use or disclosure.
While we endeavour to always protect our systems, sites, operations and information against unauthorized access, use, modification and disclosure, due to the inherent nature of the Internet as an open global communications vehicle and other risk factors, we cannot guarantee that any information, during transmission or while stored on our systems, will be absolutely safe from intrusion by others.
You also have an important role in protecting PII. You should not share any username, password or other authentication data provided to you with anyone, and we recommend that you do not re-use passwords across more than one website or application. If you have any reason to believe that your username or password has been compromised, please contact us as detailed below.
Cross-Border Data Transfer
We transfer PII to jurisdictions as necessary for the purposes described above, including to jurisdictions that may not provide the same level of data protection as your home country. In particular, some our Sites are hosted on servers in Russia. If you are located not in Russia, the transfer of PII is necessary to provide you with the requested information and/or to perform any requested transaction. To the extent permitted by law, such submission also constitutes your consent for the cross-border transfer.
With respect to transfers originating from the European Economic Area (“EEA”) to Russia and other non-EEA jurisdictions, we implement appropriate solutions to address cross-border transfers as required or permitted by Articles 46 and 49 of the GDPR. Where required by such laws, you may request a copy of the suitable mechanisms we have in place by contacting us as detailed below.
We will retain your PII for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.
The criteria we use to determine retention periods for PII include: the purposes for which the PII is collected, legal statutory limitation periods, retention periods imposed by law, applicable contractual requirements and relevant industry standards.
Group Data Protection Officer. Contact details
If you have questions regarding this Privacy Statement or our handling of your personal information or if you wish to exercise your data protection rights, please contact our Group Data Protection Officer at firstname.lastname@example.org.
13, avenue Monterey, L-2163 Luxembourg, Grand Duchy of Luxembourg
Updates to this statement
We may occasionally update this Privacy Statement. When we do, we will revise the effective date at the top of the Privacy Statement and take such additional steps as may be required by law.