Rio Tinto Privacy Statement

This Privacy Statement provides an overview of how Rio Tinto processes personal data about people it does business with, whether online through this website, or in other ways. 

Personal data is information that relates to you as an individual.

When we refer in this Privacy Statement to Rio Tinto "processing" personal data, we mean any handling by Rio Tinto of personal data - for example, collecting, storing, using, transferring disclosing, deleting or accessing personal data.

Rio Tinto is a leading international mining group headquartered in the UK, combining Rio Tinto plc, a London and New York Stock Exchange listed company, and Rio Tinto Limited, which is listed on the Australian Securities Exchange.The two companies are joined in a dual listed companies structure as a single economic entity, called the Rio Tinto Group. This Privacy Statement applies to the companies in the Rio Tinto Group (which may be described as "Rio Tinto", "we" or "us" in this Privacy Statement also). 

What this Privacy Statement covers

This Privacy Statement applies to personal data that Rio Tinto processes as a result of dealings through this website, including your use of this website. Section 4 addresses online privacy. If your only dealings with Rio Tinto are through this website, please refer to section 4. 

This Privacy Statement also applies to personal data that Rio Tinto processes as a result of other business dealings you may have with Rio Tinto. 

What this Privacy Statement does not cover

This Privacy Statement does not apply to Rio Tinto's processing of personal data relating to employees, prospective employees or contractors (i.e. individuals who provide services on a contract basis). Rio Tinto has separate privacy statements for employees, prospective employees and contractors, as follows:

  • if you are a Rio Tinto employee, please refer to the "Privacy Statement for Rio Tinto Employees" that is available from HR or from the compliance portal on the Rio Tinto intranet (Prospect);
  • if you are a contractor (providing labour services to Rio Tinto), please refer to the "Privacy Statement for Rio Tinto Contractors" that is also available from compliance portal on the Rio Tinto intranet (Prospect); and 
  • if you are a prospective Rio Tinto employee, please refer to the privacy statement on the careers page of the Rio Tinto website (which you will receive when you apply for a job). The privacy statement for prospective employees can be located by clicking on the following link, and then on the "sign in" link in the upper right hand side of that page: https://riotinto.taleo.net/careersection/4/jobsearch.ftl?lang=en

As a global company, Rio Tinto is regulated under data protection laws and privacy laws that apply in its countries of operation. This Privacy Statement is not intended to explain all the different legal obligations that apply to Rio Tinto around the globe under applicable privacy and data protection laws (Privacy Laws). However, it is intended to provide a general illustration of how Rio Tinto will process personal data about you. 

Structure

This Privacy Statement is organised as follows:

1. Processing of personal data
Whose personal data does Rio Tinto process?
What type of personal data is processed, and why?

2. Will personal data be shared?
Sharing of personal data within the Rio Tinto Group
Disclosures of personal data to third parties

3. Individual rights

4. Online privacy - processing of personal data collected through Rio Tinto websites
How we process personal data provided or obtained through this website

Cookies statement - our use of cookies and tracking data

Online security
Transfers of personal data collected or obtained via this website

5. Data security

6. Questions and contact information

1. Processing of personal data

Whose personal data does Rio Tinto process?

Rio Tinto processes personal data of individuals with whom it deals in the course of its business activities. 

This includes "contact people" within:

  • its customers and suppliers;
  • government departments and regulatory agencies;
  • the communities where it operates; and 
  • industry groups and other organisations that it has business dealings with. 

As explained in the introduction, Rio Tinto also processes personal data of employees, prospective employees and contractors, and more information about that is contained in the separate privacy statements referred to above. Rio Tinto also processes personal data of its shareholders and directors.   

What type of personal data is processed, and why?

Rio Tinto processes personal data that it needs for its business activities. The scope of your personal data that is processed will depend on the nature of Rio Tinto's dealings with you. We process personal data as we consider required or as permitted by applicable Privacy Laws.

If you are one of the "contact people" described above, Rio Tinto will process personal data that is needed to contact you or your organisation. Apart from your name, Rio Tinto will process your business contact details (egg title, work address, email address and telephone numbers). 

This personal data will be processed for the relevant business purposes for which it was collected or obtained, for example to supply goods to your company or acquire services from your company, to enter into contracts, for external communications and for related administrative purposes. 

Rio Tinto may also need to process other types of information in order to manage your relationship with Rio Tinto. In particular, we need to process personal data:

  • about individuals within our customers in order to take actions or measures we consider necessary or appropriate to comply with our legal obligations. For example, to meet our obligations under anti-money laundering legislation in some of our countries of operation, we need to process personal data that verifies the identity of beneficial owners of customers (egg passport data). We also need to collect personal data from shareholders for shareholding purposes (including for regulatory reporting  and shareholder communications); and
  • about visitors to our premises or sites for security and safety purposes.

In these situations, if you do not provide the personal data we need or request, we won't be able to do business with you (or the company that you represent). 

2. Will personal data be shared?

Sharing of personal data within the Rio Tinto Group

To the extent we consider required or permitted by applicable Privacy Laws, personal data may be shared between companies within the Rio Tinto Group as necessary or appropriate for the conduct of business activities (as described in section 1 above). 

Rio Tinto operates globally. This means that Rio Tinto companies may be located in a country which does not afford the same level of protection as your country or where your personal data may be accessible by law enforcement, government, regulatory or national security authorities. The sharing of personal data within the Rio Tinto Group is governed by the terms of the Rio Tinto Data Transfer Deed, which incorporates the European Commission's standard contractual clauses for the transfer of personal data. The Rio Tinto Data Transfer Deed is intended to ensure that personal data transfers are adequately protected for the purposes of applicable Privacy Laws that restrict transfers across national borders.

Disclosures of personal data to third parties

To the extent permitted by applicable Privacy Laws, Rio Tinto may disclose personal data:

  • to external service providers (as discussed below); 
  • in the event of a proposed sale, merger, reorganisation or other similar event relating to a Rio Tinto business or entity;
  • as we consider required or permitted under law or to comply with legal or regulatory requirements. This may require disclosures to courts, law enforcement agencies or government, regulatory or other competent authorities and bodies; or
  • to protect the rights or safety of any of its employees or any third party. 

Sometimes Rio Tinto engages external service providers (including professional advisers such as lawyers, accountants and auditors) to fulfil some of Rio Tinto's functions or to perform other important services (egg IT functions, data storage services, share registry services). In that context, personal data may be disclosed to those external service providers. 

Rio Tinto's external service providers (including external professional advisers) may be located in a country which does not have laws that provide the same level of data protection as in your country. Rio Tinto takes contractual steps to protect the confidentiality and security of your personal data when it is disclosed to external service providers (including, where necessary, execution of the European Commission's standard contractual clauses for the transfer of personal data). We also require external service providers to process your personal data only in accordance with Rio Tinto's instructions and applicable data privacy laws. 

3. Individual rights

You have a right to seek access to the personal data that Rio Tinto holds about you (subject to some exceptions under applicable Privacy Laws). 

You also have the right to ask us to update or correct your personal information when it is inaccurate, incomplete or out of date, and in some instances, you can request that we cease to process your personal data (for example, if the processing causes you damage or distress).  

If you wish to exercise these rights, you can contact your local Rio Tinto office, or email us. You will be referred to the data privacy co-ordinator for the relevant Rio Tinto business unit. The data privacy co-ordinator will provide you with an access request form (or other relevant form) to complete (so that we can respond to your request efficiently). We will assume (unless you tell us otherwise) that your request relates to our current records about you. These current records will include personal data about you which is included in our databases and in paper files (and which we may use on a day to day basis).

Generally, we will act upon your requests for access to your personal data free of charge. However, Rio Tinto reserves the right to charge you an appropriate fee or to ask you to reimburse it for reasonable costs associated with retrieving, copying or providing access to your data (if this is permitted under applicable Privacy Laws). 

You can also help us to keep your personal data up to date by notifying us if your business contact details change.

4. Online privacy - processing of personal data collected through Rio Tinto websites

This section of the Privacy Statement describes how Rio Tinto processes personal data that is collected or obtained through this website. 

Rio Tinto plc, a company registered in England, controls the personal data that is collected or obtained through this website.

How we process personal data provided or obtained through this website

If you use this website, you may choose to provide personal data to Rio Tinto (for example, by sending us an email). We will process the personal data that you provide through this website to answer your query and if relevant, to manage our business relationship with you or your company.  

Cookies statement - our use of cookies and tracking data

A cookie is a short text file that may be stored on your hard drive when you visit a website. We use the following types of cookies on this website:

  • "Google Analytics" cookies (a web analytics service provided by Google, Inc). Google Analytics sets four cookies that allow us to analyse traffic on the website. Google Analytics cookies allow us to recognise and count the number of visitors to this website and to see how visitors move around the site (in particular, what pages of the website are being visited). This helps us to improve the way our website works.
  • Display and preference settings cookies - for example, if you changed the size of the text on our website when you last visited, a cookie will remember that so that you don't need to do it again.
  • "Session cookies" - to identify and maintain a browsing session, and to remember whether you have rejected cookies through your browser settings.
  • Cookies that track whether a social networking option has been used to forward material from our website (so that we know which social networking tools are in use).

These cookies do not collect or track any personal data or information about you as an individual.  Instead, they are focused on how the website is used, and seek to enhance the accessibility of the website. 

We also log your domain and IP address automatically when you visit this website. This data identifies the computer that you are using to view this website and your approximate geographic location. Again, we do this to track usage patterns. 

We do not use cookies or other tracking data to send you advertising or promotional material. 

Note that most web browsers allow some control of cookies through browser settings. If you delete or block our cookies, some parts of the website may not work properly, because some of our cookies are strictly necessary for the operation of this website.

This Privacy Statement places all users of this website on notice about our use of cookies. Your continued use of this website confirms to us that you are aware of our use of cookies and have no objection to this.

Online security

We take reasonable steps to protect the security of information (including personal data) that is provided by you or exchanged with you through this website.

Our security measures include using firewalls, intrusion detection systems and virus scanning tools to protect against unauthorised persons and viruses from accessing the information that you provide to us, and we to you. However, please be aware that there are inherent risks in transmitting information by use of the Internet and other online or electronic transmission systems and that we cannot guarantee the security of information transmitted in this way. 

Transfers of personal data collected or obtained via this website

Personal data that is collected through this website may be stored and processed in any country where Rio Tinto operates. 

As with personal data that we collect in other ways, personal data that is collected online may be shared between companies in the Rio Tinto Group and with external service providers who assist us with our services and functions.

The protections outlined in section 2 of this Privacy Statement (with respect to the protection of personal data that is transferred across national borders) also apply to data that is collected through this website. 

This website may contain links to third party websites (i.e. that are not provided by Rio Tinto). Before providing personal data to third party websites, we recommend you examine the privacy policies on those websites. Rio Tinto is not responsible for the privacy practices on third party websites.

5. Data security

As noted above, Rio Tinto is regulated under data protection laws and privacy laws in its countries of operation around the globe. A common feature of those laws is that steps must be taken to keep personal data secure from unauthorised access, loss, destruction, misuse, modification or disclosure. Rio Tinto uses reasonable and appropriate physical and electronic security measures to keep personal data secure.

6. Questions and contact information

If you have any questions or complaints about your privacy or wish to make an access request, please email us or contact your local Rio Tinto office. Your correspondence will be forwarded to the Rio Tinto data privacy co-ordinator for the relevant business unit within Rio Tinto.  

This Privacy Statement may be updated from time to time. When appropriate, a revised statement will be posted on this website which will incorporate any changes. We recommend you return periodically to review the latest Privacy Statement. 

This Privacy Statement was last updated in May 2012.