Privacy at Vale

Fin

recent-searches

Liens rapides

Vous n'avez pas le role requis pour accéder à cette application.

com.liferay.portal.kernel.util.DateUtil_IW@6d063d34 — Photographer: Ricardo Teles

Privacy at Vale

Protecting your privacy is very important to us.
On this page you will find our External Privacy Notice and Privacy Communication Channel.

The purpose of the External Privacy Notice is to clarify how Vale processes the personal data of third parties, whether this involves the provision of services, access to our physical or digital environments, or other interactions with the company.

The Privacy Communication Channel is the means by which data owners can contact Vale’s Privacy Area in order to uphold their rights and ask questions about the processing of their personal data and the External Privacy Notice.

The protection of privacy and personal data reflects our values and commitments to people, as well as our vision of security and transparency in data processing.

The purpose of this notice is to clarify how Vale processes the Personal Data of third parties, in this case, You, during the provision of services or access to our environments, whether physical or digital, hereinafter referred to together as “Our Environments”

We are always looking to offer you services and features as efficiently as possible, constantly updating ourselves for that. For this reason, this Notice may be changed at any time, and You are responsible for checking it whenever possible.

Photographer: Lucas Lenci

Privacy communication Channel

To exercise your rights as a holder of Personal Data, ask questions regarding the privacy of Personal Data at Vale, or contact the Data Protection Officer (DPO) directly, please use the form below.

Your message will be analyzed by Vale's Privacy Area and you will receive our contact at privacy@vale.com.

Click here

For subjects not related to personal data privacy, use our Contact Us channel.

External privacy notice

See the External Privacy Notice to understand how Vale processes the personal data of third parties, whether this involves the provision of services, access to our physical or digital environments, or other interactions with the company.

We are constantly looking to offer services and features as efficiently as possible. For this reason, this notice may be amended at any time and it is up to you to check it whenever possible.

Brazil

Europe

China

Japan

Malaysia

Oman

Singapore

Brazil

External privacy notice

What personal data is covered?

Vale process personal data, which are those that can identify or allow a natural person identifiable.

The company collects personal data to carry out regular activities with users of Vale’s services. The list of collected data typically includes: identification data, contact data, financial data, navigation data (cookies, IP address), health data, biometric data and other data that may be needed to perform these services. The list of collected data may vary according to the relationship with the data subject.

More information regarding the use of this data can be found in the specific terms of each service, available on their respective platforms.

In what services does Vale collect personal data?

Personal data are collected for the performance of services, such as:

Passenger Train Services;
Newsroom;
Aerovale;
Visiting Vale;
Ethics and Conduct Office;
Access to Vale’s sites;
On-site help centers;
Assistance to communities.

In addition to the performance of services, the company collects personal data from its employees, suppliers and contracted parties. The processing of such personal data is regulated through specific documents.

What is the purpose of collection and processing of personal data?

The collection and processing of personal data within Vale are carried out to legitimate, explicit and specific purposes. Most of the personal information is provided directly by the data subjects, for one of the following reasons:

Get in touch when offering our services;
Browsing our websites and applications safely;
To better target the content of our sites;
To be able to perform our services, receive and make payments and aid; or
For carrying out regular activities with users of Vale’s services.

More information on the purposes and legal basis for collecting and processing personal data can be found in the specific terms of each service, available on their respective platforms.

The company stores the evidence of opt-in (express) consent, when such consent is considered, by the applicable personal data protection laws, indispensable for the data processing activity. Likewise, if consent is revoked, evidence of such revocation will also be stored.

How does Vale shares personal data?

Sharing with third-parties:

Vale may share personal data with its subsidiaries and suppliers, if necessary, for the provision of our services. For this sharing, rights and duties of the parties are established, aiming to prevent the use of personal data in a different way from that established by the company and / or that violate the applicable data protection laws. It is also required that everyone involved process personal data in a secure and confidential manner, and keep it only for a specified period. These obligations remain even after the end of the relationship between the parties.

In some circumstances, Vale may be legally required to share personal data in order to respond to inquiries or investigations.

International data transfer:

Vale may share personal data with its subsidiaries or with contracted companies with headquarters outside the national territory, subject to local legal requirements. The company shall only carry out a transfer to countries or international organizations that ensures an adequate level of protection related to the transferred personal data or that guarantees the compliance with the principles, rights and data protection regime of the applicable personal data protection laws.

It is possible to use one of the following safeguards: (i) contractual clauses approved by the supervisory authorities, according to the applicable personal data protection laws; or (ii) binding corporate rules.

Which are the data subject’s rights in relation to its personal data?

Data subjects have the following rights related to its personal data, to the extent that such rights are recognized by applicable laws:

Processing confirmation: confirmation as to whether or not Personal Data concerning the relevant data subject are being processed;
Access to data: access to data collected by Vale, except for cases of trade secret protection and industry;
Data rectification: request to correct incomplete, outdated or erroneous information;
Anonymization and suspension: anonymization and suspension of personal data considered unnecessary, excessive or processed in non-compliance with the provisions of the applicable legislation. Anonymization will take place considering the use of reasonable and available technical means when processing data;
Portability: portability of personal data to another product supplier or service provider upon express request. Vale and its subsidiaries reserve the right to deny portability in case of personal data that could compromise their commercial and industrial secrets.
Information on data sharing: information to the data subject about personal data that is shared with public and private entities;
Consent Revocation: revocation of the consent given, at any time, upon the express request of the data subject. The revocation procedure will always free and facilitated.
Elimination: personal data will be eliminated at the end of its purpose or if the data subject expresses its intent to revoke its consent to carry out that processing. Subject to local legal requirements, Vale may keep personal data if: (i) it is legally obliged to keep them, (ii) for compliance with laws and / or regulations that so determine; (iii) needs the data to establish, exercise or defend legal claims; and (iii) need to maintain control of the data for public health reasons.

It is possible to exercise these rights by contacting us using the form found at the bottom of this page.

How does Vale secures personal data?

Personal data is protected against unauthorized access, illegal processing or disclosure, as well as accidental loss, modification or destruction. This applies regardless of whether such data is processed electronically or on paper.

The company has appropriate technical and organizational measures to protect personal data, such as information classification, data backup and restoration and identity and access management. These measures are based on security analysis and data protection risks.

In the event of deletion of personal data, the process is carried out safely, in line with the appropriate technical measures, in order to ensure that the deleted personal data cannot be recovered.

For how long data is being retained?

All personal data collected will be processed and preserved as long as necessary for the fulfillment of the purposes described in the section “What is the purpose of collection and processing of personal data?”.

The data may be kept in our files in compliance with and observance of the deadlines defined in the legal system in question. This justifies, therefore, the retention of personal data in our databases, under the same security and protection mechanisms.

Europe

External privacy notice

What personal data is covered?

We may process the following categories of Personal Data about you:

Personal details: given name(s); preferred name; photograph; details of representative; curriculum vitae / résumés and/or applications; passport number (where applicable); and work permit or visa number (where applicable).
Demographic information: gender; date of birth / age; nationality; salutation; title; and language preferences.
Contact details: correspondence address; shipping address; telephone number; email address; details of personal assistants, where applicable; messenger app details; online messaging details; and social media details.
Expertise: records of your expertise, curriculum vitae / résumés, professional history, education history, practising details and qualification details; information about your experience, participation in meetings, seminars, advisory boards and conferences; salary expectations; referrals and references; information about your professional relationship with other individuals or institutions; and language abilities and other professional skills.
Background checks: details revealed by background checks conducted in accordance with applicable law and subject to your prior express written consent (where required, including details of past employment, details of residence, credit reference information, and criminal records checks.
Consthe date and time, means of consent and any related information (e.g., the subject matter of the consent).
Purchase details: records of purchases and prices; and consignee name, address, contact telephone number and email ent records: records of any consents you have given, together with address.
Payment details: invoice records; payment records; billing address; payment method; bank account number or credit card number; cardholder or accountholder name; card or account security details; card ‘valid from’ date; card expiry date; BACS details; SWIFT details; IBAN details; payment amount; payment date; and records of cheques.
Data relating to our websites and apps: device type; operating system; browser type; browser settings; IP address; language settings; dates and times of connecting to a website; app usage statistics; app settings; dates and times of connecting to an app; location data, and other technical communications information (some of which may constitute Personal Data); password; security login details; usage data; and aggregate statistical information.
Employer details: where you interact with us in your capacity as an employee of a third party, the name, address, telephone number and email address of your employer, to the extent relevant.
Content and advertising data: records of your interactions with our online advertising and content; and records of advertising and content displayed on pages or app screens displayed to you.
Views and opinions: any views and opinions that you choose to send to us, or publicly post about us on social media platforms.
Biometric and health data: biometric data and data about your health (including health information to monitor the spread of infectious diseases in the workplace and biological sampling data); and (if disclosed) any special needs or health condition and information relating to accommodations that you may request during the recruitment process.

In what services does Vale collect personal data?

We collect or obtain Personal Data about you from the following sources:

Data provided to us: We obtain Personal Data when those data are provided to us (e.g., where you contact us via email or telephone, or by any other means, or when you provide us with your business card, or when you submit a job application).
Data we obtain in person: We obtain Personal Data during meetings, at trade shows, during visits from sales or marketing representatives, or at events we attend.
Collaborations: We obtain Personal Data when you collaborate with us in research or in an advisory / consultancy capacity.
Relationship data: We collect or obtain Personal Data in the ordinary course of our relationship with you (e.g., we provide a service to you, or to your employer).
Data you make public: We collect or obtain Personal Data that you manifestly choose to make public, including via social media (e.g., we may collect information from your social media profile(s), if you make a public post about us).
App data: We collect or obtain Personal Data when you download or use any of our apps.
Website data: We collect or obtain Personal Data when you visit any of our websites or use any features or resources available on or through a website.
Registration details: We collect or obtain Personal Data when you use, or register to use, any of our websites, apps, products, or services.
Content and advertising information: If you interact with any third party content or advertising on a website or in an app (including third party plugins and Cookies) we receive Personal Data from the relevant third party provider of that content or advertising.
Third party information: We collect or obtain Personal Data from third parties who provide it to us (e.g., credit reference agencies; law enforcement authorities; recruiters; previous employers, referees, entities conducting background checks etc.).

Creation of Personal Data

We also create Personal Data about you in certain circumstances, such as records of your interactions with us, and details of your past interactions with us. We may also combine Personal Data from any of our websites, apps, products, or services, including where those data are collected from different devices.

More information regarding the use of this data can be found in the specific terms of each service, available on their respective platforms.

What is the purpose of collection and processing of personal data?

The purposes for which we Process Personal Data, and the legal bases on which we perform such Processing, within Vale, where the law applicable to our Processing requires a legal basis, are as follows:

Processing activity	Legal basis for Processing
Provision of websites, apps, products, and services: providing our websites, apps, products, or services; providing promotional items upon request; and communicating with you in relation to those websites, apps, products, or services.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, apps, products, or services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Operating our business: operating and managing our websites, our apps, our products, and our services; providing content to you; displaying advertising and other information to you; communicating and interacting with you via our websites, our apps, our products, or our services; and notifying you of changes to any of our websites, our apps, our products, or our services.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, our apps, our products, or our services to you (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Communications and marketing: communicating with you via any means (including via email, telephone, text message, social media, post or in person) to provide news items and other information in which you may be interested, subject always to obtaining your prior opt-in consent to the extent required under applicable law; personalising our websites, products and services for you; maintaining and updating your contact information where appropriate; obtaining your prior, opt-in consent where required; and enabling and recording your choice to opt-out or unsubscribe, where applicable.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or We have a legitimate interest in carrying out the Processing for the purpose of contacting you, subject always to compliance with applicable law (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Management of IT systems: management and operation of our communications, IT and security systems; and audits (including security audits) and monitoring of such systems.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of managing and maintaining our communications and IT systems (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Health and safety: health and safety assessments and record keeping (including collecting biological sampling data); providing a safe and secure environment at our premises (including monitoring body temperatures on Vale premises in the UK to prevent the spread of infectious diseases in the workplace); and compliance with related legal obligations.	The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment, social security or social protection law); or We have a legitimate interest in carrying out the Processing for the purpose of ensuring a safe environment at our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or The Processing is necessary to protect the vital interests of any individual; or The Processing is necessary for reasons of public interest in the area of public health; or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Financial management: sales; finance; corporate audit; and vendor management.	We have a legitimate interest in carrying out the Processing for the purpose of managing and operating the financial affairs of our business (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Vendor management: collating supplier data for background and compliance checks.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of performing background and compliance checks (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Surveys: engaging with you for the purposes of obtaining your views on our websites, our apps, our products, or our services.	We have a legitimate interest in carrying out the Processing for the purpose of conducting surveys, satisfaction reports and market research (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Security: physical security of our premises (including records of visits to our premises); CCTV recordings; and electronic security (including login records and access details).	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of ensuring the physical and electronic security of our business and our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Investigations: detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of detecting, and protecting against, breaches of our policies and applicable laws (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Legal compliance: compliance with our legal and regulatory obligations under applicable law.	The Processing is necessary for compliance with a legal obligation.
Improving our websites, apps, products, and services: identifying issues with our websites, our apps, our products, or our services; planning improvements to our websites, our apps, our products, or our services; and creating new websites, apps, products, or services.	We have a legitimate interest in carrying out the Processing for the purpose of improving our websites, our apps, our products, or our services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Establishment, exercise and defence of legal claims: management of legal claims; establishment of facts and claims, including collection, review and production of documents, facts, evidence and witness statements; and exercise and defence of legal rights and claims, including formal legal proceedings.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of establishing, exercising or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or The Processing is necessary for the establishment, exercise or defence of legal claims.
Recruitment and job applications: recruitment activities; advertising of positions; interview activities; verifying information provided to us; analysis of suitability for the relevant position; records of hiring decisions; offer details; performing background checks; accommodations as part of the recruitment process; and acceptance details.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment law); or We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities and handling job applications (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Future opportunities: maintaining databases of unsuccessful candidates; advertising new roles; and invitations to future events.	We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Processing activity

Legal basis for Processing

Provision of websites, apps, products, and services: providing our websites, apps, products, or services; providing promotional items upon request; and communicating with you in relation to those websites, apps, products, or services.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, apps, products, or services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Operating our business: operating and managing our websites, our apps, our products, and our services; providing content to you; displaying advertising and other information to you; communicating and interacting with you via our websites, our apps, our products, or our services; and notifying you of changes to any of our websites, our apps, our products, or our services.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, our apps, our products, or our services to you (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Communications and marketing: communicating with you via any means (including via email, telephone, text message, social media, post or in person) to provide news items and other information in which you may be interested, subject always to obtaining your prior opt-in consent to the extent required under applicable law; personalising our websites, products and services for you; maintaining and updating your contact information where appropriate; obtaining your prior, opt-in consent where required; and enabling and recording your choice to opt-out or unsubscribe, where applicable.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
We have a legitimate interest in carrying out the Processing for the purpose of contacting you, subject always to compliance with applicable law (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Management of IT systems: management and operation of our communications, IT and security systems; and audits (including security audits) and monitoring of such systems.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of managing and maintaining our communications and IT systems (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Health and safety: health and safety assessments and record keeping (including collecting biological sampling data); providing a safe and secure environment at our premises (including monitoring body temperatures on Vale premises in the UK to prevent the spread of infectious diseases in the workplace); and compliance with related legal obligations.

The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment, social security or social protection law); or
We have a legitimate interest in carrying out the Processing for the purpose of ensuring a safe environment at our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
The Processing is necessary to protect the vital interests of any individual; or
The Processing is necessary for reasons of public interest in the area of public health; or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Financial management: sales; finance; corporate audit; and vendor management.

We have a legitimate interest in carrying out the Processing for the purpose of managing and operating the financial affairs of our business (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Vendor management: collating supplier data for background and compliance checks.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of performing background and compliance checks (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Surveys: engaging with you for the purposes of obtaining your views on our websites, our apps, our products, or our services.

We have a legitimate interest in carrying out the Processing for the purpose of conducting surveys, satisfaction reports and market research (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Security: physical security of our premises (including records of visits to our premises); CCTV recordings; and electronic security (including login records and access details).

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of ensuring the physical and electronic security of our business and our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Investigations: detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of detecting, and protecting against, breaches of our policies and applicable laws (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Legal compliance: compliance with our legal and regulatory obligations under applicable law.

The Processing is necessary for compliance with a legal obligation.

Improving our websites, apps, products, and services: identifying issues with our websites, our apps, our products, or our services; planning improvements to our websites, our apps, our products, or our services; and creating new websites, apps, products, or services.

We have a legitimate interest in carrying out the Processing for the purpose of improving our websites, our apps, our products, or our services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Establishment, exercise and defence of legal claims: management of legal claims; establishment of facts and claims, including collection, review and production of documents, facts, evidence and witness statements; and exercise and defence of legal rights and claims, including formal legal proceedings.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of establishing, exercising or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
The Processing is necessary for the establishment, exercise or defence of legal claims.

Recruitment and job applications: recruitment activities; advertising of positions; interview activities; verifying information provided to us; analysis of suitability for the relevant position; records of hiring decisions; offer details; performing background checks; accommodations as part of the recruitment process; and acceptance details.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment law); or
We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities and handling job applications (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Future opportunities: maintaining databases of unsuccessful candidates; advertising new roles; and invitations to future events.

We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

How does Vale share personal data?

1. Sharing with third-parties:

Vale shares Personal Data with other entities within the Vale group, to suppliers, if necessary, for legitimate business purpose, and for the provision of our services, products, apps and websites, in accordance with applicable law. In addition, we disclose Personal Data to:

you and, where appropriate, your appointed representatives;
legal and regulatory authorities, upon request, or for the purposes of reporting any actual or suspected breach of applicable law or regulation;
accountants, auditors, consultants, lawyers and other outside professional advisors to Vale, subject to binding contractual obligations of confidentiality;
third-party Processors (such as payment services providers; recruiters; pre-employment screenings services etc.), located anywhere in the world (subject to the requirements noted below);
any relevant party, regulatory body, governmental authority, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal claims;
any relevant party, regulatory body, governmental authority, law enforcement agency or court, for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
any relevant third party acquirer(s) or successor(s) in title, in the event that we sell or transfer all or any relevant portion of our business or assets (including in the event of a reorganization, dissolution or liquidation); andany relevant third party provider, where our websites and our apps use third party advertising, plugins or content. If you choose to interact with any such advertising, plugins or content, your Personal Data may be shared with the relevant third party provider. We recommend that you review that third party’s privacy policy before interacting with its advertising, plugins or content.
If we engage a third-party Processor to Process your Personal Data, the Processor will be subject to binding contractual obligations to: (i) only Process the Personal Data in accordance with our prior written instructions; and (ii) use measures to protect the confidentiality and security of the Personal Data, together with any additional requirements under applicable law.

2. International data transfer:

Because of the international nature of our business, we transfer Personal Data within the Vale group, and to the third-parties set out above under the sub-heading entitled “Sharing with third-parties”. Recipients of Personal Data we transfer may be located in all countries where the Vale group is present but in other countries globally as well. For this reason, we transfer Personal Data to other countries that may have different legal requirements and data protection compliance requirements to those that apply in the country in which you are located or in which you disclosed your Personal Data to us. We may transfer your Personal Data to the following jurisdictions in particular but also other jurisdictions globally where third-party recipients or their service providers are located:
Argentina;
Australia;
Brazil;
Canada;
Chile;
China;
India;
Indonesia;
Japa;
Malaysia;
Oman;
Peru; and
Singapore.

For the international transfer of Personal Data related to individuals located in the EU or UK or Switzerland, if an exemption or derogation applies (e.g., where a transfer is necessary to establish, exercise or defend a legal claim, based on explicit consent, or where the transfer is necessary for the performance of a contract with the data subject or pre-contractual measures at the data subject’s request.) we may rely on that exemption or derogation, as appropriate. Where no exemption or derogation applies, and we transfer your Personal Data from the EEA or UK or Switzerland to recipients located outside the EEA or UK or Switzerland who are not in Adequate Jurisdictions, we do so on the basis of Standard Contractual Clauses. You are entitled to request a copy of our Standard Contractual Clauses using the contact details provided below.

Which are the data subject’s rights in relation to its personal data?

Subject to applicable law, data subjects may have the following rights regarding the Processing of their Personal Data:

the right to request access to, or copies of, Personal Data, together with information regarding the nature, Processing and disclosure of Personal Data;
the right to request rectification to any inaccuracies in Personal Data;
the right to request, on legitimate grounds erasure of Personal Data or restriction of Processing of Personal Data;
the right to request portability of Personal Data to another controller, in a structured, commonly used and machine-readable format, to the extent applicable;
where we Process Personal Data on the basis of your consent, the right to withdraw consent given, at any time, upon the express request of the data subject (noting that such withdrawal does not affect the lawfulness of any Processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the Processing of your Personal Data in reliance upon any other available legal bases); and
the right to lodge complaints regarding the Processing of Personal Data with a Data Protection Authority.

Subject to applicable law, you may also have the following additional rights regarding the Processing of your Personal Data:

the right to object, on grounds relating to your particular situation, to the Processing of your Personal Data by us or on our behalf, where such Processing is based on Articles 6(1)(e) (public interest) or 6(1)(f) (legitimate interests) of the GDPR / UK GDPR; and
the right to object to the Processing of your Personal Data by us or on our behalf for direct marketing purposes.

This does not affect your statutory rights.

To exercise one of these rights, or to ask a question about these rights or any other provision of this Privacy Notice, or about the Processing of your Personal Data, please use the contact details found at the bottom of this page.

Please note that:

in some cases it will be necessary to provide evidence of your identity before we can give effect to these rights; and
where your request requires the establishment of additional facts (e.g., a determination of whether any Processing is non-compliant with applicable law) we will investigate your request reasonably promptly, before deciding what action to take.

How does Vale secure personal data?

Personal Data is protected against unauthorized access, illegal Processing or disclosure, as well as accidental loss, modification or destruction. This applies regardless of whether such data is Processed electronically or on paper.

Vale has appropriate technical and organizational measures to protect Personal Data, such as information classification, data backup and restoration and identity and access management. These measures are based on security analysis and data protection risks.

In the event of deletion of Personal Data, the process is carried out safely, in line with the appropriate technical measures, in order to ensure that the deleted Personal Data cannot be recovered.

Data accuracy

We take every reasonable step to ensure that:

your Personal Data that we Process is accurate and, where necessary, kept up to date; and
any of your Personal Data that we Process that is inaccurate (having regard to the purposes for which such Personal Data is Processed) is erased or rectified without delay.

From time to time we may ask you to confirm the accuracy of your Personal Data.

Data minimization

We take every reasonable step to ensure that your Personal Data that we Process is limited to the Personal Data reasonably necessary in connection with the purposes set out in this Privacy Notice.

For how long is Personal Data retained?

We take every reasonable step to ensure that all Personal Data collected will be Processed and retained for the minimum period necessary for the fulfilment of the purposes described under the heading entitled “What is the purpose of collection and Processing of Personal Data?”.

The data may be kept in our files in compliance with and observance of the deadlines defined in the legal system in question. This justifies, therefore, the retention of Personal Data in our databases, under the same security and protection mechanisms.

Sensitive Personal Data

We do not seek to collect or otherwise Process Sensitive Personal Data in the ordinary course of our business. Where it becomes necessary to Process your Sensitive Personal Data for any reason, we rely on one of the following legal bases, where the law applicable to our Processing requires a legal basis:

Compliance with applicable law: We may Process your Sensitive Personal Data where the Processing is required or permitted by applicable law (e.g., to comply with our diversity reporting obligations);
Employment law: We may Process your Sensitive Personal Data where the Processing is necessary for the purposes of carrying out the obligations and exercising specific rights in the field of employment, social security and social protection law;
Detection and prevention of crime: We may Process your Sensitive Personal Data where the Processing is necessary for the detection or prevention of crime (e.g., the prevention of fraud);
Vital interests: We may Process your Sensitive Personal Data where the Processing is necessary to protect the vital interests of any individual; or
Vital interests: We may Process your Sensitive Personal Data where the Processing is necessary to protect the vital interests of any individual; or
Public health: We may Process your Sensitive Personal Data where the Processing is necessary for reasons of public interest in the area of public health (e.g., protecting against serious cross-border threats to health); or
Establishment, exercise or defence of legal claims: We may Process your Sensitive Personal Data where the Processing is necessary for the establishment, exercise or defence of legal claims; or
Consent: We may Process your Sensitive Personal Data where we have, in accordance with applicable law, obtained your express consent prior to Processing your Sensitive Personal Data (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

If you provide Sensitive Personal Data to us, you must ensure that it is lawful for you to disclose such data to us, and you must ensure a valid legal basis applies to the Processing of those Sensitive Personal Data.

Communication Channel

To contact Vale's privacy team and Vale’s Data Protection Officer (“DPO”), use the form below or send an email to dpo@vale.com or to breach@logicdocument.com (if you are located in UK).

The purpose of this form, the dpo@vale.com  and of the breach@logicdocument.com (for UK) emails address is to establish a channel for contacting the DPO and for the exercise of data subjects’ rights. For matters not related to privacy, access  Contact Us.

Details of Controllers

For the purposes of this Privacy Notice, the relevant Controllers are:

Controller entity

Contact details

Vale S.A.

Praia de Botafogo, 186, Botafogo, Rio de Janeiro, Brazil; Data Privacy Department / privacy@vale.com

Vale Europe Limited

Vale Europe Limited – Suite 1, 3rd Floor, 11-12 St. Jame´s Square, London, United Kingdom, SW1Y 4LB; Data Privacy Department / breach@logicdocument.com

Vale Holdings B.V.

Piet Heinkade 55, 1019 GM, Amsterdam, the Netherlands; Data Privacy Department / privacy@vale.com

Vale International SA

Route de Pallatex 29, 1162 Saint-Prex, Switzerland; Data Privacy Department / privacy@vale.com

Definitions

“Adequate Jurisdiction” means a jurisdiction that has been formally designated by the European Commission, or the UK Government, or other competent local authority, as providing an adequate level of protection for Personal Data;

“Cookie” means a small file that is placed on your device when you visit a website (including our websites). In this Privacy Notice, a reference to a “cookie” includes analogous technologies such as web beacons and clear GIFs;
“Controller” means the entity that decides how and why Personal Data is Processed. In many jurisdictions, the controller has primary responsibility for complying with applicable data protection laws;
“Data Protection Authority” means an independent public authority that is legally tasked with overseeing compliance with applicable data protection laws;
“EEA” means the European Economic Area;
“GDPR” means the General Data Protection Regulation (EU) 2016/679;
“Personal Data” means information that is about any individual, or from which any individual is directly or indirectly identifiable, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual; provided, however, that where applicable data protection law protects legal entities as data subjects “Personal Data” will be deemed to include information relating to legal entities;
“Process”, “Processing” or “Processed” means anything that is done with any Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Processor” means any person or entity that Processes Personal Data on behalf of the Controller (other than employees of the Controller);
“Sensitive Personal Data” means Personal Data about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, biometric data, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, national identification number, or any other information that are deemed to be sensitive under applicable law;
“Standard Contractual Clauses” means template transfer clauses adopted by the European Commission or adopted by a Data Protection Authority and approved by the European Commission, or the UK Government; and
“UK GDPR” means the UK’s equivalent of the GDPR.

China

External privacy notice

What personal data is covered?

We may process the following categories of Personal Data about you:

Personal details: given name(s); preferred name; photograph; details of representative; curriculum vitae / résumés and/or applications; passport number (where applicable); and work permit or visa number (where applicable).
Demographic information: gender; date of birth / age; nationality; salutation; title; and language preferences.
Contact details: correspondence address; shipping address; telephone number; email address; details of personal assistants, where applicable; messenger app details; online messaging details; and social media details.
Expertise: records of your expertise, curriculum vitae / résumés, professional history, education history, practising details and qualification details; information about your experience, participation in meetings, seminars, advisory boards and conferences; salary expectations; referrals and references; information about your professional relationship with other individuals or institutions; and language abilities and other professional skills.
Background checks: details revealed by background checks conducted in accordance with applicable law and subject to your prior express written consent (where required, including details of past employment, details of residence, credit reference information, and criminal records checks.
Consthe date and time, means of consent and any related information (e.g., the subject matter of the consent).
Purchase details: records of purchases and prices; and consignee name, address, contact telephone number and email ent records: records of any consents you have given, together with address.
Payment details: invoice records; payment records; billing address; payment method; bank account number or credit card number; cardholder or accountholder name; card or account security details; card ‘valid from’ date; card expiry date; BACS details; SWIFT details; IBAN details; payment amount; payment date; and records of cheques.
Data relating to our websites and apps: device type; operating system; browser type; browser settings; IP address; language settings; dates and times of connecting to a website; app usage statistics; app settings; dates and times of connecting to an app; location data, and other technical communications information (some of which may constitute Personal Data); password; security login details; usage data; and aggregate statistical information.
Employer details: where you interact with us in your capacity as an employee of a third party, the name, address, telephone number and email address of your employer, to the extent relevant.
Content and advertising data: records of your interactions with our online advertising and content; and records of advertising and content displayed on pages or app screens displayed to you.
Views and opinions: any views and opinions that you choose to send to us, or publicly post about us on social media platforms.
Biometric and health data: biometric data and data about your health (including health information to monitor the spread of infectious diseases in the workplace and biological sampling data); and (if disclosed) any special needs or health condition and information relating to accommodations that you may request during the recruitment process.

In what services does Vale collect personal data?

We collect or obtain Personal Data about you from the following sources:

Data provided to us: We obtain Personal Data when those data are provided to us (e.g., where you contact us via email or telephone, or by any other means, or when you provide us with your business card, or when you submit a job application).
Data we obtain in person: We obtain Personal Data during meetings, at trade shows, during visits from sales or marketing representatives, or at events we attend.
Collaborations: We obtain Personal Data when you collaborate with us in research or in an advisory / consultancy capacity.
Relationship data: We collect or obtain Personal Data in the ordinary course of our relationship with you (e.g., we provide a service to you, or to your employer).
Data you make public: We collect or obtain Personal Data that you manifestly choose to make public, including via social media (e.g., we may collect information from your social media profile(s), if you make a public post about us).
App data: We collect or obtain Personal Data when you download or use any of our apps.
Website data: We collect or obtain Personal Data when you visit any of our websites or use any features or resources available on or through a website.
Registration details: We collect or obtain Personal Data when you use, or register to use, any of our websites, apps, products, or services.
Content and advertising information: If you interact with any third party content or advertising on a website or in an app (including third party plugins and Cookies) we receive Personal Data from the relevant third party provider of that content or advertising.
Third party information: We collect or obtain Personal Data from third parties who provide it to us (e.g., credit reference agencies; law enforcement authorities; recruiters; previous employers, referees, entities conducting background checks etc.).

Creation of Personal Data

More information regarding the use of this data can be found in the specific terms of each service, available on their respective platforms.

What is the purpose of collection and processing of personal data?

Processing activity	Legal basis for Processing
Provision of websites, apps, products, and services: providing our websites, apps, products, or services; providing promotional items upon request; and communicating with you in relation to those websites, apps, products, or services.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, apps, products, or services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Operating our business: operating and managing our websites, our apps, our products, and our services; providing content to you; displaying advertising and other information to you; communicating and interacting with you via our websites, our apps, our products, or our services; and notifying you of changes to any of our websites, our apps, our products, or our services.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, our apps, our products, or our services to you (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Communications and marketing: communicating with you via any means (including via email, telephone, text message, social media, post or in person) to provide news items and other information in which you may be interested, subject always to obtaining your prior opt-in consent to the extent required under applicable law; personalising our websites, products and services for you; maintaining and updating your contact information where appropriate; obtaining your prior, opt-in consent where required; and enabling and recording your choice to opt-out or unsubscribe, where applicable.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or We have a legitimate interest in carrying out the Processing for the purpose of contacting you, subject always to compliance with applicable law (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Management of IT systems: management and operation of our communications, IT and security systems; and audits (including security audits) and monitoring of such systems.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of managing and maintaining our communications and IT systems (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Health and safety: health and safety assessments and record keeping (including collecting biological sampling data); providing a safe and secure environment at our premises (including monitoring body temperatures on Vale premises in the UK to prevent the spread of infectious diseases in the workplace); and compliance with related legal obligations.	The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment, social security or social protection law); or We have a legitimate interest in carrying out the Processing for the purpose of ensuring a safe environment at our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or The Processing is necessary to protect the vital interests of any individual; or The Processing is necessary for reasons of public interest in the area of public health; or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Financial management: sales; finance; corporate audit; and vendor management.	We have a legitimate interest in carrying out the Processing for the purpose of managing and operating the financial affairs of our business (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Vendor management: collating supplier data for background and compliance checks.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of performing background and compliance checks (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Surveys: engaging with you for the purposes of obtaining your views on our websites, our apps, our products, or our services.	We have a legitimate interest in carrying out the Processing for the purpose of conducting surveys, satisfaction reports and market research (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Security: physical security of our premises (including records of visits to our premises); CCTV recordings; and electronic security (including login records and access details).	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of ensuring the physical and electronic security of our business and our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Investigations: detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of detecting, and protecting against, breaches of our policies and applicable laws (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Legal compliance: compliance with our legal and regulatory obligations under applicable law.	The Processing is necessary for compliance with a legal obligation.
Improving our websites, apps, products, and services: identifying issues with our websites, our apps, our products, or our services; planning improvements to our websites, our apps, our products, or our services; and creating new websites, apps, products, or services.	We have a legitimate interest in carrying out the Processing for the purpose of improving our websites, our apps, our products, or our services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Establishment, exercise and defence of legal claims: management of legal claims; establishment of facts and claims, including collection, review and production of documents, facts, evidence and witness statements; and exercise and defence of legal rights and claims, including formal legal proceedings.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of establishing, exercising or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or The Processing is necessary for the establishment, exercise or defence of legal claims.
Recruitment and job applications: recruitment activities; advertising of positions; interview activities; verifying information provided to us; analysis of suitability for the relevant position; records of hiring decisions; offer details; performing background checks; accommodations as part of the recruitment process; and acceptance details.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment law); or We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities and handling job applications (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Future opportunities: maintaining databases of unsuccessful candidates; advertising new roles; and invitations to future events.	We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Processing activity

Legal basis for Processing

Provision of websites, apps, products, and services: providing our websites, apps, products, or services; providing promotional items upon request; and communicating with you in relation to those websites, apps, products, or services.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, apps, products, or services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Operating our business: operating and managing our websites, our apps, our products, and our services; providing content to you; displaying advertising and other information to you; communicating and interacting with you via our websites, our apps, our products, or our services; and notifying you of changes to any of our websites, our apps, our products, or our services.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, our apps, our products, or our services to you (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Communications and marketing: communicating with you via any means (including via email, telephone, text message, social media, post or in person) to provide news items and other information in which you may be interested, subject always to obtaining your prior opt-in consent to the extent required under applicable law; personalising our websites, products and services for you; maintaining and updating your contact information where appropriate; obtaining your prior, opt-in consent where required; and enabling and recording your choice to opt-out or unsubscribe, where applicable.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
We have a legitimate interest in carrying out the Processing for the purpose of contacting you, subject always to compliance with applicable law (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Management of IT systems: management and operation of our communications, IT and security systems; and audits (including security audits) and monitoring of such systems.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of managing and maintaining our communications and IT systems (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Health and safety: health and safety assessments and record keeping (including collecting biological sampling data); providing a safe and secure environment at our premises (including monitoring body temperatures on Vale premises in the UK to prevent the spread of infectious diseases in the workplace); and compliance with related legal obligations.

The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment, social security or social protection law); or
We have a legitimate interest in carrying out the Processing for the purpose of ensuring a safe environment at our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
The Processing is necessary to protect the vital interests of any individual; or
The Processing is necessary for reasons of public interest in the area of public health; or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Financial management: sales; finance; corporate audit; and vendor management.

We have a legitimate interest in carrying out the Processing for the purpose of managing and operating the financial affairs of our business (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Vendor management: collating supplier data for background and compliance checks.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of performing background and compliance checks (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Surveys: engaging with you for the purposes of obtaining your views on our websites, our apps, our products, or our services.

We have a legitimate interest in carrying out the Processing for the purpose of conducting surveys, satisfaction reports and market research (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Security: physical security of our premises (including records of visits to our premises); CCTV recordings; and electronic security (including login records and access details).

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of ensuring the physical and electronic security of our business and our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Investigations: detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of detecting, and protecting against, breaches of our policies and applicable laws (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Legal compliance: compliance with our legal and regulatory obligations under applicable law.

The Processing is necessary for compliance with a legal obligation.

Improving our websites, apps, products, and services: identifying issues with our websites, our apps, our products, or our services; planning improvements to our websites, our apps, our products, or our services; and creating new websites, apps, products, or services.

We have a legitimate interest in carrying out the Processing for the purpose of improving our websites, our apps, our products, or our services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Establishment, exercise and defence of legal claims: management of legal claims; establishment of facts and claims, including collection, review and production of documents, facts, evidence and witness statements; and exercise and defence of legal rights and claims, including formal legal proceedings.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of establishing, exercising or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
The Processing is necessary for the establishment, exercise or defence of legal claims.

Recruitment and job applications: recruitment activities; advertising of positions; interview activities; verifying information provided to us; analysis of suitability for the relevant position; records of hiring decisions; offer details; performing background checks; accommodations as part of the recruitment process; and acceptance details.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment law); or
We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities and handling job applications (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Future opportunities: maintaining databases of unsuccessful candidates; advertising new roles; and invitations to future events.

We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

How does Vale share personal data?

1. Sharing with third-parties:

you and, where appropriate, your appointed representatives;
legal and regulatory authorities, upon request, or for the purposes of reporting any actual or suspected breach of applicable law or regulation;
accountants, auditors, consultants, lawyers and other outside professional advisors to Vale, subject to binding contractual obligations of confidentiality;
third-party Processors (such as payment services providers; recruiters; pre-employment screenings services etc.), located anywhere in the world (subject to the requirements noted below);
any relevant party, regulatory body, governmental authority, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal claims;
any relevant party, regulatory body, governmental authority, law enforcement agency or court, for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
any relevant third party acquirer(s) or successor(s) in title, in the event that we sell or transfer all or any relevant portion of our business or assets (including in the event of a reorganization, dissolution or liquidation); andany relevant third party provider, where our websites and our apps use third party advertising, plugins or content. If you choose to interact with any such advertising, plugins or content, your Personal Data may be shared with the relevant third party provider. We recommend that you review that third party’s privacy policy before interacting with its advertising, plugins or content.
If we engage a third-party Processor to Process your Personal Data, the Processor will be subject to binding contractual obligations to: (i) only Process the Personal Data in accordance with our prior written instructions; and (ii) use measures to protect the confidentiality and security of the Personal Data, together with any additional requirements under applicable law.

2. International data transfer:

Because of the international nature of our business, we transfer Personal Data within the Vale group, and to the third-parties set out above under the sub-heading entitled “Sharing with third-parties”. Recipients of Personal Data we transfer may be located in all countries where the Vale group is present but in other countries globally as well. For this reason, we transfer Personal Data to other countries that may have different legal requirements and data protection compliance requirements to those that apply in the country in which you are located or in which you disclosed your Personal Data to us. We may transfer your Personal Data to the following jurisdictions in particular but also other jurisdictions globally where third-party recipients or their service providers are located:
Argentina;
Australia;
Brazil;
Canada;
Chile;
China;
India;
Indonesia;
Japa;
Malaysia;
Oman;
Peru; and
Singapore.

Which are the data subject’s rights in relation to its personal data?

Subject to applicable law, data subjects may have the following rights regarding the Processing of their Personal Data:

the right to request access to, or copies of, Personal Data, together with information regarding the nature, Processing and disclosure of Personal Data;
the right to request rectification to any inaccuracies in Personal Data;
the right to request, on legitimate grounds erasure of Personal Data or restriction of Processing of Personal Data;
the right to request portability of Personal Data to another controller, in a structured, commonly used and machine-readable format, to the extent applicable;
where we Process Personal Data on the basis of your consent, the right to withdraw consent given, at any time, upon the express request of the data subject (noting that such withdrawal does not affect the lawfulness of any Processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the Processing of your Personal Data in reliance upon any other available legal bases); and
the right to lodge complaints regarding the Processing of Personal Data with a Data Protection Authority.

Subject to applicable law, you may also have the following additional rights regarding the Processing of your Personal Data:

the right to object, on grounds relating to your particular situation, to the Processing of your Personal Data by us or on our behalf, where such Processing is based on Articles 6(1)(e) (public interest) or 6(1)(f) (legitimate interests) of the GDPR / UK GDPR; and
the right to object to the Processing of your Personal Data by us or on our behalf for direct marketing purposes.

This does not affect your statutory rights.

Please note that:

in some cases it will be necessary to provide evidence of your identity before we can give effect to these rights; and
where your request requires the establishment of additional facts (e.g., a determination of whether any Processing is non-compliant with applicable law) we will investigate your request reasonably promptly, before deciding what action to take.

How does Vale secure personal data?

In the event of deletion of Personal Data, the process is carried out safely, in line with the appropriate technical measures, in order to ensure that the deleted Personal Data cannot be recovered.

Data accuracy

We take every reasonable step to ensure that:

your Personal Data that we Process is accurate and, where necessary, kept up to date; and
any of your Personal Data that we Process that is inaccurate (having regard to the purposes for which such Personal Data is Processed) is erased or rectified without delay.

From time to time we may ask you to confirm the accuracy of your Personal Data.

Data minimization

We take every reasonable step to ensure that your Personal Data that we Process is limited to the Personal Data reasonably necessary in connection with the purposes set out in this Privacy Notice.

For how long is Personal Data retained?

Sensitive Personal Data

Compliance with applicable law: We may Process your Sensitive Personal Data where the Processing is required or permitted by applicable law (e.g., to comply with our diversity reporting obligations);
Employment law: We may Process your Sensitive Personal Data where the Processing is necessary for the purposes of carrying out the obligations and exercising specific rights in the field of employment, social security and social protection law;
Detection and prevention of crime: We may Process your Sensitive Personal Data where the Processing is necessary for the detection or prevention of crime (e.g., the prevention of fraud);
Vital interests: We may Process your Sensitive Personal Data where the Processing is necessary to protect the vital interests of any individual; or
Vital interests: We may Process your Sensitive Personal Data where the Processing is necessary to protect the vital interests of any individual; or
Public health: We may Process your Sensitive Personal Data where the Processing is necessary for reasons of public interest in the area of public health (e.g., protecting against serious cross-border threats to health); or
Establishment, exercise or defence of legal claims: We may Process your Sensitive Personal Data where the Processing is necessary for the establishment, exercise or defence of legal claims; or
Consent: We may Process your Sensitive Personal Data where we have, in accordance with applicable law, obtained your express consent prior to Processing your Sensitive Personal Data (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Communication Channel

To contact Vale's privacy team and Vale’s Data Protection Officer (“DPO”), use the form below or send an email to dpo@vale.com or to breach@logicdocument.com (if you are located in UK).

Details of Controllers

For the purposes of this Privacy Notice, the relevant Controllers are:

Controller entity

Contact details

Vale S.A.

Praia de Botafogo, 186, Botafogo, Rio de Janeiro, Brazil; Data Privacy Department / privacy@vale.com

Vale Europe Limited

Vale Europe Limited – Suite 1, 3rd Floor, 11-12 St. Jame´s Square, London, United Kingdom, SW1Y 4LB; Data Privacy Department / breach@logicdocument.com

Vale Holdings B.V.

Piet Heinkade 55, 1019 GM, Amsterdam, the Netherlands; Data Privacy Department / privacy@vale.com

Vale International SA

Route de Pallatex 29, 1162 Saint-Prex, Switzerland; Data Privacy Department / privacy@vale.com

Definitions

“Cookie” means a small file that is placed on your device when you visit a website (including our websites). In this Privacy Notice, a reference to a “cookie” includes analogous technologies such as web beacons and clear GIFs;
“Controller” means the entity that decides how and why Personal Data is Processed. In many jurisdictions, the controller has primary responsibility for complying with applicable data protection laws;
“Data Protection Authority” means an independent public authority that is legally tasked with overseeing compliance with applicable data protection laws;
“EEA” means the European Economic Area;
“GDPR” means the General Data Protection Regulation (EU) 2016/679;
“Personal Data” means information that is about any individual, or from which any individual is directly or indirectly identifiable, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual; provided, however, that where applicable data protection law protects legal entities as data subjects “Personal Data” will be deemed to include information relating to legal entities;
“Process”, “Processing” or “Processed” means anything that is done with any Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Processor” means any person or entity that Processes Personal Data on behalf of the Controller (other than employees of the Controller);
“Sensitive Personal Data” means Personal Data about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, biometric data, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, national identification number, or any other information that are deemed to be sensitive under applicable law;
“Standard Contractual Clauses” means template transfer clauses adopted by the European Commission or adopted by a Data Protection Authority and approved by the European Commission, or the UK Government; and
“UK GDPR” means the UK’s equivalent of the GDPR.

Europe

What personal data is covered?

We may process the following categories of Personal Data about you:

Personal details: given name(s); preferred name; photograph; details of representative; curriculum vitae / résumés and/or applications; passport number (where applicable); and work permit or visa number (where applicable).
Demographic information: gender; date of birth / age; nationality; salutation; title; and language preferences.
Contact details: correspondence address; shipping address; telephone number; email address; details of personal assistants, where applicable; messenger app details; online messaging details; and social media details.
Expertise: records of your expertise, curriculum vitae / résumés, professional history, education history, practising details and qualification details; information about your experience, participation in meetings, seminars, advisory boards and conferences; salary expectations; referrals and references; information about your professional relationship with other individuals or institutions; and language abilities and other professional skills.
Background checks: details revealed by background checks conducted in accordance with applicable law and subject to your prior express written consent (where required, including details of past employment, details of residence, credit reference information, and criminal records checks.
Consthe date and time, means of consent and any related information (e.g., the subject matter of the consent).
Purchase details: records of purchases and prices; and consignee name, address, contact telephone number and email ent records: records of any consents you have given, together with address.
Payment details: invoice records; payment records; billing address; payment method; bank account number or credit card number; cardholder or accountholder name; card or account security details; card ‘valid from’ date; card expiry date; BACS details; SWIFT details; IBAN details; payment amount; payment date; and records of cheques.
Data relating to our websites and apps: device type; operating system; browser type; browser settings; IP address; language settings; dates and times of connecting to a website; app usage statistics; app settings; dates and times of connecting to an app; location data, and other technical communications information (some of which may constitute Personal Data); password; security login details; usage data; and aggregate statistical information.
Employer details: where you interact with us in your capacity as an employee of a third party, the name, address, telephone number and email address of your employer, to the extent relevant.
Content and advertising data: records of your interactions with our online advertising and content; and records of advertising and content displayed on pages or app screens displayed to you.
Views and opinions: any views and opinions that you choose to send to us, or publicly post about us on social media platforms.
Biometric and health data: biometric data and data about your health (including health information to monitor the spread of infectious diseases in the workplace and biological sampling data); and (if disclosed) any special needs or health condition and information relating to accommodations that you may request during the recruitment process.

In what services does Vale collect personal data?

We collect or obtain Personal Data about you from the following sources:

Data provided to us: We obtain Personal Data when those data are provided to us (e.g., where you contact us via email or telephone, or by any other means, or when you provide us with your business card, or when you submit a job application).
Data we obtain in person: We obtain Personal Data during meetings, at trade shows, during visits from sales or marketing representatives, or at events we attend.
Collaborations: We obtain Personal Data when you collaborate with us in research or in an advisory / consultancy capacity.
Relationship data: We collect or obtain Personal Data in the ordinary course of our relationship with you (e.g., we provide a service to you, or to your employer).
Data you make public: We collect or obtain Personal Data that you manifestly choose to make public, including via social media (e.g., we may collect information from your social media profile(s), if you make a public post about us).
App data: We collect or obtain Personal Data when you download or use any of our apps.
Website data: We collect or obtain Personal Data when you visit any of our websites or use any features or resources available on or through a website.
Registration details: We collect or obtain Personal Data when you use, or register to use, any of our websites, apps, products, or services.
Content and advertising information: If you interact with any third party content or advertising on a website or in an app (including third party plugins and Cookies) we receive Personal Data from the relevant third party provider of that content or advertising.
Third party information: We collect or obtain Personal Data from third parties who provide it to us (e.g., credit reference agencies; law enforcement authorities; recruiters; previous employers, referees, entities conducting background checks etc.).

Creation of Personal Data

More information regarding the use of this data can be found in the specific terms of each service, available on their respective platforms.

What is the purpose of collection and processing of personal data?

Processing activity	Legal basis for Processing
Provision of websites, apps, products, and services: providing our websites, apps, products, or services; providing promotional items upon request; and communicating with you in relation to those websites, apps, products, or services.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, apps, products, or services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Operating our business: operating and managing our websites, our apps, our products, and our services; providing content to you; displaying advertising and other information to you; communicating and interacting with you via our websites, our apps, our products, or our services; and notifying you of changes to any of our websites, our apps, our products, or our services.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, our apps, our products, or our services to you (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Communications and marketing: communicating with you via any means (including via email, telephone, text message, social media, post or in person) to provide news items and other information in which you may be interested, subject always to obtaining your prior opt-in consent to the extent required under applicable law; personalising our websites, products and services for you; maintaining and updating your contact information where appropriate; obtaining your prior, opt-in consent where required; and enabling and recording your choice to opt-out or unsubscribe, where applicable.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or We have a legitimate interest in carrying out the Processing for the purpose of contacting you, subject always to compliance with applicable law (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Management of IT systems: management and operation of our communications, IT and security systems; and audits (including security audits) and monitoring of such systems.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of managing and maintaining our communications and IT systems (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Health and safety: health and safety assessments and record keeping (including collecting biological sampling data); providing a safe and secure environment at our premises (including monitoring body temperatures on Vale premises in the UK to prevent the spread of infectious diseases in the workplace); and compliance with related legal obligations.	The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment, social security or social protection law); or We have a legitimate interest in carrying out the Processing for the purpose of ensuring a safe environment at our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or The Processing is necessary to protect the vital interests of any individual; or The Processing is necessary for reasons of public interest in the area of public health; or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Financial management: sales; finance; corporate audit; and vendor management.	We have a legitimate interest in carrying out the Processing for the purpose of managing and operating the financial affairs of our business (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Vendor management: collating supplier data for background and compliance checks.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of performing background and compliance checks (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Surveys: engaging with you for the purposes of obtaining your views on our websites, our apps, our products, or our services.	We have a legitimate interest in carrying out the Processing for the purpose of conducting surveys, satisfaction reports and market research (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Security: physical security of our premises (including records of visits to our premises); CCTV recordings; and electronic security (including login records and access details).	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of ensuring the physical and electronic security of our business and our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Investigations: detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of detecting, and protecting against, breaches of our policies and applicable laws (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Legal compliance: compliance with our legal and regulatory obligations under applicable law.	The Processing is necessary for compliance with a legal obligation.
Improving our websites, apps, products, and services: identifying issues with our websites, our apps, our products, or our services; planning improvements to our websites, our apps, our products, or our services; and creating new websites, apps, products, or services.	We have a legitimate interest in carrying out the Processing for the purpose of improving our websites, our apps, our products, or our services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Establishment, exercise and defence of legal claims: management of legal claims; establishment of facts and claims, including collection, review and production of documents, facts, evidence and witness statements; and exercise and defence of legal rights and claims, including formal legal proceedings.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of establishing, exercising or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or The Processing is necessary for the establishment, exercise or defence of legal claims.
Recruitment and job applications: recruitment activities; advertising of positions; interview activities; verifying information provided to us; analysis of suitability for the relevant position; records of hiring decisions; offer details; performing background checks; accommodations as part of the recruitment process; and acceptance details.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment law); or We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities and handling job applications (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Future opportunities: maintaining databases of unsuccessful candidates; advertising new roles; and invitations to future events.	We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Processing activity

Legal basis for Processing

Provision of websites, apps, products, and services: providing our websites, apps, products, or services; providing promotional items upon request; and communicating with you in relation to those websites, apps, products, or services.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, apps, products, or services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Operating our business: operating and managing our websites, our apps, our products, and our services; providing content to you; displaying advertising and other information to you; communicating and interacting with you via our websites, our apps, our products, or our services; and notifying you of changes to any of our websites, our apps, our products, or our services.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, our apps, our products, or our services to you (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Communications and marketing: communicating with you via any means (including via email, telephone, text message, social media, post or in person) to provide news items and other information in which you may be interested, subject always to obtaining your prior opt-in consent to the extent required under applicable law; personalising our websites, products and services for you; maintaining and updating your contact information where appropriate; obtaining your prior, opt-in consent where required; and enabling and recording your choice to opt-out or unsubscribe, where applicable.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
We have a legitimate interest in carrying out the Processing for the purpose of contacting you, subject always to compliance with applicable law (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Management of IT systems: management and operation of our communications, IT and security systems; and audits (including security audits) and monitoring of such systems.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of managing and maintaining our communications and IT systems (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Health and safety: health and safety assessments and record keeping (including collecting biological sampling data); providing a safe and secure environment at our premises (including monitoring body temperatures on Vale premises in the UK to prevent the spread of infectious diseases in the workplace); and compliance with related legal obligations.

The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment, social security or social protection law); or
We have a legitimate interest in carrying out the Processing for the purpose of ensuring a safe environment at our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
The Processing is necessary to protect the vital interests of any individual; or
The Processing is necessary for reasons of public interest in the area of public health; or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Financial management: sales; finance; corporate audit; and vendor management.

We have a legitimate interest in carrying out the Processing for the purpose of managing and operating the financial affairs of our business (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Vendor management: collating supplier data for background and compliance checks.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of performing background and compliance checks (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Surveys: engaging with you for the purposes of obtaining your views on our websites, our apps, our products, or our services.

We have a legitimate interest in carrying out the Processing for the purpose of conducting surveys, satisfaction reports and market research (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Security: physical security of our premises (including records of visits to our premises); CCTV recordings; and electronic security (including login records and access details).

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of ensuring the physical and electronic security of our business and our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Investigations: detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of detecting, and protecting against, breaches of our policies and applicable laws (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Legal compliance: compliance with our legal and regulatory obligations under applicable law.

The Processing is necessary for compliance with a legal obligation.

Improving our websites, apps, products, and services: identifying issues with our websites, our apps, our products, or our services; planning improvements to our websites, our apps, our products, or our services; and creating new websites, apps, products, or services.

We have a legitimate interest in carrying out the Processing for the purpose of improving our websites, our apps, our products, or our services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Establishment, exercise and defence of legal claims: management of legal claims; establishment of facts and claims, including collection, review and production of documents, facts, evidence and witness statements; and exercise and defence of legal rights and claims, including formal legal proceedings.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of establishing, exercising or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
The Processing is necessary for the establishment, exercise or defence of legal claims.

Recruitment and job applications: recruitment activities; advertising of positions; interview activities; verifying information provided to us; analysis of suitability for the relevant position; records of hiring decisions; offer details; performing background checks; accommodations as part of the recruitment process; and acceptance details.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment law); or
We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities and handling job applications (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Future opportunities: maintaining databases of unsuccessful candidates; advertising new roles; and invitations to future events.

We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

How does Vale share personal data?

1. Sharing with third-parties:

you and, where appropriate, your appointed representatives;
legal and regulatory authorities, upon request, or for the purposes of reporting any actual or suspected breach of applicable law or regulation;
accountants, auditors, consultants, lawyers and other outside professional advisors to Vale, subject to binding contractual obligations of confidentiality;
third-party Processors (such as payment services providers; recruiters; pre-employment screenings services etc.), located anywhere in the world (subject to the requirements noted below);
any relevant party, regulatory body, governmental authority, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal claims;
any relevant party, regulatory body, governmental authority, law enforcement agency or court, for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
any relevant third party acquirer(s) or successor(s) in title, in the event that we sell or transfer all or any relevant portion of our business or assets (including in the event of a reorganization, dissolution or liquidation); andany relevant third party provider, where our websites and our apps use third party advertising, plugins or content. If you choose to interact with any such advertising, plugins or content, your Personal Data may be shared with the relevant third party provider. We recommend that you review that third party’s privacy policy before interacting with its advertising, plugins or content.
If we engage a third-party Processor to Process your Personal Data, the Processor will be subject to binding contractual obligations to: (i) only Process the Personal Data in accordance with our prior written instructions; and (ii) use measures to protect the confidentiality and security of the Personal Data, together with any additional requirements under applicable law.

2. International data transfer:

Because of the international nature of our business, we transfer Personal Data within the Vale group, and to the third-parties set out above under the sub-heading entitled “Sharing with third-parties”. Recipients of Personal Data we transfer may be located in all countries where the Vale group is present but in other countries globally as well. For this reason, we transfer Personal Data to other countries that may have different legal requirements and data protection compliance requirements to those that apply in the country in which you are located or in which you disclosed your Personal Data to us. We may transfer your Personal Data to the following jurisdictions in particular but also other jurisdictions globally where third-party recipients or their service providers are located:
Argentina;
Australia;
Brazil;
Canada;
Chile;
China;
India;
Indonesia;
Japa;
Malaysia;
Oman;
Peru; and
Singapore.

Which are the data subject’s rights in relation to its personal data?

Subject to applicable law, data subjects may have the following rights regarding the Processing of their Personal Data:

the right to request access to, or copies of, Personal Data, together with information regarding the nature, Processing and disclosure of Personal Data;
the right to request rectification to any inaccuracies in Personal Data;
the right to request, on legitimate grounds erasure of Personal Data or restriction of Processing of Personal Data;
the right to request portability of Personal Data to another controller, in a structured, commonly used and machine-readable format, to the extent applicable;
where we Process Personal Data on the basis of your consent, the right to withdraw consent given, at any time, upon the express request of the data subject (noting that such withdrawal does not affect the lawfulness of any Processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the Processing of your Personal Data in reliance upon any other available legal bases); and
the right to lodge complaints regarding the Processing of Personal Data with a Data Protection Authority.

Subject to applicable law, you may also have the following additional rights regarding the Processing of your Personal Data:

the right to object, on grounds relating to your particular situation, to the Processing of your Personal Data by us or on our behalf, where such Processing is based on Articles 6(1)(e) (public interest) or 6(1)(f) (legitimate interests) of the GDPR / UK GDPR; and
the right to object to the Processing of your Personal Data by us or on our behalf for direct marketing purposes.

This does not affect your statutory rights.

Please note that:

in some cases it will be necessary to provide evidence of your identity before we can give effect to these rights; and
where your request requires the establishment of additional facts (e.g., a determination of whether any Processing is non-compliant with applicable law) we will investigate your request reasonably promptly, before deciding what action to take.

How does Vale secure personal data?

In the event of deletion of Personal Data, the process is carried out safely, in line with the appropriate technical measures, in order to ensure that the deleted Personal Data cannot be recovered.

Data accuracy

We take every reasonable step to ensure that:

your Personal Data that we Process is accurate and, where necessary, kept up to date; and
any of your Personal Data that we Process that is inaccurate (having regard to the purposes for which such Personal Data is Processed) is erased or rectified without delay.

From time to time we may ask you to confirm the accuracy of your Personal Data.

Data minimization

We take every reasonable step to ensure that your Personal Data that we Process is limited to the Personal Data reasonably necessary in connection with the purposes set out in this Privacy Notice.

For how long is Personal Data retained?

Sensitive Personal Data

Compliance with applicable law: We may Process your Sensitive Personal Data where the Processing is required or permitted by applicable law (e.g., to comply with our diversity reporting obligations);
Employment law: We may Process your Sensitive Personal Data where the Processing is necessary for the purposes of carrying out the obligations and exercising specific rights in the field of employment, social security and social protection law;
Detection and prevention of crime: We may Process your Sensitive Personal Data where the Processing is necessary for the detection or prevention of crime (e.g., the prevention of fraud);
Vital interests: We may Process your Sensitive Personal Data where the Processing is necessary to protect the vital interests of any individual; or
Vital interests: We may Process your Sensitive Personal Data where the Processing is necessary to protect the vital interests of any individual; or
Public health: We may Process your Sensitive Personal Data where the Processing is necessary for reasons of public interest in the area of public health (e.g., protecting against serious cross-border threats to health); or
Establishment, exercise or defence of legal claims: We may Process your Sensitive Personal Data where the Processing is necessary for the establishment, exercise or defence of legal claims; or
Consent: We may Process your Sensitive Personal Data where we have, in accordance with applicable law, obtained your express consent prior to Processing your Sensitive Personal Data (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Communication Channel

To contact Vale's privacy team and Vale’s Data Protection Officer (“DPO”), use the form below or send an email to dpo@vale.com or to breach@logicdocument.com (if you are located in UK).

Details of Controllers

For the purposes of this Privacy Notice, the relevant Controllers are:

Controller entity

Contact details

Vale S.A.

Praia de Botafogo, 186, Botafogo, Rio de Janeiro, Brazil; Data Privacy Department / privacy@vale.com

Vale Europe Limited

Vale Europe Limited – Suite 1, 3rd Floor, 11-12 St. Jame´s Square, London, United Kingdom, SW1Y 4LB; Data Privacy Department / breach@logicdocument.com

Vale Holdings B.V.

Piet Heinkade 55, 1019 GM, Amsterdam, the Netherlands; Data Privacy Department / privacy@vale.com

Vale International SA

Route de Pallatex 29, 1162 Saint-Prex, Switzerland; Data Privacy Department / privacy@vale.com

Definitions

“Cookie” means a small file that is placed on your device when you visit a website (including our websites). In this Privacy Notice, a reference to a “cookie” includes analogous technologies such as web beacons and clear GIFs;
“Controller” means the entity that decides how and why Personal Data is Processed. In many jurisdictions, the controller has primary responsibility for complying with applicable data protection laws;
“Data Protection Authority” means an independent public authority that is legally tasked with overseeing compliance with applicable data protection laws;
“EEA” means the European Economic Area;
“GDPR” means the General Data Protection Regulation (EU) 2016/679;
“Personal Data” means information that is about any individual, or from which any individual is directly or indirectly identifiable, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual; provided, however, that where applicable data protection law protects legal entities as data subjects “Personal Data” will be deemed to include information relating to legal entities;
“Process”, “Processing” or “Processed” means anything that is done with any Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Processor” means any person or entity that Processes Personal Data on behalf of the Controller (other than employees of the Controller);
“Sensitive Personal Data” means Personal Data about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, biometric data, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, national identification number, or any other information that are deemed to be sensitive under applicable law;
“Standard Contractual Clauses” means template transfer clauses adopted by the European Commission or adopted by a Data Protection Authority and approved by the European Commission, or the UK Government; and
“UK GDPR” means the UK’s equivalent of the GDPR.

Privacy communication Channel

To exercise your rights as a personal data owner or to ask questions regarding personal data privacy at Vale, use the form below.
Your message will be analyzed by Vale’s Privacy Area and we will email you from privacy@vale.com.

Click here

To directly contact Vale’s Data Protection Officer, email dpo@vale.com.

For subjects not related to personal data privacy, use our Contact Us channel.

External privacy notice

Brazil

What personal data is covered?

Vale process personal data, which are those that can identify or allow a natural person identifiable.

More information regarding the use of this data can be found in the specific terms of each service, available on their respective platforms.

In what services does Vale collect personal data?

Personal data are collected for the performance of services, such as:

Passenger Train Services;
Newsroom;
Aerovale;
Visiting Vale;
Ethics and Conduct Office;
Access to Vale’s sites;
On-site help centers;
Assistance to communities.

What is the purpose of collection and processing of personal data?

Get in touch when offering our services;
Browsing our websites and applications safely;
To better target the content of our sites;
To be able to perform our services, receive and make payments and aid; or
For carrying out regular activities with users of Vale’s services.

More information on the purposes and legal basis for collecting and processing personal data can be found in the specific terms of each service, available on their respective platforms.

How does Vale shares personal data?

Sharing with third-parties:

International data transfer:

Which are the data subject’s rights in relation to its personal data?

Data subjects have the following rights related to its personal data, to the extent that such rights are recognized by applicable laws:

Processing confirmation: confirmation as to whether or not Personal Data concerning the relevant data subject are being processed;
Access to data: access to data collected by Vale, except for cases of trade secret protection and industry;
Data rectification: request to correct incomplete, outdated or erroneous information;
Anonymization and suspension: anonymization and suspension of personal data considered unnecessary, excessive or processed in non-compliance with the provisions of the applicable legislation. Anonymization will take place considering the use of reasonable and available technical means when processing data;
Portability: portability of personal data to another product supplier or service provider upon express request. Vale and its subsidiaries reserve the right to deny portability in case of personal data that could compromise their commercial and industrial secrets.
Information on data sharing: information to the data subject about personal data that is shared with public and private entities;
Consent Revocation: revocation of the consent given, at any time, upon the express request of the data subject. The revocation procedure will always free and facilitated.
Elimination: personal data will be eliminated at the end of its purpose or if the data subject expresses its intent to revoke its consent to carry out that processing. Subject to local legal requirements, Vale may keep personal data if: (i) it is legally obliged to keep them, (ii) for compliance with laws and / or regulations that so determine; (iii) needs the data to establish, exercise or defend legal claims; and (iii) need to maintain control of the data for public health reasons.

It is possible to exercise these rights by contacting us using the form found at the bottom of this page.

How does Vale secures personal data?

In the event of deletion of personal data, the process is carried out safely, in line with the appropriate technical measures, in order to ensure that the deleted personal data cannot be recovered.

For how long data is being retained?

External privacy notice

Europe

External privacy notice

What personal data is covered?

We may process the following categories of Personal Data about you:

Personal details: given name(s); preferred name; photograph; details of representative; curriculum vitae / résumés and/or applications; passport number (where applicable); and work permit or visa number (where applicable).
Demographic information: gender; date of birth / age; nationality; salutation; title; and language preferences.
Contact details: correspondence address; shipping address; telephone number; email address; details of personal assistants, where applicable; messenger app details; online messaging details; and social media details.
Expertise: records of your expertise, curriculum vitae / résumés, professional history, education history, practising details and qualification details; information about your experience, participation in meetings, seminars, advisory boards and conferences; salary expectations; referrals and references; information about your professional relationship with other individuals or institutions; and language abilities and other professional skills.
Background checks: details revealed by background checks conducted in accordance with applicable law and subject to your prior express written consent (where required, including details of past employment, details of residence, credit reference information, and criminal records checks.
Consthe date and time, means of consent and any related information (e.g., the subject matter of the consent).
Purchase details: records of purchases and prices; and consignee name, address, contact telephone number and email ent records: records of any consents you have given, together with address.
Payment details: invoice records; payment records; billing address; payment method; bank account number or credit card number; cardholder or accountholder name; card or account security details; card ‘valid from’ date; card expiry date; BACS details; SWIFT details; IBAN details; payment amount; payment date; and records of cheques.
Data relating to our websites and apps: device type; operating system; browser type; browser settings; IP address; language settings; dates and times of connecting to a website; app usage statistics; app settings; dates and times of connecting to an app; location data, and other technical communications information (some of which may constitute Personal Data); password; security login details; usage data; and aggregate statistical information.
Employer details: where you interact with us in your capacity as an employee of a third party, the name, address, telephone number and email address of your employer, to the extent relevant.
Content and advertising data: records of your interactions with our online advertising and content; and records of advertising and content displayed on pages or app screens displayed to you.
Views and opinions: any views and opinions that you choose to send to us, or publicly post about us on social media platforms.
Biometric and health data: biometric data and data about your health (including health information to monitor the spread of infectious diseases in the workplace and biological sampling data); and (if disclosed) any special needs or health condition and information relating to accommodations that you may request during the recruitment process.

In what services does Vale collect personal data?

We collect or obtain Personal Data about you from the following sources:

Data provided to us: We obtain Personal Data when those data are provided to us (e.g., where you contact us via email or telephone, or by any other means, or when you provide us with your business card, or when you submit a job application).
Data we obtain in person: We obtain Personal Data during meetings, at trade shows, during visits from sales or marketing representatives, or at events we attend.
Collaborations: We obtain Personal Data when you collaborate with us in research or in an advisory / consultancy capacity.
Relationship data: We collect or obtain Personal Data in the ordinary course of our relationship with you (e.g., we provide a service to you, or to your employer).
Data you make public: We collect or obtain Personal Data that you manifestly choose to make public, including via social media (e.g., we may collect information from your social media profile(s), if you make a public post about us).
App data: We collect or obtain Personal Data when you download or use any of our apps.
Website data: We collect or obtain Personal Data when you visit any of our websites or use any features or resources available on or through a website.
Registration details: We collect or obtain Personal Data when you use, or register to use, any of our websites, apps, products, or services.
Content and advertising information: If you interact with any third party content or advertising on a website or in an app (including third party plugins and Cookies) we receive Personal Data from the relevant third party provider of that content or advertising.
Third party information: We collect or obtain Personal Data from third parties who provide it to us (e.g., credit reference agencies; law enforcement authorities; recruiters; previous employers, referees, entities conducting background checks etc.).

Creation of Personal Data

More information regarding the use of this data can be found in the specific terms of each service, available on their respective platforms.

What is the purpose of collection and processing of personal data?

Processing activity	Legal basis for Processing
Provision of websites, apps, products, and services: providing our websites, apps, products, or services; providing promotional items upon request; and communicating with you in relation to those websites, apps, products, or services.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, apps, products, or services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Operating our business: operating and managing our websites, our apps, our products, and our services; providing content to you; displaying advertising and other information to you; communicating and interacting with you via our websites, our apps, our products, or our services; and notifying you of changes to any of our websites, our apps, our products, or our services.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, our apps, our products, or our services to you (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Communications and marketing: communicating with you via any means (including via email, telephone, text message, social media, post or in person) to provide news items and other information in which you may be interested, subject always to obtaining your prior opt-in consent to the extent required under applicable law; personalising our websites, products and services for you; maintaining and updating your contact information where appropriate; obtaining your prior, opt-in consent where required; and enabling and recording your choice to opt-out or unsubscribe, where applicable.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or We have a legitimate interest in carrying out the Processing for the purpose of contacting you, subject always to compliance with applicable law (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Management of IT systems: management and operation of our communications, IT and security systems; and audits (including security audits) and monitoring of such systems.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of managing and maintaining our communications and IT systems (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Health and safety: health and safety assessments and record keeping (including collecting biological sampling data); providing a safe and secure environment at our premises (including monitoring body temperatures on Vale premises in the UK to prevent the spread of infectious diseases in the workplace); and compliance with related legal obligations.	The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment, social security or social protection law); or We have a legitimate interest in carrying out the Processing for the purpose of ensuring a safe environment at our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or The Processing is necessary to protect the vital interests of any individual; or The Processing is necessary for reasons of public interest in the area of public health; or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Financial management: sales; finance; corporate audit; and vendor management.	We have a legitimate interest in carrying out the Processing for the purpose of managing and operating the financial affairs of our business (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Vendor management: collating supplier data for background and compliance checks.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of performing background and compliance checks (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Surveys: engaging with you for the purposes of obtaining your views on our websites, our apps, our products, or our services.	We have a legitimate interest in carrying out the Processing for the purpose of conducting surveys, satisfaction reports and market research (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Security: physical security of our premises (including records of visits to our premises); CCTV recordings; and electronic security (including login records and access details).	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of ensuring the physical and electronic security of our business and our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Investigations: detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of detecting, and protecting against, breaches of our policies and applicable laws (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Legal compliance: compliance with our legal and regulatory obligations under applicable law.	The Processing is necessary for compliance with a legal obligation.
Improving our websites, apps, products, and services: identifying issues with our websites, our apps, our products, or our services; planning improvements to our websites, our apps, our products, or our services; and creating new websites, apps, products, or services.	We have a legitimate interest in carrying out the Processing for the purpose of improving our websites, our apps, our products, or our services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Establishment, exercise and defence of legal claims: management of legal claims; establishment of facts and claims, including collection, review and production of documents, facts, evidence and witness statements; and exercise and defence of legal rights and claims, including formal legal proceedings.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of establishing, exercising or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or The Processing is necessary for the establishment, exercise or defence of legal claims.
Recruitment and job applications: recruitment activities; advertising of positions; interview activities; verifying information provided to us; analysis of suitability for the relevant position; records of hiring decisions; offer details; performing background checks; accommodations as part of the recruitment process; and acceptance details.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment law); or We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities and handling job applications (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Future opportunities: maintaining databases of unsuccessful candidates; advertising new roles; and invitations to future events.	We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Processing activity

Legal basis for Processing

Provision of websites, apps, products, and services: providing our websites, apps, products, or services; providing promotional items upon request; and communicating with you in relation to those websites, apps, products, or services.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, apps, products, or services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Operating our business: operating and managing our websites, our apps, our products, and our services; providing content to you; displaying advertising and other information to you; communicating and interacting with you via our websites, our apps, our products, or our services; and notifying you of changes to any of our websites, our apps, our products, or our services.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, our apps, our products, or our services to you (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Communications and marketing: communicating with you via any means (including via email, telephone, text message, social media, post or in person) to provide news items and other information in which you may be interested, subject always to obtaining your prior opt-in consent to the extent required under applicable law; personalising our websites, products and services for you; maintaining and updating your contact information where appropriate; obtaining your prior, opt-in consent where required; and enabling and recording your choice to opt-out or unsubscribe, where applicable.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
We have a legitimate interest in carrying out the Processing for the purpose of contacting you, subject always to compliance with applicable law (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Management of IT systems: management and operation of our communications, IT and security systems; and audits (including security audits) and monitoring of such systems.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of managing and maintaining our communications and IT systems (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Health and safety: health and safety assessments and record keeping (including collecting biological sampling data); providing a safe and secure environment at our premises (including monitoring body temperatures on Vale premises in the UK to prevent the spread of infectious diseases in the workplace); and compliance with related legal obligations.

The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment, social security or social protection law); or
We have a legitimate interest in carrying out the Processing for the purpose of ensuring a safe environment at our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
The Processing is necessary to protect the vital interests of any individual; or
The Processing is necessary for reasons of public interest in the area of public health; or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Financial management: sales; finance; corporate audit; and vendor management.

We have a legitimate interest in carrying out the Processing for the purpose of managing and operating the financial affairs of our business (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Vendor management: collating supplier data for background and compliance checks.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of performing background and compliance checks (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Surveys: engaging with you for the purposes of obtaining your views on our websites, our apps, our products, or our services.

We have a legitimate interest in carrying out the Processing for the purpose of conducting surveys, satisfaction reports and market research (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Security: physical security of our premises (including records of visits to our premises); CCTV recordings; and electronic security (including login records and access details).

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of ensuring the physical and electronic security of our business and our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Investigations: detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of detecting, and protecting against, breaches of our policies and applicable laws (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Legal compliance: compliance with our legal and regulatory obligations under applicable law.

The Processing is necessary for compliance with a legal obligation.

Improving our websites, apps, products, and services: identifying issues with our websites, our apps, our products, or our services; planning improvements to our websites, our apps, our products, or our services; and creating new websites, apps, products, or services.

We have a legitimate interest in carrying out the Processing for the purpose of improving our websites, our apps, our products, or our services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Establishment, exercise and defence of legal claims: management of legal claims; establishment of facts and claims, including collection, review and production of documents, facts, evidence and witness statements; and exercise and defence of legal rights and claims, including formal legal proceedings.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of establishing, exercising or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
The Processing is necessary for the establishment, exercise or defence of legal claims.

Recruitment and job applications: recruitment activities; advertising of positions; interview activities; verifying information provided to us; analysis of suitability for the relevant position; records of hiring decisions; offer details; performing background checks; accommodations as part of the recruitment process; and acceptance details.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment law); or
We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities and handling job applications (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Future opportunities: maintaining databases of unsuccessful candidates; advertising new roles; and invitations to future events.

We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

How does Vale share personal data?

1. Sharing with third-parties:

you and, where appropriate, your appointed representatives;
legal and regulatory authorities, upon request, or for the purposes of reporting any actual or suspected breach of applicable law or regulation;
accountants, auditors, consultants, lawyers and other outside professional advisors to Vale, subject to binding contractual obligations of confidentiality;
third-party Processors (such as payment services providers; recruiters; pre-employment screenings services etc.), located anywhere in the world (subject to the requirements noted below);
any relevant party, regulatory body, governmental authority, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal claims;
any relevant party, regulatory body, governmental authority, law enforcement agency or court, for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
any relevant third party acquirer(s) or successor(s) in title, in the event that we sell or transfer all or any relevant portion of our business or assets (including in the event of a reorganization, dissolution or liquidation); andany relevant third party provider, where our websites and our apps use third party advertising, plugins or content. If you choose to interact with any such advertising, plugins or content, your Personal Data may be shared with the relevant third party provider. We recommend that you review that third party’s privacy policy before interacting with its advertising, plugins or content.
If we engage a third-party Processor to Process your Personal Data, the Processor will be subject to binding contractual obligations to: (i) only Process the Personal Data in accordance with our prior written instructions; and (ii) use measures to protect the confidentiality and security of the Personal Data, together with any additional requirements under applicable law.

2. International data transfer:

Because of the international nature of our business, we transfer Personal Data within the Vale group, and to the third-parties set out above under the sub-heading entitled “Sharing with third-parties”. Recipients of Personal Data we transfer may be located in all countries where the Vale group is present but in other countries globally as well. For this reason, we transfer Personal Data to other countries that may have different legal requirements and data protection compliance requirements to those that apply in the country in which you are located or in which you disclosed your Personal Data to us. We may transfer your Personal Data to the following jurisdictions in particular but also other jurisdictions globally where third-party recipients or their service providers are located:
Argentina;
Australia;
Brazil;
Canada;
Chile;
China;
India;
Indonesia;
Japa;
Malaysia;
Oman;
Peru; and
Singapore.

Which are the data subject’s rights in relation to its personal data?

Subject to applicable law, data subjects may have the following rights regarding the Processing of their Personal Data:

the right to request access to, or copies of, Personal Data, together with information regarding the nature, Processing and disclosure of Personal Data;
the right to request rectification to any inaccuracies in Personal Data;
the right to request, on legitimate grounds erasure of Personal Data or restriction of Processing of Personal Data;
the right to request portability of Personal Data to another controller, in a structured, commonly used and machine-readable format, to the extent applicable;
where we Process Personal Data on the basis of your consent, the right to withdraw consent given, at any time, upon the express request of the data subject (noting that such withdrawal does not affect the lawfulness of any Processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the Processing of your Personal Data in reliance upon any other available legal bases); and
the right to lodge complaints regarding the Processing of Personal Data with a Data Protection Authority.

Subject to applicable law, you may also have the following additional rights regarding the Processing of your Personal Data:

the right to object, on grounds relating to your particular situation, to the Processing of your Personal Data by us or on our behalf, where such Processing is based on Articles 6(1)(e) (public interest) or 6(1)(f) (legitimate interests) of the GDPR / UK GDPR; and
the right to object to the Processing of your Personal Data by us or on our behalf for direct marketing purposes.

This does not affect your statutory rights.

Please note that:

in some cases it will be necessary to provide evidence of your identity before we can give effect to these rights; and
where your request requires the establishment of additional facts (e.g., a determination of whether any Processing is non-compliant with applicable law) we will investigate your request reasonably promptly, before deciding what action to take.

How does Vale secure personal data?

In the event of deletion of Personal Data, the process is carried out safely, in line with the appropriate technical measures, in order to ensure that the deleted Personal Data cannot be recovered.

Data accuracy

We take every reasonable step to ensure that:

your Personal Data that we Process is accurate and, where necessary, kept up to date; and
any of your Personal Data that we Process that is inaccurate (having regard to the purposes for which such Personal Data is Processed) is erased or rectified without delay.

From time to time we may ask you to confirm the accuracy of your Personal Data.

Data minimization

We take every reasonable step to ensure that your Personal Data that we Process is limited to the Personal Data reasonably necessary in connection with the purposes set out in this Privacy Notice.

For how long is Personal Data retained?

Sensitive Personal Data

Compliance with applicable law: We may Process your Sensitive Personal Data where the Processing is required or permitted by applicable law (e.g., to comply with our diversity reporting obligations);
Employment law: We may Process your Sensitive Personal Data where the Processing is necessary for the purposes of carrying out the obligations and exercising specific rights in the field of employment, social security and social protection law;
Detection and prevention of crime: We may Process your Sensitive Personal Data where the Processing is necessary for the detection or prevention of crime (e.g., the prevention of fraud);
Vital interests: We may Process your Sensitive Personal Data where the Processing is necessary to protect the vital interests of any individual; or
Vital interests: We may Process your Sensitive Personal Data where the Processing is necessary to protect the vital interests of any individual; or
Public health: We may Process your Sensitive Personal Data where the Processing is necessary for reasons of public interest in the area of public health (e.g., protecting against serious cross-border threats to health); or
Establishment, exercise or defence of legal claims: We may Process your Sensitive Personal Data where the Processing is necessary for the establishment, exercise or defence of legal claims; or
Consent: We may Process your Sensitive Personal Data where we have, in accordance with applicable law, obtained your express consent prior to Processing your Sensitive Personal Data (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Communication Channel

To contact Vale's privacy team and Vale’s Data Protection Officer (“DPO”), use the form below or send an email to dpo@vale.com or to breach@logicdocument.com (if you are located in UK).

Details of Controllers

For the purposes of this Privacy Notice, the relevant Controllers are:

Controller entity

Contact details

Vale S.A.

Praia de Botafogo, 186, Botafogo, Rio de Janeiro, Brazil; Data Privacy Department / privacy@vale.com

Vale Europe Limited

Vale Europe Limited – Suite 1, 3rd Floor, 11-12 St. Jame´s Square, London, United Kingdom, SW1Y 4LB; Data Privacy Department / breach@logicdocument.com

Vale Holdings B.V.

Piet Heinkade 55, 1019 GM, Amsterdam, the Netherlands; Data Privacy Department / privacy@vale.com

Vale International SA

Route de Pallatex 29, 1162 Saint-Prex, Switzerland; Data Privacy Department / privacy@vale.com

Definitions

“Cookie” means a small file that is placed on your device when you visit a website (including our websites). In this Privacy Notice, a reference to a “cookie” includes analogous technologies such as web beacons and clear GIFs;
“Controller” means the entity that decides how and why Personal Data is Processed. In many jurisdictions, the controller has primary responsibility for complying with applicable data protection laws;
“Data Protection Authority” means an independent public authority that is legally tasked with overseeing compliance with applicable data protection laws;
“EEA” means the European Economic Area;
“GDPR” means the General Data Protection Regulation (EU) 2016/679;
“Personal Data” means information that is about any individual, or from which any individual is directly or indirectly identifiable, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual; provided, however, that where applicable data protection law protects legal entities as data subjects “Personal Data” will be deemed to include information relating to legal entities;
“Process”, “Processing” or “Processed” means anything that is done with any Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Processor” means any person or entity that Processes Personal Data on behalf of the Controller (other than employees of the Controller);
“Sensitive Personal Data” means Personal Data about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, biometric data, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, national identification number, or any other information that are deemed to be sensitive under applicable law;
“Standard Contractual Clauses” means template transfer clauses adopted by the European Commission or adopted by a Data Protection Authority and approved by the European Commission, or the UK Government; and
“UK GDPR” means the UK’s equivalent of the GDPR.

China

External privacy notice

What personal data is covered?

We may process the following categories of Personal Data about you:

Personal details: given name(s); preferred name; photograph; details of representative; curriculum vitae / résumés and/or applications; passport number (where applicable); and work permit or visa number (where applicable).
Demographic information: gender; date of birth / age; nationality; salutation; title; and language preferences.
Contact details: correspondence address; shipping address; telephone number; email address; details of personal assistants, where applicable; messenger app details; online messaging details; and social media details.
Expertise: records of your expertise, curriculum vitae / résumés, professional history, education history, practising details and qualification details; information about your experience, participation in meetings, seminars, advisory boards and conferences; salary expectations; referrals and references; information about your professional relationship with other individuals or institutions; and language abilities and other professional skills.
Background checks: details revealed by background checks conducted in accordance with applicable law and subject to your prior express written consent (where required, including details of past employment, details of residence, credit reference information, and criminal records checks.
Consthe date and time, means of consent and any related information (e.g., the subject matter of the consent).
Purchase details: records of purchases and prices; and consignee name, address, contact telephone number and email ent records: records of any consents you have given, together with address.
Payment details: invoice records; payment records; billing address; payment method; bank account number or credit card number; cardholder or accountholder name; card or account security details; card ‘valid from’ date; card expiry date; BACS details; SWIFT details; IBAN details; payment amount; payment date; and records of cheques.
Data relating to our websites and apps: device type; operating system; browser type; browser settings; IP address; language settings; dates and times of connecting to a website; app usage statistics; app settings; dates and times of connecting to an app; location data, and other technical communications information (some of which may constitute Personal Data); password; security login details; usage data; and aggregate statistical information.
Employer details: where you interact with us in your capacity as an employee of a third party, the name, address, telephone number and email address of your employer, to the extent relevant.
Content and advertising data: records of your interactions with our online advertising and content; and records of advertising and content displayed on pages or app screens displayed to you.
Views and opinions: any views and opinions that you choose to send to us, or publicly post about us on social media platforms.
Biometric and health data: biometric data and data about your health (including health information to monitor the spread of infectious diseases in the workplace and biological sampling data); and (if disclosed) any special needs or health condition and information relating to accommodations that you may request during the recruitment process.

In what services does Vale collect personal data?

We collect or obtain Personal Data about you from the following sources:

Data provided to us: We obtain Personal Data when those data are provided to us (e.g., where you contact us via email or telephone, or by any other means, or when you provide us with your business card, or when you submit a job application).
Data we obtain in person: We obtain Personal Data during meetings, at trade shows, during visits from sales or marketing representatives, or at events we attend.
Collaborations: We obtain Personal Data when you collaborate with us in research or in an advisory / consultancy capacity.
Relationship data: We collect or obtain Personal Data in the ordinary course of our relationship with you (e.g., we provide a service to you, or to your employer).
Data you make public: We collect or obtain Personal Data that you manifestly choose to make public, including via social media (e.g., we may collect information from your social media profile(s), if you make a public post about us).
App data: We collect or obtain Personal Data when you download or use any of our apps.
Website data: We collect or obtain Personal Data when you visit any of our websites or use any features or resources available on or through a website.
Registration details: We collect or obtain Personal Data when you use, or register to use, any of our websites, apps, products, or services.
Content and advertising information: If you interact with any third party content or advertising on a website or in an app (including third party plugins and Cookies) we receive Personal Data from the relevant third party provider of that content or advertising.
Third party information: We collect or obtain Personal Data from third parties who provide it to us (e.g., credit reference agencies; law enforcement authorities; recruiters; previous employers, referees, entities conducting background checks etc.).

Creation of Personal Data

More information regarding the use of this data can be found in the specific terms of each service, available on their respective platforms.

What is the purpose of collection and processing of personal data?

Processing activity	Legal basis for Processing
Provision of websites, apps, products, and services: providing our websites, apps, products, or services; providing promotional items upon request; and communicating with you in relation to those websites, apps, products, or services.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, apps, products, or services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Operating our business: operating and managing our websites, our apps, our products, and our services; providing content to you; displaying advertising and other information to you; communicating and interacting with you via our websites, our apps, our products, or our services; and notifying you of changes to any of our websites, our apps, our products, or our services.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, our apps, our products, or our services to you (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Communications and marketing: communicating with you via any means (including via email, telephone, text message, social media, post or in person) to provide news items and other information in which you may be interested, subject always to obtaining your prior opt-in consent to the extent required under applicable law; personalising our websites, products and services for you; maintaining and updating your contact information where appropriate; obtaining your prior, opt-in consent where required; and enabling and recording your choice to opt-out or unsubscribe, where applicable.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or We have a legitimate interest in carrying out the Processing for the purpose of contacting you, subject always to compliance with applicable law (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Management of IT systems: management and operation of our communications, IT and security systems; and audits (including security audits) and monitoring of such systems.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of managing and maintaining our communications and IT systems (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Health and safety: health and safety assessments and record keeping (including collecting biological sampling data); providing a safe and secure environment at our premises (including monitoring body temperatures on Vale premises in the UK to prevent the spread of infectious diseases in the workplace); and compliance with related legal obligations.	The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment, social security or social protection law); or We have a legitimate interest in carrying out the Processing for the purpose of ensuring a safe environment at our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or The Processing is necessary to protect the vital interests of any individual; or The Processing is necessary for reasons of public interest in the area of public health; or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Financial management: sales; finance; corporate audit; and vendor management.	We have a legitimate interest in carrying out the Processing for the purpose of managing and operating the financial affairs of our business (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Vendor management: collating supplier data for background and compliance checks.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of performing background and compliance checks (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Surveys: engaging with you for the purposes of obtaining your views on our websites, our apps, our products, or our services.	We have a legitimate interest in carrying out the Processing for the purpose of conducting surveys, satisfaction reports and market research (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Security: physical security of our premises (including records of visits to our premises); CCTV recordings; and electronic security (including login records and access details).	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of ensuring the physical and electronic security of our business and our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Investigations: detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of detecting, and protecting against, breaches of our policies and applicable laws (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Legal compliance: compliance with our legal and regulatory obligations under applicable law.	The Processing is necessary for compliance with a legal obligation.
Improving our websites, apps, products, and services: identifying issues with our websites, our apps, our products, or our services; planning improvements to our websites, our apps, our products, or our services; and creating new websites, apps, products, or services.	We have a legitimate interest in carrying out the Processing for the purpose of improving our websites, our apps, our products, or our services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Establishment, exercise and defence of legal claims: management of legal claims; establishment of facts and claims, including collection, review and production of documents, facts, evidence and witness statements; and exercise and defence of legal rights and claims, including formal legal proceedings.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of establishing, exercising or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or The Processing is necessary for the establishment, exercise or defence of legal claims.
Recruitment and job applications: recruitment activities; advertising of positions; interview activities; verifying information provided to us; analysis of suitability for the relevant position; records of hiring decisions; offer details; performing background checks; accommodations as part of the recruitment process; and acceptance details.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment law); or We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities and handling job applications (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Future opportunities: maintaining databases of unsuccessful candidates; advertising new roles; and invitations to future events.	We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Processing activity

Legal basis for Processing

Provision of websites, apps, products, and services: providing our websites, apps, products, or services; providing promotional items upon request; and communicating with you in relation to those websites, apps, products, or services.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, apps, products, or services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Operating our business: operating and managing our websites, our apps, our products, and our services; providing content to you; displaying advertising and other information to you; communicating and interacting with you via our websites, our apps, our products, or our services; and notifying you of changes to any of our websites, our apps, our products, or our services.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, our apps, our products, or our services to you (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Communications and marketing: communicating with you via any means (including via email, telephone, text message, social media, post or in person) to provide news items and other information in which you may be interested, subject always to obtaining your prior opt-in consent to the extent required under applicable law; personalising our websites, products and services for you; maintaining and updating your contact information where appropriate; obtaining your prior, opt-in consent where required; and enabling and recording your choice to opt-out or unsubscribe, where applicable.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
We have a legitimate interest in carrying out the Processing for the purpose of contacting you, subject always to compliance with applicable law (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Management of IT systems: management and operation of our communications, IT and security systems; and audits (including security audits) and monitoring of such systems.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of managing and maintaining our communications and IT systems (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Health and safety: health and safety assessments and record keeping (including collecting biological sampling data); providing a safe and secure environment at our premises (including monitoring body temperatures on Vale premises in the UK to prevent the spread of infectious diseases in the workplace); and compliance with related legal obligations.

The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment, social security or social protection law); or
We have a legitimate interest in carrying out the Processing for the purpose of ensuring a safe environment at our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
The Processing is necessary to protect the vital interests of any individual; or
The Processing is necessary for reasons of public interest in the area of public health; or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Financial management: sales; finance; corporate audit; and vendor management.

We have a legitimate interest in carrying out the Processing for the purpose of managing and operating the financial affairs of our business (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Vendor management: collating supplier data for background and compliance checks.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of performing background and compliance checks (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Surveys: engaging with you for the purposes of obtaining your views on our websites, our apps, our products, or our services.

We have a legitimate interest in carrying out the Processing for the purpose of conducting surveys, satisfaction reports and market research (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Security: physical security of our premises (including records of visits to our premises); CCTV recordings; and electronic security (including login records and access details).

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of ensuring the physical and electronic security of our business and our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Investigations: detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of detecting, and protecting against, breaches of our policies and applicable laws (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Legal compliance: compliance with our legal and regulatory obligations under applicable law.

The Processing is necessary for compliance with a legal obligation.

Improving our websites, apps, products, and services: identifying issues with our websites, our apps, our products, or our services; planning improvements to our websites, our apps, our products, or our services; and creating new websites, apps, products, or services.

We have a legitimate interest in carrying out the Processing for the purpose of improving our websites, our apps, our products, or our services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Establishment, exercise and defence of legal claims: management of legal claims; establishment of facts and claims, including collection, review and production of documents, facts, evidence and witness statements; and exercise and defence of legal rights and claims, including formal legal proceedings.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of establishing, exercising or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
The Processing is necessary for the establishment, exercise or defence of legal claims.

Recruitment and job applications: recruitment activities; advertising of positions; interview activities; verifying information provided to us; analysis of suitability for the relevant position; records of hiring decisions; offer details; performing background checks; accommodations as part of the recruitment process; and acceptance details.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment law); or
We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities and handling job applications (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Future opportunities: maintaining databases of unsuccessful candidates; advertising new roles; and invitations to future events.

We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

How does Vale share personal data?

1. Sharing with third-parties:

you and, where appropriate, your appointed representatives;
legal and regulatory authorities, upon request, or for the purposes of reporting any actual or suspected breach of applicable law or regulation;
accountants, auditors, consultants, lawyers and other outside professional advisors to Vale, subject to binding contractual obligations of confidentiality;
third-party Processors (such as payment services providers; recruiters; pre-employment screenings services etc.), located anywhere in the world (subject to the requirements noted below);
any relevant party, regulatory body, governmental authority, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal claims;
any relevant party, regulatory body, governmental authority, law enforcement agency or court, for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
any relevant third party acquirer(s) or successor(s) in title, in the event that we sell or transfer all or any relevant portion of our business or assets (including in the event of a reorganization, dissolution or liquidation); andany relevant third party provider, where our websites and our apps use third party advertising, plugins or content. If you choose to interact with any such advertising, plugins or content, your Personal Data may be shared with the relevant third party provider. We recommend that you review that third party’s privacy policy before interacting with its advertising, plugins or content.
If we engage a third-party Processor to Process your Personal Data, the Processor will be subject to binding contractual obligations to: (i) only Process the Personal Data in accordance with our prior written instructions; and (ii) use measures to protect the confidentiality and security of the Personal Data, together with any additional requirements under applicable law.

2. International data transfer:

Because of the international nature of our business, we transfer Personal Data within the Vale group, and to the third-parties set out above under the sub-heading entitled “Sharing with third-parties”. Recipients of Personal Data we transfer may be located in all countries where the Vale group is present but in other countries globally as well. For this reason, we transfer Personal Data to other countries that may have different legal requirements and data protection compliance requirements to those that apply in the country in which you are located or in which you disclosed your Personal Data to us. We may transfer your Personal Data to the following jurisdictions in particular but also other jurisdictions globally where third-party recipients or their service providers are located:
Argentina;
Australia;
Brazil;
Canada;
Chile;
China;
India;
Indonesia;
Japa;
Malaysia;
Oman;
Peru; and
Singapore.

Which are the data subject’s rights in relation to its personal data?

Subject to applicable law, data subjects may have the following rights regarding the Processing of their Personal Data:

the right to request access to, or copies of, Personal Data, together with information regarding the nature, Processing and disclosure of Personal Data;
the right to request rectification to any inaccuracies in Personal Data;
the right to request, on legitimate grounds erasure of Personal Data or restriction of Processing of Personal Data;
the right to request portability of Personal Data to another controller, in a structured, commonly used and machine-readable format, to the extent applicable;
where we Process Personal Data on the basis of your consent, the right to withdraw consent given, at any time, upon the express request of the data subject (noting that such withdrawal does not affect the lawfulness of any Processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the Processing of your Personal Data in reliance upon any other available legal bases); and
the right to lodge complaints regarding the Processing of Personal Data with a Data Protection Authority.

Subject to applicable law, you may also have the following additional rights regarding the Processing of your Personal Data:

the right to object, on grounds relating to your particular situation, to the Processing of your Personal Data by us or on our behalf, where such Processing is based on Articles 6(1)(e) (public interest) or 6(1)(f) (legitimate interests) of the GDPR / UK GDPR; and
the right to object to the Processing of your Personal Data by us or on our behalf for direct marketing purposes.

This does not affect your statutory rights.

Please note that:

in some cases it will be necessary to provide evidence of your identity before we can give effect to these rights; and
where your request requires the establishment of additional facts (e.g., a determination of whether any Processing is non-compliant with applicable law) we will investigate your request reasonably promptly, before deciding what action to take.

How does Vale secure personal data?

In the event of deletion of Personal Data, the process is carried out safely, in line with the appropriate technical measures, in order to ensure that the deleted Personal Data cannot be recovered.

Data accuracy

We take every reasonable step to ensure that:

your Personal Data that we Process is accurate and, where necessary, kept up to date; and
any of your Personal Data that we Process that is inaccurate (having regard to the purposes for which such Personal Data is Processed) is erased or rectified without delay.

From time to time we may ask you to confirm the accuracy of your Personal Data.

Data minimization

We take every reasonable step to ensure that your Personal Data that we Process is limited to the Personal Data reasonably necessary in connection with the purposes set out in this Privacy Notice.

For how long is Personal Data retained?

Sensitive Personal Data

Compliance with applicable law: We may Process your Sensitive Personal Data where the Processing is required or permitted by applicable law (e.g., to comply with our diversity reporting obligations);
Employment law: We may Process your Sensitive Personal Data where the Processing is necessary for the purposes of carrying out the obligations and exercising specific rights in the field of employment, social security and social protection law;
Detection and prevention of crime: We may Process your Sensitive Personal Data where the Processing is necessary for the detection or prevention of crime (e.g., the prevention of fraud);
Vital interests: We may Process your Sensitive Personal Data where the Processing is necessary to protect the vital interests of any individual; or
Vital interests: We may Process your Sensitive Personal Data where the Processing is necessary to protect the vital interests of any individual; or
Public health: We may Process your Sensitive Personal Data where the Processing is necessary for reasons of public interest in the area of public health (e.g., protecting against serious cross-border threats to health); or
Establishment, exercise or defence of legal claims: We may Process your Sensitive Personal Data where the Processing is necessary for the establishment, exercise or defence of legal claims; or
Consent: We may Process your Sensitive Personal Data where we have, in accordance with applicable law, obtained your express consent prior to Processing your Sensitive Personal Data (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Communication Channel

To contact Vale's privacy team and Vale’s Data Protection Officer (“DPO”), use the form below or send an email to dpo@vale.com or to breach@logicdocument.com (if you are located in UK).

Details of Controllers

For the purposes of this Privacy Notice, the relevant Controllers are:

Controller entity

Contact details

Vale S.A.

Praia de Botafogo, 186, Botafogo, Rio de Janeiro, Brazil; Data Privacy Department / privacy@vale.com

Vale Europe Limited

Vale Europe Limited – Suite 1, 3rd Floor, 11-12 St. Jame´s Square, London, United Kingdom, SW1Y 4LB; Data Privacy Department / breach@logicdocument.com

Vale Holdings B.V.

Piet Heinkade 55, 1019 GM, Amsterdam, the Netherlands; Data Privacy Department / privacy@vale.com

Vale International SA

Route de Pallatex 29, 1162 Saint-Prex, Switzerland; Data Privacy Department / privacy@vale.com

Definitions

“Cookie” means a small file that is placed on your device when you visit a website (including our websites). In this Privacy Notice, a reference to a “cookie” includes analogous technologies such as web beacons and clear GIFs;
“Controller” means the entity that decides how and why Personal Data is Processed. In many jurisdictions, the controller has primary responsibility for complying with applicable data protection laws;
“Data Protection Authority” means an independent public authority that is legally tasked with overseeing compliance with applicable data protection laws;
“EEA” means the European Economic Area;
“GDPR” means the General Data Protection Regulation (EU) 2016/679;
“Personal Data” means information that is about any individual, or from which any individual is directly or indirectly identifiable, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual; provided, however, that where applicable data protection law protects legal entities as data subjects “Personal Data” will be deemed to include information relating to legal entities;
“Process”, “Processing” or “Processed” means anything that is done with any Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Processor” means any person or entity that Processes Personal Data on behalf of the Controller (other than employees of the Controller);
“Sensitive Personal Data” means Personal Data about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, biometric data, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, national identification number, or any other information that are deemed to be sensitive under applicable law;
“Standard Contractual Clauses” means template transfer clauses adopted by the European Commission or adopted by a Data Protection Authority and approved by the European Commission, or the UK Government; and
“UK GDPR” means the UK’s equivalent of the GDPR.

Europe

What personal data is covered?

We may process the following categories of Personal Data about you:

Personal details: given name(s); preferred name; photograph; details of representative; curriculum vitae / résumés and/or applications; passport number (where applicable); and work permit or visa number (where applicable).
Demographic information: gender; date of birth / age; nationality; salutation; title; and language preferences.
Contact details: correspondence address; shipping address; telephone number; email address; details of personal assistants, where applicable; messenger app details; online messaging details; and social media details.
Expertise: records of your expertise, curriculum vitae / résumés, professional history, education history, practising details and qualification details; information about your experience, participation in meetings, seminars, advisory boards and conferences; salary expectations; referrals and references; information about your professional relationship with other individuals or institutions; and language abilities and other professional skills.
Background checks: details revealed by background checks conducted in accordance with applicable law and subject to your prior express written consent (where required, including details of past employment, details of residence, credit reference information, and criminal records checks.
Consthe date and time, means of consent and any related information (e.g., the subject matter of the consent).
Purchase details: records of purchases and prices; and consignee name, address, contact telephone number and email ent records: records of any consents you have given, together with address.
Payment details: invoice records; payment records; billing address; payment method; bank account number or credit card number; cardholder or accountholder name; card or account security details; card ‘valid from’ date; card expiry date; BACS details; SWIFT details; IBAN details; payment amount; payment date; and records of cheques.
Data relating to our websites and apps: device type; operating system; browser type; browser settings; IP address; language settings; dates and times of connecting to a website; app usage statistics; app settings; dates and times of connecting to an app; location data, and other technical communications information (some of which may constitute Personal Data); password; security login details; usage data; and aggregate statistical information.
Employer details: where you interact with us in your capacity as an employee of a third party, the name, address, telephone number and email address of your employer, to the extent relevant.
Content and advertising data: records of your interactions with our online advertising and content; and records of advertising and content displayed on pages or app screens displayed to you.
Views and opinions: any views and opinions that you choose to send to us, or publicly post about us on social media platforms.
Biometric and health data: biometric data and data about your health (including health information to monitor the spread of infectious diseases in the workplace and biological sampling data); and (if disclosed) any special needs or health condition and information relating to accommodations that you may request during the recruitment process.

In what services does Vale collect personal data?

We collect or obtain Personal Data about you from the following sources:

Data provided to us: We obtain Personal Data when those data are provided to us (e.g., where you contact us via email or telephone, or by any other means, or when you provide us with your business card, or when you submit a job application).
Data we obtain in person: We obtain Personal Data during meetings, at trade shows, during visits from sales or marketing representatives, or at events we attend.
Collaborations: We obtain Personal Data when you collaborate with us in research or in an advisory / consultancy capacity.
Relationship data: We collect or obtain Personal Data in the ordinary course of our relationship with you (e.g., we provide a service to you, or to your employer).
Data you make public: We collect or obtain Personal Data that you manifestly choose to make public, including via social media (e.g., we may collect information from your social media profile(s), if you make a public post about us).
App data: We collect or obtain Personal Data when you download or use any of our apps.
Website data: We collect or obtain Personal Data when you visit any of our websites or use any features or resources available on or through a website.
Registration details: We collect or obtain Personal Data when you use, or register to use, any of our websites, apps, products, or services.
Content and advertising information: If you interact with any third party content or advertising on a website or in an app (including third party plugins and Cookies) we receive Personal Data from the relevant third party provider of that content or advertising.
Third party information: We collect or obtain Personal Data from third parties who provide it to us (e.g., credit reference agencies; law enforcement authorities; recruiters; previous employers, referees, entities conducting background checks etc.).

Creation of Personal Data

More information regarding the use of this data can be found in the specific terms of each service, available on their respective platforms.

What is the purpose of collection and processing of personal data?

Processing activity	Legal basis for Processing
Provision of websites, apps, products, and services: providing our websites, apps, products, or services; providing promotional items upon request; and communicating with you in relation to those websites, apps, products, or services.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, apps, products, or services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Operating our business: operating and managing our websites, our apps, our products, and our services; providing content to you; displaying advertising and other information to you; communicating and interacting with you via our websites, our apps, our products, or our services; and notifying you of changes to any of our websites, our apps, our products, or our services.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, our apps, our products, or our services to you (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Communications and marketing: communicating with you via any means (including via email, telephone, text message, social media, post or in person) to provide news items and other information in which you may be interested, subject always to obtaining your prior opt-in consent to the extent required under applicable law; personalising our websites, products and services for you; maintaining and updating your contact information where appropriate; obtaining your prior, opt-in consent where required; and enabling and recording your choice to opt-out or unsubscribe, where applicable.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or We have a legitimate interest in carrying out the Processing for the purpose of contacting you, subject always to compliance with applicable law (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Management of IT systems: management and operation of our communications, IT and security systems; and audits (including security audits) and monitoring of such systems.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of managing and maintaining our communications and IT systems (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Health and safety: health and safety assessments and record keeping (including collecting biological sampling data); providing a safe and secure environment at our premises (including monitoring body temperatures on Vale premises in the UK to prevent the spread of infectious diseases in the workplace); and compliance with related legal obligations.	The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment, social security or social protection law); or We have a legitimate interest in carrying out the Processing for the purpose of ensuring a safe environment at our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or The Processing is necessary to protect the vital interests of any individual; or The Processing is necessary for reasons of public interest in the area of public health; or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Financial management: sales; finance; corporate audit; and vendor management.	We have a legitimate interest in carrying out the Processing for the purpose of managing and operating the financial affairs of our business (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Vendor management: collating supplier data for background and compliance checks.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of performing background and compliance checks (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Surveys: engaging with you for the purposes of obtaining your views on our websites, our apps, our products, or our services.	We have a legitimate interest in carrying out the Processing for the purpose of conducting surveys, satisfaction reports and market research (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Security: physical security of our premises (including records of visits to our premises); CCTV recordings; and electronic security (including login records and access details).	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of ensuring the physical and electronic security of our business and our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Investigations: detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of detecting, and protecting against, breaches of our policies and applicable laws (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
Legal compliance: compliance with our legal and regulatory obligations under applicable law.	The Processing is necessary for compliance with a legal obligation.
Improving our websites, apps, products, and services: identifying issues with our websites, our apps, our products, or our services; planning improvements to our websites, our apps, our products, or our services; and creating new websites, apps, products, or services.	We have a legitimate interest in carrying out the Processing for the purpose of improving our websites, our apps, our products, or our services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Establishment, exercise and defence of legal claims: management of legal claims; establishment of facts and claims, including collection, review and production of documents, facts, evidence and witness statements; and exercise and defence of legal rights and claims, including formal legal proceedings.	The Processing is necessary for compliance with a legal obligation; or We have a legitimate interest in carrying out the Processing for the purpose of establishing, exercising or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or The Processing is necessary for the establishment, exercise or defence of legal claims.
Recruitment and job applications: recruitment activities; advertising of positions; interview activities; verifying information provided to us; analysis of suitability for the relevant position; records of hiring decisions; offer details; performing background checks; accommodations as part of the recruitment process; and acceptance details.	The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment law); or We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities and handling job applications (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).
Future opportunities: maintaining databases of unsuccessful candidates; advertising new roles; and invitations to future events.	We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Processing activity

Legal basis for Processing

Provision of websites, apps, products, and services: providing our websites, apps, products, or services; providing promotional items upon request; and communicating with you in relation to those websites, apps, products, or services.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, apps, products, or services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Operating our business: operating and managing our websites, our apps, our products, and our services; providing content to you; displaying advertising and other information to you; communicating and interacting with you via our websites, our apps, our products, or our services; and notifying you of changes to any of our websites, our apps, our products, or our services.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
We have a legitimate interest in carrying out the Processing for the purpose of providing our websites, our apps, our products, or our services to you (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Communications and marketing: communicating with you via any means (including via email, telephone, text message, social media, post or in person) to provide news items and other information in which you may be interested, subject always to obtaining your prior opt-in consent to the extent required under applicable law; personalising our websites, products and services for you; maintaining and updating your contact information where appropriate; obtaining your prior, opt-in consent where required; and enabling and recording your choice to opt-out or unsubscribe, where applicable.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
We have a legitimate interest in carrying out the Processing for the purpose of contacting you, subject always to compliance with applicable law (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Management of IT systems: management and operation of our communications, IT and security systems; and audits (including security audits) and monitoring of such systems.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of managing and maintaining our communications and IT systems (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Health and safety: health and safety assessments and record keeping (including collecting biological sampling data); providing a safe and secure environment at our premises (including monitoring body temperatures on Vale premises in the UK to prevent the spread of infectious diseases in the workplace); and compliance with related legal obligations.

The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment, social security or social protection law); or
We have a legitimate interest in carrying out the Processing for the purpose of ensuring a safe environment at our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
The Processing is necessary to protect the vital interests of any individual; or
The Processing is necessary for reasons of public interest in the area of public health; or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Financial management: sales; finance; corporate audit; and vendor management.

We have a legitimate interest in carrying out the Processing for the purpose of managing and operating the financial affairs of our business (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Vendor management: collating supplier data for background and compliance checks.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of performing background and compliance checks (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Surveys: engaging with you for the purposes of obtaining your views on our websites, our apps, our products, or our services.

We have a legitimate interest in carrying out the Processing for the purpose of conducting surveys, satisfaction reports and market research (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Security: physical security of our premises (including records of visits to our premises); CCTV recordings; and electronic security (including login records and access details).

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of ensuring the physical and electronic security of our business and our premises (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Investigations: detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of detecting, and protecting against, breaches of our policies and applicable laws (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).

Legal compliance: compliance with our legal and regulatory obligations under applicable law.

The Processing is necessary for compliance with a legal obligation.

Improving our websites, apps, products, and services: identifying issues with our websites, our apps, our products, or our services; planning improvements to our websites, our apps, our products, or our services; and creating new websites, apps, products, or services.

We have a legitimate interest in carrying out the Processing for the purpose of improving our websites, our apps, our products, or our services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Establishment, exercise and defence of legal claims: management of legal claims; establishment of facts and claims, including collection, review and production of documents, facts, evidence and witness statements; and exercise and defence of legal rights and claims, including formal legal proceedings.

The Processing is necessary for compliance with a legal obligation; or
We have a legitimate interest in carrying out the Processing for the purpose of establishing, exercising or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
The Processing is necessary for the establishment, exercise or defence of legal claims.

Recruitment and job applications: recruitment activities; advertising of positions; interview activities; verifying information provided to us; analysis of suitability for the relevant position; records of hiring decisions; offer details; performing background checks; accommodations as part of the recruitment process; and acceptance details.

The Processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or
The Processing is necessary for compliance with a legal obligation (especially in respect of applicable employment law); or
We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities and handling job applications (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Future opportunities: maintaining databases of unsuccessful candidates; advertising new roles; and invitations to future events.

We have a legitimate interest in carrying out the Processing for the purpose of recruitment activities (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or
We have obtained your prior consent to the Processing (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

How does Vale share personal data?

1. Sharing with third-parties:

you and, where appropriate, your appointed representatives;
legal and regulatory authorities, upon request, or for the purposes of reporting any actual or suspected breach of applicable law or regulation;
accountants, auditors, consultants, lawyers and other outside professional advisors to Vale, subject to binding contractual obligations of confidentiality;
third-party Processors (such as payment services providers; recruiters; pre-employment screenings services etc.), located anywhere in the world (subject to the requirements noted below);
any relevant party, regulatory body, governmental authority, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal claims;
any relevant party, regulatory body, governmental authority, law enforcement agency or court, for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
any relevant third party acquirer(s) or successor(s) in title, in the event that we sell or transfer all or any relevant portion of our business or assets (including in the event of a reorganization, dissolution or liquidation); andany relevant third party provider, where our websites and our apps use third party advertising, plugins or content. If you choose to interact with any such advertising, plugins or content, your Personal Data may be shared with the relevant third party provider. We recommend that you review that third party’s privacy policy before interacting with its advertising, plugins or content.
If we engage a third-party Processor to Process your Personal Data, the Processor will be subject to binding contractual obligations to: (i) only Process the Personal Data in accordance with our prior written instructions; and (ii) use measures to protect the confidentiality and security of the Personal Data, together with any additional requirements under applicable law.

2. International data transfer:

Because of the international nature of our business, we transfer Personal Data within the Vale group, and to the third-parties set out above under the sub-heading entitled “Sharing with third-parties”. Recipients of Personal Data we transfer may be located in all countries where the Vale group is present but in other countries globally as well. For this reason, we transfer Personal Data to other countries that may have different legal requirements and data protection compliance requirements to those that apply in the country in which you are located or in which you disclosed your Personal Data to us. We may transfer your Personal Data to the following jurisdictions in particular but also other jurisdictions globally where third-party recipients or their service providers are located:
Argentina;
Australia;
Brazil;
Canada;
Chile;
China;
India;
Indonesia;
Japa;
Malaysia;
Oman;
Peru; and
Singapore.

Which are the data subject’s rights in relation to its personal data?

Subject to applicable law, data subjects may have the following rights regarding the Processing of their Personal Data:

the right to request access to, or copies of, Personal Data, together with information regarding the nature, Processing and disclosure of Personal Data;
the right to request rectification to any inaccuracies in Personal Data;
the right to request, on legitimate grounds erasure of Personal Data or restriction of Processing of Personal Data;
the right to request portability of Personal Data to another controller, in a structured, commonly used and machine-readable format, to the extent applicable;
where we Process Personal Data on the basis of your consent, the right to withdraw consent given, at any time, upon the express request of the data subject (noting that such withdrawal does not affect the lawfulness of any Processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the Processing of your Personal Data in reliance upon any other available legal bases); and
the right to lodge complaints regarding the Processing of Personal Data with a Data Protection Authority.

Subject to applicable law, you may also have the following additional rights regarding the Processing of your Personal Data:

the right to object, on grounds relating to your particular situation, to the Processing of your Personal Data by us or on our behalf, where such Processing is based on Articles 6(1)(e) (public interest) or 6(1)(f) (legitimate interests) of the GDPR / UK GDPR; and
the right to object to the Processing of your Personal Data by us or on our behalf for direct marketing purposes.

This does not affect your statutory rights.

Please note that:

in some cases it will be necessary to provide evidence of your identity before we can give effect to these rights; and
where your request requires the establishment of additional facts (e.g., a determination of whether any Processing is non-compliant with applicable law) we will investigate your request reasonably promptly, before deciding what action to take.

How does Vale secure personal data?

In the event of deletion of Personal Data, the process is carried out safely, in line with the appropriate technical measures, in order to ensure that the deleted Personal Data cannot be recovered.

Data accuracy

We take every reasonable step to ensure that:

your Personal Data that we Process is accurate and, where necessary, kept up to date; and
any of your Personal Data that we Process that is inaccurate (having regard to the purposes for which such Personal Data is Processed) is erased or rectified without delay.

From time to time we may ask you to confirm the accuracy of your Personal Data.

Data minimization

We take every reasonable step to ensure that your Personal Data that we Process is limited to the Personal Data reasonably necessary in connection with the purposes set out in this Privacy Notice.

For how long is Personal Data retained?

Sensitive Personal Data

Compliance with applicable law: We may Process your Sensitive Personal Data where the Processing is required or permitted by applicable law (e.g., to comply with our diversity reporting obligations);
Employment law: We may Process your Sensitive Personal Data where the Processing is necessary for the purposes of carrying out the obligations and exercising specific rights in the field of employment, social security and social protection law;
Detection and prevention of crime: We may Process your Sensitive Personal Data where the Processing is necessary for the detection or prevention of crime (e.g., the prevention of fraud);
Vital interests: We may Process your Sensitive Personal Data where the Processing is necessary to protect the vital interests of any individual; or
Vital interests: We may Process your Sensitive Personal Data where the Processing is necessary to protect the vital interests of any individual; or
Public health: We may Process your Sensitive Personal Data where the Processing is necessary for reasons of public interest in the area of public health (e.g., protecting against serious cross-border threats to health); or
Establishment, exercise or defence of legal claims: We may Process your Sensitive Personal Data where the Processing is necessary for the establishment, exercise or defence of legal claims; or
Consent: We may Process your Sensitive Personal Data where we have, in accordance with applicable law, obtained your express consent prior to Processing your Sensitive Personal Data (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

Communication Channel

To contact Vale's privacy team and Vale’s Data Protection Officer (“DPO”), use the form below or send an email to dpo@vale.com or to breach@logicdocument.com (if you are located in UK).

Details of Controllers

For the purposes of this Privacy Notice, the relevant Controllers are:

Controller entity

Contact details

Vale S.A.

Praia de Botafogo, 186, Botafogo, Rio de Janeiro, Brazil; Data Privacy Department / privacy@vale.com

Vale Europe Limited

Vale Europe Limited – Suite 1, 3rd Floor, 11-12 St. Jame´s Square, London, United Kingdom, SW1Y 4LB; Data Privacy Department / breach@logicdocument.com

Vale Holdings B.V.

Piet Heinkade 55, 1019 GM, Amsterdam, the Netherlands; Data Privacy Department / privacy@vale.com

Vale International SA

Route de Pallatex 29, 1162 Saint-Prex, Switzerland; Data Privacy Department / privacy@vale.com

Definitions

“Cookie” means a small file that is placed on your device when you visit a website (including our websites). In this Privacy Notice, a reference to a “cookie” includes analogous technologies such as web beacons and clear GIFs;
“Controller” means the entity that decides how and why Personal Data is Processed. In many jurisdictions, the controller has primary responsibility for complying with applicable data protection laws;
“Data Protection Authority” means an independent public authority that is legally tasked with overseeing compliance with applicable data protection laws;
“EEA” means the European Economic Area;
“GDPR” means the General Data Protection Regulation (EU) 2016/679;
“Personal Data” means information that is about any individual, or from which any individual is directly or indirectly identifiable, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual; provided, however, that where applicable data protection law protects legal entities as data subjects “Personal Data” will be deemed to include information relating to legal entities;
“Process”, “Processing” or “Processed” means anything that is done with any Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Processor” means any person or entity that Processes Personal Data on behalf of the Controller (other than employees of the Controller);
“Sensitive Personal Data” means Personal Data about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, biometric data, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, national identification number, or any other information that are deemed to be sensitive under applicable law;
“Standard Contractual Clauses” means template transfer clauses adopted by the European Commission or adopted by a Data Protection Authority and approved by the European Commission, or the UK Government; and
“UK GDPR” means the UK’s equivalent of the GDPR.