- Introduction
- Anglo American plc and our associated companies ("Company", "we", "us" and "our") has set up a whistleblowing system and reporting hotline known as "YourVoice". YourVoice is a confidential service through which concerns about potentially unethical, unlawful or unsafe conduct and practices can be reported and investigated. It is independently managed on our behalf by an external service provider (Convercent) ("Service Provider").
- YourVoice is open to all employees (including contractors), customers, suppliers and other stakeholders of the Company and its associated companies.
- Should an individual make a report through YourVoice, we will process personal data of that individual and of anyone else who may be named in the report.
- If you are an employee of an Anglo American company or are making a report that concerns an employee of an Anglo American company, the data controller of any of your personal data that may be processed in connection with YourVoice are Anglo American Services (UK) Ltd (17 Charterhouse Street, London, EC1N 6RA), and the relevant Anglo American employing entity (whose name and contact details can be found in your employment contract). If you are not employed by Anglo American and you have chosen to make a report using YourVoice, or are the subject of a report made through YourVoice, the data controllers of any of your personal data contained in that report are Anglo American Services (UK) Ltd (17 Charterhouse Street, London, EC1N 6RA), and the most appropriate Group entity that is local to the location of the incident being reported.
- This Privacy Notice is supplementary to the External Privacy Notice which is available online and the Employee Privacy Notice which is available to Anglo American employees through the intranet, which together are referred to as the "Privacy Notices". The content of the Privacy Notices continues to apply to YourVoice, in addition to the information set out below.
- The following Privacy Notice describes how and why personal data is processed in connection with YourVoice. It is intended to comply with our obligations to provide individuals with information about the processing of their personal data under privacy laws.
- If you have any questions about this Privacy Notice, have any concerns relating to your personal data, want to exercise any of the rights granted by applicable laws or would like to access the information contained in this Privacy Notice in a different format please contact our Data Protection Team at [email protected].
-
What data do we process?
- If you make a report using the YourVoice system, you have the option to submit the report anonymously. If you do so, none of your personal data will be processed in connection with your report.
- If you choose to disclose your identity to the Service Provider, the Service Provider will collect any personal data that you provide, including name, surname, email address, contact number and, if you are an employee of Anglo American, your employee number and location. The content of your report will also be processed in connection with your personal data, which may include details of the relevant incident or event you have witnessed / wish to report, and details of any personal opinion or expressions you wish to make in connection with the incident. If you choose to disclose your identity to us, we will also process this personal data.
- If a report is made about your alleged conduct or involvement in a particular event or practice, we and the Service Provider will (where permitted by applicable laws) collect your name, surname, alias or nickname, and (where applicable), gender, employee number, title, company and contact information. We and the Service Provider will also collect information about the allegation that is reported, including the nature of the allegation. This may include information about alleged or proven criminal offences, which the Service Provider processes on our behalf where permitted by applicable laws. We will also collect further information during any subsequent verification and investigation into the alleged conduct.
- Notwithstanding the basis on which the report is made, all personal data provided through the YourVoice system will be managed confidentially by the Company. The Company recognises that an individual may not wish to be identified during the course of raising a concern. In such circumstances, the Company will do everything possible to protect the person's identity and will not disclose it without their consent. If it proves impossible to assess, evaluate, and investigate the reported concerns without revealing the individual's identity, the investigation team dealing with the matter will discuss with the individual whether and how to proceed. In some cases, confidentiality cannot be absolutely guaranteed as the very fact of the investigation may serve to reveal the source of the information, the statement of the person raising the concern may be needed as part of evidence against the perpetrator, or legal proceedings at a later stage may require the individual to appear as a witness.
-
How does the company collect data?
- Any personal data processed in connection with the YourVoice system will be collected from the reporting party. Furthermore, additional personal data may be generated and processed through the course of any investigation into the report. In particular:
- identity, responsibilities and contact information of the persons who are involved in receiving or processing the whistleblowing report;
- facts reported;
- information gathered in connection with the verification of the reported facts;
- report on the verification procedure; and (as applicable)
- follow-up.
- Details regarding how you or any third party can make a report are contained in the Group Whistleblowing Policy.
-
What are the purposes for which data is processed and what is our legal basis for carrying out the processing?
- Where we process personal data in connection with YourVoice, the overarching purpose is to facilitate the raising of concerns about serious misconduct, conduct contrary to our Values and Code of Conduct, the investigation of those concerns, and (where the concerns are found to be valid) taking appropriate action to address them, and prevent similar concerns from arising in the future.
- This involves processing personal data to:
- receive, discuss and (where applicable) sanitise the report;
- request additional information to substantiate the report;
- collate information received in reports and make that information available to designated teams for investigation (see section 6 for further information on disclosures of personal data);
- investigate the alleged conduct; and
- provide feedback to the Service Provider and to the individual making a report (where relevant) and make recommendations to Anglo American companies.
-
As set out in the Privacy Notices, certain data protection laws require a valid legal ground to process personal data. We process the information where necessary to:
- comply with our legal or regulatory obligations (for example, in the European Economic Area (EEA), laws relating to the combating of bribery, and other laws that require us to operate whistleblowing hotlines), pursuant, in the EEA, to GDPR Article 6(1)(c) - legal obligation;
- meet our legitimate interests (see a description of these interests below), provided the processing does not unduly affect your interests or fundamental rights and freedoms, pursuant, in the EEA, to GDPR Article 6(1)(f) - legitimate interests; or
- protect the vital interests (e.g. such as to protect the life or physical safety) of the relevant individual or of another natural person, pursuant in the EEA, to GDPR Article 6(1)(d) - vital interests; or
- facilitate the raising of your concerns about conduct contrary to our Values and Code of Conduct, carry out investigations into those concerns take appropriate action to address them, and prevent similar concerns from arising in the future. For the purposes of applicable data protection law, these purposes include the legitimate interests described in greater detail in paragraph 4.4.
- Where required under applicable data protection laws, we will obtain your notified consent to the collection, use and disclosure of your personal data prior to the collection, use and disclosure of your personal data.
-
The legitimate interests referred to above include our interests in:
- protecting against conduct which is contrary to our values and Code of Conduct, acting ethically and responsibly as a business, complying with laws, and protecting the health and safety of our employees;
- using appropriate teams to investigate reports on behalf of all Anglo American entities, for impartiality and efficiency reasons; and
- exercising our rights under Articles 16 and 17 of the Charter of Fundamental Rights (where applicable), or provided under similar applicable legislation, including our freedom to conduct a business and right to property.
- Special categories of personal data (or sensitive information) will only be processed where authorised by applicable laws. For example:
- If the allegation made through YourVoice relates to discrimination in the workplace, we will process relevant special categories of personal data on the basis of carrying out obligations and exercising specific rights in the field of employment and social security and social protection law (pursuant to GDPR Article 9(2)(b) – employment and social security and social protection law) and applicable laws;
- If the allegation made through YourVoice relates to other allegations of discrimination, we will process relevant special categories of personal data on the basis of substantial public interest (pursuant to GDPR Article 9(2)(g) – substantial public interest) and applicable laws. For example, in the United Kingdom, we will process special categories of personal data relating to equality of opportunity or treatment, pursuant to paragraph 8 of Schedule 1 of the Data Protection Act 2018;
- If the allegation made through YourVoice relates to an infringement of applicable laws to the detriment of the Company, we will process relevant special categories of personal data in order to establish, exercise or defend a legal claim (pursuant to GDPR Article 9 (2) (f) - establishment, exercise or defence of legal claims); and
- In South Africa, if the allegation made through YourVoice relates to unfair discrimination or harassment in the workplace, the processing is necessary to establish, exercise or defend a right or obligation in law pursuant to section 27(1)(b) of the Protection of Personal Data Act 4 of 2014.
- Personal data relating to criminal convictions and offences will only be processed where authorised by applicable laws. For example:
- If the allegation made through the YourVoice system could amount to an allegation of criminal activity, we will process that personal data on the basis of substantial public interest (pursuant to GDPR Article 9(2)(g) – substantial public interest) and applicable laws. For example, in the United Kingdom, we will process that personal data in order to prevent or detect unlawful acts, pursuant to paragraph 10 of Schedule 1 of the Data Protection Act 2018. Also, in Germany, personal data of the alleged employees will only be processed where this is necessary to detect the criminal offence, but only if there is a documented reason to believe the employee has committed the criminal offence while employed, the processing of the respective data is necessary to investigate the criminal offence and is not outweighed by the employee’s legitimate interest in the Company not processing the data, and in particular the type and extent are not disproportionate to the reason, pursuant to section 26 para. 1 sentence 2 of the German Federal Data Protection Act.
- Retention of personal data
- Personal data is retained for as long as it is required to satisfy the purpose for which it was collected.
- The Service Provider will retain reports for as long as is appropriate to investigate the matter and (where relevant) to complete actions relating to the outcome of any investigation, in both cases in accordance with applicable law and to comply with legal, regulatory or internal policy requirements.
- In general, reports are retained in a secure and limited-access database in order for the Company to retain an ability to respond to future legal claims in respect of associated actions. The Company endeavours to ensure that personal data are kept as current as possible and that irrelevant or excessive data are deleted or made anonymous as soon as reasonably practicable.
- Please note that some data may need to be kept for longer periods, pursuant to the Privacy Notice. In particular, we may keep some specific types of data for different periods of time, as required by applicable law or in order to comply with legal and regulatory obligations and for other legitimate business reasons for example for the period of the applicable statutes of limitation.
- Disclosures of personal data
-
Your personal data can be accessed by or may be disclosed on a need to know basis to:
- The specific investigations teams working on individual cases (such as ABAS, the Forensic Investigations Unit and the Information Security team), relevant members of HR (where the investigation is HR related) and relevant members of Security (where the investigation is security related);
- Individuals and governance bodies that oversee the whistleblowing and investigations processes, such as relevant Heads of Risk and Assurance, members of the YourVoice Oversight Committee, Ethics Committees, Business Unit CEOs and Group Function Heads;
- the Service Provider, who receives the information submitted as part of a report, and receives feedback from Anglo American companies on the report;
- designated contact persons in ABAS who receive information from the Service Provider;
- internal and external professionals, which may include Group Legal and forensic companies, who assist the specific investigations teams working on individual cases;
- Anglo American companies who have a need to access information in a report, for example, if the ABAS investigation recommends action against an employee the investigation report will be provided to the relevant employer at Anglo American, including the line manager and relevant member of the HR team;
- third parties who provide services to Anglo American and the Service Provider, such as IT systems providers or hosting providers; and
- courts,public bodies, law enforcement agents and litigants where laws require us to make a disclosure, such as where a report is found to be false, unsubstantiated and made maliciously, and the accused person seeks that disclosure as part of an action for libel or defamation.
- The Company expects any third parties to process any data disclosed to them in accordance with applicable law, including with respect to data confidentiality and security. In particular, our contract with the Service Provider requires it to protect personal data, including withholding whistleblowers’ identities where necessary. In addition, the other service providers described above have entered into contracts with us which include terms to protect personal data.
- Where these third parties act as a "data processor" they carry out their tasks on our behalf and upon our instructions for the above mentioned purposes. In this case, your personal data will only be disclosed to these parties to the extent necessary to provide the required services.
- If you are making a report through YourVoice in certain locations, the Company may need to share your identity with the person(s) the report relates to in order to comply with its data protection obligations pursuant GDPR Article 14(2)(f). However, we will always carefully assess whether these obligations require us to reveal your identity before doing so. We are, in particular, not obliged to inform you or any other person about the source of information if this is likely to render impossible or seriously impair the achievement of the objectives of our investigation or due to other exceptions provided for by applicable laws providing appropriate measures to protect the reported person's legitimate interests. For example, applicable laws may provide that information relating to the reporter's identity might remain a secret due to the reporter's overriding legitimate interests.
- In addition, we may share personal data with national authorities in order to comply with a legal obligation to which we are subject. This is for example the case in the framework of imminent or pending legal proceedings or a statutory audit.
- International transfer of personal data
- The Service Provider and its call centre are based in the USA, although the data will be hosted within the EEA. As a result, Anglo American companies in the EEA may transfer personal data outside of the EEA to the USA, if the whistleblowing report is made by phone, and in the event that the Service Provider’s USA team accesses the data through system maintenance. Anglo American companies based in jurisdictions outside the EEA may also transfer personal data from their own jurisdictions to the USA in accordance with applicable data protection laws, and you consent to this where such consent is required by applicable law.
- Further, Anglo American companies in the EEA also transfer personal data to other Anglo American companies based outside the EEA and vice versa, such as when the investigation is conducted by the ABAS team local to the alleged conduct.
- Where a report is made by an individual, or about an individual, based in China, details about the report will also be hosted in China.
- In each case of transfers of personal data outside the EEA, personal data is protected by entering into a data transfer agreement with the recipient, based on standard contractual clauses under Article 46(2) of the GDPR, approved by the European Commission. In relation to the transfers of personal data from Anglo American companies in jurisdictions other than the EEA in the context of the YourVoice hotline, personal data is protected in accordance with the requirements of applicable data protection laws.
- Where permitted by applicable laws, you may have a right to request a copy of any data transfer agreement under which your personal data is transferred, or to otherwise have access to the safeguards used. Any data transfer agreement made available to you may be redacted for reasons of commercial sensitivity. To request sight of these contact [email protected].
- Notice of changes
- The Company may change or update this Privacy Notice at any time. Where applicable data protection laws require us to do so, we will obtain your consent to such changes or updates.
- Should we change our approach to data protection or modify the provided information on the processing of your personal data, as determined by applicable laws, you will be informed of these changes or made aware that we have updated the Privacy Notices or this Privacy Notice so that you know which information we process and how we use this information and we will obtain your consent to such changes where applicable data protection laws require us to do so.
- This Privacy Notice was last updated and reviewed in October 2019.
SCHEDULE:
Part1: Additional information for European Union data subjects
- What are your rights?
- Subject to certain exemptions, and in some cases dependent upon the processing activity we are undertaking, you have certain rights in relation to your personal data. More information about each of these rights is set out below:
- Access. You have a right to request that we provide you with a copy of your personal data that we hold and you have the right to be informed of (a) the source of your personal data; (b) the purposes, legal basis and methods of processing; (c) the data controller’s identity; and (d) the entities or categories of entities to whom your personal data may be transferred, allow you to access such data and give you a copy of it, including as it relates to a report. Note that in certain jurisdictions, e.g. France, the person implicated by a report cannot obtain from the data controller, on the basis of his/her access rights, information concerning the identity of the whistle-blower.
- Rectification. You can ask us to rectify or complete inaccurate or incomplete personal data. We may seek to verify the accuracy of the personal data before rectifying it.
- Erasure. You can ask us to erase your personal data in the following cases: where it is no longer necessary for the purposes for which it was collected; you have withdrawn your consent (where the data processing was based on consent), you objected to the processing of your personal data; your personal data has been processed unlawfully; or to comply with a legal obligation to which we are subject. We are not required to comply with your request if the processing of your personal data is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims.
- Restriction. You can ask us to restrict the processing of your personal data where: the accuracy of your personal data is contested, to allow us to verify its accuracy; the processing is unlawful, but you do not want it erased; it is still necessary to establish, exercise or defend legal claims; to verify the existence overriding grounds following the exercise of your right of objection. We can continue to use your personal data following a request for restriction, where: we have your consent; to establish, exercise or defend legal claims; or to protect the rights of another natural or legal person.
- Digital legacy. In France only, you have the right to define (general or specific) directives regarding the fate of your personal data after your death.
- To transfer your personal data: You can ask us to provide your personal data to you in a structured, commonly used, machine‑readable format, or you can ask to have it transferred directly to another data controller, but in each case only where: the processing is based on your consent or on the performance of a contract with you; and the processing is carried out by automated means.
- You also have a right to object to processing justified on legitimate interest grounds. Where we are relying upon legitimate interest to process personal data, then you have the right to object to that processing. If you object, we must stop that processing unless we can either demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or where we need to process the data for the establishment, exercise or defence of legal claims.
- You have a right to request a copy of any personal data safeguards used for transfers outside your jurisdiction. Any such safeguards, including data transfer agreement made available to you may be redacted for reasons of commercial sensitivity. To request sight of these contact [email protected]
- You also have the right to lodge a complaint with your local supervisory authority (i.e. at your place of habitual residence, place of work or place of alleged infringement) if you consider that the processing of your personal data infringes applicable law. You can find the contact details of your local supervisory authority here.
Part2: Additional information for German data subjects
Additional information for Section 1 (INTRODUCTION) of the Privacy Notice
Please note that if you are in Germany it is only possible to report serious issues through YourVoice. YourVoice can be used namely to report on behaviour that:
- Constitutes a criminal offence against the interests of the Company (in particular falsification of company records, fraud, corruption, insider trading, etc.); or
- Violates human rights (e.g. taking advantage of favourable production conditions abroad through accepted child labour), workplace violence or threats, sexual harassment, violations of regulations protecting the environment as well as violations of the German General Equal Treatment Act (AGG).
If you are in Germany, YourVoice is in particular not intended for the reporting of violations of the Company’s Values and Code of Conduct unless these also fall into one of the categories listed above. Namely so called "soft factors", e.g. friendliness in customer service, should not be reported through YourVoice. The private life of employees should also not be made subject to a report.
If you have concerns you would like to report that cannot be reported through YourVoice, please do so by contacting your line manager or HR.
If you have any questions about this Privacy Notice, have any concerns relating to your personal data, want to exercise any of the rights granted by applicable laws or would like to access the information it contains in a different format please contact our Data Protection Team at [email protected] or the Data Protection Officer at [email protected].
Additional information for Section 2 (WHAT DATA DO WE PROCESS?) of the Privacy Notice
It will only be possible for you to disclose your identity when making a report through YourVoice, if you have given your consent to the processing of your personal data. Upon collecting this consent, you will be made aware of the consequences involved in disclosing your identity. We will, in particular let you know that your identity may have to be disclosed to the person(s) your allegations relate to in order to comply with data protection information obligations. If you do not wish to provide your consent, but would nevertheless like to disclose your identity when communicating your concern, please make use of our other communication channels (e.g. by contacting your line manager or HR). Making use of YourVoice is only one of several options you have for letting us know about your concerns.
However, any person reporting in a non-anonymous way through YourVoice should be aware that – depending on the specific case – it may be necessary to share the reporter's identity with the person(s) the report relates to in order to comply with data protection information obligations.
Additional information for Section 4 (WHAT ARE THE PURPOSES FOR WHICH DATA IS PROCESSED AND WHAT IS OUR LEGAL BASIS FOR CARRYING OUT THE PROCESSING?) of the Privacy Notice
4.8 If you are making a report through YourVoice in Germany and would like to disclose your identity, we process your personal data on the legal basis of your consent, pursuant to GDPR Article 6(1)(a) – consent.
4.9 In Germany, if the allegation made through the YourVoice system could amount to an allegation of criminal activity, personal data of the alleged employees will only be processed where this is necessary to detect the criminal offence of but only if there is a documented reason to believe the employee has committed the criminal offence while employed, the processing of the respective data is necessary to investigate the criminal offence and is not outweighed by the employee’s legitimate interest in the Company not processing the data, and in particular the type and extent are not disproportionate to the reason, pursuant to paragraph 26 para. 1 sentence 2 of the German Federal Data Protection Act.
Part3: Additional important information for Singapore and China data subjects
Additional information for Section 2 (WHAT DATA DO WE PROCESS?) of the Privacy Notice
Paragraph 2.2 is replaced with the following
2.2 If you choose to disclose your identity to the Service Provider, you provide your consent to the Service Provider to collect your personal data including name, surname, date of birth, email address, contact number and, if you are an employee of Anglo American, the name of your employer, your employee number, business unit and location. You also consent that the content of your report will also be processed in connection with your personal information, which may include details of the relevant incident or event you have witnessed / wish to report, and details of any personal opinion or expressions you wish to make in connection with the incident.
Additional information for Section 4 (WHAT ARE THE PURPOSES FOR WHICH DATA IS PROCESSED AND WHAT IS OUR LEGAL BASIS FOR CARRYING OUT THE PROCESSING?) of the Privacy Notice
Paragraph 4.5 is replaced with the following:
4.5 Sensitive personal data will only be processed where authorised by applicable laws. For example:
4.5.1 In Singapore and China, we will process this personal data in accordance with the applicable data protection laws, including obtaining consent where consent is necessary for the processing of such personal data.
4.5.2 If this data is being submitted in China and consent is not obtained for the processing of such data, it may not be possible for us to process the allegation in full.
Paragraph 4.6 is replaced with the following:
4.6 Personal data relating to criminal convictions and offences will only be processed where authorised by applicable laws. For example:
4.6.1 In Singapore and China, we will process this personal data in accordance with the applicable data protection laws, including obtaining consent where consent is necessary for the processing of such personal data.
4.6.2 If this data is being submitted in China and consent is not obtained for the processing of such data, it may not be possible for us to process the allegation in full.
Additional information for Section 6 (DISCLOSURES OF PERSONAL DATA) of the Privacy Notice
Paragraph 6.1 is replaced with the following:
6.1 You consent that your personal data can be accessed by or may be disclosed on a need‑to‑know basis to:
6.1.1 The specific investigations teams working on individual cases (such as ABAS, the Forensic Investigations Unit and the Information Security team), relevant members of HR (where the investigation is HR related) and relevant members of Security (where the investigation is security related);
6.1.2 Individuals and governance bodies that oversee the whistleblowing and investigations processes, such as relevant Heads of Risk and Assurance, members of the YourVoice Oversight Committee, Ethics Committees, Business Unit CEOs and Group Function Heads;
6.1.3 the Service Provider, who receives the information submitted as part of a report, and receives feedback from Anglo American companies on the report;
6.1.4 designated contact persons in ABAS who receive information from the Service Provider;
6.1.5 internal and external professionals, which may include Group Legal and forensic companies, who assist the specific investigations teams working on individual cases;
6.1.6 Anglo American companies who have a need to access information in a report, for example, if the ABAS investigation recommends action against an employee the investigation report will be provided to the relevant employer at Anglo American, including the line manager and relevant member of the HR team;
6.1.7 third parties who provide services to Anglo American and the Service Provider, such as IT systems providers or hosting providers; and
6.1.8 courts, public bodies, law enforcement agents and litigants where laws require us to make a disclosure, such as where a report is found to be false, unsubstantiated and made maliciously, and the accused person seeks that disclosure as part of an action for libel or defamation.
Consent
By agreeing to this privacy policy, I hereby consent to the collection, use, disclosure and/or processing of my personal data (including my sensitive personal data, where applicable) by the Company, for the purposes set out in the above notice, including without limitation the transfer of my personal data overseas.