Ferrexpo is committed to protecting your personal data.  This privacy notice (“Privacy Notice”) informs you how we process, share, and protect your personal data.

For the purpose of applicable data protection legislation (including but not limited to the UK version of the General Data Protection Regulation applicable in the United Kingdom and the Data Protection Act 2018), Ferrexpo plc ("Ferrexpo", “we”, “our” and “us”) is the controller of your personal data.

Ferrexpo is registered in the UK (05432915) and our address is 55 St. James's Street, London, England, SW1A 1LA.

We may amend this Privacy Notice from time to time. You are advised to review this Privacy Notice periodically for any changes.  Changes to this Privacy Notice are effective when they are posted on our website.

Please note that our website is not intended for children and we do not knowingly collect information about any person under the age of 18. Our website may include links to third-party websites, plug-ins and applications. We do not control these third-party websites and are not responsible for their privacy statements. When navigating to a third party site, we recommend that you review their privacy statements to understand how your personal data may be being processed.

Personal data we collect about you

We collect and process personal data about individuals (collectively “you”): (i) who visit our website; (ii) who make an enquiry; or (iii) who are representatives, directors, officers, authorised signatories, employees and agents of Ferrexpo vendors or any other third party with whom we interact.

Depending on the relevant circumstances, we collect some or all of the personal data listed below for the reasons which we describe in this Privacy Notice:

  • name;
  • postal address;
  • email address and other contact information;
  • IP address; and
  • any other personal data you disclose to us in the form of an enquiry or request.

Some of the personal data we collect from you is required to enable us to fulfil our duties to you.  For example, to respond to an enquiry, we need to collect your email address and name to be able to process your request.

Depending on the type of personal data in question and the grounds on which we may be processing it, should you decline to provide us with such data, we may not be able to fulfil the request.  For example, if you do not provide contact details, we will not be able to respond to your enquiry.

How and why do we collect your personal data?

The majority of the data we hold about you will be collected directly from you.

We collect, use, and disclose your personal data for a number of reasons, including:

  • to enable us to provide and improve the Ferrexpo services and website, including reporting to our stakeholders (to the extent that this is appropriate and in accordance with local laws);
  • to enable us to respond to your enquiries;
  • to enable us to comply with our legal obligations;
  • to help us establish, exercise or defend legal claims;
  • for internal administrative purposes (for example, vendor management); or
  • for other reasons with your consent.

Lawful bases for us processing your data

We have set out in the table below the key purposes for which we use your personal data, as well as the types of personal data used and the lawful bases relied upon for that use in accordance with applicable data protection law.

Why do we hold this data?What types of personal data?What legal basis do we rely upon?

To enable us to investigate your enquiries and to respond to any requests for information.

  • Name
  • Postal address
  • Email address
  • Other personal data explicitly disclosed to us in an enquiry

Legitimate interests, namely it is in our interests:

  • to provide our services;
  • to develop our relationships with customers and other interested parties; and
  • to ensure our business runs smoothly.

To enable us to provide our services, including perform research and development to enhance our ability to produce high grade iron ore, related technologies and lower carbon emissions.

  • Name
  • Postal address
  • Email address
  • IP address

Legitimate interests, namely it is in our interests:

  • to develop our future products and services;
  • to ensure our business runs smoothly;
  • to safeguard our business interests; and
  • to provide our services.
We may also need to process your data to comply with our legal obligations.

To carry out analytics and provide information to our stakeholders.

  • IP address
  • Other personal data explicitly disclosed to us

Legitimate interests, namely it is in our interests:

  • to ensure our business runs smoothly; and
to safeguard our business interests.

To help us to establish, exercise, or defend legal claims.

  • Name
  • Postal address
  • Email address
  • IP address

Legitimate interests, namely it is in our interests for us to be able to establish and defend our legal rights and understand our obligations, and seek legal advice in connection with them.

To enable us to provide you with marketing information.

  • Name
  • Postal address
  • Email address
  • IP address

Legitimate interests, namely it is in our interests to be able to market our products and services to potential customers.

In certain circumstances we may also seek your consent for marketing activities. In such circumstances, we will provide you with sufficient information so that you can decide whether or not you wish to consent.  You have the right to withdraw your consent at any time.

Who do we share your information with?

We may share your information with any of the following groups:

  • Any other Ferrexpo entities. Your personal data may be shared within the Ferrexpo group as required.
  • Tax, audit, or other authorities. We may share your information with tax, audit, or other authorities when we believe that the law or other regulation requires us to do so or in order to help prevent fraud or to enforce or protect our rights.
  • Third party service providers. We may share your information with third party service providers who perform functions on our behalf, such as information service security providers, IT infrastructure and email service providers, and IT service providers. These service providers may also include external consultants and professional advisers (including law firms, auditors and accountants).
  • Other parties in connection with a corporate transaction. We may disclose or share your information in the event that we purchase, sell, finance, transfer, or acquire all or a portion of a business or assets, such as in connection with a merger, or in the event of a bankruptcy reorganisation or liquidation.

How long do we keep your personal data for?

We may retain your personal data as long as it remains necessary in relation to the purposes we collected the information for.  When determining the appropriate retention period, we consider the risks of the processing, our contractual, legal, and regulatory obligations, internal data retention policies and our legitimate interests as described in this Privacy Notice.

How do we keep your personal data secure?

We care about protecting your information.  That is why we put in place appropriate measures that are designed to prevent unauthorised access to, and misuse of, your personal data.

We are committed to taking all reasonable and appropriate steps to protect the personal data that we hold from misuse, loss, or unauthorised access.  We do this by having in place a range of appropriate technical and organisational measures, including encryption measures and disaster recovery plans.

Unfortunately, there is always risk involved in sending information through any channel over the internet. You send information over the internet entirely at your own risk.  Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted over the internet and we do not warrant the security of any information, including personal data, which you transmit to us over the internet.

How do we store and transfer your data internationally?

Your personal data may be transferred outside of the EEA and the UK to the types of entities described in the section called ‘Who do we share your information with?’ above.

We want to make sure that your personal data is stored and transferred in a way which is secure.  We will therefore only transfer data outside of the EEA and the UK where it is compliant with data protection legislation and the means of transfer provides adequate safeguards in relation to your data, for example by way of an intra-group agreement in place between Ferrexpo group entities or a data transfer agreement with a third party, in each case incorporating appropriate standard contractual clauses adopted by the EU or the UK.

Where we transfer your personal data to a third party outside the EEA and the UK, as applicable, and where the country or territory in question does not maintain adequate data protection standards, we will take all reasonable steps to ensure that your data is treated securely and in accordance with this Privacy Notice.

Your rights

Under certain circumstances, you have various rights in relation to the data which we hold about you.  We have set these out below.

  • Right to access your personal data: You have the right to request a copy of the personal data that we hold about you, and request us to modify, update or delete such information. However, you should be aware that where we are legally permitted to do so, we may refuse your request.  If we refuse your request, we will always tell you the reasons for doing so.
  • Right to object to, and/or restrict, processing: You have the right to object to, or restrict our processing of, your personal data in certain circumstances. We will stop such processing unless we can demonstrate compelling legitimate grounds for the processing which overrides your interests or if the processing is necessary for the establishment, exercise or defence of legal claims.  You also have the right to object to any direct marketing.
  • Right to erasure: You have the right to request that we erase your personal data in certain circumstances. We would only be entitled to refuse to comply with your request for erasure in limited circumstances and we will always tell you our reason for doing so.
  • Right to rectification: You have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you.
  • Right of data portability: You have the right to transfer your personal data between service providers.
  • Right not to be subject to automated decision making: You have the right not to be subject to a decision based solely on automated processing including profiling which produces legal effects on you or similarly affects you. However please note that we do not make recruiting or hiring decisions based solely on automated decision-making.
  • Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities, you may withdraw this consent at any time by contacting us on the details in the ‘Contact Us’ section below.
  • Right to complain: You also have the right to lodge a complaint and can contact us using the details below in the ‘Contact Us’ section. You also have the right to make a complaint to your local supervisory authority.  The privacy regulator for the UK is the Information Commission Officer ("ICO").  Complaints can be made to the ICO here: https://ico.org.uk/make-a-complaint/data-protection-complaints/data-protection-complaints/

Contact us

If you have any questions or concerns about our use of your personal data, please contact us at [email protected].  We take privacy seriously and will get back to you as soon as possible.