Holcim ANZ Privacy Policy

October 2023

Privacy Policy

Introduction

This privacy policy is issued by Holcim (Australia) Pty Ltd ACN 099 732 297 with its registered office at Level 7, Tower B, 799 Pacific Highway, Chatswood NSW 2067 Australia (“Holcim Australia”) and it applies to Holcim Australia and Holcim (New Zealand) Limited with its registered office at 1/1 Show Place, Addington, Christchurch, New Zealand (“Holcim New Zealand") and their respective related bodies corporate in Australia and New Zealand (“Holcim”).

Holcim respects the privacy of all persons and is committed to protecting all personal information (that being, information or an opinion about an identified individual or an individual who is reasonably identifiable) in compliance with applicable privacy legislation. Holcim is bound by the Privacy Act 1988 (Cth) (“Act”) including the Australian Privacy Principles (“APP”) as well as various State and Territory legislation governing the collection, use, storage and disclosure of personal information (“State and Territory legislation"), and the Privacy Act 2020 in New Zealand (“NZ Act”) (and collectively, “Privacy Law”).

This policy describes how personal information (including credit information) is collected by Holcim and has been created for the purposes of compliance with Privacy Law. This policy may be amended by Holcim Legal department from time to time. Any enquiries on this policy may be directed to Holcim General Counsel or Holcim Privacy Officer, using the contact details contained in this document.

Collection

The type of personal information collected and held by Holcim may include (without limitation) an individual's:

name;
gender;
address (residential, business);
date of birth;
contact details (telephone number, e-mail address);
identification documents (passport, driver's licence);
employment details (past and current);
Holcim transaction information;
credit information;
insurance information;
digital information (such as location, IP address);
marketing information;
camera surveillance (such as CCTV); and/or
biometric information (such as fingerprints or facial recognition).

Personal information is collected by Holcim:

from individuals in response to a request from Holcim;
from other entities in response to a request from Holcim or an arrangement for sharing or transferring information between entities;
at business meetings, such as when business cards are exchanged;
when an individual uses Holcim's website;
when a completed form or application is submitted to Holcim by an individual;
when a written complaint is sent to Holcim;
when an employment application is sent to Holcim;
when an individual performs any function or engages in any activity as an employee or contractor of Holcim;
when an individual participates in Holcim's supply chain;
when a form is completed to enter a competition being conducted by Holcim;
when personal information is provided to a 'fraud hotline' designed to capture 'tip-offs' from the public;
when an entry is made in Holcim's visitors book;
when an individual attends an event hosted by Holcim;
when an individual opts to receive publication or marketing material from Holcim;
from a record of a credit card payment;
from camera surveillance;
from biometric information;
from location information; or
when an individual otherwise interacts with Holcim in the course of business, such as when Holcim provides goods or services or is approached with an application for consumer credit.

Personal information is also collected by Holcim from third parties, such as former employers, regulatory authorities, credit-reporting bodies and referees, and/or the public domain. Holcim may combine an individual's personal information which has been gathered from more than one source.

The collection of such personal information is necessary for the operation of Holcim's businesses (Concrete, Aggregates, Humes, Transport, Services) and the performance of associated activities in compliance with law and relevant standards. Each business is responsible for identifying the type of personal information it requires as well as the particular functions within that business for which the personal information is required. Each business is expected to reassess its requirements for personal information on a regular basis, and endeavor to do so once each calendar year. This is to ensure that Holcim only engages in the collection of personal information to the extent reasonably necessary for Holcim's functions and activities (and not otherwise).

Further, all personal information is collected lawfully and fairly. Individuals are informed of the following, as close as possible to the time that their personal information is collected by Holcim:

Holcim's corporate identity and contact details;
the fact and the way in which Holcim is collecting (or has collected) the personal information;
whether collecting the personal information is required by law, permitted by law, or entirely voluntary at the individual's discretion, in which case Holcim gives the individual the option of not identifying themselves;
the reason(s) Holcim is collecting the personal information;
the consequences of Holcim not collecting the personal information;
Holcim's usual disclosures of the kind of personal information being collected;
information about Holcim's privacy policy; and
whether Holcim is likely to disclose the personal information to any overseas recipients, and if practical, the countries where the overseas recipients are located.

Where the personal information being collected by Holcim constitutes “sensitive information”, the individual's prior written consent is sought and obtained by Holcim. Sensitive information is personal information that includes information or an opinion about an individual's:

racial or ethnic origin;
political opinions or associations;
religious or philosophical beliefs;
trade union membership or associations;
sexual orientation or practices;
criminal record;
health or genetic information; or
certain aspects of biometric information.

Where the European Union and United Kingdom's General Data Protection Regulation (“GDPR") applies, personal information may only be processed by Holcim with the individual's prior written consent.

Templates are available from Holcim Legal department for the purposes of this section.

Use

The personal information collected by Holcim is or may be used:

to promote and provide goods and services;
to source and purchase goods and services;
for the rectification of product/service defects;
for marketing and research (including by third parties engaged by Holcim to conduct market or industry surveys on an anonymous basis);
to monitor the use of Holcim's website and related applications;
to monitor the use of Holcim's assets;
to monitor the condition and use of Holcim's property (including all offices, plants and facilities, whether owned or leased by Holcim);
to negotiate contracts and other arrangements;
to communicate with individuals;
to verify an individual's identity;
to assess an individual's creditworthiness;
to exercise any legal rights available to Holcim as a “credit provider”;
to issue invoices and process payments;
to engage in debt collection activities;
to assess suitability for employment;
to make offers of employment;
to investigate incidents;
to monitor and/or investigate employee or contractor conduct;
to monitor and/or investigate employee or contractor performance;
to gather evidence of employee or contractor wrongdoing or misconduct;
to fulfil Holcim's obligations as an employer;
to manage and/or improve Holcim's business and/or Holcim's operations;
for legal compliance including WHS compliance;
to manage security risks and prevent crime; and
for maintenance of Holcim's accounts and records.

Disclosure

Holcim may, in the course of operating its business, disclose an individual's personal information to one or more third parties such as:

its related entities (within or outside of Australia and New Zealand);
its contractors who carry out services for Holcim and/or Holcim's customers;
its service providers including its professional advisors (legal, accounting, audit), insurance, IT support, research, banking, data processing and security;
one or more credit reporting bodies for the purpose of processing an application for customer credit (namely, ApplyEasy at https://applyeasy.com.au/home); and
regulatory or law enforcement authorities, courts, tribunals, government agencies.

Holcim may also disclose an individual's personal information to authorised third party partners such as:

Holcim's own clients and customers who might assist in delivering Holcim's products and services; or
third party technology and marketing partners such as Amazon Web Services and Google (including Google Analytics) when an individual accesses Holcim's website.

These partners may contact an individual directly and in that event their collection, use, storage and disclosure of that individual's personal information will be governed by the third party's own privacy policy and not Holcim's.

Notwithstanding that, Holcim's third party partners are only permitted to use an individual's personal information to the extent necessary to provide the applicable services. Where Holcim discloses personal information to a third party acting on its behalf (for example, to an IT system provider), Holcim ensures the receipt of personal information by that third party is subject to written undertakings by that third party to handle the personal information solely for the permitted purpose and to protect the personal information using appropriate measures.

Direct marketing

Holcim may use an individual's personal information (including analytic information gathered from use of Holcim's website) for the marketing and promotion of Holcim goods or services. Holcim may contact an individual either in person or via an electronic device, on an impromptu basis or using targeted advertising, but will cease all direct marketing approaches immediately upon being instructed to do so. Individuals may convey such instructions to Holcim either by using the "opt-out” option in a message or by contacting Holcim directly using the details contained in this document.

Integrity of personal information

Holcim recognises that under the APP, any personal information being held by Holcim must be kept accurate, up to date and complete. Holcim takes all reasonable steps to confirm the accuracy of personal information immediately upon receipt (including by contacting external bodies, such as road transport authorities to verify driver's licence details). Individuals are also invited to notify Holcim directly of any changes in their personal information, using the contact details published on Holcim's website at www.holcim.com.au

Security

Holcim understands the legal requirement to protect any personal information being held by Holcim from misuse, interference, loss, unauthorised access, modification or disclosure. To meet this requirement:

Holcim determines who has access and modification rights in relation to personal information;
Holcim ensures that personal information is held securely and only for as long as it is needed for Holcim's business functions;
Soft copy personal information is stored in Holcim's secured IT systems with standard security features such as user passwords, designated user access, access history, and data encryption;
Hard copy personal information is either stored onsite at Holcim's own premises or at secure external storage facilities;
Any personal information that is out of date or that can no longer be assumed to be correct or that is no longer required by Holcim is deleted or destroyed; and
In any case, Holcim employees are bound by strict confidentiality agreements and are strictly required to observe Holcim's document retention policies and information security guidelines, all of which operate to secure any personal information being held by Holcim.

Access and correction

Where permitted by law, individuals can obtain access to their personal information being held by Holcim and can seek to correct errors in that information by contacting and communicating with Holcim's Privacy Officer whose name and contact details are included in this document. Holcim will respond to any such request within 14 days. Holcim reserves the right to charge a fee where additional expenses are likely to be incurred by Holcim in retrieving the personal information the subject of an individual's request for access or correction.

Holcim reserves the right to not grant access to personal information being held by Holcim where:

Holcim reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety;
giving access would have an unreasonable impact on the privacy of other individuals;
the request for access is frivolous or vexatious;
the information relates to existing or anticipated legal proceedings between Holcim and the individual, and would not be accessible by the process of discovery in those proceedings;
giving access would reveal Holcim's intentions in relation to negotiations with the individual in such a way as to prejudice those negotiations;
giving access would be unlawful;
denying access is required or authorised by or under an Australian law or a court/tribunal order (for example, employee records in Australia are exempt from the operation of APP);
Holcim has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to Holcim's functions or activities has been, is being or may be engaged in, and that giving access would be likely to prejudice the taking of appropriate action in relation to the matter;
giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body;
giving access would reveal evaluative information generated within the Holcim organisation in connection with a commercially sensitive decision-making process.

Cross-border disclosures

Holcim might disclose personal information to a recipient outside of Australia (either directly or indirectly) in the following circumstances:

in the course of reporting to Holcim's regional shared service center (in India) or Holcim's parent organisation (in Switzerland); and
in the course of storing such information in cloud-based data hosting facilities or other networked or electronic systems which are only accessible via an internet connection.

Holcim takes all reasonable steps to ensure that any overseas recipient of personal information held or disclosed by Holcim is strictly bound by enforceable undertakings:

to operate in a manner which is generally consistent with the Act and APP;
to report any deviations or breaches to Holcim within a specified timeframe; and
to review its systems and safeguards on a regular basis and commit to continuous improvement of the same.

Credit information

Holcim may collect personal information which constitutes credit information under Part IIIA of the Act (such as an individual's credit arrangements, credit history, defaults) if Holcim provides, or is approached to provide, goods or services on credit to an individual. In that event the credit information collected by Holcim will be about the individual applying for credit and may be collected from that individual and/or a third party, such as a (another) credit provider or a credit reporting body.

Holcim may use such credit information to verify the individual's identity, assess their creditworthiness and manage any credit provided to them.

Holcim may store credit information with other personal information of an individual. All credit information held by Holcim is handled in accordance with this policy and the Privacy Law including Part IIIA of the Act and remains subject to the conditions and restrictions in the latter.

NZ Act

Holcim acknowledges it is bound by the additional privacy obligations and compliance requirements presented by the NZ Act with effect from 1 December 2020, including without limitation, the NZ Act's:

extraterritorial scope, which confirms that Holcim entities other than Holcim New Zealand which "carry on business” in New Zealand are likewise bound by the NZ Act;
mandatory data breach reporting regime, which requires entities to notify the regulator and affected individuals of a “notifiable privacy breach”, which term (besides meaning unauthorised access, disclosure or loss of personal information) now also means any action which prevents an agency from "accessing information on either a temporary or permanent basis", hence making it possible for a ransomware incident to amount to a "privacy breach";
restrictions on overseas transfers, whereby the transfer of personal information outside of New Zealand is prohibited unless the receiving entity is bound by comparable safeguards to those contained in the NZ Act;
criminal offences regime, whereby failure to comply with the NZ Act will amount to a criminal offence in respect of which fines might be imposed;
regulatory powers regime, whereby the New Zealand Office of the Privacy Commissioner (OPC) is authorised to issue compliance notices if OPC considers that agencies are not complying with their obligations under the NZ Act.

Enquiries and complaints

Any enquiries on this policy or on Holcim's handling of personal information (or credit information) or any complaints regarding Holcim's alleged failure to comply with the Privacy Law or to meet the requirements of any one or more of the APP should be directed to Holcim Legal department in the first instance to:
Jessica Blomfield, Holcim General Counsel, at jessica.blomfield@holcim.com
or
Kasia Ciula, Holcim Privacy Officer, at kasia.ciula@holcim.com

Holcim commits to providing an initial response to a complaint within 7 days of receipt of the complaint, and further commits to resolving a complaint or otherwise confirming Holcim's position on a complaint within a further period of 21 days, provided the complainant remains contactable to provide further information on the complaint as and when requested by Holcim. In the absence of a complainant being readily contactable by Holcim, no assurances are given as to when a complaint can be resolved.

Complainants who remain dissatisfied with Holcim's handling or resolution of a complaint may escalate the complaint to the Office of the Australian Information Commissioner (“OAIC”) at GPO Box 5288, Sydney NSW 2001 Australia. A complaint to the OAIC must include the following:

the complainant's name and contact details;
any relevant reference numbers or identifiers;
the name of the organisation or agency the subject of a complaint;
a brief description of the privacy complaint (what happened and when);
any action the organisation or agency has taken to fix the problem;
a copy of any relevant document (such as the original complaint to the organisation and their response); and
what outcome the complainant would like.

Document Control

Approved by: Holcim ANZ Executive Committee August 2023

Version control

Version Number	Date Issued	Author	Update information
1	12-Oct-2023	Cynthia Paul Senior Legal Counsel
2	26-Oct-2023	Cynthia Paul Senior Legal Counsel	1. US spelling amended to Australian spelling. 2. "Australia" added to OAIC street address.