POPI | GDPA

We may process your personal information for legitimate business purposes to administer our employment, contractual or other relationship with you and to run our businesses. We may collect, use, transfer, and otherwise process your personal information through automated and/or paper-based data processing systems. We have established routine processing functions such as processing for regular payroll and benefits and supplier payments. We also process personal information on an occasional or ad hoc basis in the context of employment and vendor or customer requests for information concerning personal data or any requests from the data subject.

From employees, job applicants and contractors we may collect as minimum necessary data for managing human resources, including:
- Information you provide us in relation to a job vacancy, for example, personal data you send us via CVs or automated online application forms;
- immigration, right-to-work and residence status;
- identity information;
- emergency contact details and a limited amount of family information
- agency details and hours administration
From website visitors we may collect as necessary data including:
- in relation to your visit to our websites, we will log your internet protocol (IP) address so that it is recognised the next time you visit;
From visitors to our offices and mine sites we may collect personal data to protect our security, safety and legal obligations, including:
- Images from closed circuit television (CCTV);
- Name, which is linked to a temporary badge, and obtained directly from you
- Fingerprints or other visual identification features. If you connect to our Wi-Fi system: IP address, MAC address, device type, duration of connection, size of uploaded and downloaded data, access point (general location)
From customers, suppliers and other external parties we collect personal data, including:
- Details of the transactions you carry out with us;
- personal data that you send us;
- personal data required to conclude a contract with you.
ERG also collects personal data in the course of complying with its legal obligations (for example, to comply with government requests and to undertake due diligence).
We limit our personal data collection and processing to the amount needed for the relevant processing purpose. If your data is to be processed for a different purpose we will inform you of that new purpose and ask your permission.

• Contractual commitments: some of our personal data processing is to meet contractual obligations to data subjects, or to take steps at their request of entering into a contract with them.
• Legitimate interest: In many cases we are processing your personal data on the ground of legitimate interest of the company, in ways that are not overridden by the interest or fundamental rights and freedoms of the affected individuals.
• Consent: in certain cases, - where required or allowed by law – we might handle your personal data on the basis of your permission/consent.
• Legal compliance: we need to process, thus disclose, your personal data in certain ways to comply with our legal obligations towards different authorities.

ERG may process personal data for the following purposes:

• To maintain its administrative and clients/suppliers relationships management systems, such as:
  • Contract drafting;
  • Invoicing and payment of invoices;
  • Communications and public relations;
  • Event organizations and surveys
  • Quality reviews;
  • Customer due diligence procedure;
  • Human resources matters such as recruitment etc.
• To apply third party diligence processes(including compliance sanctions, anti-money laundering, anti-bribery and counter terrorist financing)
• To facilitate compliance with its legal, regulatory, professional, contractual obligations
• To maintain and protect its buildings, equipment, IT infrastructure and data (including access management and authentication, security and performance monitoring);
• To manage and monitor the presence in the buildings, the use of equipment and the interactions of the data subjects (including the management of workspaces, parking, meeting rooms as well as the implementation and the monitoring of safety, health and hygiene measures, etc.);
• To ensure its business continuity;
• To manage risks and litigation;
• To process the data subjects’ requests;
• To manage its websites; and/or
• For any other purpose expressly indicated to the data subject at the time of collection of his/her personal data.

Depending on the purposes above, and besides the data subjects themselves, we may share the personal data to the following categories of recipients:

• Subcontractors, business partners, consultants and experts;
• Processors and sub-processors such as IT suppliers (including system administrators, cloud service providers, hosting providers etc.);
• Other ERG entities;
• ERG`s external counsels, agents, recruiters and auditors;
• Entities or individuals that have relationship with the data subjects (employers, relatives, counsels, business or potential business partners, etc.);
• Supervisory bodies;
• Public authorities.

We may transfer your personal information outside the country where you reside or work, including to countries that do not provide the same level of protection for your personal information as you may expect in your own country, where the following criteria are met:  

• Transfers and/or disclosures within ERG will be protected by an Inter-Group Agreement if it is necessary to share personal data outside of the jurisdiction where your personal data was first collected;
• For transfers and/or disclosures outside ERG, the transfer or disclosure is protected by contractual data privacy clauses and/or any suitable agreement which contains the legal requirements for such transfer. This will include a privacy and security assessment of whether any transfers across national borders comply with applicable data privacy laws;
• Where ERG has not adopted another legally sufficient adequacy mechanism, the Standard Contractual Clauses (SCCs), approved by the European Commission will be concluded;
• The relevant data subjects have consented to the transfer or disclosure; or
• The transfer and/or disclosure is otherwise required by local law or is expressly permitted under local data privacy laws, and that the relevant personal data originates in that jurisdiction.

In every case, we will inform you prior the cross-border transfer when, to where and for what purpose your personal data is sent.

We keep your data secure and protected against accidental, unauthorised or unlawful processing, including against loss and unauthorised access, destruction, misuse, modification or disclosure. This means we ensure that we have the appropriate technical, physical, and organisational measures in place for all stages of the personal data ‘life cycle.’  Data security obligations apply whether your personal data is stored in hard copy form (e.g., paper) or in electronic form (e.g., in databases). Access to your personal data is provided on a ‘need to know’ and `need to access` basis for parties outside and within ERG.

We require our business groups to immediately report any breaches in relation to  your personal data to the ERG Data Privacy Officer for investigation. 

Your personal data is kept only for as long as necessary for the lawful purpose for which it is processed (as notified to the relevant individuals), or for the time required or permitted under local laws. After such time, records containing your personal data will be securely destroyed (as in the case of physical records) or permanently deleted (in the case of electronic records) in accordance with ERG’s Data Retention Schedule or as required by applicable local laws.

We take reasonable steps to ensure that personal information is accurate, complete, and current. Please note that you have shared responsibility with regard to the accuracy of your personal information.  Additionally, you may:

• request information about how your personal data is processed;
• request access to your personal data;
• seek erasure of your personal data;
• ask for processing of your personal data to cease;
• request for rectification, if your personal data is recorded incorrectly
• be notified or ask for restriction of your personal data processing under certain circumstances
• make objection against your personal data processing under certain circumstances
• be notified if a Group business has made a decision about you that is based on automated data processing alone, so that you can request human review of such decision, if necessary;
• complain about processing; or
• withdraw previously given consent regarding ERG’s processing of your personal data.

There are legal exceptions to the exercise of these rights, and ERG will review each request on a case by case basis, referring to the laws of the country where you are located.  Your requests for exercising your rights should be referred to the ERG Data Protection Officer for your region, who can be contacted at: GD*************@er*.net