Candidate Privacy Statement

This Privacy Statement explains how Rio Tinto Group Companies (“Rio Tinto”, “we”, “us”, “our”) will collect, use, and share your Personal Data when you apply for a role or update your profile on our Careers Site.

For purposes of this Privacy Statement, “Personal Data” means information relating to an identified or identifiable natural person, including any personal information or personal data as defined under the applicable privacy or data protection laws, rules, or regulations (Applicable Law). We will only process your Personal Data in accordance with this Privacy Statement unless otherwise required by Applicable Law. We take steps to ensure that the Personal Data we collect about you is adequate, relevant, not excessive, and is processed for limited purposes.

Under the California Consumer Privacy Act (CCPA), applicants who are California residents have specific rights regarding their Personal Data. For more information, please see our “Additional Information for California Residents” below.

In connection with your application to work with us, we may collect, store, and use the Personal Data about you listed in the table below. We may also ask that you provide information that may be treated as Sensitive Personal Data, in accordance with Applicable Law, such as racial or ethnic origin, religious or philosophical beliefs, genetic information, and health or disability of our applicants (diversity information for monitoring equal opportunities, making reasonable adjustments, or information about your criminal record). We will follow all applicable processing restrictions associated with processing such data. Where applicable, we will obtain your consent when any of your Sensitive Personal Data is processed in connection with your job application.

Type of Personal Data | Description of the Personal Data
Contact and communications information
  • Your contact details (including email address, telephone number,
    and postal address);
  • Records of communications and interactions we have with you.
Biographical, educational, and social information
  • Your name, title, signature, gender, nationality, and date of
    birth;
  • Citizenship, residency, nationality, and immigration status;
  • Curriculum vitae, resume, education history, academics, or
    achievements;
  • Details of your education and references from your institutions
    of study.
Professional or employment relation information
  • Application materials;
  • Details of your work history and references from your previous
    employers, including details of restrictions such as restrictive
    covenants, non-compete, or non-solicitation;
  • Skills and qualifications;
  • Hire state;
  • Job end or termination date;
  • Work authorization status.
Government issued identification and identifiers
  • Passport;
  • Drivers’ licenses;
  • National Insurance Number, Social Security Number, Aadhaar
    Number, Individual Number, Personal ID Number, tax file number
    or other unique identifiers;
  • Other documents issued by a government such as citizenship,
    visa, residency.
Digital or electronic information
  • Date and time of your visits to our Careers Site, geographical
    information, IP addresses, the date and time of accessing
    digital services and geolocation where this is enabled in your
    device settings;
  • Pages viewed and browsing behavior on our websites including
    interaction and navigation and fields completed on forms and
    applications;
  • Username, and password for access and log in credentials;
  • Audio, electronic, visual, or similar information such as CCTV
    footage, photographs, or interview recordings.
Any other information you choose to provide
  • Employment preferences, such as willingness to relocate, current
    salary, desired salary, professional memberships.
Background checks and references
  • Information about your performance, skills, attitude, and
    personal attributes, including personality assessments;
  • Criminal records (relevant for certain roles);
  • Credit reports.
Sensitive Personal Data, such as:
  • Ethnicity, or Race;
  • Religion;
  • Sexual orientation;
  • Gender identity;
  • Genetic information;
  • Health information;
  • Trade union membership;
  • Philosophical beliefs.

In accordance with Applicable Laws, if we require your consent to process or share your Personal Data (including any Sensitive Personal Data) and you do not allow us to process or share that data (including overseas) as intended, then we may not be able to process your application properly or at all.

We may collect Personal Data about you from the following sources:

  • You, the candidate;
  • Recruitment agency, or internal recruiters;
  • Background checks provider;
  • Candidate assessment providers;
  • Your named referees;
  • Publicly available information;
  • Health care professionals;
  • Our employees that may have referred you for a role.

In China, your Personal Data will be collected by one or more of the following entities:

  • Rio Tinto Trading (Shanghai) Co Ltd (branches in Shanghai and Beijing);
  • Rio Tinto Mining Commercial (Shanghai) Co Ltd;
  • Rio Tinto Mineral Exploration (Beijing) Co Ltd;
  • Rio Tinto Iron & Titanium (Suzhou) Co Ltd;
  • Rio Tinto China.

In Mongolia, your Personal Data will be collected by one or more of the following entities:

  • Rio Tinto Holdings LLC;
  • Rio Tinto Mongolia LLC;
  • Oyu Tolgoi LLC.

Rio Tinto processes Personal Data about applicants for a variety of purposes, as shown below. We typically rely on one of four bases for the processing of your Personal Data: consent, to perform or enter into contractual obligations, to meet legal obligations and/or for our legitimate interests in accordance with Applicable Law. Where we process Sensitive Personal Data, we rely on multiple legal bases. The specific legal bases for a particular processing activity will depend on local law and practice. The examples in the chart below describe our typical legal bases for processing Personal Data where we are subject to the European Union General Data Protection Regulation (GDPR). In some other jurisdictions (such as the United States), we may use consent as the legal basis for fewer or different processing activities than what is stated below.

Legal Basis to Collect Your Personal or Sensitive Data | Description of Why We Will Process Your Personal or Sensitive Data
Consent. This means we will not process your Personal Data without consent, which will be freely given, specific, informed and unambiguous. When we ask you for consent, it will usually involve you:

  • Signing a consent statement on a paper form;
  • Clicking an opt in button or link online;
  • Selecting from prominent yes/no options;
  • Choosing technical settings or preference dashboard settings;
  • Responding to an email requesting consent;
  • Answering yes to an oral request (where permitted by Applicable Law);
  • Volunteering information for a specific purpose.

Should you provide us your consent to process your Personal or Sensitive Personal Data, you may withdraw your consent at any time by emailing us, or clicking the provided button, or using another designated method. In some cases, if consent is not given, or given and then later withdrawn, then we will be unable to process your application.

  • To assess your suitability to undertake certain positions or activities. For example, to record your disclosed medical or physical conditions, limitations, pre-employment or medical and health checks and assessments and alcohol and drug testing;
  • Application review, including assessing your skills, qualifications, and suitability for applicable roles and opportunities;
  • Facilitating in-person or online interviews and assessments;
  • Future recruitment with your consent to add you to our Talent Community to be considered for other opportunities at Rio Tinto and its Affiliates beyond the one(s) for which you apply;
  • To carry out background checks, which can include background, credit, and criminal checks;
  • To check references you provide to us in relation to your employment history;
  • For Equity, Inclusion and Diversity, such as monitoring and fostering equal opportunity in recruitment processes;
  • To ascertain whether a potential candidate with a health condition needs reasonable adjustments to be made to the recruitment process (not the role) to allow them to participate;
  • Access or log in credentials;
  • Onboarding, and human resources planning and management, and creating an Employee Profile after offer acceptance.

We will rely on consent where this is the only legal basis for processing your Personal or Sensitive Data. In some cases, we will be clear with you that we cannot rely on any other basis and if you do not consent, we will be unable to process your application.
We will also rely on consent where this is the only legal basis for transferring your Personal or Sensitive Data out of your home jurisdiction (meaning the jurisdiction in which you were located when your Personal or Sensitive Data was collected) and sharing it with third parties. In such cases, we will be clear with you that we cannot rely on any other basis and if you do not consent, we will be unable to process your application.

Legal obligations. We may need to process Personal Data to comply with legal obligations.
  • When notified to us, to provide additional assistance and support to you under Equal Opportunity or Discrimination laws (or equivalent);
  • To address, manage and mitigate health and safety at our workplace;
  • To take action to protect and defend our rights or property and/or the rights or property of third parties or to protect the public against dishonesty, malpractice or seriously improper conduct, unfitness or incompetence, mismanagement or failures in services provided;
  • To meet our legal and regulatory obligations, such as compliance with applicable global laws and regulations;
  • Diversity and inclusion monitoring, for example in certain countries we must collect this information to ensure we comply with our obligations not to discriminate on protected characteristics in accordance with applicable laws.
Entering into a Contract with You.
  • Pre employment medical screening, or health checks;
  • Drug and alcohol testing;
  • Onboarding, and human resources planning and management, and creating an Employee Profile after offer acceptance.
For the legitimate interests of Rio Tinto. This means that we consider whether the processing is necessary for pursuing the legitimate interests of Rio Tinto or of a third party. We will not rely on legitimate interests if we assess that your interests or fundamental rights and freedoms which require protection of your Personal Data override our reliance on legitimate interests.
  • Application review, including assessing your skills, qualifications, and suitability for applicable roles and opportunities;
  • Identifying candidates, including by recruiters;
  • Access or log in credentials;
  • Facilitating in person or online interviews, or assessments;
  • To monitor access and/or use of Rio Tinto systems and devices, premises, and sites for safety and security;
  • Effective management of our business and providing our employees with opportunities;
  • For conducting and processing data analytics and/or generating insights for the benefit of Rio Tinto;
  • Diversity and inclusion, such as monitoring and fostering equal opportunity in recruitment processes;
  • Defending and protecting our rights and interests, including those of third parties.
Vital Interests
  • To protect your and someone else’s life. For example, if you are involved in an emergency and you require emergency care or medical treatment or you witness an emergency situation and are able to provide information to us about it;
  • To contact you or your family members where appropriate, for compliance with health and safety requirements or during medical emergencies.

Rio Tinto is a global company with operations in more than 35 countries and may share your Personal Data with affiliates, or partners (such as managed and non-managed joint ventures) that are involved in evaluating candidates for a given position around the world. We may also share your Personal Data, to the extent necessary, with third-party service providers such as those who support our recruitment or human resources functions and/or administer our business, other administrative support such as updating or troubleshooting, hosting our web servers, analyzing data, to conform to legal requirements, protect our and third-party property rights and safety, or where you consent. These companies may be located in a country whose data protection legislation is different from your country. In such cases, Rio Tinto will carry out the transfers in accordance with the requirements of the Applicable Laws for the security, confidentiality and lawfulness of the data processing, and in some cases, we may need your further consent. We may also share your Personal Data with a third party in the event of a merger, sale, joint venture, transfer, or other disposition of all or any of our business, assets, or stock, including in connection with bankruptcy or similar proceedings. Under no circumstances will your Personal Data be made public.

The recipients with which we will share, transfer and/or store Personal Data are:

Recipient/Delegate (and Country) | Country of Recipient | Purpose of Transfer | Personal Data Transferred | Timing and Method of the Transfer | Use and Retention Period
Rio Tinto Group Affiliates | Click here for Affiliates and contact details | Business legitimate interest, on a need-to-know basis | Name, role, contact details, employment-related information, Sensitive Data (as and where required) | Frequent, electronic transfer | As per Retention Policy
Rio Tinto Joint Venture partners (managed, and non-managed) | EU, UK, US | For talent acquisition and recruiting, business legitimate interest, on a need-to-know basis | Name, role, contact details, employment-related information, Sensitive Data (as and where required) | Frequent, electronic transfer | As per Retention Policy
Microsoft 365 Suite | US | Communication and collaboration, SharePoint, Emails | Contact information, employment information | Frequent, real-time, electronic transfer | As per Retention Policy
Workday Cloud Solutions Software | Europe | Talent Acquisition and Recruiting Software | Refer to above “What Personal Data is processed?” | Frequent, real-time, electronic transfer | As per Retention Policy
Enablon | US | Environment, Health, and Safety Software | Limited contact information of reporter/inputter of incident | Frequent, real-time, electronic transfer | As per Retention Policy
Navex | EU | Incident Management and Reporting Software (whistleblowing hotline) | Limited Personal Data of reporter (if provided – usually anonymous), including Sensitive Data (dependent on the report or conduct alleged) of the individual that is the subject of the report, and others that may be involved | Frequent, real-time, electronic transfer | As per Retention Policy

The Application materials allow you to apply for jobs world-wide, as a benefit of Rio Tinto’s centralized global recruitment function. Any hiring or other employment-related decisions will be made by the hiring affiliate in accordance with the laws of the country where the job will be located.

Personal Data will only be processed for as long as this is required for the purposes it was collected for or for the time required and otherwise authorized by law. We will then destroy your Personal Data in accordance with Applicable Laws and pursuant to procedures established in relation to our systems or processes. Retention periods for records containing Personal Data are based upon the business need, regulatory record keeping obligations in the countries we do business or where you are located, and our legal obligations. Should you require further information, please contact recruitment.support@riotinto.com.

We may also remove Personal Data for inactive accounts from our database, subject to any applicable legal or regulatory obligations.

Depending on your country of residence, you may have certain rights under Applicable Laws. These may include the right to access, correct, update, suppress, restrict, or delete your Personal Data, or object (including the right to object to automated decision making) to the processing of your Personal Data, as well as nominate an individual who would be able to exercise your rights under the Applicable Laws in the event of your death or incapacity. If you register on our Careers Site, you may access, review, and change your Personal Data stored therein by logging in and updating your account information. Please note that these rights are not absolute. If you would like to exercise any of your rights or would like to request to receive an electronic copy of your Personal Data, please contact us at recruitment.support@riotinto.com. We may need to request additional Personal Data from you to verify your identity to protect against fraudulent requests.

You can opt out from receiving information from us regarding new opportunities at any time by emailing recruitment.support@riotinto.com or by using the unsubscribe function in emails that you receive. If you have registered on our Careers Site, you may delete your Personal Data stored therein by logging in and deleting your profile. At any time, you can also request for your profile to be removed and for you to no longer be considered for future opportunities. In some countries we may be required by law to hold Personal Data for a prescribed period, and in such circumstances we will delete your profile as soon as we are legally permitted to do so.

Where permitted by law, Rio Tinto may use data analytics and/or automated decision making to administer and manage its recruitment processes, including planning future recruitment. Examples include: assessing candidate suitability for roles, determining if candidates have the right to work (e.g. citizenship or work visa) in a jurisdiction where a role is located, and asking candidates to complete an automated online test which may be used to shortlist them for roles. If you would like more information or would like us to review an automated decision, please contact recruitment.support@riotinto.com.

Along with our service providers, we may use “Cookies” and similar technologies on the Careers Site to collect certain information. Please click on Cookies settings to update your preferences and read more about how we use Cookies for our business. Our Cookies page on our website contains information on our use of Cookies.

If you have any questions or concerns regarding our use of your Personal Data, or if you wish to exercise any of your rights described in this Privacy Statement, please contact us by emailing recruitment.support@riotinto.com, or by contacting the data protection officer responsible for your country or region, if applicable, here. You may also lodge a complaint with the Data Protection Authority for your country or region if you believe that we have violated any of the rights concerning your Personal Data.

A list of EEA Data Protection Authorities is available here, and if you are based in the United Kingdom, you may contact the Information Commissioner’s Office here.

We reserve the right to update this Privacy Statement at any time.

Additional Information for California Residents

This section applies, generally, to California Personal Data, referred to in this section as “Personal Information”, that we collect and otherwise process about California residents, in accordance with the California Consumer Privacy Act (CCPA), in the context of managing, storing, or processing your Application and the use of our Career Site. This section does not address or apply to our collection of Personal Information that is not subject to the CCPA, such as consumer credit reports and background checks, publicly available data, or other information that is exempt under the CCPA.

The table below identifies the categories of Personal Information about California residents that we collected, in the past 12 months, as well as the categories of third parties to whom we disclosed the information for a business or commercial purpose.

Categories | Examples | Categories of Third Parties and Other Recipients to Whom We Disclosed It
Government-issued Identifiers | Such as social security number, driver’s license, state identification card, passport number and other government identifiers.
  • Service providers
  • Advisors and agents
  • Affiliates and subsidiaries
  • Regulators, government entities, and law enforcement
Other Identifiers | Such as name and contact information
  • Service providers
  • Advisors and agents
  • Affiliates and subsidiaries
  • Regulators, government entities, and law enforcement
  • Internet service providers, operating systems, and platforms
Internet or Other Electronic Network Activity Information | Internet or other electronic network activity information, such as information regarding your interactions with our recruiting website
  • Service providers
  • Advisors and agents
  • Affiliates and subsidiaries
  • Regulators, government entities, and law enforcement
  • Internet service providers, operating systems, and platforms
Characteristics of Protected Classifications Under California and Federal Law | Such as race or ethnicity, gender, sexual orientation, religion, health information, genetic information, trade union membership, and philosophical beliefs
  • Service providers
  • Advisors and agents
  • Affiliates and subsidiaries
  • Regulators, government entities, and law enforcement
Audio, Electronic, Visual, Thermal, or Similar Information | Audio, electronic, visual, or similar information, such as CCTV/video footage, photographs, call recordings, and other audio recordings (e.g., recorded interviews)
  • Service providers
  • Advisors and agents
  • Affiliates and subsidiaries
  • Regulators, government entities, and law enforcement
Professional or Employment related Information | Such as performance information, professional membership records, references, assessments records, resumes, cover letters, work history, conduct information, and termination data
  • Service providers
  • Advisors and agents
  • Affiliates and subsidiaries
  • Regulators, government entities, and law enforcement
Education Information | Such as degrees earned, educational institutions attended, transcripts, training records and other information about your educational history or background.
  • Service providers
  • Advisors and agents
  • Affiliates and subsidiaries

We do not “sell” or “share” (as defined by the CCPA) Personal Information or Sensitive Personal Information related to California residents.

Subject to applicable legal restrictions, generally, we collect, use, disclose, and otherwise process California residents’ Personal Information as further described in the “Why is your Personal Data Processed?” section above. For your convenience, we have listed those purposes again here:

  • To assess your suitability to undertake certain positions or activities. For example, to record your disclosed medical or physical conditions, limitations, pre-employment or medical and health checks and assessments, and alcohol and drug testing;
  • Application review, including assessing your skills, qualifications, and suitability for applicable roles and opportunities;
  • Facilitating in-person or online interviews and assessments;
  • Future recruitment with your consent to add you to our Talent Community to be considered for other opportunities at Rio Tinto and Affiliates beyond the one(s) for which you apply;
  • To carry out background checks, which can include background, credit, and criminal checks;
  • To check references you provide to us in relation to your employment history;
  • For diversity and inclusion, such as monitoring and fostering equal opportunity in recruitment processes;
  • To ascertain whether a potential candidate with a health condition needs reasonable adjustments to be made to the recruitment process (not the role) to allow them to participate;
  • To facilitate access or logins;
  • Onboarding, human resources planning and management, and creating an Employee Profile after offer acceptance;
  • To provide additional assistance and support to you under Equal Opportunity or Discrimination laws (or equivalent);
  • To address, manage, and mitigate health and safety at our workplace;
  • To take action to protect and defend our rights or property and/or the rights or property of third parties or to protect the public against dishonesty, malpractice or seriously improper conduct, unfitness or incompetence, mismanagement or failures in services provided;
  • To meet our legal and regulatory obligations, such as compliance with applicable global laws and regulations;
  • Pre-employment medical screening or health checks;
  • Drug and alcohol testing;
  • Identifying candidates, including by recruiters;
  • To monitor access and/or use of Rio Tinto systems and devices, premises, and sites for safety and security;
  • Effective management of our business and providing our employees with opportunities;
  • For conducting and processing data analytics and/or generating insights for the benefit of Rio Tinto;
  • To protect your and someone else’s life. For example, if you are involved in an emergency and you require emergency care or medical treatment or you witness an emergency situation and are able to provide information to us about it;
  • To contact you or your family members where appropriate, for compliance with health and safety requirements or during medical emergencies;
  • For other activities that further our legitimate interests.

Notwithstanding the purposes described above, we do not collect, use, or disclose Sensitive Personal Information about you for any purpose for which the CCPA would give you an opt-out right due to the sensitive nature of the data.

We retain Personal Information until after we determine that its retention no longer is necessary for the processing purposes described in this notice. Because we may collect and use the same category of Personal Information for different purposes and in different contexts, there is not typically a fixed retention period that always will apply to a particular category of Personal Information. Examples of how long we normally intend to retain California Personal Information for which we are subject to the CCPA in certain situations are set forth below. Data about individuals who reside outside California is handled differently and may be subject to different retention periods.

Categories of Personal Information Collected About California Residents | Examples of How Long We Plan to Retain Certain Copies of This Data
Government-issued Identifiers | For California candidates we chose not to hire, we normally plan to retain their job application, which may contain this kind of personal information, for at least four years for compliance purposes.
Other identifiers, such as a real name and contact info | For California candidates we chose not to hire, we normally plan to retain their job application, which would contain this kind of personal information, for at least four years for compliance purposes.
Internet or other electronic networking activity information, such as details about your interaction with our recruiting website. | We may retain server logs reflecting California traffic to our recruiting pages for several years for security purposes.
Characteristics of protected classifications under California and federal law | For California candidates we chose not to hire, we normally plan to retain responses to equal employment opportunity questions in job applications for four years.
Audio, electronic, visual, thermal, or similar information | We typically delete voicemails soon after responding to them or resolving the matter under discussion.
Professional or employment related information | For California candidates we chose not to hire, we normally plan to retain their job application, which would contain this kind of personal information, for at least four years for compliance purposes.
Education information | For California candidates we chose not to hire, we normally plan to retain their job application, which would contain this kind of personal information, for at least four years for compliance purposes.
Biometric information | Typically deleted as soon as the identity authentication is performed.

You have certain rights under the CCPA with respect to your Personal Information, subject to certain limitations and exceptions:

  • The right to delete your Personal Information;
  • Know/access: the right to know what Personal Information we have collected about you, including the categories of Personal Information in the last 12 months, the categories of sources from which the Personal Information is collected, the business or commercial purpose for collecting, selling, or sharing Personal Information, the categories of third parties to whom we disclose Personal Information, and the specific Personal Information we have collected about you;
  • Correct the information we hold about you;
  • Opt out of “sales” and “sharing” as defined in the CCPA; however, as discussed above, we do not “sell” or “share” California residents’ Personal Information.
  • Limit use/disclosure of Sensitive Personal Information: the right to request to limit certain use and disclosure of Sensitive Personal Information. However, as discussed above, we do not use or disclose California residents’ Personal Information in a manner that would trigger this right.
  • Non-discrimination: not to be subject to discriminatory treatment (as defined by the CCPA), including an employee’s or contractor’s right not to be retaliated against for the exercise of their rights under the CCPA.

Please note that the CCPA or other laws may sometimes allow or require us to deny certain requests to exercise CCPA rights. For example, we need to retain certain information to evaluate your application and thus cannot delete it if you want us to continue evaluating your application.

Submitting a CCPA Request

You may submit a request to us at recruitment.support@riotinto.com, or by phoning our toll-free number on +1 800 872 6729.

We will take steps to verify your request by matching the information provided by you with the information we have on our records. Your request must provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information, or an authorized representative, and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. If you are an agent making a request on behalf of an individual covered by this notice, you should follow the submission steps mentioned above, and we reserve the right to take steps to verify that you are authorized to make that request, which may include requiring you to provide us with written proof such as a notarized authentication letter or a legally sufficient power of attorney signed by the data subject pursuant to California Probate Code sections 4121 to 4130, or other written authorization acceptable to us. We also may require the individual to verify their identity directly with us where permitted.

For additional details, or if you have questions about our use of your Personal Information as described in this California section, you may contact us at recruitment.support@riotinto.com.