This following document sets forth the Privacy Policy for the Idemitsu Australia Resources Pty Ltd (“Idemitsu”) website, www.idemitsu.com.au.

Idemitsu is committed to providing you with the best possible customer service experience. Idemitsu is bound by the Privacy Act 1988 (Crh), which sets out a number of principles concerning the privacy of individuals.

1. Introduction

Idemitsu Australia Resources Pty Ltd (ABN 45 010 236 272) (“Idemitsu”, “we”, “our” or “us” in this Privacy Policy) is an Australian subsidiary of a Japanese company, Idemitsu Kosan Co., Ltd. Idemitsu was formed to manage Idemitsu Kosan’s Australian coal operations.

This Privacy Policy also applies to Idemitsu’s sister company, Idemitsu Coal Marketing Australia Pty Ltd, and  Idemitsu’s subsidiaries, including Boggabri Coal Operations Pty Ltd, Muswellbrook Coal Company Limited, Ensham Resources Pty Ltd and Idemitsu Renewable Developments Australia Pty Ltd (for the purposes of this Privacy Policy also referred to as ” Idemitsu”, “we”, “our” or “us”).

The expressions “you” and “your” refer to an individual whose personal information we may handle from time to time.

We respect the privacy of the personal information you may provide to us. The way we manage your personal information is governed by the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) established under the Privacy Act.

For the purposes of this Privacy Policy, “personal information” has the meaning given to it in the Privacy Act, being information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not, and whether the information or opinion is recorded in a material form or not.

This Privacy Policy explains how we manage any personal information we hold about you. Please note that this Privacy Policy is to be read subject to any overriding provisions of law or contract.

2. Collecting personal information

2.1 What kinds of personal information do we collect?

The kinds of personal information we may collect include but are not limited to:

• your name (current and former (if any)) and date of birth;
• your personal and business contact details (including your address, landline or mobile telephone numbers, fax number and e-mail address);
• your employment details (including your company name, job title and business sector);
• banking and tax details (including your tax file number and ABN if applicable);
• personal information provided when you commence a business relationship with us;
• contact and identification details of any third party whom you have authorised to negotiate or provide your personal information on your behalf (including any agents or attorneys appointed by you under a power of attorney);
• any correspondence between you and us; and
• any other personal information provided to us when you make an inquiry, request information, correspond with us or lodge a complaint.

2.2 How do we collect personal information?

Where possible, we always try to collect personal information directly from you, for example when you:

• request information or contact us through our website, by telephone or in writing (including emailing us);
• provide to us your contact details, business card or documents containing your personal information (such as contracts or public records); or
• meet with us in person.

We may also obtain your personal information from third parties we deal with, such as:

• our related bodies corporate;
• our shareholders;
• our joint venture partners;
• government and law enforcement agencies;
• our professional advisers;
• our contracted service providers; and
• any other organisation with whom we do business.

Where we collect personal information from third parties you refer to us, we will assume and you will ensure that you have made that third party aware of the referral and the purposes of collection, use and disclosure of the relevant personal information

2.3 Dealing with us anonymously

For certain transactions, you have the option of dealing with us anonymously or by using a pseudonym (for example, if you contact us asking for general information about us or our website).  However, it is generally not possible for us to enter into a business relationship or carry out commercial transactions with you without first collecting your personal information.

3. Why do we collect, hold, use and disclose your personal information?

We collect, use and disclose your personal information to perform our functions and activities, carry out our operations and to otherwise enable us to provide the services, products and information you request. In particular, we may collect, use and disclose your personal information for the purposes of:

• for landowners or other stakeholders with whom we don’t have a business relationship – to decide whether or not to enter into a business relationship with you;
• maintaining and administering your business or other relationship with us (for example, updating and maintaining our records);
• communicating with you during the course of your business or other relationship with us;
• any other purpose which relates to or arises out of requests made by you;
• if you lodge a complaint with us – processing and responding to your complaint;
• doing anything which you authorise or consent to us doing;
• disclosure to maintenance personnel or other third party contractors (including outsourced and cloud service providers) who may be unable to avoid accessing personal information in the course of providing technical or other support services to our company; or
• taking any action we are required or authorised by law to take.

If you do not provide us with your personal information, it may not be possible for us to carry out the above functions and activities.

4. Disclosing your personal information

4.1 Who we may disclose your personal information to

We may disclose your personal information to:

• our related bodies corporate;
• our shareholders;
• our joint venture partners;
• our business partners and service providers (such as contractors who provide website, IT, marketing, administration and other services to support us);
• suppliers we engage for data processing and other administrative and support functions;
• our professional advisers (for example, our insurers, auditors, lawyers, accountants and consultants);
• your authorised agents or attorneys;
• financial institutions (for payment processing);
• any entity to whom we are required or authorised by law to disclose your personal information (for example, the Australian Taxation Office, law enforcement agencies and government and regulatory authorities); and
• with your consent (express or implied) – other entities.

The above entities may in turn disclose your personal information to other entities as described in their respective privacy policies or notices.

5. Dealing with Idemitsu online

This Privacy Policy applies to your use of our website (www.idemitsu.com.au) and any personal information that you may provide to us via our websites.

When you visit our websites, we and/or our contractors may collect certain information about your visit. Examples of such information may include:

Cookies – Cookies are small amounts of information which we may store on your computer (after you register on our website) to enable our server to collect certain information from your web browser. Cookies in themselves do not identify the individual user, just the computer used. Cookies and other similar technology make it easier for you to log on to and use the website during future visits. It also allows us to monitor website traffic, to identify you when you visit this website, to personalise the content of the website for you and to enable you to both carry out transactions and have access to information about your account. Cookies themselves only record which areas of the site have been visited by the computer in question, and for how long. Allowing us to create a cookie does not give us access to the rest of your computer and we will not use cookies to track your online activity once you leave our site. Cookies are read only by the server that placed them, and are unable to execute any code or virus; and

Site visit information – we collect general information about your visit to the Idemitsu website. The information we collect is not used to personally identify you, but instead may include your server address, the date and time of your visit, the pages you accessed and the type of internet browser you use. This information is aggregated and used for the purposes of system administration, and to prepare statistics on the use of our website.

Our websites may contain links to other websites which do not belong to us and are not covered by this Privacy Policy. If you access other websites using the links provided, the operators of these websites may collect information from you which will be used by them in accordance with their privacy policy, which may be different from ours.

6. Data storage, retention, security and location of your personal information

We will take reasonable steps to protect your personal information from loss, misuse, unauthorised access, modification or disclosure. We may store your personal information in different forms, including in hardcopy and electronic form. We have implemented policies, procedures and systems to keep your personal information secure to the extent reasonably possible. When using our website, you should be aware that no data transmission over the internet can be guaranteed as totally secure. Although we strive to protect such information, we do not warrant the security of any information that you transmit to us over the Internet and you do so at your own risk.

We may be required by law to retain certain information for a set period of time. Once this period of time expires, or we no longer need to hold your personal information, we will take reasonable steps to destroy, delete or de-identify your personal information in a secure manner.

7. Overseas disclosure of personal information

We may disclose your personal information to our related bodies corporate and our shareholders which may be located in overseas countries, including Japan.

Your personal information may also be transferred overseas when the third parties with whom we may share it (as described in this policy) are located overseas.

It is also possible that we, or our subcontractors, will utilise cloud technology in connection with the storage of personal information, and it is possible that this may result in off-shore storage.

Where we disclose your personal information to an entity located overseas, we will take reasonable steps to ensure that the overseas recipient of your personal information handles your personal information in accordance with the Privacy Act.

However, it is not practicable for us to specify in advance the location of every service provider with whom we deal.  It is possible that information will be transferred to a jurisdiction where you will not be able to seek redress under the Privacy Act and that does not have an equivalent level of data protection as Australia.  We will not be accountable for how these overseas recipients handle your personal information.  By providing your personal information to us, you consent to our disclosure of your personal information to these parties.  If you have any concerns regarding the transfer of your personal information overseas please contact us using the details provided below.

8. Access and correction

To effectively conduct business with you, it is important that the personal information we hold about you is complete, accurate and current. At any time while we hold your personal information, we may ask you to tell us of changes to your personal information.

You can request us to update or correct your personal information if you believe that the personal information we hold about you is inaccurate, out-of-date, incomplete, irrelevant or misleading or otherwise needs to be corrected or updated. Our contact details are provided below. We will respond to a request to correct your personal information within a reasonable period after the request is made.

If we refuse to correct your personal information, you may request that we associate with the information a statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.

You can also request access to the personal information we hold about you by contacting us using our details provided below. We will respond to a request for access within a reasonable period after the request is made, either by giving you access to the personal information requested, or by notifying you of our refusal to give access.

We will not charge you an application fee for making a request to access the personal information we hold about you or for making any corrections to your personal information.

However, we may charge a reasonable fee to cover our costs of providing you with access to your personal information, for example, if you make multiple requests for information, where your request relates to a large volume of information, or we incur third party costs in providing you with access.

We may request to verify your identity before responding to any request.

If we decide not to provide you with access to or correct your personal information, we will give you reasons for our decision.

9. Lodging a complaint

If you have a complaint about our handling of your personal information (including our handling of any requests to correct or access your personal information), please contact us at the contact details below.

Please note that we may ask you to lodge your complaint in writing.

We will acknowledge receipt of your complaint as soon as possible after receiving your complaint in writing. We will investigate your complaint and provide you with a response within a reasonable timeframe.

If you are not satisfied with how your complaint is handled by us, then you can lodge a formal complaint with the Office of the Australian Information Commissioner (OAIC) at:

• Post: Office of the Australian Information Commissioner, GPO Box 5218, SYDNEY NSW 2001
• Fax: +61 2 9284 9666
• Email: enquiries@oaic.gov.au
• Online: You can submit a complaint online through the OAIC’s website (www.oaic.gov.au/privacy/privacy-complaints/lodge-a-privacy-complaint-with-us/)

The above information has been taken from the OAIC’s website as at 12 May 2021  – please refer to the website for the most up to date contact information.

10. Contacting Us

If you wish to contact us regarding our handling of your personal information or any of the matters covered in this Privacy Policy, please contact the Company Secretary:

• by post at: Idemitsu Australia Resources Pty Ltd, GPO Box 301, Brisbane QLD 4001
• by completing our online enquiry form through the ‘Contact Us’ page on our website idemitsu.com.au
• by phone: 07 3222 5600

We welcome your questions and any suggestions you may have about our Privacy Policy.

11. Changes to this Policy.

Idemitsu reserves the right to amend or revise this Privacy Policy from time to time. The updated version of this Privacy Policy will be posted on our website www.idemitsu.com.au and will be effective from the date of posting. It is your responsibility to check the website from time to time in order to determine whether there have been any changes.

This Privacy Policy was last updated on 25 June 2021.