General Data Protection Notice for Business Partners

It is very important to voestalpine Präzisionsprofil GmbH, Franz-Tilgner-Strasse 10, 50354 Hürth, Deutschland (hereinafter “we,” “us,” or “our”) to protect the personal data of our business partners (such as customers, vendors, contractors we commission, and service providers). We are obligated to protect your data and take this duty seriously. We expect the same from our business partners.

Our business relationship with you requires us to process your personal data and/or the data of your employees. In doing so, we comply with the legal requirements applicable to the protection, lawful handling, and confidential treatment of data as well as with those pertaining to data security, specifically the European General Data Protection Regulation (“GDPR”) and pertinent national data privacy rules and regulations.

This Data Protection Notice informs you of the type, scope, and purposes of the collection and use by us of your data and the data of your employees in connection with our business relationship.

  1. Who is responsible for data processing and who can you contact?

Controller:

voestalpine Präzisionsprofil GmbH
Franz-Tilgner-Strasse 10,
50354 Hürth, Deutschland
info.praezisionsprofil@voestalpine.com

Email address of the data protection officer (DPO) or data protection manager (DPM):

  2. What is personal data?

The term “data” refers to all information concerning an identified or identifiable natural person (e.g., name, address, email address, corporate affiliation).

  3. Processing of data in connection with business relationships
  • Communication with (potential) business partners

Purpose: We process data as part of our communications with (potential) business partners in order to process inquiries about products, services, and projects and to offer the requisite support. We do, however, also process your data whenever we obtain information on products or services from you in your capacity as our business partner (e.g., vendor, consulting firm, or tradesperson).

Categories of data: Personal data (e.g., name, salutation, language); business contact information (e.g., business address, email address, telephone number); communication data associated with business correspondence (e.g., emails, letters, telephone calls, exchanges on collaboration platforms); data related to inquiries (e.g., content, date, and time of the inquiry); written reports of visits from business partners.

Legal basis: It is in our legitimate business interest to communicate with business partners with the aim of ascertaining whether there is a basis for establishing a business relationship in the future or for entering into a stand-alone contract. That is why we process data in accordance with Article 6 (1) (f) GDPR.

Retention period: We store your data until the purpose thereof has been fulfilled. Furthermore, we store your data only if statutory retention periods apply, or if we need the given data to establish, exercise, and defend our legal claims and to fend off legal claims against us (especially guarantee and warranty claims).

Categories of recipients: If necessary and subject to statutory requirements, your data will be transferred to other specialized voestalpine Group companies (www.voestalpine.com/locations) for the purposes set forth above. As part of our communications, and depending on the means of communication utilized, your data may also be transferred to telecommunications companies or so-called “processors” (IT service providers).

  • Initiating, processing, and managing business relationships

Purpose: We process data to initiate, process, and manage business relationships. In particular, this includes order fulfillment and billing, associated (and legally required) bookkeeping, invoicing, and accounting, as well as goods delivery and implementation of stipulated maintenance activities or other agreed services. We also process your data for the purpose of settling claims and in connection with our collection procedures.

Categories of data: Personal data (e.g., name, salutation, language); business contact information (e.g., business address, telephone number, fax number); organizational categorization (e.g., job title, powers of representation); corporate data (e.g., company name, company registration number, industry); business relationship data (e.g., information on product offerings, revenue data, terms and conditions of service, claims settlement); banking data (e.g., bank name, bank account number, invoice data); contract data (e.g., contracts concluded, draft contracts and offers, as well as related correspondence); transaction data (e.g., invoice item, payment amount, invoice date); tax data (e.g., sales tax, other taxpayer numbers); business correspondence data (e.g., contents of email, telephone, and fax communications); credit check information.

Legal basis: Article 6 (1) (b) GDPR (fulfillment of a contract to which the data subject is party) is the legal basis for the processing of data. In other respects, pursuant to Art. 6 (1) (f) GDPR, it is in our legitimate interest to process the data of our business partners’ employees for the purpose of fulfilling the contract with the business partner. Finally, we are subject to various statutory requirements such as, for example, regulatory requirements as well as documentation duties under tax and corporate law. We therefore also process data in accordance with Art. 6 (1) (c) GDPR (fulfillment of legal requirements) in the scope required under a given law.

Retention period: We store your data until the purpose thereof has been fulfilled. Over and above the foregoing, we store your data only if statutory retention periods apply and if there is no other reason for retaining them, such as our need to establish, exercise, or defend our legal claims, or to fend off legal claims against us (especially guarantee and warranty claims).

Categories of recipients: If necessary and subject to statutory requirements, your data will be transferred to other specialized voestalpine Group companies (www.voestalpine.com/locations) for the purposes set forth above. In addition and as necessary, data collected for the given purpose may also be transferred to other business partners (e.g., delivery or logistics partners tasked with carrying out and settling orders) as well as to tax consultants, auditors, credit bureaus and, in case of a legal dispute, also to courts, government agencies, and legal representatives.

  • Maintenance of the business relationship, customer and vendor surveys, marketing campaigns, prize games and similar activities and events, as well as training sessions

Purpose: In order to maintain and cultivate a business relationship with you as our business partner, we set up mutual customer visits; from time to time, we carry out customer and vendor surveys, marketing campaigns, prize games, competitions and similar activities or events; we also offer training for business partners. Besides that which is necessary for contract fulfillment, we process the data of our business partners for the aforementioned purposes in a customer/vendor management system or IT system that is comparable thereto or serves the stated purpose.

Categories of data: Personal data (e.g., name, salutation, language); business contact information (e.g., business address, telephone number, fax number); organizational categorization (e.g., job title, powers of representation); corporate data (e.g., company name, company registration number, industry); business relationship data (e.g., information on product offerings, revenue data, terms and conditions of service, claims settlement); correspondence and other communications content concerning individual activities (e.g., email content, comments on portals, visit reports); data on participation in training (e.g., certificates, training content).

Legal basis: Depending on the type of contact (e.g., survey on satisfaction with our products, prize games, training), either the legitimate interest of the controller pursuant to Art. 6 (1) (f) GDPR (for example, to ascertain satisfaction with our products and services) or the separately obtained consent of the data subject thereto in accordance with Art. 6 (1) (a) GDPR (which the data subject may withdraw at any time) serves as the legal basis for collecting the given data. We maintain a customer/vendor management system based on our legitimate interest in documenting, maintaining, and cultivating relationships with our business partners (Art. 6 (1) (f) GDPR).

Retention period: We store your data until the purpose thereof has been fulfilled. In addition, we retain your data only if statutory retention periods apply.

Categories of recipients: If necessary and subject to statutory requirements, your data will be transferred to other specialized voestalpine Group companies (www.voestalpine.com/locations) for the purposes set forth above. We also transfer your data to IT processors (e.g., customer management system, survey tools). Your data may also be transferred to third parties (e.g., hotels, taxi companies, external presenters) in connection with training or other events.

  • Monitoring of compliance requirements as well as detection and prosecution of criminal acts

Purpose: Data may be processed to fulfill legal obligations and comply with statutory requirements (e.g., requirements arising from data protection, export, or antitrust law); to comply with voestalpine’s guidelines; to protect the security of our products and services; as well as to prevent and detect security risks (maintenance of information security), fraudulent activities as well as acts of a criminal nature or carried out with the intent to cause harm.

Categories of data: Personal data (e.g., name, salutation, language, nationality); business contact data (e.g., business address, email address, telephone number); contract and billing data (e.g., bank name, products ordered, invoice data); communications data (e.g., emails, letters, telephone calls); network protocol and identification data (e.g., IP addresses, login data); IT data regarding access and authorization credentials (e.g., authorizations or activations in IT systems). In this connection, special categories of personal data pursuant to Art. 9 GDPR and data relevant to criminal matters pursuant to Art. 10 GDPR may also be processed.

Legal basis: This data processing is carried out in accordance with Art. 6 (1) (c) GDPR (fulfillment of legal obligations) and Art. 6 (1) (f) GDPR (legitimate interest). In particular, it is in our legitimate interest to investigate crimes and to detect violations of compliance requirements associated with our business relationship, as well as to establish, exercise, or defend resulting legal claims.

Retention period: We store your data until the purpose thereof has been fulfilled. Furthermore, we retain your data only if statutory retention periods apply and if there is no other reason for such retention, for example, establishing, exercising, and defending our legal claims and fending off legal claims against us; as well as processing data required for initiating criminal and/or administrative proceedings.

Categories of recipients: If necessary and subject to statutory requirements, your data will be transferred to other specialized voestalpine Group companies (www.voestalpine.com/locations) for the purposes set forth above. In addition and as necessary, data collected for the given purpose may also be transferred to courts, government agencies, and legal representatives.

  4. International data transfers

Given the complexity of prevailing data processing processes, we engage so-called processors to process your data. To the extent possible in this connection, we only engage processors that are domiciled within the European Union (EU) or the European Economic Area (EEA) and are thus subject to the GDPR.

There are scenarios, however, where we process data in third countries (i.e. outside the EU and/or the EEA) or where the processing takes place in connection with the use of service providers domiciled outside of the EU and/or the EEA. The level of data protection in some of these third countries may not correspond to EU standards. For example, the processing of personal data by law enforcement agencies may not be restricted to that which is absolutely necessary, and data subjects may only have limited rights of legal recourse.

We do, however, always ensure that European data protection and data security standards are maintained.

  • First of all, under certain circumstances, we may be able to transfer data to those third countries that the European Commission has certified, pursuant to an adequacy decision under Art. 45 GDPR, as possessing an adequate level of data protection.
  • If the European Commission has not adopted an adequacy decision regarding a specific third country, we only transfer data subject to appropriate safeguards pursuant to Art. 46 GDPR. In particular, we then apply the standard contractual data protection clauses approved by the European Commission or binding internal data protection regulations; we may also ensure by other means that an adequate level of data protection is put in place (e.g., recipient’s participation in an approved certification system).
  • In individual cases, the aforementioned appropriate guarantees pursuant to Art. 46 GDPR as well as the additional measures taken may not be effective enough, thus leaving gaps in legal protections. In cases like these, we process your data in accordance with the exemption under Art. 49 GDPR. Depending on the case at hand, therefore, and to legitimize data transfers we rely on a variety of factors, including (i) your express consent (Art. 49 (1) (a) GDPR); (ii) the need to fulfill the contract (Art. 49 (1) (b) GDPR); or (iii) the need to establish, exercise, or defend our legal claims (Art. 49 (1) (e) GDPR).

You may use the contact information provided in section 4 to obtain further information as well as a copy of the implemented measures.

  5. Rights of data subjects and revocation of consent provided
  • Article 15 GDPR gives you the right to request confirmation as to whether your data is processed by the controller and the right to access information regarding this data.
  • Article 16 GDPR gives you the right to request immediate rectification of inaccurate data concerning your person and/or completion of incomplete data.
  • Article 17 GDPR gives you the right to have your data erased.
  • Article 18 GDPR gives you the right to restrict the processing of your data.
  • Article 20 GDPR gives you the right to data portability.
  • Article 21 GDPR gives you the right to object to the processing of your data.
  • Finally, you also have the option of filing a complaint with the competent regulatory authority.
  • If your data is processed pursuant to your consent thereto, you have the right to withdraw your consent at any time; doing so, however, does not affect the legality of the processing carried out until you withdrew your consent.
  6. Contact information

If you have any questions regarding the issue of data protection and the establishment of your rights as enumerated in the foregoing, you may contact our data protection organization at [•]@voestalpine.com or by postal mail to voestalpine Präzisionsprofil GmbH, Franz-Tilgner-Strasse 10, 50354 Hürth, Deutschland.

This Data Protection Notice is amended from time to time. The date of the most recent amendment is shown in the footer.