It is necessary for us to process your personal data in the course of our business relationship. Personal data include any information that directly or indirectly pertains to natural persons, i.e. names and email addresses. At voestalpine (voestalpine Stahl GmbH and subsidiary companies), we take great care to protect the security and privacy of our customers’ and suppliers’ personal data. We know we are obligated to protect your data and take this responsibility very seriously. We expect the same from our business partners. Please read the following details about how we treat the personal data of our business partners:

1. Data categories, processing purposes and statutory sourceAs part of our collaboration with business partners, voestalpine processes personal data for the following purposes:

▪ Communication with business partners about products, services and projects, e.g. the processing of customer inquiries

▪ Establishment, implementation and administration of (contractual) business relationships as well as the maintenance of relationships between voestalpine and the business partner, i.e. for the purpose of ordering products and services, collecting payments, accounting purposes, settlement of accounts, incoming receivables, deliveries, maintenance activities and repairs.

▪ Execution of customer surveys, marketing campaigns, market analyses, competitions, giveaway contests or similar activities and events

▪ Maintaining the security of our products, services, web sites and avoiding security risks, fraudulent activity and other criminal acts with intent to cause damage

▪ Compliance with legal requirements, e.g. commercial or tax-related obligation to retain data, and compliance with voestalpine regulations

▪ The settlement of legal disputes, the execution of existing agreements as well as the enforcement, execution and defense of legal claims

For the afore mentioned purposes, voestalpine processes personal data in the following categories:

▪ Business-related information such as names, contact data, business phone number or email address

▪ Payment data and other information required for the processing of payments or prevention of fraud, including credit card information and credit card security numbers

▪ Information from public sources, information databases or credit agencies

▪ Other personal data that must be processed for the establishment, implementation and administration of (contractual) business relationships as well as for the maintenance of business relationships or data voluntarily submitted by you, e.g. orders, order details, inquiries or project details, correspondence or other data pertaining to the business relationship

Personal data must be processed in order to achieve the afore mentioned objectives, including the fulfillment of contractual relationships and carrying out pre-contractual activities with the business partner. To the extent not otherwise agreed, the legal basis for data processing is found in Article 6, Section1, Letter a (to the extent that consent was granted) and/or Article 6, Section1, Letters b and f of the EU General Data Protection Regulation (GDPR):

▪ Processing is required for fulfillment of a contractual agreement, of which the party to the agreement is the respective entity, or for fulfillment of pre-contractual measures.

▪ Data processing is required to protect the justified interests of the respective entity or third party.

Should personal data not be provided to the required extent or voestalpine is not in a position to access the required data, voestalpine will not be able to provide the respective services and/or properly respond to the respective inquiries and requests. Please note that this would not constitute nonfulfillment of the contractual agreement on our part.

2. Transmission and disclosure of personal data

Within the framework of legal permissions, voestalpine may transmit personal data to other voestalpine companies (www.voestalpine.com/standorte), courts, authorities, law offices and other business partners, e.g. shipping and logistics partners, for the processing and execution of orders. Additionally, voestalpine commissions service providers with the task of processing personal data, e.g. as part of an IT support agreement. These service providers are obligated to comply with all applicable data privacy regulations.

The recipients described in Section 2 may be located in countries outside the European Union (third-party countries) where applicable law does not guarantee the same level of data security and privacy as in your home country. In such a case, data transmission depends on compliance with the legal stipulations with respect to an adequacy decision made by the European Commission for the third-party country and appropriate guarantees have been agreed upon with the recipient, e.g. standard EU provisions. The recipient is also required to implement an approved certification system, e.g. EU-US Privacy Shield. Compliance with internal data protection guidelines pursuant to Section 47 of the Data Protection Regulation is mandatory or an exception pursuant to Section 49 of the Data Protection Regulation has been approved (because you expressly consented to the proposed data transfer after you were sufficiently informed of the existing risks of such data transfers without the existence of an adequacy decision and without proper guarantees). Please contact the address under Section 6 for more detailed information and a list of implemented measures.

3. Time limits on data storage

Unless an explicit storage period is indicated, your personal data will be deleted as soon as their purpose has been fulfilled and there is no legal obligation, e.g. of a commercial or tax-related nature, to store the data any longer, and if no obligation exists to enforce a legal claim.

4. Right to information, correction, deletion and limitation of your personal data; right to object, right of data transfer and revocation of consent

▪ Pursuant to Section 15 of the EU General Data Protection Regulation, you have the right to request a confirmation of whether personal data may be processed and to receive information on such data.

▪ Pursuant to Section 16 of the EU General Data Protection Regulation, you have the right to request that any incorrect personal data be corrected and/or made complete.

▪ Pursuant to Section 17 of the EU General Data Protection Regulation, you have the right to deletion of your data.

▪ Pursuant to Section 18 of the, you have the right to limited processing of your personal data.

▪ Pursuant to Section 20 of the EU General Data Protection Regulation, you have the right to transmission of your data.

▪ Pursuant to Section 21 of the EU General Data Protection Regulation, you have the right to object to the processing of your data.

▪ Finally, you have the right to lodge a complaint with the data protection panel.

▪ If your data are processed under your permission, you have the right to revoke this permission at any time without affecting the legality of any processing carried out pursuant to your consent up until the time of your revocation.

In order to ensure efficient processing of such inquiries, we ask that you contact us using the email address below and that you provide us with proof of your identity by transmitting electronic documentation.

5. Protection of your personal data

We care about the security and privacy of your personal data and take the following measures to protect your data against misuse, loss and unauthorized access, change or disclosure:

▪ Limited access to our facilities (access monitoring)

▪ Implementation of access authorizations and protection of data storage devices (monitoring of access and disclosure

▪ Implementation of network security measures such as anti-virus software, firewalls, security updates (network monitoring) etc.

Our service providers are also obligated to comply with the same security measures that we have implemented.

6. Contact partners

If you have any questions regarding data privacy or the protection of your rights, please contact the data privacy organization at Datenschutz.Stahl@voestalpine.com. This Data Privacy Statement for Business Partners will be amended from time to time. You will find the calendar day of the most recent update in the footer.