Data Privacy Policy

Protecting the security and privacy of your personal data is highly important to voestalpine Stahl GmbH, voestalpine-Straße 3, A-4020 Linz, as well as its subsidiary companies, hereinafter referred to as voestalpine, “we” and “us.”

We comply with the applicable laws pertaining to the protection, lawful handling and confidentiality of personal data as well as data security, in particular the European General Data Protection Regulation (GDPR) and all applicable national data protection regulations. This Data Privacy Policy is intended to provide you with the details of the type, extent and purpose of personal data collection and use in connection with your visit to our web site and social media platforms (by contacting us or registering as a subscriber to our LinkedIn Newsletter..

You will find separate privacy policies pertaining to specific topics:

1. Who is responsible for data processing and who can you contact?

Responsible person

voestalpine Stahl GmbH

voestalpine-Straße 3

A-4020 Linz

Email address: datenschutz.stahl@voestalpine.com

2. What is meant by personal data?

Personal data (data) is information that relates to an identified or identifiable natural person (data subject). This includes, for example, your name, e-mail address or IP address.

3. Processing of data related to the use of our website

Your data will be processed for the following purposes:

3.1 Site use and protection

Purpose

You can visit our website without providing any personal information. Your device sends data to our web server whenever you use our website. This data is processed by our web servers and automatically stored in so-called log files. The processing of your data is necessary in order to provide website access to you. Log file storage is necessary to ensure the security and functionality of our website.

Data categories

IT log and discovery data (IP address, HTTP header fields, browser type, previously visited websites (referrers), date and time of access, other traffic data, such as device information, amount of data sent, etc.)

Statutory source

Providing a secure, functional and user-friendly website is our legitimate business interest. Processing is thus conducted in accordance with Article 6 (1) (f) GDPR.

Storage time

We store your data until the purpose has been fulfilled. Your data will only be stored by us if there are legal retention periods and there is no other reason for retention, such as assertion or defense of legal claims or the protection of vital interests (warranty and warranty claims in particular).

Recipient categories

Order processing personnel (IT service providers), and in the event of a security incident perhaps to law enforcement authorities, legal representatives, courts and/or administrative authorities

3.2 Use of cookies and Google Analytics

Please refer to the cookie banner for data protection regulations on the use and utilization of cookies and Google Analytics. This will provide additional information, among other things, about the type, scope, purposes, data categories, legal bases, storage duration and recipient categories of cookies.

3.3 Direct contact

Purpose

You can contact us by e-mail, telephone or fax if you have any questions about our company, products or services. In such cases we will process your data for the purpose of your request, whereby your data may also be processed in one of our customer management systems.

Data categories

Personal master data, e.g. title, first and last name; contact data, e.g. address, telephone number, e-mail address; correspondence data, e.g. content of the request; IT log and recognition data, e.g. date and time of the request; other data that you provide to us by uploading or attaching documents.

Statutory source

Inquiries are processed either for the implementation of (pre-)contractual measures (Article 6 (b) GDPR) or on the basis of our legitimate business interest (Article 6 (1) (f) GDPR), namely in communication with our customers and website users.

Storage time

We will store your data as long as this is necessary to process your request. After your request has been completely processed, your data will be deleted in compliance with statutory retention periods, unless this is necessary for the possible assertion, defense or protection of legal claims and their enforcement in official or judicial proceedings.

Recipient categories

Order processing personnel (IT service providers)

In order to achieve the intended purposes, it may also be necessary in some cases that we forward your data to certain internal companies (www.voestalpine.com/standorte) in order to ensure rapid processing of your request.

3.4 Newsletter subscribers

Purpose

You have the option on our web site of subscribing to our newsletter. When you subscribe to our newsletter, your data must be processed so that we can the newsletter to you. Your data may also be processed in one of our customer management systems.

Data categories Contact data, e.g. email address

Statutory source

We process your data for the newsletter only on the basis of your consent (Article 6 (1) (a) GDPR). You can revoke your consent at any time, e.g. by e-mail to datenschutz.stahl@voestalpine.com or by clicking on the unsubscribe link directly in the footer of the newsletter.

Storage time

We store your data for the purpose of transmitting the newsletter for as long as you do not revoke your consent to receive the newsletter.

Recipient categories

Order processing personnel (IT service providers)

4. Data transmission to third countries

The complexity of today's data processing is due to the fact that we commission processing personnel to process your data. In doing so, we employ only processing personnel  who have their registered offices in the European Union (EU) or the European Economic Area (EEA) and are therefore subject to the regulations of GDPR. However, it may happen that we process data in third countries, i.e. outside the EU or the EEA, or that processing is conducted by service providers with registered offices outside the EU or the EEA. Some of these third countries may not have a level of data protection that meets EU standards. For example, the processing of personal data by criminal authorities cannot be restricted to the required strict extent, and data subjects may have only limited legal protection. However, we always ensure that the European level of data protection and European data security standards are respected.

  • First, we may be able to transmit data in third countries that the European Commission attests to an appropriate level of data protection by means of an adequacy decision under Article 45, GDPR
  • Unless there is a decision by the European Commission regarding adequacy in relation to a third country, we only transfer data subject to appropriate guarantees in accordance with Article 46, GDPR. We apply the standard data protection clauses approved by the European Commission, binding internal data protection regulations and we take other measures to ensure that an adequate level of data protection is achieved, e.g. participation of the recipient in an approved certification system.
  • In individual cases, it may happen that the above-mentioned adequate guarantees pursuant to Article 46, GDPR, as well as the additional measures, are not effective enough and legal protection gaps remain.

In such cases, we process your data in accordance with the exception of Article 49, GDPR. In the interest of legitimacy of transmission, this means that we rely in individual cases on (i) your express consent (Article 49 (1) (a) GDPR), (ii) the necessity of contract fulfillment (Article 49 (1) (b) GDPR) or (iii) for the assertion, exercise or defense of legal claims (Article 49 (1) (e) GDPR). Please direct any inquiries about more detailed information and a list of the implemented measures to the contact indicated in Section 11.

5. Rights of the data subject and possibility of appeal

Pursuant to Section 15 of the EU General Data Protection Regulation, you have the right to request a confirmation of whether data may be processed and to receive information on such data.

Pursuant to Section 16 of the EU General Data Protection Regulation, you have the right to request that any incorrect data be corrected and/or made complete.

Pursuant to Section 17 of the EU General Data Protection Regulation, you have the right to deletion of your data.

Pursuant to Section 18 of DSGVO, you have the right to limited processing of your personal data.

Pursuant to Section 20 of the EU General Data Protection Regulation, you have the right to data portability.

Pursuant to Section 21 of the EU General Data Protection Regulation, you have the right to object to the processing of your data.

Finally, you have the right to lodge a complaint with your data regulatory authority.

If your data are processed under your permission, you have the right to revoke this permission at any time without affecting the legality of any processing carried out pursuant to your consent up until the time of your revocation.

6. Contact data

If you have any questions regarding data privacy or the protection of your rights, please contact our data privacy organization at datenschutz.stahl@voestalpine.com or by mail to voestalpine Stahl GmbH, Department FPG, voestalpine Straße 3, 4020 Linz.

This Data Privacy Policy will be amended from time to time.