Skip to main content

Data protection/privacy

The protection of your personal data is very important to voestalpine AG, voestalpine-Strasse 1, A-4020 Linz (hereinafter “we”, “us”). We comply with the applicable legal provisions concerning the protection, lawful handling and confidentiality of personal data and on data security, in particular the European General Data Protection Regulation (“GDPR”) and the applicable national data protection regulations.

This privacy policy informs you about the nature, scope and purpose of the collection and use of your personal data by us in connection with your visit to and your use of our website  (“Microsite greentec steel”) as well as our social media profiles.

You can also find separate privacy policies for individual topic areas:


  1. Who controls the data processing and who can you contact?


voestalpine AG
voestalpine-Strasse 1
A-4020 Linz
Email address:

Email address of the Data Protection Officer/Data Protection Manager:


  1. What is personal data?

Personal data (“data”) means any information relating to an identified or identifiable natural person (“data subject”). This includes, for example, their name, email address or IP address.


  1. Processing of data in the context of the use of our website

Your data will be processed for the following purposes:

3.1 Provision and protection of the website

You can visit our website without providing us with information about your identity. When you use our website, your device sends data to our web servers. Each time you visit our website, our system automatically collects data and information from the device accessing it (such as a computer, cell phone, tablet, etc.) This data is processed by our web servers and automatically stored in what are known as “log files”.

Purpose: The temporary (automated) storage of the data is necessary for the duration of a website visit to enable the website to be provided. The storage and processing of personal data also takes place to maintain the compatibility of our website for as many visitors as possible and to combat misuse and troubleshooting. For this purpose, it is necessary to log the technical data of the accessing computer to be able to respond as quickly as possible in the case of display errors, attacks on our IT systems and/or errors in the functionality of our website. In addition, the data serves the purpose of optimizing our website and generally ensuring the security of our IT systems.

Data categories: IT protocol and identification data (IP address, HTTP header fields, browser type, previously visited website (referrer), date and time of access, other traffic data, such as device information, amount of data sent, etc.)

Legal basis: The provision of a secure, functional and user-friendly website is our legitimate business interest. The processing therefore takes place in accordance with point (f) of Article 6 (1) GDPR.

Storage period: The aforementioned data will be stored for 8 months and deleted after this period, unless this data is still required to subsequently clarify a security incident (e.g. hacking attack) on our website.

Categories of recipient: Processors (such as IT service providers); may also be contacted in the event of a security incident: Law enforcement authorities, legal representatives, courts and administrative authorities.


3.2.  Use of cookies and Google Analytics
Please refer to the cookie banner for the data protection provisions on the use of cookies and Google Analytics. There we inform you, among other things, about the type, scope, purposes, data categories, legal bases, storage duration and recipient categories of the cookies used.


3.3 Contacting us

Purpose: You can contact us by e-mail, telephone or fax with inquiries about our company, our products and services. In this case, we process your data for the purpose of processing your inquiry, whereby your data may then also be processed in a customer management system operated by us.

Data categories: Personal master data (e.g. salutation, title, first name and surname); contact data (e.g. address, telephone number, e-mail address); correspondence data (e.g. content of the request), IT log and identification data (e.g. date and time of the request), as well as any data that you make available to us by uploading or attaching documents.

Legal basis: Inquiries are processed either to implement (pre-) contractual measures (point (b) of Art. 6 GDPR) or on the basis of our legitimate business interests (point (f) of Art. 6 (1) GDPR), specifically, communication with our customers and website users.

Storage period: We store your data for as long as is necessary to process your request. After your request has been fully processed, your data will be deleted in compliance with statutory retention periods, unless this is necessary for the assertion, defense or defense of legal claims and their enforcement in official or judicial proceedings.

Categories of recipient: Processors (IT service providers). In order to achieve the intended purposes, it may also be necessary for us to forward your data to certain group-internal companies ( on a case-by-case basis to ensure that your request is processed quickly.


  1. Data transfer to third countries

Due to the complexity of today's data processing processes, we commission processors to process your data. As far as possible, we only use processors that are based within the European Union (EU) or the European Economic Area (EEA) and are therefore subject to the GDPR.
As part of data processing, your data may also be transferred to recipients in countries outside the European Union (so-called third countries). If these tools are active, your personal data may be transferred to these (third) countries and processed there. We would like to point out that in some countries it is not possible to guarantee a level of data protection that is fully comparable to that in the EU, but that all possible data protection measures are taken.
However, we always ensure that the European level of data protection and European data security standards are maintained.
First of all, we may, under certain circumstances, transfer data to third countries that have been certified by the European Commission as having an adequate level of data protection by means of an adequacy decision in accordance with Art. 45 GDPR. Such a decision is only issued if an adequate level of data protection is guaranteed in the country. There is currently (as of July 2023) an adequacy decision for the following third countries Andorra, Argentina, Faroe Islands, United Kingdom (initially until 28.06.2025), Guernsey, Israel, Isle of Man, Japan, Jersey, Canada (only commercial organizations), New Zealand, Switzerland, South Korea, Uruguay. Since July 10, 2023, such an adequacy decision also exists between the EU and the US if recipients are certified under the EU-US Data Privacy Framework. In principle, US companies may be obliged to disclose personal data to security authorities in cases relating to national security. We have no influence on these processing activities. However, the new adequacy decision now provides legal remedies for EU citizens. In addition, the EU Commission considers US companies that are certified and included in the Data Privacy Framework list to be secure data recipients. US companies that have self-certified to the Ministry and have committed to complying with the principles of the EU-US Data Privacy Framework can be found at:

If there is no adequacy decision by the European Commission in relation to a third country, we only transfer data subject to appropriate safeguards in accordance with Art. 46 GDPR. In particular, we use the standard data protection clauses approved by the European Commission, binding internal data protection regulations or we take other measures to ensure that an adequate level of data protection is established (e.g. participation of the recipient in an approved certification system).
In individual cases, the aforementioned appropriate safeguards pursuant to Art. 46 GDPR and the additional measures may not be effective enough, leaving gaps in legal protection. In such cases, we process your data in accordance with the derogation in Art 49 GDPR. This means that, depending on the individual case, we rely on (i) your express consent (Art 49(1)(a) GDPR), (ii) the necessity for the performance of a contract (Art 49(1)(b) GDPR) or (iii) the establishment, exercise or defense of legal claims (Art 49(1)(e) GDPR) to legitimize the transfer.

You can obtain further information and a copy of the measures implemented via the contact details listed under point 6.


  1. Rights of data subjects and the right to lodge a complaint
  • In accordance with Art. 15 GDPR, you have the right to request confirmation as to whether data is being processed by the controller and the right of access regarding this data.
  • In accordance with Art. 16 GDPR, you have the right to request the rectification of inaccurate data concerning you and/or the completion of incomplete data without undue delay.
  • In accordance with Art. 17 GDPR, you have the right to erasure of your data.
  • In accordance with Art. 18 GDPR, you have the right to the restriction of processing.
  • In accordance with Art. 20 GDPR, you have a right to data portability.
  • In accordance with Art. 21 GDPR, you have the right to object to the data processing.

Finally, you have the option to lodge a complaint with the supervisory authority responsible for you.

If the processing of your data takes place on the basis of your consent, you have the right to withdraw your consent at any time, without this affecting the lawfulness of the processing based on the consent before its withdrawal.


  1. Contact data

If you have any questions about data protection and the assertion of your above-mentioned rights, you can contact our data protection organization at or by post at voestalpine AG, Legal, Shareholdings and Compliance, voestalpine-Strasse 1, 4020 Linz.

This privacy policy will be updated from time to time.