Information for Suppliers

Data Protection Information for Suppliers of AT&S Group

Dear Supplier,

Regulation (EU) 2016/679, General Data Protection Regulation (“EU GDPR”), which entered into force on May 25, 2018, and various national laws as applicable, provide for increased safeguards to the rights of individuals over their personal data and place obligations on businesses to protect personal data as defined in article 4(1) of the regulation (“Personal Data”), that they collect or process.

In the course of our business relationship we need to collect and process certain Personal Data such as contact details related to our suppliers’ staff to fulfill and administer our mutual contractual obligations. This Data Protection Information (“Information”) is to inform our suppliers and their staff about the type of data collected and the purpose for which they are processed. It is valid for AT&S Group worldwide. We may provide additional data protection information that is valid only in specific countries, if required by local law. In that case, this Information would be complementary, and the local law will prevail.

Controller of the processed Personal Data:

AT & S Austria Technologie & Systemtechnik Aktiengesellschaft or its Affiliates, listed in Annex A, together referred to as “AT&S” or “AT&S Group”.

Contact person for data protection matters:

AT&S Compliance Office

I. Types of personal data processed

The following types of Personal Data will be processed as part of our business relationship:

a. Name details (in particular title, first name and surname, gender/salutation);
b. Contact details (in particular business address, email address, phone number);
c. Organizational data (in particular job title/function, department);
d. Identification/authentication data (in particular user ID, password, birth date, ID card).

AT&S does not process sensitive Personal Data, except necessary under mandatory legal requirements or for compelling reasons to secure the personal safety and security of a data subject, AT&S personnel and premises, or in the public interest.

II. Purpose and legal basis of data processing

AT&S is committed to observing the processing principles of Art 5 of the EU GDPR. Processing Personal Data is based on the following lawfulness purposes provided in Article 6 of the EU GDPR:

  1. Fulfilling contractual obligations under the supply agreement
    a. Ordering and order processing via the AT&S Supplier Network;
    b. Sending and receiving products or services to or from specifically named (contact) persons;
    c. Accounting, invoicing and invoice control;
    d. Routine business communications through e-mail and other electronic portals or third party platforms;
  1. Fulfilling legal and regulatory obligations, as required
    a. Tax filings related to our business transactions;
    b. Administration of customs declarations and export controls;
    c. Other proceedings with authorities and courts related to our business relation;
  1. Safeguarding our legitimate interests
    a. Administration, including security and performance monitoring, of the AT&S Supplier Network and related systems;
    b. Protection of our property, business operations and employees in cases of visits to our premises;
    c. Obtaining and administering insurance for our business transactions;
    d. Processing of damages claims;
  1. With consent, e.g. for the purpose of cultural and social events.

Personal Data will not be processed or transmitted for other purposes. We do not sell Personal Data to third parties nor misuse it. In the case that we intend to further process Personal Data for a purpose other than that for which the data has been collected we will inform you accordingly.

III. Third party recipients

Your personal data may be transmitted to the following third party recipients based on applicable laws or contractual agreements:

a. Forwarding and customs agents;
b. Carriers, feeders and other transportation companies;
c. Warehouse operators;
d. Banks and insurers;
e. Tax advisors and public accountants;
f. Legal counsels;
g. Other consultants;
h. IT service providers;
i. Customs, tax and other regulatory authorities and courts.

We exclusively employ IT service providers (“Data Processors”) with whom we have concluded contractual agreements and that ensure compliance with applicable data protection laws. Our Data Processors are, in particular, obliged to (i) maintain data secrecy and confidentiality, (ii) take sufficient and adequate technical and organizational measures, and (iii) process data only in connection and to the extent necessary with the service that is rendered from time to time.

IV. Transfer of personal data to third countries

To the extent necessary for fulfilling its contractual obligations, AT&S might disclose or transfer Personal Data to its EU and non-EU Affiliates (see Annex A) and Data Processors employed. Such disclosure or transfer takes place on a “need-to-know” basis and only to the personnel that is charged with the duties related to the carrying out of our business relationship. The level of protection of Personal Data in accordance with the standards of the data protection laws is secured through intercompany Standard Contractual Clauses. Additionally, AT&S has taken the necessary steps to contractually bind its personnel to general confidentiality obligations, including a prohibition to disclose Personal Data to unauthorized internal personnel and third parties.

V. Storage periods

The above-listed categories of Personal Data are stored for the period of the contractual relationship and for statutory periods as provided for in the applicable laws. As far as the processing of collected Personal Data is necessary for accounting, controlling or tax purposes, the storage period for it is defined in accordance with the mandatory legal requirements.

Personal Data collected on the occasion of supplier visits to the AT&S premises or of other events hosted by AT&S are stored for a period of 6 months, unless indicated separately in a written instruction of AT&S, or unless expressly consented otherwise by the affected person(s).

Notwithstanding the foregoing, the limitations of the rights of the data subjects to obtain erasure as provided Article 17, para. 3 of the EU GDPR shall respectively apply.

VI. Rights of the Affected Subjects

To the extent AT&S is the controller of the collected Personal Data, AT&S warrants the rights of the data subjects under Section II of the EU GDPR to access, rectification, deletion and objection of the processing or storage of their Personal Data, except for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the applicable laws. Access might also not be granted when doing so would be likely to seriously harm the interests of AT&S or other organizations dealing with AT&S and such interests are not overridden by the interests for fundamental rights and freedoms of the data subject. The sources of the personal data will not be identified when this is not possible by reasonable efforts, or where the rights of persons other than the individual would be violated. If faced with a rectification or deletion request, if there are compelling grounds to doubt the legitimacy of the request, AT&S may require further justifications before proceeding to rectification, amendment or deletion. Notification of any rectification, amendment or deletion to third parties to whom the data have been disclosed might not be made when, at AT&S own discretion, this involves a disproportionate effort.

If you have any such request or believe that your rights have been infringed in any way, you may lodge a complaint with us by using the contact details stated above. You may also file complaints with your country’s data protection authority as listed in Annex B. We would, however, kindly ask you to contact us first, we shall endeavor to handle your concerns with the highest care.

Further details on the AT&S Data Protection Policy can be found at:

APPENDIX A – AT & S Austria Technologie & Systemtechnik AG and its Affiliates

AT & S Austria Technologie & Systemtechnik Aktiengesellschaft
Fabriksgasse 13, 8700 Leoben, Austria
Company Registry: 55638x

AT&S Americas LLC
1735 N First Street Ste 245
San Jose, CA 95112, USA
Company Registry: 200807510060

AT&S Asia Pacific Limited
1617-19 16F, Tower 3 China Hong Kong City,
33 Canton Road Tsim Sha Tsui, Kowloon, Hong Kong
Company Registry: 33695674

AT&S (China) Company Limited
5000 Jin Du Road, Xinzhuang Industry Park, Minhang District
Shanghai 201108, P.R. China
Company Registry: 310000400521346 (Municipal)

AT&S (Chongqing) Company Limited
No.58, Chang He Road, Yuzui Town, Jiangbei District
Chongqing 401133, P.R. China
Company Registry: 500000400059622

AT&S Deutschland GmbH
Schenkelstraße 23, 52349 Düren
Company Registry: HRB 4209

AT&S India Private Limited
12A, Industrial Area, Nanjangud
571301 Karnataka, India
Company Registry: U85110KA1988PTC025863

AT&S Japan KK
White Akasaka 8F, 5-4-13 Akasaka
Minato-ku, Tokyo 107-0052, Japan
Company Registry: 0104-01-056753

AT&S Korea Company Limited
289, Sinwon-ro, Danwon-gu,
Ansan-City, Gyeonggi-do, South Korea
Company Registry: 131411-0151896

AT&S Austria Technologie & Systemtechnik (Malaysia) Sdn. Bhd.
Unit No. L25-1, Level 25, TSLAW Tower, No. 39, Jalan Kamuning,
55100, Kuala Lumpur W.P. Kuala Lumpur.
Company Registry: 202101018497 (1418797-X)

AT&S (Taiwan) Company Limited
Shin Kong Manhattan Building, Room 1412, 14F, No.8,
Sec.5, Xinyi Road,
Taipei 11049, Taiwan
Company Registry: 53561873

Appendix B – Data Protection Authorities within the European Economic Area (EEA)

Belgium Autorité de la protection des données
Bulgaria Commission for Personal Data Protection
Denmark Datatilsynet
Germany Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Estonia Andmekaitse Inspektsioon
Finland Office of the Data Protection Ombudsman
France Commission Nationale de l’Informatique et des Libertés
Greece Data Protection Authority
Ireland Data Protection Commission
Iceland Persónuvernd
Italy Garante per la protezione dei dati personali
Croatia Personal Data Protection Agency
Latvia Data State Inspectorate
Liechtenstein Data Protection Authority
Lithuania State Data Protection Inspectorate
Luxembourg Commission Nationale pour la Protection des Données
Malta Information and Data Protection Commissioner
Netherlands Autoriteit Persoonsgegevens
Norway Datatilsynet
Austria Datenschutzbehörde
Poland Urząd Ochrony Danych Osobowych
Portugal Comissão Nacional de Protecção de Dados
Romania Supervisory Authority for Personal Data Processing
Slovakia Office for Personal Data Protection
Slovenia Information Commissioner
Spain Agencia Española de Protección de Datos
Sweden Datainspektionen
Switzerland Federal Data Protection and Information Commissioner
Czech Republic Office for Personal Data Protection
UK Information Commissioner’s Office
Hungary Authority for Data Protection and Freedom of Information
Cyprus Commissioner for Personal Data Protection