Information Letter for Customers

AT&S Statement on Data Protection

Dear Customer,

The EU General Data Protection Regulation (EU GDPR) which entered into force on May 25, 2018 provides for increased safeguards to the rights of individuals over their personal data and places obligations on the business to protect personal data that they collect or process on third party’s behalf.

In order to support our mutual compliance with the EU GDPR with the current statement AT & S Austria Technologie & Systemtechnik Aktiengeselschaft (AT&S) on behalf of the AT&S Group would like to inform you firstly, of the types of personal data collected by AT&S, of the purposes for which it is collected and secondly, would like to ask you to grant your consent, respectively to ensure the consent of the affected individuals for the AT&S’ lawfully processing of personal data, obtained in the course of our business relationship.

Controller of the collected personal data:

AT & S Austria Technologie & Systemtechnik Aktiengesellschaft or its Affiliates, listed in Appendix A.
The term “affiliate” includes any entity belonging through direct or indirect majority ownership to the group of entities in which a party is a member through direct or indirect majority ownership interest.

Contact person for data protection matters:

Mr. Andreas Steiner
Information Security Officer
Email: privacy@ats.net

I. Types of personal data:

Typically, the personal data collected, processed and stored by AT&S in the course of our business relationship includes, but is not limited to: Name, address, phone number, e-mail address, function of the person at your company, personal ID number, nationality, ID document number.
AT&S does not process sensitive personal data, but occasionally, if necessary under mandatory legal requirements or for compelling reasons to secure the personal safety and the security of a data subject, the AT&S personnel, premises or in the public interest.

II. Basis for and purposes of the processing:

AT&S is committed to observing the processing principles of Art 5 of the EU GDPR. The processing of the above listed personal data is based on the following lawfulness grounds provided in Article 6 of the EU GDPR:

1) Processing is necessary for our contractual performance, namely for the purposes of:

  1. Ordering and order processing by AT&S.
  2. Logistics: sending and receiving the AT&S products or services to or from specifically named (contact) persons; submitting the names of such contact persons to transport companies and forwarders, as well as to customs and other regulatory authorities, if required from the nature of the delivered AT&S performance;
  3. Invoicing and invoice’s control: inside the AT&S and by external auditors in accordance with mandatory legal requirements and regulatory authorities’ requests, instructions or other mandatory acts directed at AT&S;
  4. Processing of damages claims: submitting data to the AT&S insurer and other AT&S Legal and other consultants and experts, where necessary;
  5. Daily business communications through e-mail and other electronic portals or third party platforms;
  6. In cases of joint development projects: names and other data of inventors, necessary for making patent applications or otherwise necessary for protecting the AT&S Intellectual Property Rights before competent patent offices. As this data is processed electronically, the data is administered within a third party application located in the EU. For the purposes of making patent application and other formalities the data is transferred to AT&S patent attorney offices.

2) Processing under letter c) of Art. 6 EU GDPR:

  1. As AT&S is listed on the Vienna Stock Exchange AT&S is legally obliged to be compliant with the Austrian and other international laws on Capital Market Compliance. In accordance with Article 18 para 2 of the Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (market abuse regulation – “MAR”) the following type of information is collected: names, birth date, professional and personal telephone numbers, function, e-mail, national ID number, if applicable. The personal data collected on this basis is processed internally by AT&S and could be disclosed to regulatory authorities or external auditors.

III. Transfer of personal data to third countries:

To the extent necessary for fulfilling its contractual obligations to you under our current business relationship, AT&S might disclose or transfer personal data to its non-EU Affiliates. Such disclosure or transfer takes place on a “need-to-know” basis and only to the AT&S personnel that is charged with the duties related to the carrying out of our business relationship. The level of protection of personal data within the AT&S Group in accordance with the standards of the date protection laws is secured through intercompany Model Contractual Clauses. Additionally, AT&S has taken the necessary steps to contractually bind its personnel to general confidentiality obligations, including a prohibition to disclose personal data to unauthorized internal personnel and third parties.

IV. Storage periods:

The above-listed categories of personal data is stored for the period of the contractual relationship and for statutory periods as provided for in the applicable laws. As far as the processing of collected personal data is necessary for accounting, controlling or tax purposes, the storage period for it is defined in accordance with the mandatory legal requirements.

Personal data collected on the occasion of customer visits to the AT&S premises or of other events hosted by AT&S is stored for a period of 6 months, unless indicated separately in a written instruction of AT&S, or unless expressly consented otherwise by the affected person(s).
Notwithstanding the foregoing, the limitations of the rights of the data subjects to obtain erasure as provided Article 17, para. 3 of the EU GDPR shall respectively apply.

V. Rights of the Affected Subjects:

To the extent AT&S is the controller of the collected personal data, AT&S warrants the rights of the data subjects under Section II of the EU GDPR to access, rectification, deletion and objection of the processing or storage of their personal data, except for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the laws of Austria. Access might also not be granted when doing so would be likely to seriously harm the interests of AT&S or other organizations dealing with AT&S and such interests are not overridden by the interests for fundamental rights and freedoms of the data subject. The sources of the personal data will not be identified when this is not possible by reasonable efforts, or where the rights of persons other than the individual would be violated. If faced with a rectification or deletion request, if there are compelling grounds to doubt the legitimacy of the request, AT&S may require further justifications before proceeding to rectification, amendment or deletion. Notification of any rectification, amendment or deletion to third parties to whom the data have been disclosed might not be made when, at AT&S own discretion, this involves a disproportionate effort.

Further details on the AT&S data Protection Policy can be found at: https://ats.net/privacy-statement/

APPENDIX A

AT & S Austria Technologie  & Systemtechnik AG’s Affiliates
AT&S Americas LLC
1735 N First Street Ste 245
San Jose, CA 95112, USA
Company Registry: 200807510060

AT&S Asia Pacific Limited
1617-19 16F, Tower 3 China Hong Kong City,
33 Canton Road Tsim Sha Tsui, Kowloon, Hong Kong
Company Registry: 33695674

AT&S (China) Company Limited
5000 Jin Du Road, Xinzhuang Industry Park, Minhang District
Shanghai 201108, P.R. China
Company Registry: 310000400521346 (Municipal)

AT&S (Chongqing) Company Limited
No.58, Chang He Road, Yuzui Town, Jiangbei District
Chongqing 401133, P.R. China
Company Registry: 500000400059622

AT&S Deutschland GmbH
Schenkelstraße 23, 52349 Düren
Germany
Company Registry: HRB 4209

AT&S India Private Limited
12A, Industrial Area, Nanjangud
571301 Karnataka, India
Company Registry: U85110KA1988PTC025863

AT&S Japan KK
White Akasaka 8F, 5-4-13 Akasaka
Minato-ku, Tokyo 107-0052, Japan
Company Registry: 0104-01-056753

AT&S Korea Company Limited
289, Sinwon-ro, Danwon-gu,
Ansan-City, Gyeonggi-do, South Korea
Company Registry: 131411-0151896

AT&S (Taiwan) Company Limited
Shin Kong Manhattan Building, Room 1412, 14F, No.8,
Sec.5, Xinyi Road,
Taipei 11049, Taiwan
Company Registry: 53561873