Information Letter for Suppliers

AT&S Statement on Data Protection

Dear Supplier,

The EU General Data Protection Regulation (EU GDPR) which entered into force on May 25, 2018 provides for increased safeguards to the rights of individuals over their personal data and places obligations on the business to protect personal data that they collect or process on third party’s behalf.

In order to support our mutual compliance with the EU GDPR with the current statement AT & S Austria Technologie & Systemtechnik Aktiengesselschaft (AT&S) on behalf of the AT&S Group would like to inform you firstly, of the types of personal data collected by AT&S, of the purposes for which it is collected and secondly, would like to ask you to grant your consent, respectively to ensure the consent of the affected individuals for the AT&S’ lawfully processing of personal data, obtained in the course of our business relationship.

Controller of the collected personal data:

AT & S Austria Technologie & Systemtechnik Aktiengesellschaft or its Affiliates, listed in Appendix A.
The term “affiliate” includes any entity belonging through direct or indirect majority ownership to the group of entities in which a party is a member through direct or indirect majority ownership interest.

Contact person for data protection matters:

Mr. Andreas Steiner
Information Security Officer

I. Types of personal data:

Typically, the personal data collected, processed and stored by AT&S in the course of our business relationship includes, but is not limited to: Name, address, phone number, e-mail address, function of the person at your company, personal ID number, nationality, ID document number.
AT&S does not process sensitive personal data, but occasionally, if necessary under mandatory legal requirements or for compelling reasons to secure the personal safety and the security of a data subject, the AT&S personnel, premises or in the public interest.

II. Basis for and purposes of the processing:

AT&S is committed to observing the processing principles of Art 5 of the EU GDPR. The processing of the above listed personal data is based on the following lawfulness grounds provided in Article 6 of the EU GDPR:

1) Processing is necessary for our contractual performance, namely for the purposes of:

  1.  Ordering and order processing via the AT&S Supplier Portal Pool4Tool.
  2. Logistics: sending and receiving products or services to or from specifically named (contact) persons; submitting the names of such contact persons to transport companies and forwarders, as well as to customs and other regulatory authorities, if required from the nature of your contractual performance;
  3. Invoicing and invoice’s control: inside the AT&S and by external auditors in accordance with mandatory legal requirements and regulatory authorities requests, instructions or other mandatory acts directed at AT&S;
  4. Processing of damages claims: submitting data to the AT&S insurer and other AT&S Legal and other consultants and experts, where necessary;
  5. Daily business communications through e-mail and other electronic portals or third party platforms;
  6. In cases of joint development projects: names and other data of inventors, necessary for making patent applications or otherwise necessary for protecting the AT&S Intellectual Property Rights before competent patent offices. As this data is processed electronically, the data is administered within a third party application located in the EU. For the purposes of making patent application and other formalities the data is transferred to AT&S patent attorney offices.

2) Processing under letter c) of Art. 6 EU GDPR:

  1. As AT&S is listed on the Vienna Stock Exchange AT&S is legally obliged to be compliant with the Austrian and other international laws on Capital Market Compliance. In accordance with Article 18 para 2 of the Regulation (EU) No 596/2014 of the European Parliament and of the Council of 16 April 2014 on market abuse (market abuse regulation – “MAR”) the following type of information is collected: names, birth date, professional and personal telephone numbers, function, e-mail, national ID number, if applicable. The personal data collected on this basis is processed internally by AT&S and could be disclosed to regulatory authorities or external auditors.

III. Transfer of personal data to third countries:

To the extent necessary for fulfilling its contractual obligations to you under our current business relationship, AT&S might disclose or transfer personal data to its non-EU Affiliates. Such disclosure or transfer takes place on a “need-to-know” basis and only to the AT&S personnel that is charged with the duties related to the carrying out of our business relationship. The level of protection of personal data within the AT&S Group in accordance with the standards of the date protection laws is secured through intercompany Model Contractual Clauses. Additionally, AT&S has taken the necessary steps to contractually bind its personnel to general confidentiality obligations, including a prohibition to disclose personal data to unauthorized internal personnel and third parties.

IV. Storage periods:

The above-listed categories of personal data is stored for the period of the contractual relationship and for statutory periods as provided for in the applicable laws. As far as the processing of collected personal data is necessary for accounting, controlling or tax purposes, the storage period for it is defined in accordance with the mandatory legal requirements.

Personal data collected on the occasion of customer/supplier visits to the AT&S premises or of other events hosted by AT&S is stored for a period of 6 months, unless indicated separately in a written instruction of AT&S, or unless expressly consented otherwise by the affected person(s).
Notwithstanding the foregoing, the limitations of the rights of the data subjects to obtain erasure as provided Article 17, para. 3 of the EU GDPR shall respectively apply.

V. Rights of the Affected Subjects:

To the extent AT&S is the controller of the collected personal data, AT&S warrants the rights of the data subjects under Section II of the EU GDPR to access, rectification, deletion and objection of the processing or storage of their personal data, except for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the laws of Austria. Access might also not be granted when doing so would be likely to seriously harm the interests of AT&S or other organizations dealing with AT&S and such interests are not overridden by the interests for fundamental rights and freedoms of the data subject. The sources of the personal data will not be identified when this is not possible by reasonable efforts, or where the rights of persons other than the individual would be violated. If faced with a rectification or deletion request, if there are compelling grounds to doubt the legitimacy of the request, AT&S may require further justifications before proceeding to rectification, amendment or deletion. Notification of any rectification, amendment or deletion to third parties to whom the data have been disclosed might not be made when, at AT&S own discretion, this involves a disproportionate effort.

Further details on the AT&S data Protection Policy can be found at:


Agreement on Processing of Personal Data

AT & S Austria Technologie & Systemtechnik Aktiengesellschaft
Fabriksgasse 13, 8700 Leoben
(hereinafter “AT&S”)
The Supplier

AT&S and Supplier are individually referred to as a “Party” and collectively as the “Parties”.

AT&S and Supplier agree on the collection, processing, transfer and storage of the categories of personal data, listed in the AT&S Statement on Data Protection to the extent necessary to conduct their business relationship and in accordance with the instructions of the Party disclosing the personal data to the other. If a Party cannot comply with this requirement for whatever reason, it will promptly inform the other Party and the other Party will be entitled to suspend the transfer of personal data or terminate the agreement for which execution such collection, processing, transfer or storage of personal data is needed.
The Party receiving personal data further agrees that it will promptly notify the Party disclosing such data about: (a) any legally binding request for disclosure of the personal data by a law enforcement authority (unless otherwise prohibited); (b) any accidental or unauthorized processing of personal data; and (c) any requests received from an individual to whom the personal data relates without responding to that request, unless it has been otherwise authorized to do so. The Party receiving personal data will take appropriate technical and organizational security measures as are required by the disclosing Party to protect the personal data. In case of data breach caused by or attributable to a Party, the latter shall inform the other Party thereof immediately and within the legally provided timeframe undertake the necessary steps to notify the affected data subject(s) and the competent regulatory authority of the breach.
Supplier hereby acknowledges the receipt of the above AT&S information Statement on Data Protection and consents to the collection, processing, transfer and storage of personal data by AT&S under the terms and conditions of the AT&S Statement on Data Protection.
Supplier herewith represents and warrants to AT&S to have obtained the consent of its employees and its other representatives for the collection, processing, transfer and storage of their personal data by AT&S for the purposes listed under Section II of the AT&S Statement on Data Protection or for other purposes, which might require express written consent of the data subject.
Supplier shall meet its obligations under Articles 13 and 14 of the EU GDPR to inform the data subjects of the processing of their personal data by AT&S and respectively inform them of the above AT&S Statement on Data Protection.



AT & S Austria Technologie  & Systemtechnik AG’s Affiliate

AT&S Americas LLC
1735 N First Street Ste 245
San Jose, CA 95112, USA
Company Registry: 200807510060

AT&S Asia Pacific Limited
1617-19 16F, Tower 3 China Hong Kong City,
33 Canton Road Tsim Sha Tsui, Kowloon, Hong Kong
Company Registry: 33695674

AT&S (China) Company Limited
5000 Jin Du Road, Xinzhuang Industry Park, Minhang District
Shanghai 201108, P.R. China
Company Registry: 310000400521346 (Municipal)

AT&S (Chongqing) Company Limited
No.58, Chang He Road, Yuzui Town, Jiangbei District
Chongqing 401133, P.R. China
Company Registry: 500000400059622

AT&S Deutschland GmbH
Schenkelstraße 23, 52349 Düren
Company Registry: HRB 4209

AT&S India Private Limited
12A, Industrial Area, Nanjangud
571301 Karnataka, India
Company Registry: U85110KA1988PTC025863

AT&S Japan KK
White Akasaka 8F, 5-4-13 Akasaka
Minato-ku, Tokyo 107-0052, Japan
Company Registry: 0104-01-056753

AT&S Korea Company Limited
289, Sinwon-ro, Danwon-gu,
Ansan-City, Gyeonggi-do, South Korea
Company Registry: 131411-0151896

AT&S (Taiwan) Company Limited
Shin Kong Manhattan Building, Room 1412, 14F, No.8,
Sec.5, Xinyi Road,
Taipei 11049, Taiwan
Company Registry: 53561873