GDPR for Suppliers

Information on data protection for Suppliers, Service Providers, Dealers and Business Partners of W. R. Grace & Co.

The data security and data protection for those with whom we are in contact (hereinafter referred to as "our contact persons") are of paramount importance to W. R. Grace & Co. ("Grace," "we," "us") are key priorities. We process personal data only in accordance with applicable laws, including the European Union's Basic Data Protection Regulation (GDPR), which came into force on May 25, 2018.

1. Who is responsible for data processing and whom can I contact?

The body responsible for data processing is
Grace GmbH
In the Hollerhecke 1
67547 Worms
Germany
Phone: +49 6241.403.00

Our data protection officer, Mr. Hans-Dieter Martin, can be contacted by post to Grace GmbH, Data Protection Officer, In der Hollerhecke 1, 67547 Worms, Germany or E-mail to DataProtectionOfficer@grace.com

2. What sources and data do we use?

We collect the personal information of our contact persons directly from our contact persons or from our suppliers, service providers, vendors and partners within the scope of our contractual relationship. We process the following categories of personal data: 

• Contact information of our contact persons (first and last name; address and phone number, mobile phone number, fax number and e-mail address);
• Other personal data required to fulfil a contract or to conclude a contract.
• Log data recorded during the use of IT systems provided by GRACE
• Results of safety tests and contract fulfilment if our contact persons work at our sites

We process personal data of our business partners and other affected persons only to the extent necessary for the management of our business relations, including the delivery of products and services.

If our contact persons enter our sites, additional personal information is collected to ensure site security. For detailed information on how GRACE processes and uses personal information about individuals who enter GRACE sites, please refer to the appropriate privacy notices posted on the sites.

3. For what purpose and on what legal basis do we process personal data? 

In accordance with the provisions of the EU Data Protection Basic Regulation (EU-GDPR) and the German Federal Data Protection Act (BDSG), we process personal data for the purposes and on the basis of the legal bases stated below. 

The data processing serves the following purposes:

• Planning, executing or managing our contractual relationships with our suppliers, service providers, vendors and partners, for example, to process orders, for accounting purposes, or to execute and organize the provision of services or transportation;
• Planning, execution or management of transport and delivery of our products and goods;
• Maintaining and protecting the security of our network and the security and functionality of our websites; preventing and detecting security risks, fraudulent activities or other criminal or malicious acts;
• Maintaining and protecting the security of our company premises and facilities (e.g. carrying out access controls, granting temporary access authorizations)
• Compliance with legal requirements (e.g. compliance with tax or commercial law retention obligations; prevention of money laundering or economic crime)
• Solving legal disputes and legal proceedings, enforcement of or defence against legal claims or legal proceedings, enforcement of existing contracts.

The processing of the above-mentioned categories of data is necessary to achieve these purposes.

The legal basis for the processing is, unless explicitly stated otherwise, Article 6(1) (a) based on your consent and/or (b) to comply with contractual obligations and/or (f) in the context of the balance of interests of the EU data protection basic regulation.

If we intend to use the personal data of our contact persons for purposes other than those listed above, we will inform our contact persons prior to such processing.

If we do not receive the categories of data mentioned above, we may not be able to achieve the purposes described.

4. With whom will Grace share my data?

Within Grace, only those people who need to access your information to conduct business as described above are authorized to access your information. Service providers and agents engaged by us may also have access to data for these purposes, provided they comply with applicable regulations, including banking secrecy. These agents and service providers include companies in the areas of purchasing, finance, production and security, IT services and logistics.

With respect to sharing data outside of Grace, all supplier-related facts and assessments that come to our attention are kept confidential.

We only share information about our suppliers to the extent required by law, with the supplier's consent or if we are entitled to do so.

In these circumstances, we may share personal information with the following recipients, for example:

• processors employed by us (Art. 28 GDPR), in particular in the areas of IT services, logistics and printing, who process your data on our behalf in accordance with our specifications
• Data processing service provider

5. Is data transferred to another country or international organisation?

Where we transfer personal data to service providers or the Grace Group of companies outside the European Economic Area (EEA), such a transfer will only take place if the EU Commission has confirmed that the third country provides adequate data protection or that other appropriate data protection safeguards (e.g. binding company rules or EU standard contractual clauses) are in place. You can request further information at the contact details above.

That means:

In case of transfer to a third country for which a decision of the EU Commission on the adequacy of data protection has been issued:

Data will only be transferred to countries outside the EU or the EEA (referred to as "third countries") if this is necessary for the performance of business or in accordance with legal requirements, if the user has given his consent or in the context of processing on behalf of Grace (the "data controller").  These transfers are in accordance with the adequacy decisions of the European Commission regarding the transfer of data to the third countries of the service providers or third parties.

In the case of transfer to a third country for which no decision of the EU Commission on the adequacy of data protection has been made:

Data will only be transferred to countries outside the EU or the EEA (referred to as "third countries") if this is necessary for the performance of business transactions or in accordance with statutory provisions, if the consent of the user has been obtained or in the context of processing on behalf of the data controller. The data will be transferred to the third countries of the service providers or third parties based on EU standard contractual clauses covering compliance with adequate and appropriate safeguards.

The transfer of data to entities in third countries is foreseen in the following cases:

• Insofar as necessary in individual cases, personal data may be transferred to an IT service provider in the USA or in another third country in order to enable IT operations in compliance with the European data protection level.
• With the consent of the data subject, personal data of suppliers may also be processed in the SAP Ariba supplier portal in the USA.
• With the consent of the person concerned or based on statutory provisions to combat money laundering, the financing of terrorism and other criminal acts, and as part of the balancing of interests, personal data is transferred in individual cases in compliance with the European level of data protection.

6. How long does Grace keep my data?

Grace will delete your personal information as soon as it is no longer needed for the above purposes. After termination of the contractual or service relationship, your personal data will be stored as long as we are legally obliged to store them. Corresponding legal documentation and storage obligations are laid down in the local commercial code and tax regulations, among others. Accordingly, the data must generally be stored for a period of up to 10 years. In addition, personal data may be stored for the duration of the assertion of claims against us (statutory limitation period between 3 and 30 years).

In addition, we may be subject to retention obligations under commercial and tax law. The retention and/or documentation periods stipulated therein are generally between 2 and 10 years.

7. What data protection rights do I have?

Every data subject has a right of access pursuant to Article 15 GDPR, a right of rectification pursuant to Article 16 GDPR, a right of deletion pursuant to Article 17 GDPR, a right to restrict processing pursuant to Article 18 GDPR, a right of objection pursuant to Article 21 GDPR and a right to data transferability pursuant to Article 20 GDPR. Regarding the right of information and deletion, the restrictions in accordance with local data protection regulations apply. There is the right to lodge a complaint with a competent supervisory authority (Article 77 GDPR). You may revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent that were issued to us before the GDPR came into force (25 May 2018). The withdrawal is only effective after the revocation. Data processing carried out before the revocation is not affected.

8. Do I have to provide data?

Within the scope of our business relationship, you are obliged to provide us with those personal data which are necessary for the establishment, fulfilment and termination of a business relationship as well as for the fulfilment of the associated contractual obligations or which we are required to collect by law. Without this data, we are generally not able to conclude, fulfil and terminate a contract with you.

9. To what extent is automated decision making used?

As a rule, we do not use fully automated decision-making processes in accordance with Article 22 GDPR to establish and fulfil the business relationship. Insofar as we use such procedures in individual cases, we will inform you about this and about your rights associated with it to the extent required by law.

10. Is profiling used?

We process some data automatically with the aim of evaluating certain personal aspects ("profiling").

For example, we use profiling as part of supplier evaluations and due to legal and regulatory requirements to combat money laundering, terrorist financing and property rights crimes. In doing so, we carry out data analyses (e.g. on data in payment transactions). These measures also serve to protect you.

11. Where can complaints be filed?

Independently of any other administrative or judicial remedy, you have the right to lodge a complaint with the supervisory authority, in particular in the Member State where you are established or where the alleged breach has taken place, if you consider that the processing of your personal data is contrary to the EU data protection basic regulation.

The supervisory authority to which the complaint is lodged shall inform the complainant of the situation and the outcome of the complaint, including the possibility of an appeal under Article 78 EU CDIR.

The regulatory agency responsible for Grace is:

The State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate
Hintere Bleiche 34
55116 Mainz
Germany