Information on Data Protection for Customers, Interested Parties and Business Partners of W. R. Grace & Co.
Data security and the protection of data privacy for those with whom we are in contact are vital priorities for W. R. Grace & Co. (Grace, "we," "us"). We process personal data only in strict compliance with the applicable laws including the European Union General Data Protection Regulation (GDPR), effective from 25 May 2018.
1. Who is responsible for data processing and who can I contact?
The entity responsible for data processing is
Grace GmbH
In der Hollerhecke 1
67547 Worms
Germany
Tel. +49 6241.403.00
Our Data Protection Officer, Mr. Hans-Dieter Martin, can be contacted
by mail at: Grace GmbH, Data Protection Officer, In der Hollerhecke 1, 67547 Worms, Germany
by email at: DataProtectionOfficer@grace.com
2. What sources and data do we use?
We process personal data, which we receive from our customers or other parties (including "data subjects" as defined by the GDPR) within the scope of our business relationships.
We process personal data, 1) which we legitimately obtain from publicly accessible sources (e.g. credit agencies, commercial registers, and registers of associations, news media, Internet) 2) which are legitimately provided to us by other companies of the Grace group of companies (Grace) or by third parties to promote and conduct our business in compliance with our contractual obligations, our policies, and applicable laws.
Specifically, we process the following personal data relevant to our business:
- Customer master data including points of contact designated by the customer (e.g. name, address, contact details, account numbers);
- Data in connection with the fulfilment of orders and contracts;
- Tax-relevant data (tax identification numbers);
- Customer correspondence;
- Advertising and sales data (e.g. products in which customers may be interested);
- Data arising from compliance with our contractual obligations;
- Financial information (e.g. credit standing, scoring or rating data, origin of assets);
- Documentation data (e.g. quality management, audits);
- As well as other comparable categories of data.
We only process personal data of our customers as well as other data subjects to the extent necessary for the management of our business relationships including the delivery of products and services...
We only process personal data of our customers as well as other data subjects based on consent. An exception is made in cases where obtaining a prior consent is not possible and the processing of such data is permitted by law.
3. For what purpose and on what legal basis do we process personal data?
In compliance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG), we process personal data for the purposes and on the legal bases provide below.
a. For compliance with contractual obligations (point (b) of Art. 6 (1) GDPR)
The data are processed for the performance of the contracts with our customers or in order to take steps at the request of the data subject prior to entering into a contract. The purposes of data processing are determined primarily by the product or service and its scope of application. It may include product-related data, such as certificates of analysis, as well as regulatory (e.g. REACH) monitoring and compliance data. The purposes of data processing are determined by the specific product and the contractual agreements, terms, and conditions.
b. Within the scope of the balancing of interests (point (f) of Art. 6 (1) GDPR)
To the extent necessary, we process personal data beyond the scope of the actual performance of a contract for the purposes of the legitimate interests pursued by us or by a third party.
This is done for the following purposes:
- Consultation of and exchange of data with credit bureaus (e.g. Dun & Bradstreet) to identify credit and default risks in connection with financial agreements;
- Analysis and optimisation of processes to analyse and fulfil customer needs;
- Advertising or market and opinion research, unless you have objected to the use of your data for this purpose;
- Measures to protect buildings and systems (e.g. physical access controls);
- Measures to safeguard the domiciliary right;
- Measures of business management and development of services and products;
- Risk management within the group;
- To address complaints, accommodate the long-term needs of our customers and to improve our performance;
- For quality management and the production of products by our business partners and others in the supply chain.
Our interest in processing relevant data can be inferred from the above-referenced purposes and is of an economic or legal nature.
To the extent possible for a specific purpose, we process customer data in pseudonymised or anonymised form.
c. Based on your consent (point (a) of Art. 6 (1) GDPR)
To the extent that you have consented to the processing of personal data for certain purposes (e.g. sharing data within the Grace group of companies, trade show contacts, customer visits for marketing purposes, photographs taken at events, sending newsletters, etc.), such processing is lawful based on your consent. This consent can be withdrawn at any time. This also applies to the withdrawal of declarations of consent given to us before the effective date of the GDPR (25 May 2018). The withdrawal of consent is only effective thereafter and does not affect the lawfulness of data processing before the withdrawal.
d. For compliance with legal obligations (point (c) of Art. 6 (1) GDPR) or in the public interest (point (e) of Art. 6 (1) GDPR)
We process data to assess and manage risks in the Grace group of companies in compliance with various legal obligations, statutory requirements (e.g. REACH), and regulatory requirements (e.g. SOX).
4. With whom will Grace share my data?
Within Grace, the only those persons granted access to your data are those who need it to conduct business as described above. Service providers and agents employed by us also may be granted access to data for these purposes, provided that they observe applicable regulations including banking secrecy. Such agents and service providers include companies in production-related and security services, IT services, logistics, printing, telecommunication, debt collection, consultation, as well as sales and marketing.
Regarding the sharing of data outside of Grace, we keep confidential all customer-related facts and assessments of which we become aware.
We only share information about our customers to the extent required by law, with the customer's consent, or if we are authorised to do so.
Under these circumstances, recipients of personal data may include, for example:
- Processors employed by us (Art. 28 GDPR), in particular in the field of IT services, logistics, and printing, who process your data on our behalf according to our instructions;
- Data processing service providers.
5. Will data be transferred to another country or international organisation?
To the extent that we transfer personal data to service providers or the Grace group of companies outside the European Economic Area (EEA), such transfer will only take place if the EU Commission has confirmed that the third country has adequate data protection or if other appropriate data protection safeguards (e.g. binding corporate rules or EU standard contractual clauses) are in place. You may request more information using the contact details provided above.
This means:
In the event of transfer to a third country for which an EU Commission data protection adequacy decision is available:
Data are only transferred to countries outside the EU or the EEA (referred to as third countries) to the extent necessary to conduct business or as required by law, when the user's consent is available, or within the scope of processing on behalf of Grace (the data controller). These transfers are consistent with the adequacy decisions of the EU Commission regarding the transfer of data to the third countries of the service providers or third parties.
In the event of transfer to a third country for which an adequacy decision of the EU Commission is not available:
Data are only transferred to countries outside the EU or the EEA (referred to as third countries) to the extent necessary to conduct business or as required by law, when the user's consent is available, or within the scope of processing on behalf of the controller. The data are transferred to the third countries of the service providers or third parties based on EU standard contractual clauses that cover compliance through appropriate and suitable safeguards.
Data transfer to entities in third countries is envisaged in the following cases:
- To the extent necessary in individual cases, personal data may be transmitted to an IT service provider in the U.S. or in another third country to enable IT operations while observing the European level of data protection.
- With the consent of the data subject, personal data of customers interested in Grace products may also be processed within a CRM system in the U.S.
- With the consent of the data subject or under statutory provisions designed to fight money laundering, financing of terrorism, and other criminal acts as well as within the scope of the balancing of interests, personal data will be transferred in individual cases while observing the European level of data protection.
6. How long will my data be retained by Grace?
Grace will delete your personal data once they are no longer necessary for the above-mentioned purposes. After termination of the contractual or service relationship, your personal data will be stored as long as we are legally required to do so. Corresponding legal documentation and retention obligations are set forth in the local Commercial Code and Fiscal Codes, among other laws. According to these, the data usually must be stored for a period of up to 10 years. In addition, personal data may be stored for the period during which claims can be asserted against us (statutory limitation period ranging from three to 30 years).
In addition, we may be subject to retention obligations under commercial and tax law. The retention and/or documentation periods stipulated therein usually range from two to 10 years.
7. What data protection rights do I have?
Every data subject has the right of access pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to object pursuant to Article 21 GDPR, as well as the right to data portability pursuant to Article 20 GDPR. Regarding the right of access and the right to erasure, the limitations pursuant to local data protection regulations apply. There is a right to lodge a complaint with a competent supervisory authority (Article 77 GDPR). You can withdraw your consent to the processing of personal data at any time. This also applies to the withdrawal of declarations of consent given to us before the effective date of the GDPR (25 May 2018). The withdrawal is only effective after the withdrawal. Data processing carried out before the withdrawal is not affected.
8. Am I obliged to provide data?
Within the scope of our business relationship, you are obliged to provide those personal data, which are necessary for the establishment, performance, and termination of a business relationship and for compliance with the associated contractual obligations or which we are legally required to collect. Without these data, we generally will not be able to conclude, perform, and terminate a contract with you.
9. To what extent is automated decision-making used?
As a rule, we do not use fully automated decision-making processes pursuant to Article 22 GDPR for the establishment and performance of the business relationship. Where we use such processes in individual cases, we will inform you thereof and of your related rights to the extent required by law.
10. Is profiling used?
We process some data automatically with the goal of evaluating certain personal aspects (profiling).
We use profiling in the following cases, for example:
- We use analysis tools to provide you with specific information and advice. These allow for need-based communication and advertising including market and opinion research.
- Due to statutory and regulatory requirements, we are obliged to fight money laundering, financing of terrorism, and criminal acts jeopardising property. In doing so, we conduct data analyses (e.g. data in payment transactions). These measures also serve to protect you.
Information on Your Right to Object Pursuant to Article 21 GDPR
Right to object based on individual cases
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) of Article 6 (1) GDPR (data processing in the public interest) or point (f) of Article 6 (1) GDPR (data processing based on the balancing of interests), including profiling based on these provisions, as defined in Article 4 (4) GDPR.
If you exercise your right to object, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds to do so that override your interests, rights, and freedoms; or for the establishment, exercise, or defence of legal claims.
Right to object to processing for direct marketing purposes
In individual cases, we process your data for direct marketing purposes. You have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you exercise your right to object to processing for direct marketing purposes, we will no longer process your data for such purposes.
Recipient of an objection
The objection can be made informally, indicating your name, address and date of birth, and should be addressed to:
Grace GmbH, Data Protection Officer, In der Hollerhecke 1, 67547 Worms, Germany
11. Where can complaints be submitted?
Irrespective of any other legal remedy under administrative law or judicial remedy, you are entitled to file a complaint with the supervisory authority, particularly in the member state in which you are a resident or where the alleged violation took place, if you believe the processing of your personal data is in violation of the EU General Data Protection Regulation.
The supervisory authority to which the complaint is submitted shall notify the appellant of the situation and the results of the complaint, including the option of a legal remedy in accordance with article 78 of the EU General Data Protection Regulation.
The supervisory authority in charge for Grace is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz
Hintere Bleiche 34
55116 Mainz
Germany