Personal Data: shall mean any information that may, directly or indirectly, identify an individual, such as a name, contact details, function, identification number, online identifier;
Data Controller: shall mean the legal entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. Data Controller
The Data controller is the legal entity responsible for the collection, use and Processing of your Personal Data and in charge of ensuring compliance with applicable data protection law.
Oerlikon Surface Solutions AG, and each of its Oerlikon Balzers affiliates, act individually as a Data Controller in relation with the management of its own clients, prospective clients, external contacts. The Oerlikon entity which is legally responsible for the collection, use, Processing of your Personal Data is the Oerlikon Balzers entity with whom you are in contact with or have a contract with.
For the avoidance of doubts, the responsible Legal entity (Data controller) in Thailand is: Oerlikon Balzers Coating (Thailand) Co.Ltd, Chonburi, Thailand.
However, when different Oerlikon Balzers entities share clients data in order to propose or provide services collectively to the same client, the concerned Oerlikon Balzers entities do act as joint Data controllers in relation with the use of the same client’s personal data, it means that they are collectively responsible for the use of such data.
3. When do we record Personal Data about You in our CRM?
We will record your Personal Data in our systems if You:
- gave your professional contact details to us during a conference, meeting or any other event or through our website contact forms AND;
- let us know that you are interested in being one of our business contacts, get information or discuss how we could work together OR
- are an existing client, partner.
4. What Personal Data do we collect about You?
Given that we sell our products and services to corporate clients only, we do collect limited Personal Data.
The Personal Data we generally collect about You are mainly:
- Identification data (e. g. first name, surname, title);
- Professional contact details (e. g. e-mail address, phone number, address, country);
- Professional data as your function, title, department, company for whom you work, projects discussed or contracts followed together and related communications (e.g. negotiation, service cases, request on services, products, follow up of services execution, information on planned and/or past deadlines);
- Information about any consent granted in particular for direct marketing activities (e. g. date of submission, scope of consent).
5. Why do we collect and use Personal Data about You?
We will use your Personal Data to the extent necessary for the following purposes:
- Centralizing our contact details, documents and communications with each of our clients, prospective clients, external contacts including partners;
- Managing our relationship with you in an efficient way;
- Evaluating opportunities and whether we are interested in doing business with you;
- Negotiating, concluding and executing and managing our contracts (e. g. billings, delivery of services; guarantee, account administration, meetings);
- Fulfilling our legal obligations (e. g. fighting against bribery, conflicts of interest, disclosing required Personal Data to governmental institutions, competent authorities or courts upon request),
- Protecting our rights and interests in case of a litigation
- Protecting the security of our systems and information;
- Managing direct marketing activities (subject to prior consent) and organize events, trade shows and customer meetings.
6. Legal Bases for Data Processing
We Process your Personal Data based on applicable data protection law.
Outside of the EU/EEA, when the legal ground for processing Personal Data is only consent, we will collect your personal data based on consent. If consent is not the only possible legal ground for collecting, using your personal data, we will collect your personal data based on applicable legal ground.
Within the EU/EEA, the applicable data protection law is the EU General Data Protection Regulation 2016/679 (GDPR), and we process your personal data based on the following GDPR legal grounds:
- Your consent (Art. 6 para. 1 S. 1 lit. a), Art. 7, Art. 9 para. 2 lit. a) GDPR).
- This is the case for direct marketing activities. If we refer to your consent as legal basis for processing your Personal Data, then you can revoke your consent anytime with the future;
- The necessity to enter a contractual relationship with you and to fulfil our contractual obligations (Art. 6 para. 1 S. 1 lit. b) GDPR) as for example, when we follow any payment, read and record communications with you or your company in relation with the delivery of a service.
- The necessity to pursue our legitimate interests, or the legitimate interests of third parties (Art. 6 Abs. 1 S. 1 lit. f) GDPR), especially:
- recording Your Personal Data in our systems used for the management of our relationship with you and using such Personal Data in order to manage our relationship with you, communicate with You
- when we engage suppliers to obtain support from an IT perspective;
- when we organize business meetings or tradeshows, events, dinners and record your registration and dietary requirements for this purpose;
- when we use Personal Data to improve the way we interact with You and our service and sales processes;
- when we archive our communications in order to defend our rights and interest before a court or regulator in case of an audit or litigation;
- A legal obligation (Art. 6 para. 1 c) GDPR) : this is the case when we archive information for tax reasons, keep evidence of a payment made by a client, indicate the final beneficiary of a contract, make any due diligence concerning clients in our systems.
7. Disclosure of Personal Data
We will share your Personal Data with the below entities, where and to the extent necessary, to obtain support in our activity and ensure the purposes mentioned in Section 5:
- OC Oerlikon Management AG for reporting purposes, and support in our operations;
- Oerlikon IT Solutions (OIS) and external suppliers for IT support, maintenance, storage purposes;
- External suppliers who support us concerning our operations;
- Professional consultants, banks, insurance companies, certified accountants, lawyers, tax consultants;
- Co-organizers of events to which you want to participate, with your consent;
- Competent governmental institutions, authorities or courts upon request, if legally required or if necessary, to defend our rights in a litigation.
External service providers only have access to Personal Data they need for the execution of their specific tasks, we sign a data processing agreement with them to ensure the protection of Personal Data in line with applicable data protection laws.
In case of a merger, fusion, restructuring, joint venture, similar procedure, your Personal Data may be shared with the acquiring or merged company, subject to the terms of our agreement with your company and any required consent.
8. Data Transfer to a Foreign Country
Our systems used for customer relationship management purposes are stored and maintained in Liechtenstein.
However, due to our global foot print, our decentralized organization and human resources, and global IT infrastructure, the entities having access to Personal Data as listed in above Section 7 may be located overseas and in countries that may not provide the same level of data protection as your own country.
Please note that where your Personal Data must be transferred overseas (and in particular outside the EU/EEA/Switzerland, to “non adequate” countries according to the European Commission) your Personal Data will be protected either by:
- Oerlikon Intra Group Data Transfer and Processing Agreement which has been signed by all Oerlikon entities of the group. This agreement is based on the standard contractual clauses of the European Commission and protect your Personal Data when transferred overseas to Oerlikon entities.
- A data transfer agreement if the recipient of your Personal Data is not a member of the Oerlikon Group or any other appropriate agreement if a data transfer agreement is not required by applicable data protection law.
9. Data retention period
We store your Personal Data only for the period of time necessary to fulfil the purposes listed in Section 5.
Generally, for prospective clients, we keep their Personal Data as long as we are in contact, we analyze their needs, they share their expectations with us. If after evaluation of their needs as a prospective client, we consider than we are not able to answer positively to it, we may unilaterally decide to delete their Personal Data from our systems. We will also delete their Personal Data if they ask us to do so (provided that we do not have to archive it for legal reasons).
For clients, we will generally keep their Personal Data for the duration of our contractual relationship and then archive it for the statute of limitation period, if there is a legal obligation to keep it or if necessary to defend our rights before a court or regulator. If you are a regular client since a long date, we may also keep your Personal Data after the end of an agreement for the purpose of facilitating the management of your future orders.
The emails recorded in our customer relationship management systems are deleted after closure of the case (e.g. Case, Opportunity, Quote) after 6 years. Information which may become relevant with respect to product liability are deleted 12 years after contract fulfilment. If your Personal Data is archived for the abovementioned purposes, it will be kept securely and accessed only for the above purposes. In addition, if Personal Data included in documents with relevance to accountancy and tax matters will be kept for legal retention periods of five or ten years with a safety period of 2 years.
Every year, at the end of the respective calendar year, we analyze all our contacts and verify whether it is still relevant and necessary to keep them. If there is no business need, contractual or legal requirement for further storage of your Personal Data, then it will be deleted. For example, if we haven’t heard about a prospective client or external contact other than a client during one year, and she/he does respond anymore to our messages, his/her Personal Data will be deleted from our systems.
10. How to manage your consent to direct marketing messages and unsubscribe?
If you want to receive invitations to our events, greeting cards, materials about our services, you can click on the corresponding link, inserted in the automatic CRM message you receive as soon as you are recorded in our systems, or send your request by email to the Sales person you are in contact with.
If you subscribed to receive marketing activities such as invitations to events, newsletters, greeting cards or marketing materials related to our services you may revoke your consent at any moment by clicking on the “Unsubscribe” link included either in the confirmation email you have received after the subscription or in any commercial email sent to you.
11. Your Rights on your Personal Data
Depending on the applicable data protection law1, You may have the rights to2:
- know whether we collect Personal Data about you and for which purposes and obtain a copy of it**;
- request the correction or deletion of your Personal Data if they are incorrect, incomplete, outdated or if there is no legal ground anymore for Oerlikon to store them** ;
- request the restriction or termination of use of your Personal Data and/or object to our use of your Personal Data if you have a legitimate interest to do so. In case of an objection we will end processing your Personal Data, unless we can provide mandatory reasons which override your interests, rights, or liberties, as for example if we need to keep it for legal reasons, defend our rights before a court, cover a guarantee obligation or comply with our contractual obligations**.
- if we use certain of your Personal Data, based on your consent, you have the right to data portability on this Personal Data. In this case you can demand to obtain from us the Personal Data provided to us in a structured, general and machine-readable form, or to have them transmitted to another entity of your choice **
- If we have collected Personal Data about you based on your consent, you can revoke your consent at any time ( for example if you do not want to receive anymore commercial messages from us)**;
- You may also challenge and ask for the verification of any decision that would be taken about you based on an automated process if it significantly affects your own rights;
- You may file a claim with your supervisory authority if you consider that your Personal Data have been processed in violation of applicable data protection law or your rights have been violated**.
To unsubscribe to our marketing emails, please follow the guidance in Section 10.
To obtain a simple confirmation that Oerlikon holds Personal Data about you or to obtain the correction of your professional contact details, please contact the Sales person you are in contact with by email . You must provide relevant information to prove your identity, as a copy of an ID .
When you contact our Data Protection Officer Global Data Protection Officer for your request, please indicate: your name, surname, name of the company for whom you work, your professional contact details (the response will be sent at these contact details), the Oerlikon company and/or sales person you are in contact with, your concern or request, the Personal Data covered by your request , relevant information to prove your identity as a copy of an ID (it will be used only the time necessary to verify your identity and then deleted).
Date: May 2020
1 In Thailand, the applicable data protection law is the Personal Data Protection Act B.E. 2562 (2019) (PDPA) published on 27 May 2019.The rights flagged with this symbol **apply in Thailand:
2 These rights are based on GDPR but they do not necessary all apply in every country. Generally countries provide at least a right of access to Personal Data and a right to obtain correction of Personal Data that are incorrect or uncomplete.