The increasing processing of data by electronic means and the growing body of legal requirements on privacy and data protection are placing increased demands on the way Novelis handles personal data. Novelis complies with data privacy protection requirements when collecting and processing personal data of customers, Suppliers and other business partners. With this information, we would like to explain and give an overview on how we collect and process customers’, Suppliers’ and other business partners’ personal data and which rights and options you and your organization have under applicable data protection law.

Who is responsible for lawful processing of personal data at Novelis?

The Novelis data protection office can be reached at:

In Europe:

Novelis Deutschland GmbH
Datenschutzbeauftragte/Data Protection Officer
Hannoversche Straße 1,
D – 37075 Göttingen, Germany
NovelisPrivacyOffice@novelis.adityabirla.com

Outside Europe:

Novelis Data Privacy Office
Novelis Inc.
3560 Lenox Road NE
Suite 2000
Atlanta, Georgia 30326
USA

How does Novelis collect personal data?

Novelis may receive personal data from you in a number of circumstances, including when you offer to provide or provide services or products to us. We further receive personal data when you use our websites, mobile device apps, web chat or telephone services, email and other communication services in connection with our business relationship.

Novelis also processes personal data legitimately obtained from publicly accessible sources (such as registers of commercial establishments and associations, press, Internet and social networks) or which have been legitimately transmitted to us from other companies of Novelis or third parties (for example professional service providers or other business partners).

Which personal data does Novelis collect?

Novelis may collect your contact information (such as your name, postal address, job title, telephone number, mobile phone number, fax number, email address and other contact data) personal details (such as date and place of birth and nationality), legitimization data (such as data from ID cards), payment data (such as data necessary for processing of payments, including credit/debit card numbers, bank account information and other related billing information), passwords for our password protected platforms and services and further business information necessarily processed in a project or business relationship with Novelis. In addition, we may collect documentation data (such as details of your access to and visits of our premises) and other data comparable with the above-mentioned categories of personal data or personal data voluntarily provided by you.

We do not collect or process sensitive personal data from you or your organization such as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic or biometric data, or data concerning a natural person’s sex life or sexual orientation. In connection with an event or onsite visit, we may ask you for information about your health for the purpose of identifying and being considerate of any disabilities or special dietary requirements you may have. Providing such information will be voluntary. However, if you do not provide any such information about disabilities or special dietary requirements, we will not be able to take any respective precautions.

What is the purpose of processing personal data?

Novelis may process personal data in accordance with applicable law for the following purposes:

• Managing and administering Novelis’ business relationship with Suppliers;
• Supporting procurement and sales and marketing activities (g. processing of contact information of customers and Suppliers, order procedure management, and accounts receivable and accounts payable processes);
• Supporting video surveillance to protect our domiciliary rights and supporting onsite visits and attendance of internal and external events,
• Supporting compliance with our legal and tax obligations (g. record keeping obligations, reporting obligations to authorities, providing information to authorities for in the context of audits, screeningobligations);
• Supporting our internal and external financial reporting obligations, including internal cost allocation procedures;
• Supporting internal and external communication (g. external newsletters, customer/Supplier surveys, external communication);
• Supporting internal auditing requirements, including fraud detection and prevention;
• Supporting corporate reorganizations, joint ventures, cooperation, sales, transfers or other dispositions of all or any portion of Novelis’ businesses; and

For any purpose related to the foregoing purposes or any other purpose for which personal data was provided to us.

On which legal basis does Novelis process personal data?

Depending on the specific purpose or purposes for the processing of personal data, we rely on one or more of the following legal grounds:

• Because processing is necessary for the performance of your contractual relationship with Novelis or other contractual obligations or in order to take steps prior to entering into such contracts with you;
• Because processing is necessary for compliance with a legal obligation (such as record obligations for commercial or tax purposes or other regulatory obligations);
• Because processing is necessary in order to protect your vital interests or the vital interests of another natural person (such as in an emergency case); or
• Because processing is necessary for the purposes of our legitimate interests or those of any third party recipients that receive your or your organization’s personal data, provided that such interests are not overridden by your or your organization’s interests or fundamental rights and freedoms.

In addition, we may process personal data on the basis of your consent where you have expressly given that to us for certain purposes.

Who will receive your personal data?

Within Novelis, affiliated group companies and departments may be provided with your or your organization’s personal data in order to comply with our internal, contractual and statutory obligations, depending on the specific purpose. In addition, third party service providers and agents engaged by us may also receive your or your organization’s personal data for these purposes.

Will personal data be transferred to a third country?

Novelis is a globally active group of companies engaged in global business activities. Our European headquarters office is located in Switzerland, certain Novelis companies are located in the United States and our ultimate shareholder is located in India. Accordingly, we may transfer your or your organization’s personal data to affiliated group companies or departments and third parties to third countries if required for our business and in order to comply with our internal, contractual and statutory obligations.

Any such international transfers of your or your organization’s personal data will be protected by appropriate and suitable safeguards as required by applicable law. 

For how long will personal data be processed and stored?

We process and store your or your organization’s personal data only as long as is necessary for our relationship with you or your organization or as is required to meet our contractual and statutory obligations in accordance with our retention policies and applicable laws. After the lapse of the relevant retention periods, your personal data may either be erased (on a regular basis), anonymized, or transferred to an archive. In such archive, your personal data may be used for historical, scientific or statistical purposes, audits, dispute resolution and investigations.

How does Novelis protect personal data?

Novelis has implemented a data protection policy and various technical and organizational measures in order to keep your and your organization’s personal data confidential and secure in accordance with our internal procedures and applicable data privacy laws. Our technical and organizational security measures are designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

What are your rights with respect to personal data?

You or the individuals in your organization may have certain rights, including a right of access to personal data which we hold, a right to rectification of inaccurate personal data, a right to withdraw consent, and a right to erasure of personal data in certain circumstances where Novelis has no overriding legitimate grounds for processing.

All requests regarding the above-mentioned rights should be addressed either to your usual contact at the relevant Novelis entity or to the Novelis data protection officer at:

Novelis Deutschland GmbH
Datenschutzbeauftragte/Data Protection Officer
Hannoversche Straße 1, 37075 Göttingen, Germany
NovelisPrivacyOffice@novelis.adityabirla.com