Privacy Policy

As a responsible group, Novelis will comply with data privacy protection requirements when collecting and processing your personal data when you visit our website. With this Privacy Policy, we would like to explain and give you an overview on how we collect and process your personal data and which rights and options you have under data protection law including the EU General Data Protection Regulation (GDPR) effective since 25 May 2018.

Who is responsible for your personal data?

Novelis is responsible for your personal data. Novelis group comprises Novelis Inc., 3550 Peachtree Rd NE, Suite 1100, Atlanta, Georgia 30326 USA and its respective affiliates (“Novelis”). Specifically, your data will be controlled by Novelis Inc.

You can reach the Novelis data protection officer at:

Novelis Deutschland GmbH
Datenschutzbeauftragte/Data Protection Officer
Hannoversche Straße 1, 37075 Göttingen, Germany
Telephone: +49(0)551 304-4919
NovelisPrivacyOffice@novelis.adityabirla.com

Where Novelis collects your personal data from?

Novelis receives personal data from you when you visit Novelis.com and other Novelis websites. We further receive personal data when you use our services, mobile device apps, web chat or telephone services, email and other communication services.

Which personal data does Novelis collect?

Novelis collects your contact information (such as your name, email address, IP address, postal address, telephone number and other contact data), personal details, login credentials and passwords for our password protected platforms and services.

What is the purpose of processing your personal data?

We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and any relevant Member State law for the following purposes:

• Providing you with access to our website and our online network, checking your security clearance status in this regard
• Supporting compliance with our legal and tax obligations (g. record keeping obligations, reporting obligations to authorities, providing information to authorities for in the context of audits, screening obligations);
• Supporting internal and external communication (g. responding to your inquiries, providing online-subscribers of investor communications with business updates)
• Supporting internal auditing requirements, including fraud detection and prevention
• For any purpose related to the foregoing purposes or any other purpose for which your personal data was provided to us or for which you have expressly given your consent (such as online applications for a job or position at Novelis).

On which legal basis does Novelis process your personal data?

Depending on the specific purpose or purposes for the processing of your personal data above, we rely on the legal ground that processing is necessary for the purposes of our legitimate interests, provided that such interests are not overridden by your interests or fundamental rights and freedoms.

Legitimate interests comprise, for example, developing and improving our internal administration, marketing activities, internal and external communications, and compliance with internal and legal regulations that apply to us.

In addition, we may process your personal data on the basis of your consent where you have expressly given that to us for certain purposes (such as online applications for a job or position at Novelis).

Who will receive your personal data?

Within Novelis, affiliated group companies and departments may be provided with your personal data in order to comply with our internal, contractual and statutory obligations, depending on the specific purpose. In addition, third party service providers engaged by us may also receive your personal data for these purposes.

Categories of external recipients of your personal data are for example:

• Public, governmental or regulatory authorities and institutions (such as tax authorities and including to meet national security or law enforcement requirements);
• Service providers for services such as IT services, logistics, printing services, communication services, financial services, legal services; or
• Courts, law enforcement authorities, regulators or attorneys or other third parties in connection with the establishment, exercise or defence of legal claims.

Will your personal data be transferred to a third country?

Novelis is a globally active group of companies engaged in global business activities. Our European headquarter is located in Switzerland, certain Novelis companies are located in the United States and our ultimate shareholder is located in India. Accordingly, we may transfer your personal data to affiliated group companies or departments and third parties outside the European Union (so-called third countries) if required for our business and in order to comply with our internal, contractual and statutory obligations.

Any such international transfers of your personal data will be protected by appropriate and suitable safeguards as required by the EU General Data Protection Regulation (GDPR) or other relevant data privacy laws, which may include:

• the adequacy decision by the European Commission for transfers of personal data to our European headquarter or a third party in Switzerland which is available at http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32000D0518&from=EN;

• Novelis binding corporate rules for transfers of personal data to our companies in the United States or other Novelis companies or departments in third countries which will be available on the Novelis website after approval by the competent data protection authorities; and
• EU standard data protection clauses adopted by the European Commission for transfers of your personal data to a Novelis company or a third party in the United States or any other third country which are available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en.

Moreover, where a transfer of your personal data could not be based on the safeguards listed above, including binding corporate rules, such transfer may in exceptional cases be necessary in order to perform a contract with you or in individual cases for the purposes of Novelis’ compelling legitimate business interests, provided that such business interests are not overridden by your interests or rights and freedoms.

For how long will your personal data be processed and stored?

We process and store your personal data only as long as is necessary for our relationship with you or as is required to meet our contractual and statutory obligations in accordance with our retention policies and applicable laws (such as obligations of retention under commercial or tax laws). As a rule, the time limit for retention or documentation specified in applicable laws is generally 2 to 10 years. After the lapse of the relevant retention periods, your personal data may either be erased (on a regular basis), anonymized, or transferred to an archive. In such archive, your personal data may be used for historical, scientific or statistical purposes, audits, dispute resolution and investigations.

How Novelis protects your personal data?

Novelis has implemented a data protection policy and various technical and organizational measures in order to keep your personal data confidential and secure in accordance with our internal procedures and the EU General Data Protection Regulation (GDPR) and other applicable data privacy laws. Our technical and organizational security measures are designed to prevent accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

These include inter alia as appropriate, pseudonymization and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident and a process for regularly testing the effectiveness of our technical and organisational measures for ensuring the security of the processing.

Am I obliged to provide personal data?

If you have a contractual relationship with Novelis, you are obliged to provide those personal data which are required for such contractual relationship with Novelis and for compliance with the associated contractual obligations and applicable law. Without these data, we will generally not be able to enter into an agreement with you or to perform under such agreement. Other than for the aforementioned purposes for processing your personal data, you will provide us with your personal data entirely voluntarily and there are generally no detrimental effects if you choose not to provide such personal data to us.

What are my rights with respect to my personal data?

If you are an EU citizen or non-EU national residing in the EU, subject to certain conditions, you may have a right of access to your personal data which we hold (Article 15 GDPR subject to the restrictions under applicable local law), a right to rectification of inaccurate personal data which we hold (Article 16 GDPR), a right to erasure of your personal data in certain circumstances where Novelis has no overriding legitimate grounds for the processing (Article 17 GDPR subject to the restrictions under applicable local law), a right to restriction and to object to the processing of your personal data which we hold (Article 18 and 21 GDPR) and a right to data portability (Article 20 GDPR). Further, you have a right to lodge a complaint with a competent data protection supervisory authority (Article 77 GDPR in conjunction with applicable local law).

All requests regarding the above mentioned rights should be addressed either to your usual contact at Novelis or to the Novelis data protection officer at:

Novelis Deutschland GmbH
Datenschutzbeauftragte/Data Protection Officer
Hannoversche Straße 1, 37075 Göttingen, Germany
NovelisPrivacyOffice@novelis.adityabirla.com

We ask that you provide such information which we may reasonably require in order to confirm your identity and in order to locate the information that you seek. Where we have reasonable doubts concerning your identity, we will request the provision of additional information in order to prevent unauthorized disclosure of personal data. Where requests are manifestly unfounded or excessive, we reserve the right to either charge a reasonable fee taking into account the administrative costs of providing the information or communication of taking the action requested or refuse to act on the request.

Information about your right to withdraw your consent pursuant to Article 7 (3) GDPR

In case you have granted your consent to us for the processing of your personal data, your consent may be withdrawn at any time. This also applies to consents given to us before the GDPR enters into force, i.e. before 25 May 2018. The withdrawal of your consent has an effect only for the future and does not affect the lawfulness of the processing of your personal data based on your consent before its withdrawal.

Information about your right to object pursuant to Article 21 GDPR

If you are an EU citizen or non-EU national residing in the EU, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data which is based on point (e) of Article 6 (1) (processing in the public interest) and point (f) of Article 6 (1) GDPR (processing based on legitimate interests). If you object to the processing of your personal data, we will no longer process your personal data unless we have compelling legitimate grounds for such processing which override your interests, rights and freedom or, alternatively, such processing serves to assert, exercise or defend legal claims.

Any withdrawal of consent or objection to the processing of personal data should be submitted informally, indicating your name, your address and your date of birth and should be addressed to:

Novelis Deutschland GmbH
Datenschutzbeauftragte/Data Protection Officer
Hannoversche Straße 1, 37075 Göttingen, Germany
NovelisPrivacyOffice@novelis.adityabirla.com.

Non-Personal Data

We occasionally collect certain aggregate and non-personal data when you visit a Novelis website. Aggregate and non-personal data does not relate to a single identifiable visitor. It tells us such things as how many visitors visited our website and the pages accessed. By collecting this information, we learn how to best tailor our website to our visitors. We collect this information either through “cookie” technology or with “web beacons,” as explained below.

Cookies

Like many businesses, we may use browser cookies on this website. Browser cookies are bits of text that are placed on your computer’s hard drive when you visit certain websites. We use browser cookies to tell us, for example, whether you’ve visited us before or if you’re a new visitor and to help us identify website features in which you may have the greatest interest. Browser cookies may enhance your online experience by saving your preferences while you are visiting a particular website. The “help” portion of the toolbar on most browsers will tell you how to stop accepting new browser cookies, how to be notified when you receive a new browser cookie, and how to disable existing browser cookies. Remember though, without browser cookies, you may not be able to take full advantage of all our website features.

Web Beacons

Certain pages on our website contain “web beacons” (also known as internet tags, pixel tags and clear GIFs). These web beacons allow third parties to obtain information such as the IP address of the computer that downloaded the page on which the beacon appears, the URL of the page on which the beacon appears, the time the page containing the beacon was viewed, the type of browser used to view the page, and the information in cookies set by the third party. We use log files to store the data that is collected through web beacons. With both cookies and web beacon technology, the information that we collect and share is anonymous and not personally identifiable. It does not contain your name, address, telephone number, or email address.

Links to Other Sites

From time-to-time we provide links to other websites for your convenience and information. These sites may have their own privacy policies in place, which we recommend you review if you visit any linked websites. We are not responsible for the content of linked non-Novelis sites or any use of the sites. Links to various non-Novelis websites do not constitute or imply endorsement by Novelis of these websites, any products or services described on these sites, or of any other material contained in them.

Links to other Novelis websites may also be provided. These websites may collect personal data for the purposes described in this information or for other purposes, including the sale of goods and services. These websites may have their own privacy policies in place, which we recommend you review if you visit any linked websites.

Changes to this statement

Novelis may change this Privacy Policy from time to time; when updates are made, the Privacy Policy version date (located at the bottom of this Privacy Policy) will also be updated to reflect that a revision occurred. We encourage you to periodically reread this Privacy Policy to see if there have been any changes that may affect you. Changes to the Privacy Policy do not apply retroactively. This statement is not intended to and does not create any contractual or other legal rights in or on behalf of any party.

How to Contact Us

If you have any questions or comments about this Privacy Policy, please contact the Novelis data protection officer at:

Novelis Deutschland GmbH
Datenschutzbeauftragte/Data Protection Officer
Hannoversche Straße 1, 37075 Göttingen, Germany
NovelisPrivacyOffice@novelis.adityabirla.com

This Privacy Policy was last updated on August 9, 2018