Privacy Notice for Business Partners and Visitors
Last updated: July 2023
Transparency is paramount
We are committed to being transparent about the data we process about you. For example, we will inform you about the way our company applies data protection principles and your privacy rights.
The right reasons
We only process your personal data for specific purposes and when we have a justified reason to do so, for example, in order to welcome you to our premises or to provide access to our systems.
Share with care
We only allow access to your personal data to third parties when it is necessary. In such cases, it is only disclosed to third parties that provide us with services under confidentiality obligations.
Keeping it safe
We understand how valuable your personal data is and therefore only keep it for as long as we need it and take appropriate measures to keep it safe. For example, we do this by deleting data when no longer needed and by applying encryption methods, among others.
Stay in control
We enable you to exercise your privacy rights and encourage you to keep your personal data up to date. For example, by providing you with means for you to submit a privacy right request and by being transparent.
Let us know
We are open to any questions, comments and complaints you might have about the processing of your personal data or our Privacy Notice. You can contact us via [email protected] and via the contact form on asml.com/privacy.
This Privacy Notice for Business Partners and Visitors (‘Privacy Notice’) describes how ASML Holding N.V. – based at De Run 6501, 5504 DR, Veldhoven, the Netherlands – and its group companies (‘ASML’, ‘us’, ‘our’ or ‘we’) processes the personal data of individuals who are not workers or job applicants, such as customers, suppliers and visitors of ASML premises, collaboration portals and website.
We have carefully drafted this Privacy Notice to inform you in plain language about our privacy practices. The Privacy Notice tells you what personal data we process about you, why we process it and how we use it. We encourage you to read the Privacy Notice in full.
Translated versions of this Privacy Notice are available. The translated versions are provided for convenience only. In the event of any difference in meaning between the English language version and any translated version, the English language version will prevail.
Assistance For The Disabled
2. When does this privacy notice apply?
This Privacy Notice applies to the processing of personal data of Business Partners and Visitors by ASML, as set out in chapter one of this Privacy Notice. Processing personal data is a broad term and includes (amongst other things) collecting, recording, storing, amending, reviewing, using and deleting personal data.
Some countries may have stricter or deviating local legal requirements. For example, local law may impose different requirements on how long we have to keep your data (data retention). In case of a conflict between this Privacy Notice and local legislation, the latter will prevail.
3. Who is ASML?
ASML is a supplier of semiconductor manufacturing equipment and the innovator behind lithography systems. We provide chipmakers with everything they need – hardware, software and services – to mass produce patterns on silicon through lithography.
4. What is personal data?
It is important for you to know that ‘personal data’ (or: ‘data’, ‘personal information’, or ‘your data’), means: any information relating to an identified or identifiable natural person (‘data subject’).
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier – or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
5. What personal data do we process about you?
As a business partner or visitor to ASML, we process and use your information to do business with you, to facilitate your access to our premises or website and to manage our processes. We may process personal data about you, such as:
a. Government-issued data and documentation required under immigration laws, such as passport number and expiry date, nationality, social security/national insurance/equivalent identification number and work permit;
b. Identifiers, such as contact details (i.e., name, alias, telephone number, postal address, e-mail address), gender, date of birth;
c. Sensory or surveillance data, such as on premise information collected through access control and CCTV recordings;
d. Organizational information such as your employer and role, Chamber of Commerce, VAT and tax information;
e. System logs and data generated when transmitting information over an ASML network or while using an ASML asset, such as IP addresses, telecom data, device information, user account information and user’s activity logs, time and date of your logins and the type of information and files exchanged;
f. Geolocation data, such as geographical location identifiers (e.g. to verify your access rights to high risk or export-controlled data);;
g. Information from screening and background checks;
h. Information provided by you during ASML’s customer and/or supplier onboarding process;
i. Order history, credit and payment information ;
j. Information regarding suspected and actual criminal behavior, criminal records or proceedings regarding criminal or unlawful behavior;
k. Information and results regarding surveys, tests and trainings;
l. Information provided by you in order to attend an ASML event, such as education details and dietary preferences;
m. Interaction data such as enquiries and complaints handling, management of business relationships and communications; and
n. Information obtained from cookies and similar tracking technologies used on our websites, from your use of our websites. For more information, please read our Cookie Notice.
Special categories of personal data and sensitive personal data
We may also process personal data that is considered as special categories of personal data or sensitive personal data. You may, for example, provide us with a photo that may reveal your race or ethnic origin, physical health (including disability) or religious beliefs. Furthermore, we may process personal data that is considered sensitive, such as veteran status or information relating to criminal convictions or offences (statement of conduct).
Please note that personal data required for our business processes may vary, depending on applicable local rules and regulations. We may process special category or sensitive personal data taking into account local legal requirements. In case we process special or sensitive personal data based on local requirements, we will notify you in advance.
We do not collect or process sensitive personal data or characteristics of protected classifications for the purpose of inferring characteristics about you.
How do we obtain your personal data?
We collect personal data directly from you when you do business with us or visit us. In addition, we may collect personal data through technical means such cookies or similar technologies on our website, CCTV, or the ASML systems and assets you might use. We also collect your personal data from third parties, such as professional screening agencies and background check providers, to the extent permitted by applicable law.
6. For which purposes do we process your personal data?
We may process your personal data for one or more of the following purposes:
a. Assessment and (re)screening of (potential) business partners;
b. The delivery of customer services, making travel arrangements and obtaining visas, permits and technology export licenses;
c. Management of (delivered) services, products and materials to and from ASML;
d. The development and improvement of products and/or services;
e. To efficiently manage and operate administrative, information technology, and communications systems, risk management and insurance functions, budgeting, financial management, and strategic planning;
f. To protect the health, safety, security and integrity of ASML and its business partners and visitors, (IT) facilities and assets, including occupational safety and health, and intellectual property;
g. For organizational analysis and development, management reporting and corporate or financial transactions, such as acquisitions and divestitures;
h. Financial and accounting management, archiving and insurance coverage, legal and business consulting and possible dispute resolution;
i. Sales, account management and marketing;
j. To promote diversity and inclusion;
k. To comply with the law, including the investigation of any possible cases of non-compliance with statutory or contractual obligations or the disclosure of personal data to government institutions or supervisory authorities, as well as to exercise or defend legal claims;
l. To protect the vital interests of business partners and visitors;
m. To comply with the ASML Code of Conduct and other ASML policies, including any internal investigations;
n. For business process, work execution, and internal management, including (company) audits.
Secondary use of personal data
When we have collected personal data, this data may be used for a secondary purpose, but only if the secondary purpose is compatible with the original purpose. For example, statistical analysis may constitute as a compatible secondary purpose.
7. What is the legal basis for processing your personal data?
The legal bases (or justified reasons) for processing your personal data are:
- The legitimate interest of business and management purposes;
- Entering into and managing a contract or business relationship;
- Compliance with our legal obligations;
- Protecting your vital interest or that of another natural person; and
- Your specific and informed consent.
In the event that the processing of your personal data is based on your consent, you have the right to withdraw you consent at any time. We would like to draw your attention to the fact that the withdrawal of your consent does not affect the lawfulness of the processing of your personal data prior to the withdrawal of your consent.
8. Who has access to your personal data?
Access to your personal data within ASML
Our workers are authorized to access personal data only to the extent necessary to serve one or more of the purposes set forth in Section 6 above and in so far as necessary within the scope of their roles and responsibilities as ASML workers.
Access to your personal data by third parties
Your personal data may be shared with third parties for the purpose of providing their products and/or services to ASML or vice versa. When we transfer personal data to third parties, we will only do so under strict confidentiality obligations and where necessary, we will have an agreement concerning the processing of your personal data in place. We may share your personal data with the following categories of third parties, including but not limited to:
- Banks, insurance companies, financial, tax and legal advisors and accountants;
- Training and development organizations or consultants;
- IT & Security Service Providers;
- Corporate transactions; and
- Agencies and organizations for making travel or relocation arrangements.
Your personal data may also be disclosed to competent public authorities, governments, regulatory or fiscal agencies where it is necessary to comply with rules or regulations to which ASML is subject. Additionally, we may disclose your personal data to third parties at your direction and we may also disclose your personal data when we believe disclosure is necessary to comply with the law or to protect the rights, property, or safety of ASML, its customers, or others.
ASML does not sell your personal data or disclose it for cross-context behavioral advertising to anyone.
International transfers of your personal data
Due to our company’s multinational nature, the data we process about you may be transferred to or accessed by ASML , ouraffiliates and trusted third parties from different countries around the world. Your personal data may be transferred to a country other than your country of residence if this is necessary for the fulfilment of the purposes described in this Privacy Notice. To protect your rights, we only transfer your personal data to a country where:
- An adequate level of data protection is provided based on a decision adopted by the European Commission (see here for the list of countries which the European Commission has recognized as providing adequate protection); or
- An instrument covers the requirements for the transfer of personal data,including: a. Standard Contractual Clauses;
- Where the transfer is otherwise permitted under applicable data protection laws.
b. Codes of conduct; and
c. Certification mechanisms; or
9. How long will we keep your personal data?
Your data will be kept only for the period required to serve the purposes mentioned under Section 6 above (and to comply with legal requirements – if any). After the applicable retention period your personal data will be securely deleted, destroyed or de-identified.
10. How is your personal data secured?
We have taken adequate measures to protect the confidentiality, integrity and availability of your personal data. The implementation of appropriate technical, physical and organizational measures protects your personal data against the following incidents:
- Accidental or unlawful destruction;
- Accidental loss, damage or alteration;
- Unauthorized disclosure or access; and
- Any other forms of unlawful processing (including, but not limited to improper use).
We have procedures in place to deal with any (potential) personal data breach. You and the relevant data protection authorities will be notified of a personal data breach, where we are legally required to do so.
11. What about your rights?
Where provided under the applicable law, you have rights in relation to your personal data, such as:
- The right to access the personal data we have about you;
- The right to know how we process your personal data;
- The right to have your personal data corrected;
- The right to have your personal data deleted (‘right to be forgotten’);
- The right to restrict processing of your personal data by us;
- The right to object to automated decisions;
- The right to withdraw consent at any time and without detriment;
- The right to object to certain data processing operations;
- The right to request a transfer of your personal data (‘right to data portability’); and
- The right to copy, correct, delete your personal data by your relative in case of your death (if applicable).
If you feel we are not handling your request appropriately you also have the right to lodge a complaint with the relevant data protection authority.
How to exercise your rights
If you wish to exercise any of these rights, please use our Privacy Rights Request Form, which can be found on the intranet page of the Privacy Office. Alternatively, you may email [email protected]. Some countries in which ASML operates require a single point of contact to address your requests or questions . When sending your request to [email protected], we will forward that question or request to the person located in your region.
We will always check your identity to ensure that it is you exercising your rights. To verify your identity, we match personal data that you provide us against personal data we maintain in our files. The more risk entailed by the request (e.g., a request for specific pieces of personal data), the more items of personal data we may request to reduce the risk that someone might try to impersonate you. If we cannot verify your identity to a sufficient level of certainty to respond to your request, we will let you know promptly and explain why we cannot verify your identity and what further information we might need from you in order to be able to properly verify your identity and comply with your request.
When exercising your right, the more specific you are, the better we can assist you with your request. In some cases, where permitted by law, we may deny your request, in which case we will notify you of the reason for denial.
ASML’s Non-Discrimination and Non-Retaliation Policy
ASML will not unlawfully discriminate or retaliate against you for exercising your rights.
Authorized Agents of California Business Partners and Visitors
If an authorized agent submits a request to know, correct, or delete on your behalf, the authorized agent must submit with the request either (a) a power of attorney that is valid under California law, or (b) document signed by you that authorizes the authorized agent to submit the request on your behalf. In addition, we may ask you to follow the applicable process described above for verifying your identity. You can obtain an “Authorized Agent Designation” form by contacting us at [email protected].
12. What about your responsibilities?
We would like to kindly remind you that you are responsible for providing us with accurate, complete and up-to-date data. In case you provide us with personal data of other individuals, you must comply with (local) legal and ASML requirements, including, informing the individuals concerned sufficiently about the processing of their data, providing them with this Privacy Notice and obtaining their agreement before sharing their data to us.
13. How to contact us
When you have a question about the use of your personal data or about this Privacy Notice we invite you to send an email to our Privacy Office via [email protected].
For business partners and visitors at ASML Berlin GmbH, the Controller with respect to the processing of your data is ASML Berlin GmbH (Waldkraiburger Straße 5, Waldkraiburger Straße 5, 12347 Berlin, Germany). If you want to address your enquiry directly to our German Data Protection Officer, you can also send your email to [email protected] for the attention of our German Data Protection Officer (please add “attn. German DPO” or similar in the subject line of your email).
This Privacy Notice may be amended from time to time. You can find previous versions of the Privacy Notice in the Privacy Notice Archive.