ONLINE PRIVACY NOTICE
I. GENERAL POLICY
1. Introduction
Howmet Aerospace is a manufacturer of high-performance advanced engineered solutions for the aerospace, defense and transportation markets. Howmet Aerospace Inc., having its headquarter in Pittsburgh, USA, and its international affiliates (collectively referred to as “Howmet, “we” and “us”) have a global business presence.
This means that:
- We generate revenue from selling products, not your data (see further details in our financial results).
- Your data will likely be stored in the USA, and/or accessed by a USA citizen.
- We are subject to multiple privacy laws and regulations.
Please note that the amount of information Howmet needs to collect in order to serve you in a particular business transaction will likely vary from case to case. If you choose not to provide some information it may not be possible for you to proceed with your chosen business activity with Howmet. Rest assured, as safety and integrity are amongst our core values, we apply them to the processing of your data and we are committed to its protection according to this Online Privacy Notice. It applies to Howmet.com and other external Howmet websites that link to this Notice (the “Websites”). In this General Policy section we focus on those matters that are generally applicable to your data. You can find relevant country-specific differences in the sections below.
2. Data privacy at a Glance
If you are only visiting our Websites
Purpose: gain visibility into our Websites’ usage
Legal basis: your consent
When you use our Websites, we may collect certain information using technologies such as cookies, web server logs, web beacons and JavaScript. For more information on how we collect and use this information, please review our Cookie Policy.
If you are contacting us
Purpose: enable Howmet to respond to your queries in an organized manner and to provide you with information on demand
Legal basis: a combination of your consent and legitimate interests
Context | Howmet recipients/contacts | Service providers | Personal data processed | Data retention |
Sending an e-mail to, or receiving from, a @howmet.com e-mail address | To whom you send your e-mail, the sender of an e-mail and Information Security for suspicious e-mails | Microsoft (US) and a secure e-mail gateway provider (US) | E-mail address, e-mail signature and the content of the e-mail | 850 days by default |
Completing and sending a contact form on a Website to: | Howmet location representatives and/or departments (e.g., Investor Relations, Media, Environment, Health and Safety, in addition to Business Unit sales for quotes or sales enquiries) addressed | Contact details you provide and your message | ||
Howmet Fastening Systems locations | QuickBase (US) | Until you request the deletion of your enquiry | ||
Howmet Wheel Systems locations | Salesforce (US) | Until you unsubscribe, or request the deletion of your enquiry | ||
Subscribing to e-mail alerts | Reachmail (US) | First name, last name, e-mail address | Until you unsubscribe | |
Wheel warranty claims | Regional Fleet Service Center, Quality, Sales, IT Support personnel (HU) | Salesforce (US), WordPress (US) | First name, last name, e-mail address + details of the claim | 10 years from the date the claim is received |
If you are a Howmet customer or supplier
Purpose: enable Howmet to maintain accurate customer and supplier records, to deliver its products to its customers, to receive the services necessary for its businesses and to manage third-party risks
Legal basis: a combination of legitimate interests and legal obligations
Context | Howmet recipients | Service providers | Personal data processed | Data retention |
Supplier registration | Location and Procurement representatives (Globally), Master Data Management (HU), IT Support personnel (US) | Tata Consultancy Services (IN), Oracle (US) | First name, last name, phone number and e-mail address | Personal data linked to invalid e-mail addresses are deleted |
Registration and interaction through HowmetDirect | Procurement representatives (Globally), Business Process Owners (Globally), IT Support personnel (US) | Tata Consultancy Services (IN) | Users being inactive for 12 months and registered users of inactive customers or suppliers are subject to monthly deletions | |
Conducting due diligence on intermediaries | Master Data Management (HU), Ethics and Compliance (US) | Dow Jones & Company (US) | In addition to the above contact details, the date of birth for sole entrepreneurs, if necessary for unique identification | Data is deleted upon request |
If you are applying for a job
Purpose: enable Howmet to manage our hiring process end-to-end, from submitting your application until accepting an offer.
Legal basis: your consent
Context | Howmet recipients | Service providers | Personal data processed | Data retention |
Optional: using tools to support the application process, such as resume parsing and profile importation | Draft application: none (until submitted)Submitted application: Recruiters globally within Howmet, Hiring manager, HR Technology (US) | Jobvite (US), LinkedIn (US), Indeed (US) | Information in your CV/Resume, or Indeed/LinkedIn profile | Temporary – until populating the application form |
Drafting and submitting your application online via Howmet’s Oracle Cloud instance to a specific position | Oracle (US) | Contact details you provide, any information in your CV/Resume you share | Until you delete your draft application or profile (instructions are sent via e-mail)Additionally, if you do not interact with your draft application for 30 days, it is removed automatically | |
Obtaining job specific background information, when relevant (US, CA, MX, DE) | Recruiters involved in the selection (US, CA, MX, DE), Legal department as needed | HireRight (US) | National identifier, Educational and criminal background. Credit check only if necessary | 6 months for Non-U.S. Candidates and 5 years for U.S. Candidates |
Employment verification process (US) | HR personnel involved in new hire management (US) | As determined by the U.S. Citizenship and Immigration Services. Details:I-9 Employment Eligibility Verification | As determined by the U.S. Citizenship and Immigration Services. Details:Retention and Storage | USCIS |
If you are submitting a data privacy request, complaint or an integrity concern
Purpose: enable Howmet to evaluate the request or reported matter and respond to it in accordance with applicable requirements
Legal basis: legal obligation
Context | Howmet recipients | Service providers | Personal data processed | Data retention |
Completing and sending the Data Subject Request form | Privacy Office (US, NL, HU) | OneTrust (US) | Contact details you provide and details of your request, complaint, or concern | In accordance with civil law claim timeframes that varies country to country |
Contacting the Integrity Line | Ethics and Compliance (US) and other departments as necessary for investigating the report (Globally) | Navex (US) | 10 years |
3. Automated decision making
There is no automated decision making in the context of any of the above listed activities.
4. Transferring data globally
To the extent necessary, and in accordance with the tables above in this Policy, your data will be accessible from countries outside the European Economic Area, United Kingdom and Switzerland (including the United States, Mexico, China, Brazil, Australia) that are subject to different standards of data protection. Howmet will take appropriate steps to ensure that transfers of personal information are in accordance with applicable laws and carefully managed to protect your privacy rights and interests and transfers are limited to countries which are recognized as providing an adequate level of legal protection or where we can be satisfied that alternative arrangements are in place to protect your privacy rights. To this end:
- we ensure transfers within Howmet will be covered by an agreement entered into by members of Howmet (an intra-group agreement) which contractually obliges each member to ensure that personal data receives an adequate and consistent level of protection wherever it is transferred within Howmet including, where relevant, the EU Commission’s Standard Contractual Clauses or the UK’s International Data Transfer Agreement/Addendum;
- where we transfer your personal data outside Howmet or to third parties located globally, including outside of EEA/UK/Switzerland, who help provide our products and services, we obtain contractual commitments from them to protect your personal data, including, where relevant, the EU Commission’s Standard Contractual Clauses or the UK’s International Data Transfer Agreement/Addendum; or
- where we receive requests for information from law enforcement or regulators, we carefully validate these requests before any personal data are disclosed.
If you are located in the European Economic Area (“EEA”), United Kingdom (“UK”) or Switzerland, we will comply with applicable legal requirements providing adequate protection for the transfer of personal information to recipients in countries outside of these areas. With respect to transfers of personal information to the U.S., Howmet complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the U.K. Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. Howmet has certified to the U.S. Department of Commerce that it adheres to the DPF Principles with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the U.K. Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/. Note that data protection laws in the EEA, UK, Switzerland, and elsewhere may require those transferring personal data to Howmet in the US to enter into a separate agreement with Howmet before initiating such transfers.
You have a right to contact us at privacy@howmet.com for more information about the safeguards we have put in place to ensure the adequate protection of your Personal Data when this is transferred as mentioned above, as well as to receive a copy of such transfer mechanism.
5. Your Rights and Choices
You have certain rights in relation to your data that you can exercise through any reasonable means, including by completing our request form at https://www.howmet.com/privacy/dsr/ or by sending an e-mail to privacy@howmet.com. We will make every reasonable effort to honor your request promptly or inform you if we require further information in order to fulfil your request, e.g., we may ask you for additional information to confirm your identity and for security purposes, before disclosing any data requested to you.
While the name of these rights may vary from country to country (e.g., the right to access in the European Union is called the right to know in California), in essence their purpose is the same: to give you back your control over your personal data. While we are encouraging you to choose the request type that best describes what you aim to achieve, we will evaluate its details, and contact you for clarification if necessary, to understand the desired outcome of the matter and to proceed with managing your request or complaint, in each case in accordance with applicable law(s) and/or regulation(s). Thus, we will focus on the content of the request and the expected result(s), rather than the request types selected – and will never refuse to act on a request based on only its categorization.
In all cases we will provide additional details, relevant to your request or complaint, about any next steps and their timeline in our first attempt to contact you.
Right to access data
You have the right to request that we provide you with a description, and upon request a copy, of your data that we hold. In addition, you have the right to be informed of: (a) the source of the data; (b) the purposes, legal basis and methods of processing, including its collection; (c) the data controller’s identity; and (d) the entities or categories of entities to whom your data was transferred.
Right to rectify (correct) or erase (delete) data
You have a right to request that we rectify inaccurate data. We may seek to verify the accuracy of the data before rectifying it. You can also request that we erase your data – however, we will thoroughly evaluate such requests on a case-by-case basis and erase only when no exceptions apply, e.g., we have an obligation to retain the data.
Right to object to, or restrict the processing of, your data
You can object to any processing of your data, if you believe your rights and freedoms outweigh our interests. If you raise an objection, we will have an opportunity to demonstrate that we have compelling interests overriding your rights and freedoms. You can ask us to suspend processing your data, in which case we will only be allowed to store the data in scope for your request, when you:
- want us to confirm the accuracy,
- oppose, or want to delay the deletion
of your data; or you have objected to its use and we need to evaluate if we have an overriding legitimate basis.
Right to transfer your data
You can ask us to provide your data to you in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another company.
Right to object to how we use your data for direct marketing purposes
You can request that we change the manner in which we contact you for marketing purposes. You can request that we do not transfer your data to unaffiliated third parties for direct marketing or other purposes.
Right to lodge a complaint with Howmet or with your local supervisory authority
If you have any complaints about how we process your personal data, we ask that you please attempt to resolve any issues with us first. Independently from our previous ask, you have the right to lodge a complaint with your local supervisory authority: a list of data protection authorities (DPAs), which, in our understanding are the most relevant from our Company’s perspective, can be found in the section below. Feel free to reach out to us if you do not find the contact details of your local data protection authority, or if a link is broken.
List of data protection authorities (DPAs)
Country | DPA Name | Website and Contact Information |
Australia | Office of the Australian Information Commissioner | Australian Information Commissioner W: oaic.gov.au E: Form available online Agency Contact Webpage |
Austria | Data Protection Authority (Österreichische Datenschutzbehörde (DSB)) | W: dsb.gv.at English Home Page E: dsb@dsb.gv.at Agency Contact Webpage |
Belgium | Data Protection Authority (Gegevens-beschermingsautoriteit) (Autorité de protection des données) | W: dataprotectionauthority.be Dutch Home Page German Home Page French Home Page E: contact@apd-gba.be Agency Contact Webpage |
Brazil | National Data Protection Authority (Autoridade Nacional de Proteção de Dados (ANPD)) | W: gov.br/anpd/pt-br E: anpd@anpd.gov.br Agency Contact Webpage |
Canada | Office of the Privacy Commissioner of Canada | W: priv.gc.ca E: Form available online Agency Contact Webpage |
Canada – Québec | Québec Information Access Commission | W: cai.gouv.qc.ca English Home Page E: cai.communications@cai.gouv.qc.ca Agency Contact Webpage |
China | The Cyberspace Administration of China (中国网络空间管理局) The Ministry of Industry and Information Technology (工业和信息化部) Ministry of Public Security (中华人民共和国公安部) | The Cyberspace Administration of China W: cac.gov.cn E: Form available online Agency Contact Webpage (scroll to the bottom) The Ministry of Industry and Information Technology W: miit.gov.cn Agency Contact Webpage Ministry of Public Security W: mps.gov.cn Agency Contact Webpage (scroll to the bottom) |
Czech Republic | The Office for Personal Data Protection (Úřad pro Ochranu Osobních Údajů (UOOU)). | W: uoou.cz English Home Page E: posta@uoou.cz Agency Contact Webpage |
France | National Commission for Data Protection (Commission Nationale de l’Informatique et des Libertés (CNIL)) | W: cnil.fr English Home Page Agency Contact Webpage |
Germany | Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI)) | W: bfdi.bund.de English Home Page E: poststelle@bfdi.bund.de Agency Contact Webpage |
Hong Kong | Office of the Privacy Commissioner for Personal Data (個人資料私隱專員公署) | W: pcpd.org.hk E: communications@pcpd.org.hk Agency Contact Webpage |
Hungary | Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)) | W: naih.hu English Home Page E: ugyfelszolgalat@naih.hu Agency Contact Webpage |
Italy | Data Protection Authority (Garante per la Protezione dei Dati Personali) | W: garanteprivacy.it English Home Page E: protocollo@gpdp.it; urp@gpdp.it Agency Contact Webpage |
Japan | Personal Information Protection Commission (個人情報保護委員会) | W: ppc.go.jp English Home Page Agency Contact Webpage |
Mexico | National Institute for Transparency, Access to Information and Protection of Personal Data (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI)) | W: home.inai.org.mx/ E: atencion@inai.org.mx Agency Contact Webpage |
Morocco | National Commission for the Protection of Personal Data (Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel) | W: cndp.ma E: contact@cndp.ma Agency Contact Webpage |
The Netherlands | Data Protection Authority (Autoriteit Persoonsgegevens) | W: autoriteitpersoonsgegevens.nl English Home Page Agency Contact Webpage |
Singapore | Personal Data Protection Commission (PDPC) | W: pdpc.gov.sg E: Form available here Agency Contact Webpage |
South Africa | The Information Regulator | W: inforegulator.org.za E: enquiries@inforegulator.org.za Agency Contact Webpage |
South Korea | Personal Information Protection Commission (PIPC) Financial Services Commission (FSC) | Personal Information Protection Commission W: pipc.go.kr/np English Home Page Agency Contact Webpage (scroll to the bottom) Financial Services Commission W: fsc.go.kr/index English Home Page E: fsc.ifd@korea.kr Agency Contact Webpage |
Spain | Spanish Data Protection Agency (Agencia Española de Protección de Datos (AEPD)) | W: aepd.es Agency Contact Webpage |
Switzerland | Federal Data Protection and Information Commissioner (Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (FDIPC)) | W: edoeb.admin.ch English Home Page E: info@edoeb.admin.ch Agency Contact Webpage |
Turkey | Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu (KVKK)) | W: kvkk.gov.tr English Home Page Agency Contact Webpage |
United Kingdom (England & Wales) | Information Commissioner’s Office (ICO) | W: ico.org.uk Agency Contact Webpage |
United States | Federal Trade Commission (FTC) Department of Health and Human Services (HHS) Office of Civil Rights (OCR) California Attorney General California Privacy Protection Agency (once established) | Federal Trade Commission W: ftc.gov Agency Contact Webpage HHS Office of Civil Rights W: hhs.gov/ocr/index.html E: OCRPrivacy@hhs.gov Agency Contact Webpage California Attorney General W: oag.ca.gov/privacy/ccpa Agency Contact Webpage |
6. How we protect personal information
Security
We have implemented and will maintain appropriate technical and organizational security measures, policies and procedures designed to reduce the risk of accidental destruction or loss, or the unauthorized disclosure or access to such information appropriate to the nature of the information concerned. As the security of information depends in part on the security of the computer you use to communicate with us and the security you use to protect User IDs and passwords please take appropriate measures to protect this information.
Storing your personal information
We will store your personal data for as long as is reasonably necessary for the purposes for which it was collected, as explained in this notice. In some circumstances we may store your data for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax, or accounting requirements.
In specific circumstances we may store your personal data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal data or dealings.
7. Links to other websites
Our Websites may provide links to other websites for your convenience and information. These websites may operate independently from us. Linked sites may have their own privacy notices or policies, which we strongly suggest you to review. To the extent any linked websites are not owned or controlled by us, we are not responsible for such websites’ content, any use of such websites, or the privacy practices of such websites, even though you may enter that website directly from visiting ours.
8. Updates to our Online Privacy Notice
This Online Privacy Notice may be updated periodically and without prior notice to you to reflect changes in our personal information practices. We will post the updated version on our Websites and indicate at the top of the notice when it was most recently updated.
9. How to contact us
Howmet Aerospace Inc. is the controller of your data. If you have any questions or comments about this Online Privacy Notice, or if you wish to exercise your rights, please contact us by writing to us at:
Howmet Aerospace Inc.
Howmet Privacy Office
Attn: Barry Lombarts
201 Isabella Street
Pittsburgh, PA 15212
privacy@howmet.com
10. EU/U.S., UK/U.S., and Swiss/U.S. Data Privacy Framework Related Information
Howmet Aerospace Inc. adheres to the Data Privacy Framework Principals. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Howmet Aerospace Inc. commits to:
(1) Resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact Howmet Aerospace Inc. at:
Howmet Aerospace Inc.
Howmet Privacy Office
Attn: Barry Lombarts
201 Isabella Street
Pittsburgh, PA 15212
privacy@howmet.com
(2) Refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to the United States Council for International Business, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit www.uscib.org for more information or to file a complaint. The services of the United States Council for International Business are provided at no cost to you.
(3) Cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF in the context of the employment relationship.
Please be advised that:
(a) Howmet Aerospace Inc. is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”), the U.S. Department of Transportation, and any other U.S. authorized statutory body and, therefore, might be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements;
(b) there is the possibility, under certain conditions, for individual to invoke binding arbitration for complaints for violation of this Notice; and
(c) Howmet Aerospace Inc. acknowledges the possibility of liability in cases of unprotected onward transfers to third parties.
The following U.S. subsidiaries of Howmet Aerospace Inc. agree to adhere to the foregoing provisions of this Notice including, without limitation, the recourse provisions set forth herein:
- ALUMAX INTERNATIONAL COMPANY B&C CASTING, INC.
- B&C RESEARCH, INC.
- CORDANT TECHNOLOGIES HOLDING LLC
- FIRTH RIXSON, INC.
- FIRTH RIXSON FORGINGS LLC
- FORGED METALS, INC.
- FORGED METALS HOLDINGS, INC.
- FR ACQUISITION CORPORATION (US), INC.
- HOWMET ALUMINUM CASTING INC.
- HOWMET CASTINGS & SERVICES, INC.
- HOWMET CHINA SERVICES CO. LLC
- HOWMET CORPORATION
- HOWMET DOMESTIC LLC
- HOWMET ENGINEERED STRUCTURES, INC.
- HOWMET GLOBAL FASTENING SYSTEMS INC.
- HOWMET HOLDINGS CORPORATION
- HOWMET INTER-AMERICA INC.
- HOWMET INTERNATIONAL HOLDING COMPANY LLC
- HOWMET INTERNATIONAL INC.
- HOWMET INTERNATIONAL LLC
- HOWMET LAUDEL INC.
- HOWMET MEXICAN OPERATIONS LLC
- HOWMET MEXICO HOLDINGS LLC
- HOWMET NORTH AMERICA HOLDINGS LLC
- HOWMET RECEIVABLES GUARANTY SPE LLC
- HOWMET SECURITIES LLC
- HOWMET TRANSPORT SERVICES, INC.
- HOWMET WHEELS INTERNATOINAL VIRGINIA, INC.
- HUCK INTERNATIONAL INC.
- HUCK PATENTS, INC.
- JFB FIRTH RIXSON, INC. NATI GAS CO.
- NEW CENTURY METALS, INC.
- NEW CENTURY METALS SOUTHEAST, INC.
- RTI FINANCE CORP
- REMMELE HOLDING, INC.
- RIPI LLC
- RMI DELAWARE, INC.
- RMI TITANIUM COMPANY, LLC
- RTI ADVANCED FORMING, INC.
- RTI CAPITAL, LLC
- RTI EXTRUSIONS, INC.
- RTI FABRICATION & DISTRIBUTION, INC.
- RTI MARTINSVILLE, INC.
- RTI REMMELE ENGINEERING, INC.
- SCHLOSSER FORGE COMPANY
- TEMPCRAFT CORPORATION
- THREE RIVERS INSURANCE COMPANY
- TURBINE COMPONENTS CORPORATION
- VALLEY TODECO INC.
- VIKING METALLURGICAL CORPORATION
II. CALIFORNIA SPECIFIC INFORMATION
This section amends the General Policy. Therefore, as an example, you will find the “how to” of exercising your rights in that Policy.
1. Disclosure of your personal information
In the preceding 12 months, your personal information was disclosed only for valid business purposes to recipients within the Howmet group and to external service providers as described in the relevant tables of this Policy.
2. Sale of your personal information
In the preceding 12 months, your personal information was not sold.
3. Sharing your personal information for cross-context behavioral advertising
In the preceding 12 months, your personal information was not shared for cross-context behavioral advertising.
4. Your rights
This section specifically amends the “Your Rights and Choices” section of the Policy.
Right to know, Right to delete and Right to correct inaccurate personal information
Please see the “Right to access data” and “Right to rectify (correct) or erase (delete) data” sections in the General Policy.
Right to be free from discrimination
You have the right not be discriminated against if you choose to exercise your rights granted by the CPRA – and Howmet hereby confirms that you will not be discriminated against for exercising such rights.
Last Revised: September 2023