Global Privacy Notice
Introduction
This Privacy Notice explains how Element Materials Technology (“Element”, “we”, “us”, or “our”) collects and uses personal data in connection with its relationships with customers, prospective customers, vendors, suppliers, and business partners, including their representatives, employees, and other individuals acting on their behalf (“you” or “your”).
Our Commitment
We are committed to complying with applicable data protection and privacy laws in the jurisdictions in which we operate, including the United Kingdom General Data Protection Regulation (UK GDPR), the European Union General Data Protection Regulation (EU GDPR), the California Consumer Privacy Act (CCPA), and other applicable local privacy and data protection laws.
California Residents
If you are a California resident, please read our California Privacy Notice.
Data controller
Each Element legal entity that provides services to you, or otherwise determines the purposes and means of processing your personal data, acts as an independent data controller.
The relevant Element entity acting as your contracting party will typically be identified in your contract, engagement documentation, invoices, order forms, or other communications with us.
In some circumstances, multiple Element entities may be involved in the same processing activities and may act as independent controllers, joint controllers, or processors, depending on the nature of the processing.
A list of Element entities that may process personal data is available in the “Element Legal Entities Processing Personal Information” document.
Corporate structure and trading name
Element is the trading name used by EM Topco Limited and its affiliated companies operating globally through multiple legal entities across different jurisdictions.
Our head office is located at 3rd Floor Davidson Building, 5 Southampton Street, London, United Kingdom.
Contact us
If you have any questions or comments about this Privacy Notice, you can contact us using the details below:
- Email: privacy@element.com
- Post: Data Privacy Manager, Element Materials Technology, 1 New Park Square, Airborne Place, Edinburgh Park, Edinburgh, UK, EH12 9GR
- Website: https://www.element.com/contact-us
- Telephone (freephone / toll-free lines):
- UK: +44 808 303 6606
- Germany: +49 800 000 5137
- Americas: +1 888 818 0395
- Middle East: +971 800 353 6368
Data Protection Officer (Germany only)
If you are based in Germany and wish to contact our German Data Protection Officer, you can use the details below:
- Email: regina@datenbeschuetzerin.de
- Postal address: Datenbeschützerin Regina Stoiber GmbH, Unterer Sand 9, 94209 Regen, Germany
- Further contact options are available at: http://www.datenbeschuetzerin.de
Principles for processing
We are committed to processing personal data fairly, lawfully, and transparently, and in accordance with applicable data protection laws. To support these commitments, we will:
- Collect and process personal data only for specified, explicit, and legitimate purposes, and not process it in a manner incompatible with those purposes.
- Process only personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed;
- Take reasonable steps to ensure that personal data is accurate, complete, and kept up to date where necessary; and retain personal data only for as long as necessary for the purposes for which it was collected and processed, including to satisfy legal, regulatory, accounting, or reporting requirements and applicable limitation periods.
Categories of personal data we process
The table below explains the circumstances in which we may collect and use personal data, the categories of personal data involved, the purposes for which personal data is processed, and the legal bases relied upon under applicable data protection laws.
|
In what context is your personal data collected? |
Categories of personal data |
Purposes of processing |
Legal basis |
|
Provision of products and services Information collected when you enquire about, purchase, access, or receive our products and services |
|
|
Performance of a contract Legitimate interests |
|
Billing, invoicing, and financial administration Information collected in connection with payments, invoicing, and financial management activities |
|
|
Performance of a contract Compliance with legal obligations |
|
Identity verification and compliance activities Information collected to verify identity, conduct due diligence, or comply with legal and regulatory obligations |
|
|
Compliance with legal obligations Legitimate interests |
|
Audits, inspections, testing, certification, and conformity assessment activities Information collected in the course of delivering professional and technical services |
|
|
Performance of a contract Compliance with legal obligations
Legitimate interests |
|
Website use, portals, and online services Information collected when you visit our websites, use online portals, or interact with digital services |
|
|
Legitimate interests Consent where required by law |
|
Marketing and business relationship management Information collected when you subscribe to communications, attend events, interact with us, or express interest in our services |
|
|
Legitimate interests Consent where required by law |
|
Security monitoring and business protection Information collected through security and monitoring measures implemented at our premises or communications systems |
|
|
Legitimate interests Compliance with legal obligations |
|
Recruitment and employment-related activities Information collected when you apply for a role or participate in recruitment processes |
|
|
Legitimate interests Performance of a contract Compliance with legal obligations |
|
Legal, regulatory, and compliance matters Information collected or used in connection with disputes, investigations, legal proceedings, or regulatory requests |
|
|
Compliance with legal obligations Legitimate interests |
Sensitive categories of personal information
We do not ordinarily collect or process sensitive categories of personal information as part of our usual business activities.
However, in limited circumstances, we may receive or process sensitive personal information where necessary for the provision of services, compliance with legal or regulatory obligations, the establishment, exercise or defence of legal claims, or where otherwise permitted or required by applicable law. Depending on the context, this may include:
- Health data
- Biometric data
- Data revealing racial or ethnic origin
- Religious or philosophical beliefs
- Trade union membership
- Government-issued identifiers (such as passport or driver’s licence numbers)
- Precise geolocation data
- Login credentials or account access information
Where required under applicable law, such information may constitute “special category personal data” under EU and UK data protection laws or “sensitive personal information” under California law. We will only process such information where a valid lawful basis applies and only to the extent necessary for permitted purposes.
Criminal offence data
We may process information relating to criminal convictions or offences where this is necessary to comply with legal or regulatory obligations, or where required for screening, compliance, or security purposes.
How we obtain information
We collect personal data in a variety of ways, including:
- Directly from you, including when you enquire about or purchase products or services, request support, attend events, use our websites or portals, provide feedback, or apply for a role
- Through your use of our websites, portals, and online services, including information collected through forms, cookies, server logs, and other automated technologies
- Through business relationships where your organisation engages with us and you act in a professional capacity
- From third parties, including service providers, industry, trade, or regulatory bodies
- From publicly available sources, including professional networking platforms, company websites, press publications, public registers, and search engines
- Through our client portals and online reporting platforms, including where you access test results, certificates, or other service-related documentation, or submit information in connection with sample submissions or service requests
Purpose and legal basis for processing
We process personal data only where we have a lawful basis to do so under applicable data protection laws. Depending on the circumstances, these legal bases may include:
A) Performance of a contract
Processing necessary to enter into or perform a contract with you or your organisation.
B) Legitimate interests
Processing necessary for our legitimate business interests, including operating and improving our services, maintaining business relationships, ensuring security, preventing fraud, and protecting legal rights, provided such interests are not overridden by your rights and freedoms.
C) Legal obligation
Processing necessary to comply with legal and regulatory obligations.
D) Consent
Where required by law, we rely on consent for certain processing activities, such as certain marketing communications or cookies. Where consent is used, it may be withdrawn at any time.
Failure to provide personal data
Where personal data is required to enter into or perform a contract, or to comply with legal obligations, failure to provide such data may prevent or delay us from providing products or services to you or your organisation.
Who personal data is shared with
We may share personal data where necessary to carry out business activities, provide products and services, operate systems, or comply with legal and regulatory obligations.
Personal data may be shared with:
A) Companies within our group
We may share personal data within our group where necessary for internal administrative purposes, service delivery, customer management, marketing activities, or to maintain consistent service standards.
Depending on the context, these companies may act as independent controllers, joint controllers, or processors acting on our behalf.
B) Service providers and business partners
We may share personal data with third-party service providers and business partners who support our operations, including IT and hosting providers, customer support services, email distribution services, digital advertising and marketing platforms (such as search and display advertising tools used for audience targeting, ad relevance, and marketing suppression), professional advisers, payment processors, and subcontractors.
Where such parties act as processors on our behalf, they are required to implement appropriate technical and organisational measures and process personal data only in accordance with our instructions. In some cases, third-party platforms may process personal data as independent controllers in accordance with their own privacy policies. Where relevant, details of such third-party platforms are set out in our Cookies Policy.
C) Debt recovery and legal service providers
Where necessary, we may share personal data with debt recovery agencies, solicitors, and other professional advisers for debt recovery, dispute resolution, or enforcement of contractual rights.
D) Regulatory authorities and other third parties
We may disclose personal data to courts, law enforcement authorities, regulators, or government bodies where required or permitted by applicable law. We may also share personal data with accreditation and certification bodies where this is necessary in connection with the assessment, granting, or maintenance of accreditations and certifications. We may also disclose personal data where necessary to protect our rights, comply with legal obligations, or respond to lawful requests.
E) Corporate transactions
We may share personal data in connection with mergers, acquisitions, restructurings, joint ventures, or asset sales.
International transfers of personal data
As a global organisation, we may transfer personal data internationally in connection with our operations and service delivery.
We may transfer personal data to group companies and third-party service providers in countries outside the jurisdiction in which it was originally collected, where appropriate safeguards are in place to ensure personal data is protected in accordance with applicable data protection laws.
We will only transfer personal data where one or more of the following applies:
A) The destination country or recipient has been recognised as providing an adequate level of data protection under applicable law (including, where relevant, under UK adequacy regulations or EU Commission adequacy decisions)
B) Appropriate safeguards have been implemented, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission, for transfers subject to EU GDPR
- The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, for transfers subject to UK GDPR
- Binding Corporate Rules (BCRs), or other legally approved transfer mechanisms
C) the transfer is otherwise permitted under applicable data protection law, for example where necessary for contract performance, legal compliance, or where valid consent has been obtained
Where required, we apply additional technical, organisational, and contractual measures to protect personal data during international transfers.
How we protect personal data
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.
These measures are designed based on the nature of the data, associated risks, and applicable legal requirements, and are reviewed and updated where appropriate.
Access to personal data is restricted to authorised personnel who require access for their role and who are subject to confidentiality obligations.
We also maintain security policies covering access control, system security, and internal governance.
While we apply appropriate safeguards, no system is completely secure and we cannot guarantee absolute security.
How long we retain personal data
We retain personal data only for as long as necessary for the purposes for which it was collected, including to provide services, manage relationships, and comply with legal obligations.
Retention periods are determined based on legal, regulatory, contractual, and business requirements. In determining appropriate retention periods, we consider the nature and sensitivity of the personal data, the purposes for which it is processed, applicable legal and regulatory requirements, and relevant limitation periods.
Where statutory or regulatory retention periods apply, we retain personal data for the required duration.
We may retain personal data for longer where necessary to comply with legal obligations or to establish, exercise, or defend legal claims.
Cookies and online tracking
We use cookies and similar technologies to operate our websites, improve functionality and performance, analyse usage, and support security.
This may involve processing personal data such as IP addresses, browser information, and browsing behaviour.
Where required by law, we obtain consent for the use of non-essential cookies. Further information about the cookies we use and how to manage your preferences is available in our Cookies Policy at http://www.element.com/cookies-policy. Please note that disabling certain cookies may affect website functionality.
Marketing communications
You may opt out of receiving marketing communications at any time by contacting tactical.marketing@element.com.
Data subject rights
Depending on your location and subject to applicable legal limitations, you may have the following rights in relation to your personal data:
- Right of access – to obtain confirmation of whether personal data is processed and to receive a copy of that data
- Right to rectification – to request correction of inaccurate or incomplete personal data
- Right to erasure – to request deletion of personal data where legally applicable
- Right to restriction of processing – to request limitation of processing in certain circumstances
- Right to object – to object to processing where it is based on legitimate interests or where otherwise permitted by law
- Right to data portability – to receive personal data you have provided in a structured, commonly used, machine-readable format and/or request its transfer where technically feasible
- Right to withdraw consent – where processing is based on consent, to withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal
These rights may be subject to legal or regulatory limitations depending on the jurisdiction in which you are located. For clarity, we do not carry out automated decision-making or profiling that produces legal or similarly significant effects on individuals, and accordingly the right under Article 22 of the UK/EU GDPR does not apply to our processing activities.
How to exercise your rights
To exercise your rights, contact us using the details provided above. We may need to verify your identity before responding. In some cases, legal exemptions may apply. We will respond to your request within one month of receipt, as required by applicable law. In complex or multiple requests, this period may be extended by a further two months, in which case we will notify you.
Complaints and supervisory authorities
We are committed to resolving any concerns you may have about how your personal data is handled.
If you have concerns, please contact us using the contact details above. If you are not satisfied with our response, you may also have the right to lodge a complaint with a relevant data protection supervisory authority in your jurisdiction.
Privacy notice updates
We may update this Privacy Notice from time to time. Updates will be published on our website and take effect upon publication.