ONLINE PRIVACY NOTICE

I.                   GENERAL POLICY

1. Introduction

Howmet Aerospace is a manufacturer of high-performance advanced engineered solutions for the aerospace, defense and transportation markets. Howmet Aerospace Inc., having its headquarter in Pittsburgh, USA, and its international affiliates (collectively referred to as “Howmet, “we” and “us”) have a global business presence.

This means that:

  1. We generate revenue from selling products, not your data (see further details in our financial results).
  2. Your data will likely be stored in the USA, and/or accessed by a USA citizen.
  3. We are subject to multiple privacy laws and regulations.

Please note that the amount of information Howmet needs to collect in order to serve you in a particular business transaction will likely vary from case to case. If you choose not to provide some information it may not be possible for you to proceed with your chosen business activity with Howmet. Rest assured, as safety and integrity are amongst our core values, we apply them to the processing of your data and we are committed to its protection according to this Online Privacy Notice. It applies to Howmet.com and other external Howmet websites that link to this Notice (the “Websites”). In this General Policy section we focus on those matters that are generally applicable to your data. You can find relevant country-specific differences in the sections below.

2. Data privacy at a Glance

If you are only visiting our Websites

Purpose: gain visibility into our Websites’ usage

Legal basis: your consent

When you use our Websites, we may collect certain information using technologies such as cookies, web server logs, web beacons and JavaScript. For more information on how we collect and use this information, please review our Cookie Policy.

If you are contacting us

Purpose: enable Howmet to respond to your queries in an organized manner and to provide you with information on demand

Legal basis: a combination of your consent and legitimate interests

ContextHowmet recipients/contactsService providersPersonal data processedData retention
Sending an e-mail to, or receiving from, a @howmet.com e-mail addressTo whom you send your e-mail, the sender of an e-mail and Information Security for suspicious e-mailsMicrosoft (US) and a secure e-mail gateway provider (US)E-mail address, e-mail signature and the content of the e-mail850 days by default
Completing and sending a contact form on a Website to:Howmet location representatives and/or departments (e.g., Investor RelationsMediaEnvironment, Health and Safety, in addition to Business Unit sales for quotes or sales enquiries) addressedContact details you provide and your message
Howmet Fastening Systems locationsQuickBase (US)Until you request the deletion of your enquiry
Howmet Wheel Systems locationsSalesforce (US)Until you unsubscribe, or request the deletion of your enquiry
Subscribing to e-mail alertsReachmail (US)First name, last name, e-mail addressUntil you unsubscribe
Wheel warranty claimsRegional Fleet Service Center, Quality, Sales, IT Support personnel (HU)Salesforce (US), WordPress (US)First name, last name, e-mail address + details of the claim10 years from the date the claim is received

If you are a Howmet customer or supplier

Purpose: enable Howmet to maintain accurate customer and supplier records, to deliver its products to its customers, to receive the services necessary for its businesses and to manage third-party risks

Legal basis: a combination of legitimate interests and legal obligations

ContextHowmet recipientsService providersPersonal data processedData retention
Supplier registrationLocation and Procurement representatives (Globally), Master Data Management (HU), IT Support personnel (US)Tata Consultancy Services (IN), Oracle (US)First name, last name, phone number and e-mail addressPersonal data linked to invalid e-mail addresses are deleted
Registration and interaction through HowmetDirectProcurement representatives (Globally), Business Process Owners (Globally), IT Support personnel (US)Tata Consultancy Services (IN)Users being inactive for 12 months and registered users of inactive customers or suppliers are subject to monthly deletions
Conducting due diligence on intermediariesMaster Data Management (HU), Ethics and Compliance (US)Dow Jones & Company (US)In addition to the above contact details, the date of birth for sole entrepreneurs, if necessary for unique identificationData is deleted upon request

If you are applying for a job

Purpose: enable Howmet to manage our hiring process end-to-end, from submitting your application until accepting an offer.

Legal basis: your consent

ContextHowmet recipientsService providersPersonal data processedData retention
Optional: using tools to support the application process, such as resume parsing and profile importationDraft application: none (until submitted)Submitted application: Recruiters globally within Howmet, Hiring manager, HR Technology (US)Jobvite (US), LinkedIn (US), Indeed (US)Information in your CV/Resume, or Indeed/LinkedIn profileTemporary – until populating the application form
Drafting and submitting your application online via Howmet’s Oracle Cloud instance to a specific positionOracle (US)Contact details you provide, any information in your CV/Resume you shareUntil you delete your draft application or profile (instructions are sent via e-mail)Additionally, if you do not interact with your draft application for 30 days, it is removed automatically
Obtaining job specific background information, when relevant (US, CA, MX, DE)Recruiters involved in the selection (US, CA, MX, DE), Legal department as neededHireRight (US)National identifier, Educational and criminal background. Credit check only if necessary6 months for Non-U.S. Candidates and 5 years for U.S. Candidates 
Employment verification process (US)HR personnel involved in new hire management (US)As determined by the U.S. Citizenship and Immigration Services. Details:I-9 Employment Eligibility VerificationAs determined by the U.S. Citizenship and Immigration Services. Details:Retention and Storage | USCIS

If you are submitting a data privacy request, complaint or an integrity concern

Purpose: enable Howmet to evaluate the request or reported matter and respond to it in accordance with applicable requirements

Legal basis: legal obligation

ContextHowmet recipientsService providersPersonal data processedData retention
Completing and sending the Data Subject Request formPrivacy Office (US, NL, HU)OneTrust (US)Contact details you provide and details of your request, complaint, or concernIn accordance with civil law claim timeframes that varies country to country
Contacting the Integrity LineEthics and Compliance (US) and other departments as necessary for investigating the report (Globally)Navex (US)10 years
3. Automated decision making

There is no automated decision making in the context of any of the above listed activities.

4. Transferring data globally

To the extent necessary, and in accordance with the tables above in this Policy, your data will be accessible from countries outside the European Economic Area, United Kingdom and Switzerland (including the United States, Mexico, China, Brazil, Australia) that are subject to different standards of data protection. Howmet will take appropriate steps to ensure that transfers of personal information are in accordance with applicable laws and carefully managed to protect your privacy rights and interests and transfers are limited to countries which are recognized as providing an adequate level of legal protection or where we can be satisfied that alternative arrangements are in place to protect your privacy rights. To this end:  

If you are located in the European Economic Area (“EEA”), United Kingdom (“UK”) or Switzerland, we will comply with applicable legal requirements providing adequate protection for the transfer of personal information to recipients in countries outside of these areas. With respect to transfers of personal information to the U.S., Howmet complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the U.K. Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce.  Howmet has certified to the U.S. Department of Commerce that it adheres to the DPF Principles with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the U.K. Extension to the EU-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/. Note that data protection laws in the EEA, UK, Switzerland, and elsewhere may require those transferring personal data to Howmet in the US to enter into a separate agreement with Howmet before initiating such transfers.

You have a right to contact us at privacy@howmet.com for more information about the safeguards we have put in place to ensure the adequate protection of your Personal Data when this is transferred as mentioned above, as well as to receive a copy of such transfer mechanism.

5. Your Rights and Choices

You have certain rights in relation to your data that you can exercise through any reasonable means, including by completing our request form at https://www.howmet.com/privacy/dsr/ or by sending an e-mail to privacy@howmet.com. We will make every reasonable effort to honor your request promptly or inform you if we require further information in order to fulfil your request, e.g., we may ask you for additional information to confirm your identity and for security purposes, before disclosing any data requested to you.

While the name of these rights may vary from country to country (e.g., the right to access in the European Union is called the right to know in California), in essence their purpose is the same: to give you back your control over your personal data. While we are encouraging you to choose the request type that best describes what you aim to achieve, we will evaluate its details, and contact you for clarification if necessary, to understand the desired outcome of the matter and to proceed with managing your request or complaint, in each case in accordance with applicable law(s) and/or regulation(s). Thus, we will focus on the content of the request and the expected result(s), rather than the request types selected – and will never refuse to act on a request based on only its categorization.

In all cases we will provide additional details, relevant to your request or complaint, about any next steps and their timeline in our first attempt to contact you.

Right to access data

You have the right to request that we provide you with a description, and upon request a copy, of your data that we hold. In addition, you have the right to be informed of: (a) the source of the data; (b) the purposes, legal basis and methods of processing, including its collection; (c) the data controller’s identity; and (d) the entities or categories of entities to whom your data was transferred.

Right to rectify (correct) or erase (delete) data

You have a right to request that we rectify inaccurate data. We may seek to verify the accuracy of the data before rectifying it. You can also request that we erase your data – however, we will thoroughly evaluate such requests on a case-by-case basis and erase only when no exceptions apply, e.g., we have an obligation to retain the data.

Right to object to, or restrict the processing of, your data

You can object to any processing of your data, if you believe your rights and freedoms outweigh our interests. If you raise an objection, we will have an opportunity to demonstrate that we have compelling interests overriding your rights and freedoms.  You can ask us to suspend processing your data, in which case we will only be allowed to store the data in scope for your request, when you:

  • want us to confirm the accuracy,
  • oppose, or want to delay the deletion

of your data; or you have objected to its use and we need to evaluate if we have an overriding legitimate basis.

Right to transfer your data 

You can ask us to provide your data to you in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another company.

Right to object to how we use your data for direct marketing purposes 

You can request that we change the manner in which we contact you for marketing purposes. You can request that we do not transfer your data to unaffiliated third parties for direct marketing or other purposes. 

Right to lodge a complaint with Howmet or with your local supervisory authority

If you have any complaints about how we process your personal data, we ask that you please attempt to resolve any issues with us first. Independently from our previous ask, you have the right to lodge a complaint with your local supervisory authority: a list of data protection authorities (DPAs), which, in our understanding are the most relevant from our Company’s perspective, can be found in the section below. Feel free to reach out to us if you do not find the contact details of your local data protection authority, or if a link is broken.

List of data protection authorities (DPAs)

CountryDPA NameWebsite and Contact Information
Australia Office of the Australian Information Commissioner Australian Information Commissioner 
W: oaic.gov.au 
E: Form available online 
Agency Contact Webpage 
Austria Data Protection Authority (Österreichische Datenschutzbehörde (DSB)W: dsb.gv.at 
English Home Page 
E: dsb@dsb.gv.at 
Agency Contact Webpage
Belgium Data Protection Authority (Gegevens-beschermingsautoriteit) (Autorité de protection des données)W: dataprotectionauthority.be 
Dutch Home Page 
German Home Page 
French Home Page 
E: contact@apd-gba.be 
Agency Contact Webpage
Brazil National Data Protection Authority (Autoridade Nacional de Proteção de Dados (ANPD))W: gov.br/anpd/pt-br 
E: anpd@anpd.gov.br 
Agency Contact Webpage
Canada Office of the Privacy Commissioner of CanadaW: priv.gc.ca 
E: Form available online 
Agency Contact Webpage
Canada – Québec Québec Information Access CommissionW: cai.gouv.qc.ca 
English Home Page 
E: cai.communications@cai.gouv.qc.ca 
Agency Contact Webpage
China The Cyberspace Administration of China (中国网络空间管理局) The Ministry of Industry and Information Technology (业和信息化部) Ministry of Public Security (中华人民共和国公安部)The Cyberspace Administration of China 
W: cac.gov.cn 
E: Form available online 
Agency Contact Webpage (scroll to the bottom) 
The Ministry of Industry and Information Technology 
W: miit.gov.cn 
Agency Contact Webpage 
Ministry of Public Security 
W: mps.gov.cn 
Agency Contact Webpage (scroll to the bottom)
Czech Republic The Office for Personal Data Protection (Úřad pro Ochranu Osobních Údajů (UOOU)). W: uoou.cz 
English Home Page 
E: posta@uoou.cz 
Agency Contact Webpage
France National Commission for Data Protection (Commission Nationale de l’Informatique et des Libertés (CNIL))W: cnil.fr 
English Home Page 
Agency Contact Webpage
Germany Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI)W: bfdi.bund.de 
English Home Page 
E: poststelle@bfdi.bund.de 
Agency Contact Webpage
Hong Kong Office of the Privacy Commissioner for Personal Data (個人資料私隱專員公署W: pcpd.org.hk 
E: communications@pcpd.org.hk 
Agency Contact Webpage 
Hungary Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH))W: naih.hu 
English Home Page 
E: ugyfelszolgalat@naih.hu 
Agency Contact Webpage
Italy Data Protection Authority (Garante per la Protezione dei Dati Personali)W: garanteprivacy.it 
English Home Page 
E: protocollo@gpdp.iturp@gpdp.it 
Agency Contact Webpage
Japan Personal Information Protection Commission (個人情報保護委員会W: ppc.go.jp 
English Home Page 
Agency Contact Webpage
Mexico National Institute for Transparency, Access to Information and Protection of Personal Data (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI))W: home.inai.org.mx/ 
E: atencion@inai.org.mx 
Agency Contact Webpage
Morocco National Commission for the Protection of Personal Data (Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel)W: cndp.ma 
E: contact@cndp.ma 
Agency Contact Webpage
The Netherlands Data Protection Authority (Autoriteit Persoonsgegevens)W: autoriteitpersoonsgegevens.nl 
English Home Page 
Agency Contact Webpage
Singapore Personal Data Protection Commission (PDPC)W: pdpc.gov.sg 
E: Form available here 
Agency Contact Webpage
South Africa The Information RegulatorW: inforegulator.org.za 
E: enquiries@inforegulator.org.za 
Agency Contact Webpage
South Korea Personal Information Protection Commission (PIPC) Financial Services Commission (FSC)Personal Information Protection Commission 
W: pipc.go.kr/np 
English Home Page 
Agency Contact Webpage (scroll to the bottom) 
Financial Services Commission 
W: fsc.go.kr/index 
English Home Page 
E: fsc.ifd@korea.kr 
Agency Contact Webpage
Spain Spanish Data Protection Agency (Agencia Española de Protección de Datos (AEPD))W: aepd.es 
Agency Contact Webpage
Switzerland Federal Data Protection and Information Commissioner (Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (FDIPC))W: edoeb.admin.ch 
English Home Page 
E: info@edoeb.admin.ch
Agency Contact Webpage
Turkey Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu (KVKK)W: kvkk.gov.tr 
English Home Page 
Agency Contact Webpage
United Kingdom (England & Wales) Information Commissioner’s Office (ICO)W: ico.org.uk 
Agency Contact Webpage
United States Federal Trade Commission (FTC) Department of Health and Human Services (HHS) Office of Civil Rights (OCR) California Attorney General California Privacy Protection Agency (once established) Federal Trade Commission 
W: ftc.gov 
Agency Contact Webpage 
HHS Office of Civil Rights 
W: hhs.gov/ocr/index.html 
E: OCRPrivacy@hhs.gov 
Agency Contact Webpage 
California Attorney General 
W: oag.ca.gov/privacy/ccpa 
Agency Contact Webpage
6. How we protect personal information
Security 

We have implemented and will maintain appropriate technical and organizational security measures, policies and procedures designed to reduce the risk of accidental destruction or loss, or the unauthorized disclosure or access to such information appropriate to the nature of the information concerned. As the security of information depends in part on the security of the computer you use to communicate with us and the security you use to protect User IDs and passwords please take appropriate measures to protect this information.  

Storing your personal information 

We will store your personal data for as long as is reasonably necessary for the purposes for which it was collected, as explained in this notice. In some circumstances we may store your data for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax, or accounting requirements.  

In specific circumstances we may store your personal data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal data or dealings.

Our Websites may provide links to other websites for your convenience and information. These websites may operate independently from us. Linked sites may have their own privacy notices or policies, which we strongly suggest you to review. To the extent any linked websites are not owned or controlled by us, we are not responsible for such websites’ content, any use of such websites, or the privacy practices of such websites, even though you may enter that website directly from visiting ours.

8. Updates to our Online Privacy Notice

This Online Privacy Notice may be updated periodically and without prior notice to you to reflect changes in our personal information practices. We will post the updated version on our Websites and indicate at the top of the notice when it was most recently updated.

9. How to contact us

Howmet Aerospace Inc. is the controller of your data. If you have any questions or comments about this Online Privacy Notice, or if you wish to exercise your rights, please contact us by writing to us at:

Howmet Aerospace Inc.
Howmet Privacy Office
Attn: Barry Lombarts
201 Isabella Street
Pittsburgh, PA 15212
privacy@howmet.com

Howmet Aerospace Inc. adheres to the Data Privacy Framework Principals. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Howmet Aerospace Inc. commits to:

(1)    Resolve DPF Principles-related complaints about our collection and use of your personal information.  EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact Howmet Aerospace Inc. at:

Howmet Aerospace Inc.
Howmet Privacy Office
Attn: Barry Lombarts
201 Isabella Street
Pittsburgh, PA 15212
privacy@howmet.com

(2)    Refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to the United States Council for International Business, an alternative dispute resolution provider based in the United States.  If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit www.uscib.org for more information or to file a complaint. The services of the United States Council for International Business are provided at no cost to you.

(3)    Cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF in the context of the employment relationship.

Please be advised that:

(a)      Howmet Aerospace Inc. is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”), the U.S. Department of Transportation, and any other U.S. authorized statutory body and, therefore, might be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements;

(b)      there is the possibility, under certain conditions, for individual to invoke binding arbitration for complaints for violation of this Notice; and

(c)      Howmet Aerospace Inc. acknowledges the possibility of liability in cases of unprotected onward transfers to third parties.

The following U.S. subsidiaries of Howmet Aerospace Inc. agree to adhere to the foregoing provisions of this Notice including, without limitation, the recourse provisions set forth herein:

  • ALUMAX INTERNATIONAL COMPANY B&C CASTING, INC.
  • B&C RESEARCH, INC.
  • CORDANT TECHNOLOGIES HOLDING LLC
  • FIRTH RIXSON, INC.
  • FIRTH RIXSON FORGINGS LLC
  • FORGED METALS, INC.
  • FORGED METALS HOLDINGS, INC.
  • FR ACQUISITION CORPORATION (US), INC.
  • HOWMET ALUMINUM CASTING INC.
  • HOWMET CASTINGS & SERVICES, INC.
  • HOWMET CHINA SERVICES CO. LLC
  • HOWMET CORPORATION
  • HOWMET DOMESTIC LLC
  • HOWMET ENGINEERED STRUCTURES, INC.
  • HOWMET GLOBAL FASTENING SYSTEMS INC.
  • HOWMET HOLDINGS CORPORATION
  • HOWMET INTER-AMERICA INC.
  • HOWMET INTERNATIONAL HOLDING COMPANY LLC
  • HOWMET INTERNATIONAL INC.
  • HOWMET INTERNATIONAL LLC
  • HOWMET LAUDEL INC.
  • HOWMET MEXICAN OPERATIONS LLC
  • HOWMET MEXICO HOLDINGS LLC
  • HOWMET NORTH AMERICA HOLDINGS LLC
  • HOWMET RECEIVABLES GUARANTY SPE LLC
  • HOWMET SECURITIES LLC
  • HOWMET TRANSPORT SERVICES, INC.
  • HOWMET WHEELS INTERNATOINAL VIRGINIA, INC.
  • HUCK INTERNATIONAL INC.
  • HUCK PATENTS, INC.
  • JFB FIRTH RIXSON, INC. NATI GAS CO.
  • NEW CENTURY METALS, INC.
  • NEW CENTURY METALS SOUTHEAST, INC.
  • RTI FINANCE CORP
  • REMMELE HOLDING, INC.
  • RIPI LLC
  • RMI DELAWARE, INC.
  • RMI TITANIUM COMPANY, LLC
  • RTI ADVANCED FORMING, INC.
  • RTI CAPITAL, LLC
  • RTI EXTRUSIONS, INC.
  • RTI FABRICATION & DISTRIBUTION, INC.
  • RTI MARTINSVILLE, INC.
  • RTI REMMELE ENGINEERING, INC.
  • SCHLOSSER FORGE COMPANY
  • TEMPCRAFT CORPORATION
  • THREE RIVERS INSURANCE COMPANY
  • TURBINE COMPONENTS CORPORATION
  • VALLEY TODECO INC.
  • VIKING METALLURGICAL CORPORATION

II.                 CALIFORNIA SPECIFIC INFORMATION

This section amends the General Policy. Therefore, as an example, you will find the “how to” of exercising your rights in that Policy.

1. Disclosure of your personal information

In the preceding 12 months, your personal information was disclosed only for valid business purposes to recipients within the Howmet group and to external service providers as described in the relevant tables of this Policy.

2. Sale of your personal information

In the preceding 12 months, your personal information was not sold.

3. Sharing your personal information for cross-context behavioral advertising

In the preceding 12 months, your personal information was not shared for cross-context behavioral advertising.

4. Your rights

This section specifically amends the “Your Rights and Choices” section of the Policy.

Right to know, Right to delete and Right to correct inaccurate personal information

Please see the “Right to access data” and “Right to rectify (correct) or erase (delete) data” sections in the General Policy.

Right to be free from discrimination

You have the right not be discriminated against if you choose to exercise your rights granted by the CPRA – and Howmet hereby confirms that you will not be discriminated against for exercising such rights.

Last Revised: September 2023