21 October 2020
In September 2020, Barry-Wehmiller Group was the victim of a ransomware attack. The attack occurred from 1st to 10th September 2020, during which time the attackers likely had access to BW's network.
During the attack, the attackers had access to a small portion of our servers that may have contained some limited personal data of our customers, current and former employees, and job applicants, which may have been viewed and/or exfiltrated. We reached a negotiated settlement with the cybercriminals; as a part of the settlement, they provided a decryption key, which has allowed us to restore access to the impacted parts of our system, and agreed not to publicly release any exfiltrated data. We are not aware of any fraud, abuse or public exposure of any data accessed in our system.
We sincerely regret any concern that this incident may cause. We take the privacy and security of personal data seriously. We have taken steps to address this incident promptly after it was discovered and have been working with an independent forensic analysis firm to assist us in the investigation of and response to this incident. In addition, we have consulted with data privacy professionals to mitigate the harm that may have been caused to individuals. We have also deployed next-generation malware prevention software to all BW servers and personal computers.
Where required based on risk of exposure, we have informed our employees and other stakeholders about the incident by a separate notice. Should any of our former employees or candidates have additional questions, they can reach Barry-Wehmiller's Group Data Protection Officer by submitting an inquiry here: http://bit.ly/inquirybw. Again, we sincerely regret any concern this incident may cause.
Effective date: April 23, 2020
This Privacy Notice describes how Winkler+Dünnebier GmbH, and its subsidiaries and affiliates, including the ultimate parent company Barry-Wehmiller Group, Inc., (together “the Company”, “we” or “us”) processes Personal Data of Individuals who browse our websites or who represent our current, former or future customers, suppliers/vendors or other stakeholders (“Stakeholders”). The description of how we process Personal Data in recruitment can be found on our Careers site. In this Privacy Notice, Personal Data refers to any information relating to an identified or identifiable person.
We collect Personal Data directly from Stakeholders and Individuals as well as through their interactions and use of our products and services. We do not knowingly collect Personal Data about Individuals who are minors. The Personal Data we collect depends on the context of the interactions. In limited circumstances we may also collect Personal Data from third parties, for example for lead generation, customer/supplier due diligence or credit checks.
2. How Personal Data is Used
2.1 Daily Business Purposes
Personal Data may be processed for the following purposes: Providing products and services; logistics and customs; billing, debt collection, financial and tax reporting and analysis; insurance; Stakeholder due diligence; customer and Individual financial checks in relation to loans to customers; Stakeholder relationship management; sales and marketing activities (including newsletters and events at trade shows); corporate compliance; compliance with contractual or legal obligations; to protect against legal liability; to protect and defend the rights or property of the Company; to prevent and investigate wrongdoings in connection with the property or services; litigations; to protect the health and safety of our team members, external stakeholders and the public; privacy, information security and operational and information technology management; or any other related purposes.
For these purposes, categories of Personal Data may typically include the following: Individual’s name, contact details and marketing preferences; preferred language; photos or videos (with prior written permission) in relation to some marketing activities; information about the role and job location; billing information (including credit card data); financial information in relation to loans to customers; Stakeholder’s name and other information about the Stakeholder, their business and the machine/equipment/service they are using/providing; or any other type of information that is necessary for the purposes above.
2.2 Customer Support
Personal Data may be processed for the following purposes: Machine/equipment installation; machine/equipment monitoring, diagnostics, fault analysis and debugging in order to optimize machine operations and to reduce support response times and costs; production and service team management (including applying for visas that are needed in customer’s location) and training; customer care and support activities; analyzing data for offering predictive and preventive maintenance; to facilitate spare parts ordering; backups and recovery as part of normal maintenance practice for the service; providing notifications internally and/or to the customer for certain alarm conditions or status/fault updates; auditing the machine/equipment remotely to verify the condition of the machine/equipment to determine if changes or adaptations are needed; or any other related purposes.
For these purposes, categories of Personal Data may typically include the following: Individual’s name and contact details; sound recordings or photos that may include the Individual in addition to machine/equipment related data; or any other type of information that is necessary for the purposes above, along with Stakeholder’s name and information about their machine/equipment/service and business.
Operator identifier (i.e. identifier that is created by the customer and that the machine operator uses to log in to the machine) is linked with machine related data in order to understand how the machine is used and how operator behavior may affect the machine, in order to better utilize the machine and make it run better.
2.3 Services (Including Digital Services and Websites)
Personal Data may be processed for the following purposes: Access permission control (to provide and manage access to the service); tracking usage to monitor how the service is used and to develop it; technical and security management and handling issues; providing a contact form and communicating to users; to enable ordering of machines, services, equipment or spare parts; or any other related purposes.
For these purposes, categories of Personal Data may typically include the following: Individual’s name, contact details and marketing preferences; preferred language; login details; information about how the Individual is using the service (for example when and which part of the service); Individual’s IP address, browser, network, device, web pages visited prior to coming to the service; or any other type of information that is necessary for the purposes above, along with Stakeholder and machine/equipment/service related data.
2.4 Product Development
Personal Data may be processed for the analysis and improvement of machines, equipment and services, or for other related purposes. For these purposes, information about machines, equipment and services is mainly used. However, Personal Data, as listed above in 2.1 - 2.3, may also be used if necessary for these purposes.
2.6 Consulting and IIoT Services
Further, we may provide services, for example in relation to consulting or IIoT (Industrial Internet of Things), where we process Personal Data as the “data processor” on behalf of our customer. In these situations, the customer is the “data controller” and carries the responsibilities under applicable legislation, including providing a privacy notice to individuals describing how their Personal Data is processed.
3. Sharing and Transfer
Personal Data may be accessed and processed, when necessary for the purposes described above, by our relevant team members. When necessary, Personal Data may also be shared with, for example, external advisors including, but not limited to, legal and tax advisors, auditors, creditors, banks, credit insurance partners or relevant authorities. Further, we may use third party service providers (including, for example, software and cloud providers, sales agents or debt collection agencies) to process Personal Data on our behalf.
Personal Data may be stored, transferred to, and processed in any country where we have team members or facilities or in which we engage service providers, including in the United States of America. We implement appropriate safeguards to protect Personal Data as required when transferred, including transfers outside the European Union (EU) and European Economic Area (EEA).
4. Legal Basis and Retention
Processing of Personal Data is mainly based on the performance of a contract or legitimate interests of the Company.
Personal Data will be retained in accordance with applicable records retention policies of the Company, or as long as reasonably necessary for the purposes in accordance with applicable legislation, whichever is longer.
We implement and maintain industry standard technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access. We make reasonable efforts to ensure a level of security appropriate to the risk of the processing, taking into account the costs of implementation and the nature, scope, context and purposes of processing of Personal Data.
6. More Information
Individuals may contact us for more information on how their Personal Data is collected, used, and disclosed. Individuals may also request copies, rectification or deletion of their Personal Data, or opt out of marketing messages, when applicable. Depending on the applicable legislation, Individuals may also have the right to lodge a complaint with an applicable supervisory authority regarding how their Personal Data is used.
Contact details for more information and requests:
By post:
Group Data Protection Officer
8020 Forsyth Blvd
St. Louis, MO 63105
United States of America
7. Changes to this Privacy Notice
We may update this Privacy Notice from time to time. Any changes will be posted on the applicable websites.