EU – US Privacy Shield Policy

Website Privacy Shield Policy 

Afton has adopted this Privacy Shield Policy ("Policy") to establish and maintain an adequate level of Personal Data privacy protection. This Policy applies to the processing of Personal Data that Afton obtains from Data Subjects located in Europe. Afton has committed to handling Personal Data in accordance with the EU-US Privacy Shield principles (the “Principles”).

Afton complies with the EU-US Privacy Shield program as set forth by the US Department of Commerce regarding the collection, use, and retention of Personal Data from Europe. Afton has certified that it adheres to the Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. If there is any conflict between the policies in this Policy and the Principles, the Principles shall govern. To learn more about the EU-US Privacy Shield program, and to view Afton’s certification page, please visit

All Afton employees who handle Personal Data from Europe are required to comply with the Principles. 

Capitalized terms are defined in Section XIII of this Policy. 


This Policy applies to the processing of Personal Data of Data Subjects that Afton receives in the United States concerning Data Subjects who reside in Europe. This Policy does not cover data from which a Data Subject cannot be identified.


Afton has designated the Legal Department to oversee its information security program, including its compliance with the Principles and this Policy. The Legal Department shall review and approve any material changes to this Policy as necessary. Any questions, concerns, or comments regarding this Policy may be directed to the Afton Legal Department via phone at (804)788-5000 or by email at [email protected]

Afton will maintain, monitor, test, and upgrade information security policies, practices, and systems to assist in protecting the Personal Data that it collects. The relevant Afton personnel will be instructed on how to implement this Policy. Please refer to Section VI for a discussion of the steps that Afton has undertaken to protect Personal Data. 


Afton will renew its EU-US Privacy Shield annually, unless it subsequently determines that it no longer needs such certification or if it employs a different adequacy mechanism. 

Prior to the re-certification, Afton will conduct an in-house verification to ensure that its attestations and assertions with regard to its treatment of Personal Data of Data Subjects are accurate and that Afton has appropriately implemented these practices. 


Afton collects Personal Data from Data Subjects when they purchase its products, register with its website, or otherwise communicate with them.  Such Personal Data may include an individual's name in combination with address, phone number, e-mail address and password.

Afton uses Personal Data that it collects directly from Data Subjects for the following business purposes, without limitation: (1) maintaining and supporting its products, delivering and providing the requested products/services, and complying with its contractual obligations related thereto; (2) internal management and budgets analysis; (3) satisfying governmental reporting, tax, and other requirements (e.g., import/export); (4) storing and processing data, including Personal Data, in computer databases and servers located in the United States; (5) as requested by a Data Subject; (6) for other business-related purposes permitted or required under applicable local law and regulation; and (7) as otherwise required by law. 


Except as otherwise provided herein, Afton discloses Personal Data only to Third Parties who reasonably need to know such data. 

Afton may be required to disclose Personal Data in response to a lawful request by public or regulatory authorities, including to meet national security or law enforcement requirements. The US Federal Trade Commission has jurisdiction over Afton’s compliance with the EU-US Privacy Shield.

Afton also may disclose Personal Data for other purposes or to other Third Parties when a Data Subject has consented to or requested such disclosure. Afton remains responsible and liable for onward transfers of Personal Data to Third Parties received pursuant to the EU-US Privacy Shield.


Afton uses reasonable efforts to maintain the accuracy and integrity of Personal Data and to update it as appropriate. Afton has implemented physical and technical safeguards to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alternation, or destruction. Afton also employs access restrictions, limiting the scope of employees who have access to Personal Data. Further, Afton uses secure encryption technology to protect certain categories of personal data. 

Despite these precautions, no data security safeguards guarantee 100% security all of the time. 


Afton notifies Customers about its adherence to the Principles through this Policy which is publicly posted and available at  


Afton personnel may access and use Personal Data only if they are authorized to do so and only for the purpose for which they are authorized. 


A. Right to Access. Data Subjects have the right to know what Personal Data about them has been       collected and to ensure that such Personal Data is accurate and relevant for the purposes for which Afton collected the Personal Data. Upon reasonable request, Data Subjects may review their own Personal Data and correct, amend or erase it as permitted by applicable law. 

Data Subjects may edit their Personal Data by contacting the Legal Department by phone at (804)788-5000 or by email at [email protected]. In making modifications to their Personal Data, Data Subjects must provide only truthful, complete, and accurate information. Data Subjects that have submitted their Personal Data to a Customer should contact the Customer in the first instance to update their data.

B. Choices. Subject to applicable law permitting or requiring Afton to process or maintain Personal Data of Date Subjects, Data Subjects may have the right in certain circumstances to require Afton not to share their Personal Data with Third Parties or use it for a purpose materially different from the purpose(s) for which Afton originally collected or the Data Subject subsequently authorized. Data Subjects can exercise their rights under the Principles in respect of how Afton process their Personal Data by contacting Afton’s legal department. When a Data Subject contacts Afton it will explain the options available to the Data Subject and, subject to applicable law, Afton will process the Data Subject’s request as required by the Principles.

C. Requests for Personal Data. Afton will track each of the following and will provide notice to the appropriate parties under law and contract when either of the following circumstances arises: (a) legally binding request for disclosure of the Personal Data by a law enforcement authority unless prohibited by law or regulation; or (b) requests received from a Data Subject. If Afton receives a request for access to his/her Personal Data from a Data Subject who is a Customer's customer, then, unless otherwise required under law or by contract with such Customer, Afton will refer such Data Subject to the Customer.  

D. Satisfying Requests for Access, Modifications, and Corrections. Afton will endeavor to respond in a timely manner to all reasonable written requests to view, modify, or inactivate Personal Data. 


This Policy may be amended from time to time, consistent with the Principles and applicable data protection and privacy laws and principles. Afton will notify Data Subjects if it make changes that materially affect the way it handles Personal Data previously collected, and will allow them to choose whether Personal Data supplied by them may be used in any materially different manner. 


Customers and Data Subjects may contact Afton with questions or complaints concerning this Policy or the use of any Personal Data provided by them, at the following address: 

330 South Fourth Street
Richmond, VA 23226
Attn: Law Department


Afton has committed to refer unresolved complaints under the Privacy Shield Principles to the EU data protection authorities. If a Data Subject's question or concern cannot be satisfied by Afton, they may contact the EU data protection authorities, whose details can be found at Afton will cooperate with the appropriate EU data protection authorities during investigation and resolution of complaints brought under the Privacy Shield Principles. 

Under certain limited conditions, it may be possible for Data Subjects to invoke binding arbitration before the Privacy Shield Panel to be created by the U.S. Department of Commerce and the European Commission.


Capitalized terms in this Privacy Policy have the following meanings: 

Afton” means Afton Chemical Corporation and its affiliates and subsidiaries to which the Principles apply.  A list of the entities covered by the Principles is available at

"Data Subject" means an identified or identifiable natural living person. An identifiable person is one who can be identified, directly or indirectly, by reference to a name, or to one or more factors unique to his or her personal physical, psychological, mental, economic, cultural or social characteristics. For Customers residing in Switzerland, a Data Subject also may include a legal entity. 

"Customer" means a prospective, current, or former partner (distributor or reseller), vendor, supplier, customer, or client of Afton from Europe. The term also shall include any individual agent, employee, representative, customer, or client of a Customer of Afton where Afton has obtained his or her Personal Data from such Customer as part of its business relationship with the Customer. 

"Europe" or "European" refers to a country in the European Economic Area which, for the purposes of this Policy, includes the United Kingdom and Switzerland. 

Legal Department” means Afton’s legal department who can be contacted by phone on at (804)788-5000 or emai at [email protected].

"Personal Data" means personal data as defined by applicable data privacy laws in Europe (including the General Data Protection Regulation (EU2016/679) and includes any information relating to an identified or identifiable person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;. For Switzerland, the term "person" includes both a natural person and a legal entity, regardless of the form of the legal entity.

"Third Party" means any individual or entity that is neither Afton nor an Afton employee, agent, contractor, or representative.