Employee Privacy Notice - Austria
1. Introduction
This Employee Privacy Notice ("Notice") applies to the ABB Group of companies, which means ABB Ltd, Switzerland and each entity in which ABB Ltd, Switzerland, directly or indirectly, has a majority holding or owns or controls the majority of voting rights. The ABB company that is your employer (referred to as "ABB") is responsible for the processing of your personal data and controls how it is used, in accordance with this Notice.
At ABB respecting your data protection rights is a top priority. This Notice explains how we use personal data about you and what rights you have regarding your personal data.
2. Who is responsible for the processing of your personal data?
ABB Asea Brown Boveri Ltd and its subsidiary companies are responsible for your personal data. For applicable privacy and data protection laws, the primary controller of your data is the ABB subsidiary company which is your current (or former) employer and has a contractual employment relationship with you (hereinafter referred to as “employment”). Other subsidiary companies of ABB may also receive and process your personal data, either in the capacity of controller or processor, and this Notice applies equally to them.
In your case, ABB AG, Brown-Boveri-Straße 3, 2351 Wiener Neudorf, Austria, or any respective company affiliated with ABB AG, having an employment relationship with you, decides as "controller" within the meaning of the EU General Data Protection Regulation (“GDPR”) and the Austrian Data Protection Act (Datenschutzgesetz – “DSG”) how and for which purpose your personal data will be used in accordance with this Notice (hereinafter: “ABB”, "we" or "us").
3. The types of information we collect and use?
We collect and use personal data that we receive from you in the course of or in connection with your employment at ABB. In addition, and to the extent necessary for the purposes mentioned in this Notice, we process personal data which we may obtain from publicly accessible sources or which are legitimately transmitted by other third parties (e.g. commercial and association registers, press, etc.). We may use the following categories of your personal data, as applicable and necessary for the purposes of processing under this Notice:
-
Personal details and identification data such as name, personal and business address, personal and business telephone number, personal and business email address or any other contact details, date and country of birth.
-
Personal data related to family, lifestyle and social circumstances such as gender, age, marital and family status (including also the name and contact details of the next of kin).
-
Employment related personal data such as employee number, signature, employment status, social security and tax numbers, insurance number, country of residence, nationality, photo, emergency contacts and passport information, work and residence permit, immigration status and travel visa information.
-
Qualifications such as qualifications and certifications including current and previous positions, education and training courses, resume/CV, records of education and work achievements, in some cases: contact details of referees and results of capability assessments and interview assessment/feedback.
-
Job information and work metrics such as position, title, employment contract, payroll ID, line manager, job band, performance history, employment status, leave of absence information, working time logging, training records, performance targets and development goals. In some cases, we may also record results of capability assessments, safety reports and incidents, professional feedback.
-
Compensation, allowances, benefits and expense related information such as salary data, payroll data, pension plan number and contributions, non-salary benefits, bonus, compensation, share options, dependents, beneficiaries or health benefit nomination, bank statements, expense claims and receipts, bank account details, credit card data, phone expenses and insurance data.
-
Electronic identification data and information (where employee has access or is affected by such systems or applications) such as access logs, IT and internet usage, device identifiers (mobile device ID, PC ID etc.), registration and login credentials, IP address, geolocation data, tracking and analytics data, recordings (e.g. CCTV footage, voice mail/call recordings), posts on corporate platforms (e.g. Yammer), password recovery data, information obtained via IT security tools.
-
Financial and other details (notably where it concerns staff members with access to or control of ABB financial business accounts) such as account information, credit checks, payment details and transactions (the latter for Know Your Customer ("KYC")/ Anti Money Laundering ("AML") monitoring purposes as explained further in this Notice), investigation information.
-
Other personal data (which may include special categories of information as mentioned below) namely where you or others (such as your colleagues) may register these data on or in our systems, programs and application such as business documents containing personal information (e.g. queries, questions, complaints, orders and related records; emails; reports; contracts; presentations, minutes; work products), photos, images and/or videos.
The below mentioned types of personal data are only collected and processed, if at all, in accordance with applicable local laws in your country of residence
-
Special categories of personal data such as:
-
membership of religious congregations (e.g. if required for tax purposes);
-
health and medical information, including disability status, special working conditions (such as use of a standing desk) and medical devices needed on the premises, work related injury and illness information, data for travel emergency support (blood type, medical history, allergies);
-
race or ethnicity (e.g. where this is used for diversity purposes);
-
in some cases: trade union membership.
-
-
Data about criminal convictions and offences such as criminal background information and sanction list information to the extent required for the purposes of criminal background screening and KYC and AML or other legal obligations.
In case you would like to be provided with information about a specific personal data processing activity, you can request that by submitting a request at www.abb.com/privacy.
4. Why do we need and use your personal data?
We primarily process your personal data to fulfil and perform our employment relationship with you. As part of the employment relationship between you and us, we need to process your personal data which is required by us to commence, complete or terminate the employment relationship with you or to perform the contractual and legal obligations associated therewith, or which we are required by law to collect and process (mainly based on social security laws).
Without processing of certain of such personal data, ABB will generally not be able to establish, maintain or terminate an employment relationship with you or to take any contractual or legal action on your request. Furthermore, where it concerns processing operations related to your employment (as described above), ABB will not be able to adequately perform such operation at your request without certain personal data and you may not be able to exercise your employee or social security rights if you do not provide the personal data requested. Whenever you are asked to provide us with any personal data related to you, we will indicate which personal data is required and which personal data may be provided voluntarily and on which legal basis such personal data is required to be processed.
We may use your personal data as listed above in particular for the following purposes:
-
human resources management including organization and personal administration, working hours management, improving and maintaining effective staff administration, internal workforce analysis, reporting and planning;
-
staff transfer management from different affiliates and succession planning;
-
payroll, compensation and benefits management including providing staff benefits and maintaining salary, compensations, allowances, benefits, insurances, pensions and performance reviews;
-
talent management and acquisition including recruitment, assessing suitability and working capacity, background checks and verification of qualifications, obtaining and providing references;
-
learning and development management including certifications, training staff and performing assessments and employee satisfaction surveys;
-
processes related to joining and leaving including internal moves and terminations;
-
sickness and other leave and vacations management;
-
internal health and safety programs including health and safety and accident records or reporting and managing process quality;
-
travel and expenses management and organization of business trips including monitoring of travelers to provide support during security or medical emergencies; providing travel security, health and safety training and on a voluntary basis assistance in giving security support during emergencies;
-
carrying out the obligations and exercising specific rights in the field of employment and social security law or a collective agreement;
-
internal and external communication of ABB’s organization and representation of ABB;
-
organizing ABB events and documentation of such events including managing and organizing internal non-marketing related campaigns, events and meetings;
-
managing ABB assets including pictures and videos depicting employees or other individuals available for download on the ABB intranet, ABB website, etc.;
-
finance and shared accounting services providing record to report, order to cash and purchase to pay services;
-
reorganization, acquisition and sale of activities, business units and companies;
-
business reporting, statistics and analytics;
-
monitoring and auditing compliance of employees’ activities in the workplace with ABB’s corporate policies, contractual obligations and legal requirements including disciplinary actions;
-
carrying out audits, reviews and regulatory checks to meet obligations to regulators;
-
governance, risk and compliance, including compliance with laws, law enforcement, court and regulatory bodies’ requirements (such as KYC, AML, customs and global trade compliance and security obligations) and prevention, detection, investigation and remediation of crime and fraud or prohibited activities or to otherwise protect legal rights and to establish, exercise or defend legal claims;
-
managing the customer relationship, processing customer orders and providing customer support, processing, evaluating and responding to requests and inquiries;
-
managing the suppliers, contractors, advisers and other professional experts including contact interaction, processing and fulfilling purchases and invoices, and contract lifecycle management;
-
making use of work performance and products and for references on documents, such as drawings, purchase orders, sales orders, invoices, reports;
-
video surveillance or CCTV for the purposes of public and staff safety, building security and crime prevention and detection;
-
access control system providing electronically controlled ingress and/or egress for authorized individuals to locations that have access restrictions and a registry of personnel on site in case of emergencies;
-
intrusion detection including 3rd party monitoring of duress, perimeter, internal security points and ancillary supervisory monitors for site maintenance/automated systems;
-
maintaining and protecting the security of products, facilities, services, systems, networks, computers and information, preventing and detecting security threats, fraud or other criminal or malicious activities, and ensuring business continuity; and
-
managing IT resources, including infrastructure management including data back-up, information systems’ support and service operations for application management, end user support, testing, maintenance, security (incident response, risk, vulnerability, breach response), master data and workplace including user accounts management, software licenses assignment, security and performance testing and business continuity.
We only collect the personal data from you that we need for the above purposes described. Certain personal data collected from you relates to your next of kin and emergency contacts. In these cases, you are requested to inform such persons about this Notice.
We may also anonymously collect your personal information so that we can no longer (in)directly identify you or single you out as an individual by that information and then use that information for further processing purposes, including statistical purposes, improvement of our services and testing of our IT systems.
In case you are working at a third-party site (for example ABB customer location or facility), such third party may need to process your personal data for their purposes acting as a data controller. In these cases, you will receive or may request a separate privacy notice from the relevant data controller.
5. On which legal basis do we process your personal data?
We process your personal data for the purposes described above (in section 4) in accordance with the provisions of the GDPR and the DSG, in particular according to the following legal bases, as applicable:
-
Primarily we process your personal data for the purpose of establishment, execution or termination of an employment relationship as well as for the enforcement of rights and fulfilment of obligations under your employment contract with us, the legal basis for such processing is Art. 6 (1) b) GDPR.
-
Additionally, if we process your personal data (including special categories of personal data) for the purpose of exercising of rights or fulfilment of legal obligations derived from labour law, social security and social protection law, the legal basis for such data processing is Art. 6 (1) c) and 9 (2) b), f) and h) GDPR).
-
If we process your personal data (including special categories of personal data) for purposes of health care, occupational medicine or assessment of your ability to work and such processing is done by health professionals or other persons subject to an obligation of professional secrecy, the legal basis is Art. 9 (2) lit. h), (3) GDPR.
-
In some cases and where necessary, we process your personal data within the employment relationship in order to safeguard legitimate interests of us or third parties. This requires a weighing of interests pursuant to Art. 6 (1) f) GDPR, according to which a processing of personal data is permissible if it is necessary to safeguard the legitimate interests and does not outweigh the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. Such legitimate interests may include the:
-
monitoring (for example through CCTV or IT systems), investigating and ensuring compliance with legal, regulatory, standard and ABB internal requirements and policies;
-
prevention of fraud and criminal activity including investigations of such activity, misuse of ABB assets, products and services, and as strictly necessary and proportionate for ensuring network and information security;
-
if otherwise necessary for establishment, exercise and defense of legal claims of and against ABB related to your working tasks and duties at ABB; and
-
transmitting personal data within the ABB group for internal administrative purposes as necessary, for example to provide centralized services.
-
You may obtain a copy of our assessment regarding our legitimate interest to process your personal data, including a documented balancing of interests, by submitting a request at www.abb.com/privacy.
-
In some cases and if we process your personal data on the basis of statutory requirements, for example, on the basis of tax or reporting obligations, cooperation obligations with authorities or statutory retention periods in order to carry out our contractual and legal responsibilities as an employer, the legal basis for such processing is Art. 6 (1) c) GDPR);
-
In exceptional circumstances and if we process your personal data (including special categories of personal data) for purposes which are not covered by the aforementioned legal bases we may ask your consent in accordance with Art. 6 (1) a) and 9 (2) a) GDPR) as a legal basis for such data processing, for example photos, communications materials and events. Your consent is always on a voluntary basis, so that you are not obliged to provide personal data for such purposes of processing. You can also withdraw your consent at any time in accordance with Art. 7 (3) GDPR without stating reasons with effect for the future. If we ask you for consent in order to use your personal data for a particular purpose, we will remind you that you are free to withdraw your consent at any time and we will tell you how you can do this.
With regard to personal data concerning criminal convictions and offences, we will only process such data where such processing is permitted by applicable (local) law.
6. Which parties do we share your personal data with (in and outside the EEA)?
As part of a global group, we have business relationships with ABB Group companies and external service providers, both within and outside the European Economic Area (EEA), which we may also use to process your personal data as necessary for the purposes described in this notice. We only share your personal data with other ABB affiliates or third parties as necessary for the purposes described in the table below. In addition, when processing your personal data for these purposes through the use of external service providers as data processors (e.g. computer centers, software companies, etc.) these data processors are engaged within the framework of an existing contractual relationship, bound by instructions, and receive your personal data only to the extent and for the period required for the provision of the service.
Where we share your personal data with an affiliate or third party outside the European Economic Area ("EEA"), we always put adequate safeguards in place to protect your personal data. Examples of these safeguards are an adequacy decision of the European Commission (read more here), Standard Contractual Clauses (read more here), Privacy Shield certification (read more here), and the Binding Corporate Rules that some of our suppliers have adopted (read more here). We have taken additional measures for the transfer of data outside the EEA to protect your personal data. If you would like an overview of the safeguards which are in place, please submit a request at www.abb.com/privacy.
Recipient category |
Recipient location |
Purposes |
ABB affiliates and subsidiaries |
See the list of ABB subsidiaries |
The purposes described in section 4, including human resource management, talent management and organizing internal trainings and events. |
ABB customers, distributors, agents and other business partners |
EU/EEA and non-EU/EEA (global) |
The purposes described in section 4, including project placements, carrying out audits, reviews and regulatory checks, customer relationship management and travel and expense management. |
Service providers |
EU/EEA and non-EU/EEA (global) |
IT services, HR and training, payroll and payment processors, professional and advisory services including accountants, auditors, lawyers, insurers, bankers, recruiters, travel agents and other advisors working on ABB’s behalf. |
Pension funds, labor and industry organizations and associations |
EU/EEA and non-EU/EEA (global) |
The purposes described in section 4. |
Potential or actual acquirers of ABB businesses or assets |
EU/EEA and non-EU/EEA (global) |
For the evaluation of the business or assets in question or for the purposes described in section 4. |
Recipients as required by applicable law or legal process, to law enforcement or government authorities, etc. |
EU/EEA and non-EU/EEA (global) |
Where required by applicable law or a legitimate request by government authorities, or a valid legal requirement. |
You may obtain a copy of the safeguards which we use to protect your personal data by submitting a request at www.abb.com/privacy.
7. How long do we process and keep your personal data?
In principle, we process and store your personal data only as long as this is necessary for the processing purposes mentioned in this Notice, until you withdraw your consent (Art. 6 (1) a) GDPR) or until you object to the use of your personal data in case of a legitimate interest being the legal basis for processing (Art. 6 (1) f) GDPR).
However, based on mandatory legislation, ABB must keep certain personal data for a minimum period of time. For example, employment contracts, information about salary payments and reimbursements need to be kept for a minimum period based on local corporate and tax legislation.
At the same time, applicable data protection laws require that we do not keep and process your personal data in an identifiable form for any longer than is necessary for the purpose for which the personal data has been collected and to perform regular reviews in this respect. Through the setting of IT applications and policies we ensure that your personal data is deleted when we no longer need it.
The retention periods for the information that we hold can be found in our Directive Records Management GD/LI-44 (add link) or your local Directive Records. After an applicable retention period has lapsed, we will securely delete your personal data, unless there are specific circumstances that require us to keep such personal data, such as legal or regulatory obligations or to resolve potential disputes.
For more information regarding specific retention periods that apply to your personal data, please submit a request at www.abb.com/privacy.
8. Security and monitoring of ABB systems and sites
ABB takes the security of its data very seriously, including your information and ABB's digital business assets. ABB sees this as a shared responsibility, where it takes the necessary steps to secure such data, and where it expects its staff members to do the same. You can read more about our security measures and your responsibilities [here/ End User Security Policy]
Monitoring of ABB's systems
The use of corporate systems by employees, including telephone (mobile and fixed network) and computer systems (including e-mails and Internet access) is only permitted for business purposes at ABB and private use is therefore expressly prohibited. Information for personal use is collected, monitored and used for business purposes and to maintain IT security measures as required for the security of ABB systems and compliance with ABB Security Group Policy and applicable law. Therefore, your access data may be viewed by ABB when you log into ABB's IT and communications systems using passwords and user accounts for services.
Monitoring will only be performed if and to the extent permitted or required by applicable law and justified for business purposes. The minimum storage periods set forth in Section 7 shall also apply to the resulting log files. This is necessary to detect attempted data misuse and other security incidents and to permit subsequent investigations and actions.
Where permitted by applicable law and internal policies, disciplinary action may be taken. For this purpose, it may be necessary to transfer such personal data to the police or other law enforcement agencies. Investigations and the transfer of information to the relevant authorities will only take place in accordance with applicable law.
CCTV
As explained in this Notice, some ABB buildings and sites use CCTV video surveillance systems to monitor the indoor and outdoor areas of their corporate locations for security and operational purposes. We generally do not retain the footage for more than 14 days unless necessary, e.g. due to a security incident. In general, collective agreements are concluded for the respective sites and regulate further details.
9. Which data protection rights do you have with regards to your personal data?
You are entitled to certain data protection rights regarding your personal data, of which you find a summary in the table below.
Data protection rights |
What it means |
The right to access your data |
You are entitled to ask ABB for an overview of or to obtain a copy of the personal data we hold about you. |
The right to have your data corrected |
You may request immediate correction of inaccurate or incomplete personal data we hold about you. |
The right to have your data erased |
You may request that personal data be erased when it is no longer needed, where applicable law obliges us to delete the data or the processing of it is unlawful. |
The right to restrict data processing |
You have the right to restrict the processing of your personal data in specific circumstances. |
The right to data portability |
You have the right to receive your personal data in a structured, machine-readable format for your own purposes, or to request us to transfer it to a third party. |
The right to object to data processing |
You have the right to object at any time, for reasons arising from your particular situation, to our processing of your personal data based on the legitimate interests. |
The right to withdraw consent |
Where ABB has asked for your consent to process personal data, you may withdraw your consent at any time. |
Please note that the rights described above are not absolute, and that your request cannot always be met entirely. If you want to know more about your data protection rights as well as the conditions and restrictions under which they are available to you, you may want to refer to the Annex to this Notice.
You may request to enforce any of your data protection rights at www.abb.com/privacy.
10. Remedies, contact and further information
If you want to access your personal data, make use of any of your other rights mentioned above or if you have any questions or concerns about how ABB processes your personal data, please contact your Data Protection Officer at privacy@abb.com, or submit your complaint at www.abb.com/privacy.
Should you not be satisfied with our response or believe we are processing your personal data against the law, you have the right to file a complaint in accordance with Art. 77 GDPR with the competent Data Protection Authority in your country of residence or work, or seek a remedy through the courts where you believe an infringement of data protection laws (and your rights) may have taken place.
Date of publication: August 24, 2019
Annex to the Data Protection Notice: Your rights as a data subject
1) Right of access
You have the right to receive from us at any time upon request (text form) information about your personal data processed by us within the scope of Art. 15 GDPR.
This right is limited by the statutory exceptions of § 4 (6) DSG, according to which the right of access is excluded, in particular if the access to personal data and the provision of this information would endanger a business or company secret of the controller or third parties.
2) Right to rectification
You have the right, pursuant to Art. 16 GDPR, to obtain from us the immediate rectification of personal data concerning you, should it be incorrect.
This right is limited by the statutory exceptions of § 4 (2) DSG, according to which in case that the rectification of personal data processed by automated means cannot be carried out immediately because this is only possible at certain times for economic or technical reasons, the processing of the relevant personal data is to be restricted up to this point in time with effect pursuant to Art. 18 (2) GDPR.
3) Right to erasure
You have the right to obtain from us, under the conditions set out in Art. 17 GDPR, the deletion of any personal data relating to you.
These conditions apply in particular if a) the respective processing purpose has been achieved or otherwise ceases to apply, b) we have unlawfully processed your personal data, c) you have withdrawn your consent without another legal basis applying to the data processing, d) you have successfully objected to the data processing or e) in cases where there is an obligation to delete personal data on the basis of EU law or the law of an EU member state to which we are subject.
This right is limited by the statutory exceptions of § 4 (2) DSG, according to which in case that the rectification of personal data processed by automated means cannot be carried out immediately because this is only possible at certain times for economic or technical reasons, the processing of the relevant personal data is to be restricted up to this point in time with effect pursuant to Art. 18 (2) GDPR.
4) Right to restriction of processing
In accordance with Art. 18 GDPR, you can request us to process your personal data only to a restricted extent.
This right exists in particular if a) the correctness of your personal data is disputed, b) you request limited processing instead of deletion under the conditions of a justified right of erasure, c) the data is no longer required for the purposes pursued by us, but you need the data to assert, exercise or defend legal claims or d) the success of an objection is still disputed.
5) Right to data portability
In accordance with Art. 20 GDPR, you have the right to receive from us the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, as well as the right to request us to forward this personal data to another controller.
6) Right to object
In accordance with Art. 21 GDPR, you have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data, which is either based on a public interest pursuant to Art. 6 (1) e) GDPR or a legitimate interest pursuant to Art. 6 (1) f) GDPR.
Upon receipt of your objection notice, we will then cease processing your personal data unless we can prove that there are compelling legitimate reasons for the processing which outweigh your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims. If you object to the processing of your personal data for marketing purposes, we will cease such processing in any case.