1. Introduction
This Visitor and CCTV Privacy Notice ("Notice") applies to the ABB Group of companies, which means ABB Ltd, Switzerland and each entity in which ABB Ltd, Switzerland, directly or indirectly, has a majority holding or owns or controls the majority of voting rights. The ABB company that is hosting you (referred to as "ABB" or "we"), is responsible for the processing of your personal data and controls how it is used, in accordance with this Notice.
At ABB, respecting your data protection rights is a top priority. This Notice explains how we use personal data about you, how we process such data, and what rights you have regarding your personal data.
2. Who is responsible for the processing of your personal data?
ABB Asea Brown Boveri Ltd and its subsidiary companies are responsible for your personal data. For applicable privacy and data protection laws, the primary controller of your data is the ABB subsidiary company, which is hosting you. Other subsidiary companies of ABB may also receive and process your personal data, either in the capacity of controller or processor and this Notice applies equally to them.
In your case, ABB AG, Brown-Boveri-Straße 3, 2351 Wiener Neudorf, Austria, or any respective company affiliated with ABB AG, decides as "controller" within the meaning of the EU General Data Protection Regulation (“GDPR”) and the Austrian Data Protection Act (Datenschutzgesetz – “DSG”) how and for which purpose your personal data will be used in accordance with this notice (hereinafter: “ABB”, "we" or "us").
3. Which of your personal data do we collect and use?
We collect and use personal data that concerns you and we receive from you in the course of or in connection with your visit. We may also process personal data that we receive from you either because of your contact enquiry, specific pre-contractual enquiry or registration for a specific event via our websites, by e-mail or telephone or at a trade fair, roadshow or other event. In addition, and to the extent necessary for the purposes mentioned in this Notice, we process personal data which we may obtain from publicly accessible sources or which are legitimately transmitted by other third parties such as official register data (e.g. commercial register data).
We may collect the following categories of personal data:
- Identification data and business contact information you share with us, such as first name, last name, job/position/title, business email address, business address, telephone number, mobile telephone number, telefax number, private telephone number, gender, date of birth, vehicle license plate
- Additional information you provide to us related to or during your visit, such as logging details for facilities and locations, employee hosting, purpose of visit, records relating to your visit. To a certain extent this information might also cover your interests in ABB products or marketing preferences in connection with your visit at trainings, events or fairs.
- Image and video recordings from closed circuit television system (CCTV) footage.
- Electronic identification data and information collected by the communications systems, IT applications and website browser (where visitor has access or is affected by such systems or applications), such as information technology usage (system access, IT and internet usage), device identifier (mobile device ID, PC ID), registration and login credentials, IP address, login data and log files, Analytics ID, time and URL, searches, website registration and cookie data.
The below mentioned types of personal data are only collected and processed, if at all, in accordance with applicable local laws in your country of residence and where relevant depending on your visit.
4. Why do we need and use your personal data?
We primarily process your personal data to enter and conduct a business relationship with you or your company (hereinafter: “you”) and to guarantee the security within our offices and premises. As part of this business relationship with you and your visit to our offices and premises, we need to process your personal data which is required by us to perform the contractual and legal obligations associated therewith, or which we are required by law to collect and process (e.g. health and safety or security laws, legal insurance requirements).
We may use your personal data as described above in particular for the following purposes:
- visitor management, registration and visitor access management including related contact interaction;
- health and safety management including medical emergencies;
- closed circuit television system (CCTV) capture for the purposes of public and staff safety, building security and crime prevention and detection;
- access control system providing electronically controlled ingress and/or egress for authorized individuals to locations that have access restrictions and a registry of personnel on site in case of emergencies;
- maintain and protect the security of products, facilities, services, systems, networks, computers and information, preventing and detecting security threats, and fraud or other criminal or malicious activities;
- references on documents, such as drawings, purchase or sales orders, invoices, reports;
- reorganization, acquisition and sale of activities, business units and companies;
- monitoring and auditing compliance with ABB’s corporate policies, contractual obligations and legal requirements;
- carrying out audits, reviews and regulatory checks to meet obligations to regulators; and
- manage IT resources, including infrastructure management including data back-up, information systems’ support and service operations for application management, end user support, testing, maintenance, security (incident response, risk, vulnerability, breach response), master data and workplace including user accounts management, software licenses assignment, security and performance testing and business continuity.
We only collect the personal data from you that we need for the above purposes. For statistical purposes, improvement of our services and testing of our IT systems we only use anonymized data. This means that these data can no longer (in)directly identify you or single you out as an individual.
5. What happens if you do not provide us with the personal data we had asked you for or if you ask us to stop processing your information?
Where it concerns processing operations related to your visit at ABB (as described above), ABB will not be able to adequately ensure the safety of you and other persons in the facility, monitor the security of the facilities or comply with the legal obligations associated with it and generally perform the purposes described above without certain personal data. Although we cannot obligate you to share your personal data with us, please note that this then may have consequences which could affect your visit, such as not being able to allow you to enter certain or all ABB facilities and locations.
6. On which legal basis do we rely?
We use your personal data for the purposes described in this Notice in accordance with the provisions of the GDPR and the DSG, in particular on the following legal bases, as applicable:
- We may process your personal data for the fulfilment of contractual obligations resulting from contracts with you or your company, or as part of pre-contractual measures we take, Art. 6 (1) b) GDPR.
- In some cases, we process your personal data on the basis of legal obligations and statutory requirements, Art. 6 (1) c) GDPR, for example, on the basis of health and safety or security laws, legal insurance requirements, cooperation obligations with authorities, statutory retention periods or the disclosure of personal data within the scope of official or judicial measures required for the purposes of taking evidence, prosecution or enforcement of civil law claims.
- Art. 6 (1) f) GDPR, if processing within our offices and premises is necessary in order to protect the legitimate interests of us or third parties. This requires a weighing of interests pursuant to Art. 6 (1) f) GDPR, according to which a processing of personal data is permissible if it is necessary to safeguard the legitimate interests and does not outweigh the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. We will rely on our legitimate interests to process your personal data within the scope of your visit at ABB, if they do not unduly affect your interests or fundamental rights and freedoms. Our legitimate interests to collect and use the personal data for this purpose are to:
  - conduct, management, development and furtherance of our business in the broadest sense possible including visitor, facilities and locations management, ensuring safety and security, acquisition and sale of activities, business divisions and companies;
  - monitor, investigate and ensure compliance with legal, regulatory, standard and ABB internal requirements and policies;
  - prevent fraud and criminal activity including investigations of such activity, misuse of ABB assets, products and services, and as strictly necessary and proportionate for ensuring network and information security; and
  - transmitting personal data within the ABB group for internal administrative purposes as necessary for example to provide centralized services.

  You may obtain a copy of our assessment of why we may process your personal data for these interests by submitting a request at www.abb.com/privacy.
- If and to the extent we process your personal data in exceptional cases for purposes not covered by the aforementioned legal bases, we may require your consent as legal basis for such data processing, Art. 6 (1) a) GDPR. You may of course withdraw such consent at any time in accordance with Art. 7 (3) GDPR with effect for the future. If and to the extent we send you marketing information by electronic mail, we may also require your further consent according to § 107 (2) Austrian Telecommunication Act (Telekommunikationsgesetz – TKG).
The following applies to the use of photographs or video recordings on which you are depicted (referred to as “recordings”): If we process such recordings for internal and external business purposes, in particular public relations and internal communication, we require your consent pursuant to Art. 6 (1) a) GDPR as legal basis for such data processing, which you may withdraw at any time in accordance with Art. 7 (3) GDPR with effect for the future. The use of such recordings as necessary for the implementation of security measures, in particular through the use on visitor passes, which serve your identification and security on the premises of ABB, are covered by our legitimate interest pursuant to Art. 6 (1) f) GDPR. It may also represent a legitimate interest on our part if recordings are processed for purely internal purposes without appropriate publication (e.g. a group photo for participants of a training course) or if the recordings are made as part of a publicly advertised event and you are not the focus of the recording, but can only be seen together with other persons.
With regard to personal data concerning criminal convictions and offences, we will only process such data where such processing is permitted by applicable (local) law.
7. Which parties do we share your personal data with (in and outside the EEA)?
As part of a global group, we have business relationships with ABB Group companies and external service providers, both within and outside the European Economic Area (EEA), which we may also use to process your personal data as necessary for the purposes described in this Notice. We only share your personal data with other ABB affiliates or third parties as necessary for the purposes described in the table below. In addition, when processing your personal data for these purposes through the use of external service providers as data processors (e.g. facility management or security service providers) these data processors are engaged within the framework of an existing contractual relationship, bound by instructions, and receive your personal data only to the extent and for the period required for the provision of the service.
In the event of suspicion of criminal offences, we may also pass on your personal data to law enforcement authorities. Otherwise, your personal data will only be transferred to third parties if there is a legal basis for this transfer. This may be the case in particular if the police or other security authorities take action within their legal duties of public order and demand access to the video surveillance data.
Where we share your personal data with an affiliate or third party outside the European Economic Area ("EEA"), we always put adequate safeguards in place to protect your personal data. Examples of these safeguards are an adequacy decision of the European Commission, Standard Contractual Clauses, Privacy Shield certification, and the Binding Corporate Rules that some of our suppliers have adopted. We have taken additional measures for the transfer of data outside the EEA to protect your personal data. If you would like an overview of the safeguards which are in place, please submit a request at www.abb.com/privacy.
8. How long do we process and keep your personal data?
In principle, we process and store your personal data only as long as this is necessary for the processing purposes mentioned in this Notice, until you withdraw your consent (Art. 6 (1) a) GDPR) or until you object to the use of your personal data in case of a legitimate interest being the legal basis for processing (Art. 6 (1) f) GDPR).
However, based on mandatory legislation, ABB must keep certain personal data for a minimum period of time. We only keep your personal data for as long as necessary for the purposes described in this privacy notice. In general, your personal data used for visitor management is kept for the duration of 3 to 12 months and is only retained for a longer period of time if required by local laws and regulatory requirements or to defend legal claims. Some of ABB's buildings and sites use CCTV systems to monitor their inside and outside for security and operational purposes. Video surveillance data is deleted after a maximum of 14 days. A longer storage period may be necessary if facts justify the assumption that recordings from a limited period of time show actions which are prosecuted as criminal offences or the use of which is necessary for the assertion of civil claims.
At the same time, applicable data protection laws require that we do not keep and process your personal data in an identifiable form for any longer than is necessary for the purpose for which the personal data has been collected and to perform regular reviews in this respect. Through the setting of IT applications and policies we ensure that your personal data is deleted when we no longer need it.
9. Which data privacy rights do you have with regard to your personal data?
Depending on the jurisdiction in which you are located and in which your personal data is processed, you may have the following rights:
Please note that the rights described above are not absolute, and that your request cannot always be met entirely. If you want to know more about your data protection rights as well as the conditions and restrictions under which they are available to you, you may want to refer to the Annex to this Notice.
10. Remedies, contact and further information
If you have any questions about how we use your personal data or wish to make a complaint about how we handle it, you may contact our Data Protection Officer at privacy@abb.com, or submit your complaint at www.abb.com/privacy.
Should you not be satisfied with our response or believe we are processing your personal data against the law, you may, in accordance with your right of complaint under Art. 77 GDPR, also contact the competent Data Privacy Authority in your country of residence or work or where you believe an infringement of data privacy laws may have taken place.
Date of publication: October 22, 2019
Annex to the Data Protection Notice: Your rights as a data subject
1. Right of access
You have the right to receive from us at any time upon request (text form) information about your personal data processed by us within the scope of Art. 15 GDPR.
This right is limited by the statutory exceptions of § 4 (6) DSG, according to which the right of access is excluded, in particular if the access to personal data and the provision of this information would endanger a business or company secret of the controller or third parties.
2. Right to rectification
You have the right, pursuant to Art. 16 GDPR, to obtain from us the immediate rectification of personal data concerning you, should it be incorrect.
This right is limited by the statutory exceptions of § 4 (2) DSG, according to which in case that the rectification of personal data processed by automated means cannot be carried out immediately because this is only possible at certain times for economic or technical reasons, the processing of the relevant personal data is to be restricted up to this point in time with effect pursuant to Art. 18 (2) GDPR.
3. Right to erasure
You have the right to obtain from us, under the conditions set out in Art. 17 GDPR, the deletion of any personal data relating to you.
These conditions apply in particular if a) the respective processing purpose has been achieved or otherwise ceases to apply, b) we have unlawfully processed your personal data, c) you have withdrawn your consent without another legal basis applying to the data processing, d) you have successfully objected to the data processing or e) in cases where there is an obligation to delete personal data on the basis of EU law or the law of an EU member state to which we are subject.
This right is limited by the statutory exceptions of § 4 (2) DSG, according to which in case that the rectification of personal data processed by automated means cannot be carried out immediately because this is only possible at certain times for economic or technical reasons, the processing of the relevant personal data is to be restricted up to this point in time with effect pursuant to Art. 18 (2) GDPR.
4. Right to restriction of processing
In accordance with Art. 18 GDPR, you can request us to process your personal data only to a restricted extent.
This right exists in particular if a) the correctness of your personal data is disputed, b) you request limited processing instead of deletion under the conditions of a justified right of erasure, c) the data is no longer required for the purposes pursued by us, but you need the data to assert, exercise or defend legal claims or d) the success of an objection is still disputed.
5. Right to data portability
In accordance with Art. 20 GDPR, you have the right to receive from us the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, as well as the right to request us to forward this personal data to another controller.
6. Right to object
In accordance with Art. 21 GDPR, you have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data, which is either based on a public interest pursuant to Art. 6 (1) e) GDPR or a legitimate interest pursuant to Art. 6 (1) f) GDPR.
Upon receipt of your objection notice, we will then cease processing your personal data unless we can prove that there are compelling legitimate reasons for the processing which outweigh your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims. If you object to the processing of your personal data for marketing purposes, we will cease such processing in any case.