This privacy notice for contractors ("Privacy notice") applies to the B&R Group, i.e. B&R Industrial Automation GmbH and any company in which B&R Industrial Automation GmbH, directly or indirectly, holds a majority interest or owns or controls the majority of voting rights. B&R Industrial Automation GmbH is in turn part of the ABB Group (a 100% subsidiary of ABB Asea Brown Boveri Ltd.). The B&R company with which you, your employer or the company through which you are assigned to B&R have a contractual relationship (hereinafter referred to as "B&R") is responsible for processing your personal data and controls its use in accordance with this privacy notice.
At B&R, protecting your personal data is a top priority. This privacy notice explains how we process your personal data and what rights you have in relation to your personal data.
1. Who is responsible for processing your personal data?
B&R Industrial Automation GmbH and all B&R subsidiaries are responsible for processing your personal data. In accordance with applicable data protection laws, the B&R subsidiary with which you, your employer or the company through which you are assigned to B&R have a contractual relationship is responsible for processing your personal data. Furthermore, other B&R subsidiaries may receive and process your data, either as the data controller or the data processor. Accordingly, this privacy notice applies equally to them.
In your case, B&R Industrial Automation GmbH, B&R Strasse 1, 5142 Eggelsberg, Austria or the respective company affiliated with B&R Industrial Automation GmbH will decide, as the "data controller" within the meaning of the General Data Protection Regulation ("GDPR") and the Austrian Data Protection Act or other applicable national data protection laws at the headquarters of the respective subsidiary, for what and how your personal data will be used in accordance with this privacy notice (hereinafter also referred to as "B&R", "we" or "us").
2. What kind of personal data do we collect and process?
We collect and use personal data that we receive from you within the scope of or in connection with service and construction agreements or a contractual relationship with you, your employer or the company through which you are assigned to B&R (hereinafter: "you"). We may also process personal data that we receive from you either as a result of your contact request, a specific precontractual inquiry or a registration for a specific event via our websites, by email or telephone or at a trade fair or product event. In addition, to the extent required for the purposes stated in this privacy notice, we process personal data that we can obtain from publicly available sources or that is lawfully transmitted by other third parties (e.g. a credit agency), such as commercial register data or creditworthiness data.
We process the following categories of your personal data to the extent required for the purposes of processing in accordance with this privacy notice:
- Identification data and business contact information that you provide us with, such as first name, last name, profession / position / title, employer, address of employer, nationality, tax number, information about work permit / visa, business email address, business address, telephone, cell phone and fax numbers, private telephone number, gender, date of birth.
- Additional information that you provide us with in order to fulfill your work order, such as data in connection with fulfilling your work order, our contractual obligations and precontractual measures, including correspondence data, offers, cost estimates, resume, information about background checks, conditions, qualifications / certificates, contract and order data, invoices, payments, business partner history, records of inquiries / questions / complaints / orders, working time records, records of training courses and further education, license plate, insurance data.
- Expense-related information, such as bank statements, payment details, transactions, expense reports and receipts, account information, credit card information.
- Electronic identification data and information collected by communications systems, IT applications and web browsers (provided that the contractor has access to or is affected by such systems or applications and in accordance with applicable laws), such as use of information technology (system access, IT and Internet use), device identification (mobile device ID, PC ID), registration and login information, IP address, login data and log files, analytics ID, digital alias / signature, time and URL, search queries, website registration records and cookie data, sound recordings (e.g. voice messages / phone calls) and RFID data.
- Other personal data that may be entered by you or others in our systems, programs and applications. This also includes business documents containing personal information (e.g. inquiries, questions, complaints, orders and related files, emails, reports, contracts, presentations, minutes, work results), photos, images and/or videos. To a certain extent, this information may also include your interests in B&R products, marketing preferences and registration information provided at training sessions, events or trade fairs, etc.
The types of personal data listed below will be collected and processed, if at all, only in accordance with local laws applicable in your country of residence, to the extent that they are relevant depending on your work order.
- Special categories of personal data, such as work-related health data or data needed for emergency assistance (blood group, medical findings, allergies).
- If we conduct a background check on you as part of the contractor relationship, we will only process this data in accordance with applicable law. Data on criminal convictions and offenses, such as information about previous convictions and sanction lists, are only processed to the extent that is required for a criminal background check according to money laundering laws or other legal obligations.
3. Why do we use your personal data?
We process your personal data primarily for the purpose of carrying out and fulfilling our business and contractual relationships with you. Within the framework of this business and contractual relationship between you and us, you must provide personal data that is required for the initiation, execution or termination of contracts with our contractors and for the fulfillment of the associated contractual obligations or which we are legally obliged to collect and process (e.g. tax laws).
In particular, we process the personal data listed above for the following purposes:
- Personnel planning and management if relevant to your contract on the provision of tasks and/or services, the work order and services you provide directly to B&R within the scope of the contract / work order / service description, including organization and personnel administration, work time management, improvement and maintenance of effective personnel administration, internal personnel analysis, reporting and planning
- Contractor, supplier and service provider management throughout provision, logistics and the supply chain, including contact interaction, bid processing, contracting, order processing, processing and execution of procurement transactions, administration and management of suppliers, vendors, contractors, consultants and other commercial professionals as well as contract lifecycle management
- Training of contractors
- Internal occupational safety programs
- Financial and joint accounting services that include records of reporting, purchase and payment of services
- Use of work services and products and for references to documents such as drawings, orders, purchase orders, invoices, reports
- Reorganization, purchase or sale of activities, business units and companies
- Monitoring and auditing compliance with company guidelines, contractual obligations and legal requirements of ABB and B&R
- Conducting audits, reviews and regulatory checks to fulfill obligations to regulatory authorities
- Maintaining and protecting the security of products, facilities, services, systems, networks, computers and information, preventing and detecting security threats, fraud or other criminal or harmful activities and ensuring business continuity
- Managing IT resources, including infrastructure management, such as data protection, data systems support and application management service activities, end user support, testing, maintenance, security (response to security incidents, risks, vulnerabilities, data breaches), master data and areas of activity including user account management, software licensing, security and performance testing and business continuity
We only collect the personal data from you that we require for the purposes described above. For statistical purposes, to improve our services and to test our IT systems, we use anonymous data as much as reasonably possible. This means that you can no longer be directly or indirectly identified as an individual using this data.
If you work at the location of a third party (e.g. the property or facility of a B&R customer), it is possible that this third party, as the data controller, may collect and process your data for their own purposes. In such cases, you will receive or be able to request a separate privacy notice from that external data controller.
4. What happens if you do not provide us with the personal data we request or if you request us not to use your data?
In the case of processing operations in direct relationship to your work order (as described above), B&R is not in a position to adequately establish, maintain or terminate a business relationship with you, your employer or the company through which you are assigned to B&R and to fulfill the purposes described above without certain personal data. Although we cannot oblige you to provide us with your personal data, please bear in mind that your refusal could have consequences that may result in a negative impact on the work order. We would not be able to take the requested precontractual or contractual measures to conclude or fulfill a contract with you or establish and continue the business relationship you have requested.
5. On what legal basis do we process your personal data?
We process your personal data for the purposes described above (in Question 3) in accordance with the provisions of the GDPR and the Austrian Data Protection Act, especially in accordance with the following applicable legal bases:
- Insofar as we process your personal data for the fulfillment of contractual obligations arising from contracts concluded with you or your company or within the framework of precontractual measures, the legal basis for such data processing is Art. 6 (1) b) of the GDPR.
- Insofar as we process your personal data on the basis of legal requirements or official measures, for example, with regard to tax or notification obligations, cooperation obligations with authorities, legal retention periods or the disclosure of personal data within the scope of official or judicial measures for taking evidence, prosecuting or enforcing civil law claims, the legal basis for such data processing is Art. 6 (1) c) of the GDPR.
- In the event that vital interests of the data subject or another natural person make it necessary to process personal data, Art. 6 (1) d) of the GDPR will be the legal basis (e.g. notification of an accident on the premises of B&R).
Where required, we process your personal data within the scope of concrete supply contracts and/or an existing business relationship with you or your company to safeguard our legitimate interests or that of third parties. This is done in the context of balancing interests in accordance with Art. 6 (1) f) of the GDPR, according to which processing is permissible if it is necessary to safeguard legitimate interests and if the interests or basic rights and freedoms of the data subject, which require the protection of personal data, do not prevail. Such legitimate interests may include the following processing purposes:
- Implementation, management, development and promotion of our business in the broadest sense, including the supply of products and services, fulfillment of agreements and management of orders with suppliers, processing and execution of purchases, process quality management and improvement of products or services, analytics and market intelligence, reduction of default risks in our procurement processes and reorganization, acquisition and sale of activities, divisions and companies
- Monitoring, checking and ensuring compliance with legal, regulatory, normative and ABB and B&R internal specifications and guidelines
- Prevention of fraud and criminal activity, including verification of such activity, misuse of B&R's assets, products and services and where strictly necessary and appropriate to ensure network and data security
- Establishment, exercise and defense of legal claims by and against B&R in connection with the performance of supply contracts with us
- Transfer of personal data within the B&R Group for internal administrative purposes, if required, for example, to provide centralized services
To obtain a copy of our assessment of our legitimate interest in processing your personal data, including documented balancing of interests, please send a request to www.abb.com/privacy.
In exceptional cases and insofar as we process your personal data (including special categories of personal data) for purposes that are not covered by the aforementioned legal bases (e.g. photos, marketing material and events), we require your consent according to Art. 6 (1) a) of the GDPR as the legal basis for such data processing. In accordance with Art. 7 (3) of the GDPR, you can withdraw this consent at any time with future effect. If we send you marketing information via email, e.g. a newsletter, we may require further consent under applicable law in accordance with Art. 107 (2) of the Austrian Telecommunications Act.
We will process special categories of personal data only in accordance with applicable law and under the following conditions:
- You have explicitly given us your consent to process this personal data in accordance with Art. 9 (2) a) of the GDPR.
- Processing such personal data is required for establishing, exercising and defending legal claims in accordance with Art. 9 (2) f) of the GDPR.
- Processing this personal data is necessary to comply with our obligations under applicable employment, social security and social protection law as well as preventive medicine, medical diagnostics or health or social services (e.g. minimum wage laws, employer's liability insurance, etc.) in accordance with Art. 9 (2) b) & h) of the GDPR.
- Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent in accordance with Art. 9 (2) f) of the GDPR.
We will only process personal data relating to criminal convictions or offenses in accordance with (locally) applicable law.
6. Who receives and processes your personal data (within and outside the EU and EEA)?
As part of a global corporation, we have business relationships with companies in the B&R and ABB Group and external service providers, both within and outside the European Economic Area (EEA), which we may also use to process your personal data. We will only share your personal data with other B&R companies or third parties if this is required for the purposes listed in the table below.
In this regard, your personal data may also be made available to companies of the B&R Group in countries within and outside of the EEA for the aforementioned processing purposes. In addition, when processing your personal data for the aforementioned purposes, we may use external service providers as data processors (e.g. computer centers, software companies and marketing automation providers). They are generally used with binding instructions within the framework of an existing contractual relationship and receive your personal data only to the extent and for the period of time required to provide the service.
If we share your personal data with a B&R company or third party and it is transferred or becomes accessible outside of the European Union ("EU") and the European Economic Area ("EEA") or outside the country in which the B&R company controlling your information is located, we will protect your personal data with appropriate safeguards. Examples of such safeguards include a determination of suitability by the European Commission or Standard Contractual Clauses. We have taken additional measures to protect your personal data when it is transferred outside the EU, EEA or the country where the B&R company controlling your data is located. If you would like an overview of the safeguards applied, please send a request to www.abb.com/privacy.
| Recipient category | Location | Purpose |
| --- | --- | --- |
| Companies and subsidiaries affiliated with B&R | | The purposes described in this privacy notice by your B&R manager / supervisor, by B&R Human Resources, B&R Finances, B&R IT Support, ABB Global Business Services Centers (GBSs) supporting Human Resources / Finances / Global Sourcing, as well as the B&R procurement departments dealing with contractors |
| B&R business partners (e.g. temporary employment agencies and recruiters / your employer or the company through which you were assigned to B&R), distributors and dealers | EU/EEA and non-EU/EEA (global) | The purposes stated in this privacy notice |
| Service providers, such as IT services including IT Support, consulting and outsourcing services, independent dealers, payment processors, rating and evaluation services, commercial and consulting services including accountants, auditors, lawyers, insurers, bankers, recruiters, travel agencies and other consultants or service providers working on behalf of B&R | EU/EEA and non-EU/EEA (global) | The purposes stated in this privacy notice |
| Potential or actual buyers of B&R business units or assets | EU/EEA and non-EU/EEA (global) | For the evaluation of the companies or assets concerned or for the purposes specified in this privacy notice |
| Recipients required according to applicable law or legal proceedings, such as law enforcement agencies or other authorities | EU/EEA and non-EU/EEA (global) | Where required by applicable law, legitimate requests from public authorities or under applicable legal requirements |
If you would like an overview of the safeguards applied to protect your personal data, please send a request to www.abb.com/privacy.
7. How long do we process and store your personal data?
We generally process and store your personal data only as long as is necessary for the processing purposes stated in this notice, until you withdraw your consent granted under Art. 6 (1) a) of the GDPR or until you object to the use of your personal data if a legitimate interest is the legal basis for processing (Art. 6 (1) f) of the GDPR).
However, legal provisions require B&R to store certain personal data for minimum retention periods. In general, personal data is stored for the duration of the contractual relationship and for a minimum period (usually between 5 and 10 years after the end of the contractual relationship) or for a longer period if this is required by local laws and official requirements.
At the same time, applicable data protection laws require that we store and process your personal data in a form that identifies you for no longer than is necessary for the purpose for which the personal data was collected and that we carry out regular checks in this regard. Through settings in IT systems and guidelines, we ensure that your personal data is deleted as soon as it is no longer needed.
8. What rules apply to the processing of your personal data in the context of security and surveillance of B&R systems and locations?
At B&R, data security for company data, personal data and digital assets of the company has the highest priority. B&R views data security as a shared responsibility. B&R takes the necessary precautions for data protection and expects the same from all employees.
Monitoring company systems
For business reasons and to maintain IT security measures, information about the use of B&R systems, including telephone (mobile and landline) and computer systems (including email and Internet access), and about the private use of these systems is collected, monitored and used, provided that this is required to ensure the security of B&R systems and compliance with the B&R security policy under applicable law. It is therefore possible that your access data can be viewed by B&R when you log in to B&R's IT and communication systems using passwords and user accounts for services.
Monitoring shall only be carried out if and to the extent permitted or required by applicable law and justified by business purposes. The minimum retention periods according to Question 7 also apply to the resulting log files. This is necessary to detect cases of attempted data misuse and other security incidents and to allow subsequent investigations and subsequent action.
If necessary, the relevant information and personal data will be handed over to the police or law enforcement agencies. Investigations are only carried out and information is only passed on to the relevant authorities in accordance with applicable law.
9. Which rights do you have with regard to your personal data?
If you have questions about data protection, complaints about how we are handling your personal data or wish to exercise the rights of data subjects listed below, you can contact us at www.abb.com/privacy. Under certain circumstances, we may have to restrict these rights of data subjects in order to safeguard the public interest (e.g. the prevention or detection of criminal offenses) or our business interests (e.g. maintaining legal privilege). Should you not be satisfied with our response or believe we are processing your personal data unlawfully, you may also contact the Data Protection Authority in your country of residence or work or in which you believe the data breach may have taken place in accordance with your right to lodge a complaint per Art. 77 of the GDPR. In addition to your right to lodge a complaint, you also have the following rights:
- Right to information: In accordance with Art. 15 of the GDPR, you have the right to receive information from us regarding your personal data that we process at any time upon request (in text form). This right is limited by the exceptions of Art. 4 (6) of the Austrian Data Protection Act, according to which the right of information is not applicable in particular if the provision of this information would endanger a business or trade secret of the data controller or of a third party.
- Right to rectification: In accordance with Art. 16 of the GDPR, you have the right to request that we rectify your personal data without delay if it is incorrect. This right is subject to the restrictions set out in Art. 4 (2) of the Austrian Data Protection Act, according to which, in the event that the correction of personal data processed with the aid of automation cannot be carried out immediately because it is only possible at certain times for economic or technical reasons, the processing of the personal data in question must be restricted with the effect of Art. 18 (2) of the GDPR until this point in time.
- Right to erasure: You have the right to request us to delete your personal data under the conditions set out in Art. 17 of the GDPR. These conditions are particularly met if a) the respective processing purpose has been achieved or otherwise ceases to apply, b) we have processed your data unlawfully, c) you have withdrawn your consent without the data processing being able to be continued on another legal basis, d) you successfully object to the data processing or e) in cases where there is an obligation to delete the data on the basis of EU law or the law of an EU member state to which we are subject. This right is subject to the restrictions set out in Art. 4 (2) of the Austrian Data Protection Act, according to which, in the event that the deletion of personal data processed with the aid of automation cannot be carried out immediately because it is only possible at certain times for economic or technical reasons, the processing of the personal data in question must be restricted with the effect of Art. 18 (2) of the GDPR until this point in time.
- Right to restrict processing: In accordance with Art. 18 of the GDPR, you can request that we only process your personal data to a limited extent. This right exists in particular under the conditions that a) the accuracy of the personal data is disputed, b) you request limited processing instead of deletion under the conditions of a justified request for deletion, c) the data is no longer necessary for the purposes we pursue, but you need the data to assert, exercise or defend legal claims, or d) the success of an objection is still disputed.
- Right to data portability: In accordance with Art. 20 of the GDPR, you have the right to receive your personal data that you provided us in a structured, common, machine-readable format, as well as the right to have us transfer this data to another data controller.
- Right to object: In accordance with Art. 21 of the GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data, either in the public interest or to safeguard our legitimate interests. Thereafter, we will stop processing your personal data unless we can prove compelling reasons for processing your personal data that are worthy of protection, which outweigh your interests, rights and freedoms or unless such processing serves to assert, exercise or defend legal claims. If you object to the processing of your personal data for marketing purposes, we will stop processing your data in any case.
10. Updates to this document
This Privacy Notice may be updated from time to time as developments require. In case of such updates, we will take the necessary steps to inform you about them, depending on the significance of the changes. If and where required by applicable laws, we will also ask for your consent to any material changes to this Privacy Notice describing our up-to-date practices. Please check the "date of publication" to see when this Privacy Notice was updated.
Date of publication: February 15, 2021