This privacy notice for employees ("Privacy notice") applies to all companies in the B&R Group (business units in which B&R Industrial Automation GmbH directly or indirectly holds a majority interest or controls the majority of voting rights). B&R Industrial Automation GmbH is in turn part of the ABB Group (a 100% subsidiary of ABB Asea Brown Boveri Ltd.). The B&R company that employs you is responsible for processing personal data and monitors data processing in accordance with this privacy notice. Furthermore, other B&R subsidiaries can receive and process your data, i.e. this privacy notice also applies accordingly to these B&R companies (a corresponding list can be found on the B&R website.
At B&R, compliance with your data protection rights has the highest priority. This privacy notice explains why and how we collect and process your personal data and what your rights are with regard to this data.
1. Who is responsible for processing your personal data?
In your case, B&R Industrial Automation GmbH, B&R Strasse 1, 5142 Eggelsberg, Austria or the company affiliated with B&R Industrial Automation GmbH with whom you have an employment contract (hereinafter referred to as "employment relationship") will decide, as the "responsible party" within the meaning of the General Data Protection Regulation ("GDPR") and the Austrian Data Protection Act or other applicable national data protection laws at the headquarters of the respective subsidiary, for what and how your personal data will be used in accordance with this privacy notice (hereinafter also referred to as "B&R", "we" or "us").
2. What kind of personal data do we collect and process?
We collect and use personal data that we receive from you in connection with your employment at B&R. In addition, we process personal data that we can obtain from publicly accessible sources or that is lawfully transmitted by other third parties (trade and association registers, press, etc.), insofar as this is necessary for the purposes stated in this privacy notice. We process the following categories of your personal data to the extent required for the purposes of processing in accordance with this privacy notice:
- Personal details and identification information, such as your name, home and business address, home and business telephone number, personal and company email address or other contact information, as well as date and place of birth
- Personal data relating to family and social circumstances, e.g. gender, age, marital status (including names and contact details of relatives)
- Job-related personal data, such as employee number, signature, employment status, social security and tax number, insurance number, place of residence, nationality, photograph, emergency contacts, passport details, work and residence permit, immigration status and visa data
- Qualifications, e.g. qualifications and certifications, including current and past employment, education, training and education courses, resume, files and documents pertaining to education and work experience, contact details of references, results of aptitude tests and interviews and feedback
- Job information and work data, such as position, title, employment contract, personal ID for payroll, supervisor, salary level, current and past performance, employment status, leave of absence information, working time information, training materials, performance and development goals In some cases, we also store the results of aptitude tests, safety reports and accidents and professional feedback.
- Remuneration, allowances, benefits and cost information, such as income data, payroll data, retirement savings account and contributions, non-cash benefits and benefits in kind, bonuses, remuneration, stock options, dependents, heirs or beneficiaries for health care services, bank statements, expense reports and receipts, bank details, credit card data, telephone charges and insurance data.
- Electronic identification data and information (where employees have access to or are affected by systems or applications), e.g. access logs, IT and Internet usage, device identifiers (mobile device ID, PC ID, etc.), registration and login data, IP addresses, tracking and analysis data, records (e.g. mailboxes/call records), postings on corporate platforms (e.g. Yammer), password recovery information, data from IT security tools and RFID data.
- Financial data and other details, such as account information, credit checks, payment details and transactions, investigation data and past disciplinary actions
- Other personal data if such data is entered into our systems and programs by you or others (such as, among others, your colleagues). This includes business documents containing personal information (e.g. inquiries, questions, complaints, orders and related files, emails, reports, contracts, presentations, protocols, work results), photos, images and/or videos. If your personal data in the categories listed below is used at all, it will be collected and processed exclusively in accordance with the laws applicable in your country of residence.
- Special categories of personal data, e.g. membership of religious communities (if required, e.g. for tax purposes); health and medical data, including disability status, special working conditions (e.g. use of a stand-up desk) and medical equipment needed at the place of work, work-related illnesses and injuries, data for assistance in travel emergencies (blood group, medical records, allergies); ethnicity (e.g. if required for diversity purposes); in some cases trade union membership, political opinion and sexual orientation (e.g. when such information is required investigating discrimination cases)
- Data regarding criminal convictions and offenses, e.g. information regarding previous convictions and lists of sanctions, insofar as such information is required for due diligence, in particular a review of criminal history (Know your customer - "KYC") and under money laundering laws (Anti-money laundering - "AML").
If you wish to obtain information about a specific data processing activity, please send a request to www.abb.com/privacy.
3. Why do we use your personal data?
We process your personal data primarily for the purpose of carrying out and fulfilling our employment relationship with you. Within the framework of the employment relationship between you and us, you must provide personal data that is necessary for the initiation, execution or termination of the employment relationship and for the fulfillment of the associated contractual obligations or that we are legally obliged to collect.
Without processing certain personal data, B&R will generally not be able to enter into, maintain or terminate an employment relationship with you or to take contractual or legal action at your request. If you do not provide certain personal data, B&R may not be able to process your personal data at your request in connection with your employment, or you may not be able to exercise your employee or social security rights. If you are requested to provide us with personal data about yourself, we will indicate which personal data is required, which personal data can be provided voluntarily and on what legal basis it will be processed.
In particular, we process the personal data listed above for the following purposes:
- Personnel management, including organization and personnel administration, work time management, improvement and maintenance of effective personnel administration, internal personnel analysis, reporting and planning
- Personnel transfer management of various subsidiaries and succession planning
- Payroll, compensation and performance management, including the provision of social services and the maintenance of salary, compensation, allowances, benefits, insurances, pensions and appraisals
- Talent management and acquisition, including recruitment, assessment of suitability and work ability, background checks and verification of qualifications, procurement and provision of references
- Management of development and further education measures including certifications, employee training and conducting surveys and studies on employee satisfaction
- Work procedures and processes related to starting and ending a work relationship, including internal transfers or terminations
- Sick leave or other leave of absence and holiday administration
- Internal health and safety programs, including occupational health and safety and accident records or reports and process quality management
- Travel and expense management and organization of business trips, including monitoring travelers for assistance in case of safety or medical emergencies; provision of training in travel safety, health and security and, on a voluntary basis, assistance with security support in the case of an emergency
- Fulfilling obligations and exercising specific rights in the field of labor and social security law or, for example, a collective agreement
- Internal and external communication of the B&R organization and representation of B&R, including entries in the commercial register and assignment of powers of attorney
- Organization of B&R events and their documentation, including management and organization of internal, non-advertising campaigns, events and meetings
- Managing B&R assets, including images and videos that represent employees and other people and can be downloaded via B&R's intranet, B&R's website, etc.
- Financial and joint settlement services that provide record to report, order to cash and purchase-to-pay services
- Reorganization, purchase or sale of activities, business units and companies.
- Annual reports, statistics and analyses
- Monitoring and verifying compliance with ABB and B&R corporate guidelines, contractual obligations and legal requirements through employee activities in the workplace, including disciplinary measures
- Conducting audits, reviews and regulatory checks to fulfill obligations to regulatory authorities
- Control, risk and compliance, including compliance with laws, rules of law enforcement agencies, courts and regulatory authorities (such as the process of verifying customer identities ("KYC"), measures to prevent money laundering ("AML"), compliance with customs and international trade regulations, rules for conflicts of interest and security obligations) and the prevention, detection, investigation and resolution of crime and fraud or other prohibited activities, or to protect, establish, exercise or defend legal rights and claims
- To manage customer relationships, execute customer orders and provide customer service, processing and to evaluate and respond to inquiries and requests
- To manage suppliers, contractors, consultants and other professional experts, including interaction with contacts, processing and fulfilling purchases and invoices and contract lifecycle management
- Use of work services and products and for references to documents such as drawings, orders, purchase orders, invoices, reports
- Access control systems with electronic entry and/or exit control for authorized persons in restricted areas and local attendance list for emergencies
- Intrusion detection systems including third-party monitoring of coercion, property, internal security, supporting surveillance monitors for site monitoring/automated systems
- Maintaining and protecting the security of products, facilities, services, systems, networks, computers and information, preventing and detecting security threats, fraud or other criminal or harmful activities and ensuring business continuity
- Management of IT resources, including infrastructure management, such as data protection, data systems support and application management service activities, end user support, testing, maintenance, security (response to security incidents, risks, vulnerabilities, data breaches), master data and areas of activity including user account management, software licensing, security and performance testing and business continuity
We only collect the personal data required for the above purposes. Some of your collected personal data concerns your relatives and emergency contacts. In these cases, we ask that you inform them of this privacy notice.
We may also collect your personal data anonymously so that you cannot be identified directly or indirectly by this data, and subsequently use this data for further processing purposes, including statistical purposes, improving our services and reviewing our IT systems.
If you work at the location of a third party (e.g. the property or facility of a B&R customer), it is possible that this third party, as the data controller, may collect and process your data for their own purposes. In such cases, you will receive or be able to request a separate privacy notice from that external data controller.
4. On what legal basis do we process your personal data?
We process your personal data for the purposes described above (in Question 3) in accordance with the provisions of the GDPR and the Austrian Data Protection Act, especially in accordance with the following applicable legal bases:
- We primarily process your personal data for the purpose of establishing, implementing or terminating the employment relationship with you as well as for the enforcement of rights and the fulfillment of obligations arising from your employment contract with us on the legal basis of Art. 6 (1) b) of the GDPR.
- If we process your personal data (including special categories of personal data) in order to exercise rights or fulfill legal obligations arising from employment, social security and social protection law, the legal basis for this data processing is Art. 6 (1) c) and Art. 9 (2) b), f) and h) of the GDPR.
- If we process your personal data (including special categories of personal data) for the purposes of health care, occupational medicine or the assessment of your ability to work, and if this processing is carried out by health care professionals or other persons subject to professional secrecy, the legal basis is Art. 9 (2) h) of the GDPR.
- In cases in which we process your personal data on the basis of other legal provisions and obligations, for example, with regard to allowances and tax, reporting or notification obligations, cooperation obligations with authorities or legal retention periods in order to fulfill our other contractual and legal obligations as an employer and company, the legal basis for this processing is Art. 6 (1) c) of the GDPR.
- In the event that vital interests of the data subject or another natural person make it necessary to process personal data, Art. 6 (1) d) and Art. 9 (2) c) of the GDPR be the legal basis (e.g. notification of an accident on the premises of B&R).
- Where required, we process your personal data within the scope of our employment relationship with you in order to safeguard our legitimate interests or those of third parties. This is done in the context of balancing interests in accordance with Art. 6 (1) f) of the GDPR, according to which processing is permissible if it is necessary to safeguard legitimate interests and if the interests or basic rights and freedoms of the data subject, which require the protection of personal data, do not prevail. Such legitimate interests may include the following processing purposes:
- Monitoring (e.g. by IT systems), checking and ensuring compliance with legal and regulatory standards and ABB's and B&R's internal specifications and guidelines
- Prevention of fraud and criminal activity, including verification of such activity, misuse of B&R's assets, products and services and where strictly necessary and appropriate to ensure network and data security
- Establishment, exercise and defense of legal claims by and against B&R in connection with your work tasks and obligations at B&R
- Transfer of personal data within the B&R Group for internal administrative purposes, wherever necessary, for example, to provide decentralized services
To obtain a copy of our assessment of our legitimate interest in processing your personal data, including documented balancing of interests, please send a request to www.abb.com/privacy.
In exceptional cases and insofar as we process your personal data (including special categories of personal data) for purposes that are not covered by the aforementioned legal bases, we will ask you, in accordance with Art. 6 (1) a) and Art. 9 (2) a) of the GDPR, for your consent as the legal basis for processing your personal data, for example when using photographs or video recordings that explicitly affect you. Your consent is always given on a voluntary basis so that you are not obliged to provide this data and need not fear any disadvantages if you refuse to give your consent. You can also withdraw your consent at any time per Art. 7 (3) of the GDPR without providing reasons with future effect. If we ask for your consent to the purpose-related use of your personal data, we will inform you of your right to object and about the possibility to exercise your right to object.
We will only process personal data relating to criminal convictions or offenses in accordance with (locally) applicable law.
5. Who receives and processes your personal data (within and outside the EU and EEA)?
As part of a global corporation, we have business relationships with companies in the B&R and ABB Group and external service providers, both within and outside the European Economic Area (EEA), which we may also use to process your personal data. We will generally only share your personal data with other B&R companies or third parties if this is necessary for the purposes listed in the table below.
In this regard, your personal data may also be made available to companies of the B&R Group in countries within and outside of the EEA for the aforementioned processing purposes. In addition, when processing your personal data for the aforementioned purposes, we may use external service providers as data processors (e.g. computer centers, software companies and marketing automation providers). They are generally used with binding instructions within the framework of an existing contractual relationship and receive your personal data only to the extent and for the period of time required to provide the service.
If we share your personal data with a B&R company or third party and it is transferred or becomes accessible outside of the European Union ("EU") and the European Economic Area ("EEA") or outside the country of the employer's location, we will protect your personal data with appropriate safeguards. Examples of such safeguards include a determination of suitability by the European Commission or Standard Contractual Clauses. We have taken additional measures to protect your personal data during transfers from within the EU, EEA or outside the country of the employer's location. If you would like an overview of the safeguards applied, please send a request to www.abb.com/privacy.
Companies and subsidiaries affiliated with B&R
List of B&R subsidiaries (see the B&R website)
The purposes stated under Question 3, including human resources management, talent management and the organization of internal training and events
B&R customers, wholesalers, representatives and other business partners
EU/EEA and non-EU/EEA (global)
The purposes stated under Question 3, including project assignments, conducting audits, reviews and regulatory checks, customer relationship management and travel expense reporting
EU/EEA and non-EU/EEA (global)
IT services, HR and training, payroll accounting, payment processors, professional and consulting services including accountants, auditors, lawyers, insurers, banks, recruiters, travel agencies and other consultants hired by B&R
Retirement funds, workers' and industry organizations and associations
EU/EEA and non-EU/EEA (global)
The purposes stated under Question 3
Potential or actual buyers of B&R business units or assets
EU/EEA and non-EU/EEA (global)
For the evaluation of the companies or assets concerned, or for the purposes stated under Question 3
Recipients required according to applicable law or in the context of legal proceedings, such as prosecutors and authorities
EU/EEA and non-EU/EEA (global)
Where required by applicable law, legitimate requests from public authorities or according to applicable legal requirements
If you would like an overview of the safeguards applied to protect your personal data, please send a request to www.abb.com/privacy.
6. How long do we process and store your personal data?
We generally process and store your personal data only as long as is necessary for the processing purposes stated in this notice, until you withdraw your consent granted under Art. 6 (1) a) of the GDPR or until you object to the use of your personal data if a legitimate interest is the legal basis for processing (Art. 6 (1) f) of the GDPR).
However, legal provisions require B&R to store certain personal data for minimum retention periods. This concerns, for example, employment contracts, information about remuneration and reimbursement of costs, for which minimum retention periods apply on the basis of company and tax law regulations.
At the same time, the applicable data protection laws require that we store and process your personal data in a form that identifies you for no longer than is necessary for the purpose for which the personal data was collected and that we carry out regular checks in this regard. Through settings in IT systems and guidelines, we ensure that your personal data is deleted as soon as it is no longer needed.
The retention periods for the information we store can be found under Corporate regulations or in your local company policy. After an applicable retention period has expired, we will ensure that your personal data is deleted or made anonymous, unless there are special circumstances that oblige us to retain this personal data, e.g. legal or regulatory requirements or legal disputes related to your employment.
For further information about the retention periods applicable to your personal data, please send a request to www.abb.com/privacy.
7. What rules apply to the processing of your personal data in the context of security and surveillance of B&R systems and locations?
At B&R, data security for company data, personal data and digital assets of the company has the highest priority. B&R views data security as a shared responsibility. B&R takes the necessary precautions for data protection and expects the same from all employees. Here, you can read more about our data security measures and your obligations: End user security policy.
Monitoring company systems
Use of the company systems by employees, including telephone (cellular and landline) and computer systems (including email and Internet access) is only permitted for business purposes at B&R. Private use is therefore only permitted until withdrawn to the extent that the business obligations are not neglected. Information regarding personal use of the company systems is collected, monitored and used for business purposes and to maintain IT security measures, provided that this is required to ensure the security of B&R systems and compliance with the B&R security policy under applicable law. It is therefore possible that your access data can be viewed by B&R when you log in to B&R's IT and communication systems using passwords and user accounts for services.
Monitoring shall only be carried out if and to the extent permitted or required by applicable law and justified by business purposes. The minimum storage periods according to Question 6 also apply to the resulting log files. This is necessary to detect cases of attempted data misuse and other security incidents and to allow subsequent investigations and subsequent action.
To the extent permitted by applicable law and internal guidelines, disciplinary action will follow where appropriate. This may require such personal data to be passed on to the police or other law enforcement agencies. Information is only evaluated and transferred to the relevant authorities if this is in accordance with applicable law.
As explained in this privacy notice, some B&R buildings and locations use CCTV video surveillance systems to monitor the interior and exterior of the respective company location for security and operational purposes. As a general rule, we do not keep the film material for longer than 7 days, unless this is necessary, e.g. due to a security incident. Further details are regulated by works agreements that are concluded for the respective locations.
8. Which rights do you have with regard to your personal data?
If you have questions about data protection, complaints about how we are handling your personal data or wish to exercise the rights of data subjects listed below, you can contact us at www.abb.com/privacy. Under certain circumstances, we may have to restrict these rights of data subjects in order to safeguard the public interest (e.g. the prevention or detection of criminal offenses) or our business interests (e.g. maintaining legal privilege). Should you not be satisfied with our response or believe we are processing your personal data unlawfully, you may also contact the Data Protection Authority in your country of residence or work or in which you believe the data breach may have taken place in accordance with your right to lodge a complaint per Art. 77 of the GDPR. In addition to your right to lodge a complaint, you also have the following rights:
- Right to information: In accordance with Art. 15 of the GDPR, you have the right to receive information from us regarding your personal data that we process at any time upon request (in text form). This right is limited by the exceptions of Art. 4 (6) of the Austrian Data Protection Act, according to which the right of information is not applicable in particular if the provision of this information would endanger a business or trade secret of the data controller or of a third party.
- Right to rectification: In accordance with Art. 16 of the GDPR, you have the right to request that we rectify your personal data without delay if it is incorrect. This right is subject to the restrictions set out in Art. 4 (2) of the Austrian Data Protection Act, according to which, in the event that the correction of personal data processed with the aid of automation cannot be carried out immediately because it is only possible at certain times for economic or technical reasons, the processing of the personal data in question must be restricted with the effect of Art. 18 (2) of the GDPR until this point in time.
- Right to erasure: You have the right to request us to delete your personal data under the conditions set out in Art. 17 of the GDPR. These conditions are particularly met if a) the respective processing purpose has been achieved or otherwise ceases to apply, b) we have processed your data unlawfully, c) you have withdrawn your consent without the data processing being able to be continued on another legal basis, d) you successfully object to the data processing or e) in cases where there is an obligation to delete the data on the basis of EU law or the law of an EU member state to which we are subject. This right is subject to the restrictions set out in Art. 4 (2) of the Austrian Data Protection Act, according to which, in the event that the deletion of personal data processed with the aid of automation cannot be carried out immediately because it is only possible at certain times for economic or technical reasons, the processing of the personal data in question must be restricted with the effect of Art. 18 (2) of the GDPR until this point in time.
- Right to restrict processing: In accordance with Art. 18 of the GDPR, you can request that we only process your personal data to a limited extent. This right exists in particular under the conditions that a) the accuracy of the personal data is disputed, b) you request limited processing instead of deletion under the conditions of a justified request for deletion, c) the data is no longer necessary for the purposes we pursue, but you need the data to assert, exercise or defend legal claims, or d) the success of an objection is still disputed.
- Right to data portability: In accordance with Art. 20 of the GDPR, you have the right to receive your personal data that you provided us in a structured, common, machine-readable format, as well as the right to have us transfer this data to another data controller.
- Right to object: In accordance with Art. 21 of the GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data, either in the public interest or to safeguard our legitimate interests. Thereafter, we will stop processing your personal data unless we can prove compelling reasons for processing your personal data that are worthy of protection, which outweigh your interests, rights and freedoms or unless such processing serves to assert, exercise or defend legal claims. If you object to the processing of your personal data for marketing purposes, we will stop processing your data in any case.
9. Updates to this document
This Privacy Notice may be updated from time to time as a result of required developments. In case of such updates, we will undertake necessary actions to inform you about them depending on the importance of changes done. If and where required by applicable laws we will also ask for your consent to any material Privacy Notice changes describing our up-to-date practices. Please check the "date of publication" to see when this Privacy Notice was updated.
Date of publication: February 15, 2021