This privacy notice for suppliers ("Privacy notice") applies to the B&R Group, i.e. B&R Industrial Automation GmbH and any company in which B&R Industrial Automation GmbH directly or indirectly holds a majority interest or owns or controls the majority of voting rights. B&R Industrial Automation GmbH is in turn part of the ABB Group (a 100% subsidiary of ABB Asea Brown Boveri Ltd.). The B&R company that you are in communication with or to which you deliver goods or provide services (hereinafter referred to as "B&R") is responsible for processing your personal data and controls its use in accordance with this privacy notice.
At B&R, protecting your personal data is a top priority. This privacy notice explains how we process your personal data and what rights you have in relation to your personal data.
1. Who is responsible for processing your personal data?
B&R Industrial Automation GmbH and all B&R subsidiaries are responsible for your personal data. In accordance with applicable data protection laws, the B&R subsidiary that is in communication with you or to which you deliver goods or for which you provide services is responsible for processing your personal data. Furthermore, other B&R subsidiaries may receive and process your data, either as the data controller or the data processor. Accordingly, this privacy notice applies equally to them.
In your case, B&R Industrial Automation GmbH, B&R Strasse 1, 5142 Eggelsberg, Austria or the respective company affiliated with B&R Industrial Automation will decide, as the "data controller" within the meaning of the General Data Protection Regulation ("GDPR") and the Austrian Data Protection Act or other applicable national data protection laws at the headquarters of the respective subsidiary, for what and how your personal data will be used in accordance with this privacy notice (hereinafter also referred to as "B&R", "we" or "us").
2. What kind of personal data do we collect and process?
We collect and use the personal data that we receive from you within the scope of or in connection with the agreements with our suppliers or an existing business relationship with you or your company (hereinafter: "you"). We may also process personal data that we receive from you either as a result of your contact request, a specific precontractual inquiry or a registration for a specific event via our websites, by email or telephone or at a trade fair or product event. In addition, to the extent required for the purposes stated in this privacy notice, we process personal data that we can obtain from publicly available sources or that is lawfully transmitted by other third parties (e.g. a credit agency), such as commercial register data or creditworthiness data.
We process the following categories of your personal data to the extent required for the purposes of processing in accordance with this privacy notice:
- Identification data and business contact information that you provide us with, such as first name, last name, profession / position / title, nationality, business email address, business address, telephone, cell phone and fax numbers, private telephone number, gender, date of birth
- Additional information that you provide us with in the course of our business relationship, such as data that correlates with fulfilling our contractual obligations and precontractual measures, including correspondence data, offers, quotes, resume, conditions, contract and order data, invoices, payments, business partner history, records of inquiries / questions / complaints / orders. To a certain extent, this information may also include your interests in B&R products, marketing preferences and registration information provided at training sessions, events or trade fairs, etc.
- Electronic identification data and information collected from communications systems, IT applications and web browsers (provided that the supplier has access to or is affected by such systems or applications and in accordance with applicable laws), such as use of information technology (system access, IT and Internet use), device identification (mobile device ID, PC ID), registration and login information, IP address, access data and log files, analysis ID, time and URL, search queries, website registration records and cookie data, sound recordings (e.g. voice message / phone call recordings, Skype recordings).
The types of personal data listed below will be collected and processed, if at all, only in accordance with the local laws applicable in your country of residence, to the extent that they are relevant depending on the agreements with our suppliers.
- Data regarding criminal convictions and offenses, e.g. information regarding previous convictions and lists of sanctions, insofar as such information is required for due diligence, in particular a review of criminal history (Know your customer - "KYC") and under money laundering laws (Anti-money laundering - "AML").
If you wish to obtain information about a specific data processing activity, please send a request to www.abb.com/privacy.
3. Why do we use your personal data?
We process your personal data primarily for the purpose of carrying out and fulfilling our business and contractual relationships with you. Within the framework of this business and contractual relationship between you and us, you must provide the personal data necessary for the initiation, execution or termination of contracts with our suppliers and for the fulfillment of the associated contractual obligations or that we are legally obliged to collect and process (e.g. tax laws).
In particular, we process the personal data listed above for the following purposes:
- Supplier and service provider management throughout the supply chain, including contact interaction, bid processing, contracting, order processing, processing and execution of procurement transactions, administration and management of suppliers, vendors, contractors, consultants and other commercial professionals
- Settlement of liabilities, management of supplier invoices and payments, purchase of direct and indirect services
- Reporting and analysis, including market information and the development and improvement of services or products by evaluating and analyzing this information.
- Process quality management
- References to documents such as quotes, orders, invoices and reports
- Contract life cycle management
- Collection and insolvency proceedings
- Supplier training
- Financial and joint accounting services that include records of reporting, purchase and payment of services
- Reorganization, purchase or sale of activities, business units and companies.
- Monitoring and auditing compliance with company guidelines, contractual obligations and legal requirements of B&R (including conflict commodities)
- Conducting audits, reviews and regulatory checks to fulfill obligations to regulatory authorities
- Governance, risk and compliance, including obligations relating to due diligence and anti-money laundering ("AML"), customs duties and compliance with international trade regulations and review of sanctions lists, security, including prevention, detection of crime and fraud
- Maintaining and protecting the security of products, facilities, services, systems, networks, computers and information, preventing and detecting security threats, fraud or other criminal or harmful activities
- Managing IT resources, including infrastructure management such as data protection, data systems support and application management service activities, end user support, testing, maintenance, security (response to security incidents, risks, vulnerabilities, data breaches), user account management, software licensing, security and performance testing and business continuity
We only collect the personal data from you that we require for the purposes described above. For statistical purposes, to improve our services and to test our IT systems, we use anonymous data as much as reasonably possible. This means that you can no longer be directly or indirectly identified as an individual using this data.
4. What happens if you do not provide us with the personal data we request or if you ask us to stop processing your data?
In the case of processing operations in direct relationship to agreements with our suppliers (as described above), B&R is not in a position to adequately establish, maintain or terminate a business relationship with you or your company and generally to fulfill the purposes described above without certain personal data. Although we cannot oblige you to provide us with your personal data, please bear in mind that your refusal could have consequences that may result in a negative impact on the business relationship. We would not be able to take requested precontractual or contractual measures to conclude or fulfill a contract with you, for example, or establish and continue the business relationship you have requested.
5. On what legal basis do we process your personal data?
We process your personal data for the purposes described above (in Question 3) in accordance with the provisions of the GDPR and the Austrian Data Protection Act, especially in accordance with the following applicable legal bases:
- Insofar as we process your personal data for the fulfillment of contractual obligations arising from contracts concluded with you or your company or within the framework of precontractual measures, the legal basis for such data processing is Art. 6 (1) b) of the GDPR.
- Insofar as we process your personal data on the basis of legal requirements or official measures, for example, with regard to tax or reporting obligations, cooperation obligations with authorities, legal retention periods or the disclosure of personal data within the scope of official or judicial measures for taking evidence, prosecuting or enforcing civil law claims, the legal basis for such data processing is Art. 6 (1) c) of the GDPR.
- Where required, we process your personal data within the scope of concrete supply contracts and/or an existing business relationship with you or your company to safeguard legitimate interests (ours and those of third parties). This is done in the context of balancing interests in accordance with Art. 6 (1) f) of the GDPR, according to which processing is permissible if it is necessary to safeguard legitimate interests and if the interests or basic rights and freedoms of the data subject, which require the protection of personal data, do not prevail. Such legitimate interests may include the following processing purposes:
- Implementation, management, development and promotion of our business in the broadest sense, including the supply of products and services, fulfillment of agreements and management of orders with suppliers, processing and execution of purchases, process quality management and improvement of products or services, analytics and market intelligence, reduction of default risks in our procurement processes and reorganization, acquisition and sale of activities, divisions and companies
- Monitoring, checking and ensuring compliance with legal, regulatory, normative and ABB and B&R internal specifications and guidelines
- Prevention of fraud and criminal activity, including verification of such activity, misuse of B&R's assets, products and services and where strictly necessary and appropriate to ensure network and data security
- Establishment, exercise and defense of legal claims by and against B&R in connection with the performance of supply contracts with us
- Transfer of personal data within the B&R Group for internal administrative purposes, if required, for example, to provide centralized services
To obtain a copy of our assessment of our legitimate interest in processing your personal data, including documented balancing of interests, please send a request to www.abb.com/privacy.
In exceptional cases and insofar as we process your personal data (including special categories of personal data) for purposes that are not covered by the aforementioned legal bases (e.g. photos, marketing material and events), we require your consent according to Art. 6 (1) a) of the GDPR as the legal basis for such data processing. In accordance with Art. 7 (3) of the GDPR, you can withdraw this consent at any time with future effect. If we send you marketing information via email, e.g. a newsletter, we may require further consent under the applicable law in accordance with Art. 107 (2) of the Austrian Telecommunications Act.
We will only process personal data relating to criminal convictions or offenses in accordance with (locally) applicable law.
6. Who receives and processes your personal data (within and outside the EU and EEA)?
As part of a global corporation, we have business relationships with companies in the B&R Group and external service providers, both within and outside the European Economic Area (EEA), which we may also use to process your personal data. We will only share your personal data with other B&R companies or third parties if this is required for the purposes listed in the table below.
In this regard, your personal data may also be made available to companies of the B&R Group in countries within and outside of the EEA for the aforementioned processing purposes. In addition, when processing your personal data for the aforementioned purposes, we may use external service providers as data processors (e.g. computer centers, software companies and marketing automation providers). They are generally used with binding instructions within the framework of an existing contractual relationship and receive your personal data only to the extent and for the period of time required to provide the service.
If we share your personal data with a B&R company or third party and it is transferred or becomes accessible outside the European Union ("EU") and the European Economic Area ("EEA") or outside the country in which the B&R company controlling your information is located, we will protect your personal data with appropriate safeguards. Examples of such safeguards include a determination of suitability by the European Commission or Standard Contractual Clauses. We have taken additional measures to protect your personal data when it is transferred outside the EU, EEA or the country where the B&R company controlling your data is located. If you would like an overview of the safeguards applied, please send a request to www.abb.com/privacy.
| Recipient category | Location | Purpose |
| --- | --- | --- |
| Companies and subsidiaries affiliated with B&R | See the list of B&R subsidiaries. | The purposes stated in this privacy notice |
| B&R partner companies, distribution partners and dealers | EU/EEA and non-EU/EEA (global) | The purposes stated in this privacy notice |
| Service providers such as IT services, independent dealers, payment processors, rating and evaluation services, commercial and consulting services including accountants, auditors, lawyers, insurers, bankers, recruiters, travel agencies and other consultants or service providers working on behalf of B&R | EU/EEA and non-EU/EEA (global) | The purposes stated in this privacy notice |
| Insolvency administrator or creditor | EU/EEA and non-EU/EEA (global) | Default and insolvency management |
| Potential or actual buyers of B&R business units or assets | EU/EEA and non-EU/EEA (global) | For the evaluation of the companies or assets concerned or for the purposes specified in this privacy notice |
| Recipients required according to applicable law or legal proceedings, such as law enforcement agencies or other authorities | EU/EEA and non-EU/EEA (global) | Where required by applicable law, legitimate requests from public authorities or under applicable legal requirements |
If you would like an overview of the safeguards applied to protect your personal data, please send a request to www.abb.com/privacy.
7. How long do we process and store your personal data?
We generally process and store your personal data only as long as is necessary for the processing purposes stated in this notice, until you withdraw your consent granted under Art. 6 (1) a) of the GDPR or until you object to the use of your personal data if a legitimate interest is the legal basis for processing (Art. 6 (1) f) of the GDPR).
However, legal provisions require B&R to store certain personal data for minimum retention periods. In general, personal data is stored for the duration of the contractual relationship and for a minimum period (usually between 5 and 10 years after the end of the contractual relationship) or for a longer period if this is required by local laws and official requirements.
At the same time, applicable data protection laws require that we store and process your personal data in a form that identifies you for no longer than is necessary for the purpose for which the personal data was collected and that we carry out regular checks in this regard. Through settings in IT systems and guidelines, we ensure that your personal data is deleted as soon as it is no longer needed.
9. Which rights do you have with regard to your personal data?
If you have questions about data protection, complaints about how we are handling your personal data or wish to exercise the rights of data subjects listed below, you can contact us at www.abb.com/privacy. Under certain circumstances, we may have to restrict these rights of data subjects in order to safeguard the public interest (e.g. the prevention or detection of criminal offenses) or our business interests (e.g. maintaining legal privilege). Should you not be satisfied with our response or believe we are processing your personal data unlawfully, you may also contact the Data Protection Authority in your country of residence or work or in which you believe the data breach may have taken place in accordance with your right to lodge a complaint per Art. 77 of the GDPR. In addition to your right to lodge a complaint, you also have the following rights:
- Right to information: In accordance with Art. 15 of the GDPR, you have the right to receive information from us regarding your personal data that we process at any time upon request (in text form). This right is limited by the exceptions of Art. 4 (6) of the Austrian Data Protection Act, according to which the right of information is not applicable in particular if the provision of this information would endanger a business or trade secret of the data controller or of a third party.
- Right to rectification: In accordance with Art. 16 of the GDPR, you have the right to request that we rectify your personal data without delay if it is incorrect. These conditions are particularly met if a) the respective processing purpose has been achieved or otherwise ceases to apply, b) we have processed your data unlawfully, c) you have withdrawn your consent without the data processing being able to be continued on another legal basis, d) you successfully object to the data processing or e) in cases where there is an obligation to delete the data on the basis of EU law or the law of an EU member state to which we are subject. This right is subject to the restrictions set out in Art. 4 (2) of the Austrian Data Protection Act, according to which, in the event that the deletion of personal data processed with the aid of automation cannot be carried out immediately because it is only possible at certain times for economic or technical reasons, the processing of the personal data in question must be restricted with the effect of Art. 18 (2) of the GDPR until this point in time.
- Right to restrict processing: In accordance with Art. 18 of the GDPR, you can request that we only process your personal data to a limited extent. This right exists in particular under the conditions that a) the accuracy of the personal data is disputed, b) you request limited processing instead of deletion under the conditions of a justified request for deletion, c) the data is no longer necessary for the purposes we pursue, but you need the data to assert, exercise or defend legal claims, or d) the success of an objection is still disputed.
- Right to data portability: In accordance with Art. 20 of the GDPR, you have the right to receive your personal data that you provided us in a structured, common, machine-readable format, as well as the right to have us transfer this data to another data controller.
- Right to object: In accordance with Art. 21 of the GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data, either in the public interest or to safeguard our legitimate interests. Thereafter, we will stop processing your personal data unless we can prove compelling reasons for processing your personal data that are worthy of protection, which outweigh your interests, rights and freedoms or unless such processing serves to assert, exercise or defend legal claims. If you object to the processing of your personal data for marketing purposes, we will stop processing your data in any case.
10. Updates to this document
This Privacy Notice may be updated from time to time as developments require. In the event of such updates, we will take the necessary steps to inform you about them, depending on the significance of the changes. If and where required by applicable laws, we will also ask for your consent to any material changes to this Privacy Notice describing our up-to-date practices. Please check the "date of publication" to see when this Privacy Notice was updated.
Date of publication: February 15, 2021