This privacy notice for visitors ("Privacy notice") applies to the B&R Group, i.e. B&R Industrial Automation GmbH, Austria and any company in which B&R Industrial Automation GmbH directly or indirectly holds a majority interest or owns or controls the majority of voting rights. B&R Industrial Automation GmbH is in turn part of the ABB Group (a 100% subsidiary of ABB Asea Brown Boveri Ltd.). The B&R company whose business premises you enter during your visit, or on which you are staying as a result of an invitation from B&R (event, contract negotiations, etc.) or for the purpose of providing a contractually agreed service (hereinafter referred to as "B&R"), is responsible for processing your personal data and controls its use in accordance with this privacy notice.
At B&R, protecting your personal data is a top priority. This privacy notice explains how we process your personal data and what rights you have in relation to your personal data.
1. Who is responsible for processing your personal data?
B&R Industrial Automation GmbH and all B&R subsidiaries are responsible for your personal data. In accordance with applicable data protection laws, the person responsible for processing your personal data is the B&R subsidiary on whose premises you are located and which communicates with you. Furthermore, other B&R subsidiaries may receive and process your data, either as the data controller or the data processor. Accordingly, this privacy notice applies equally to them.
In your case, B&R Industrial Automation GmbH, B&R Strasse 1, 5142 Eggelsberg, Austria or the respective company affiliated with B&R Industrial Automation GmbH will decide, as the "responsible party" within the meaning of the General Data Protection Regulation ("GDPR") and the Austrian Data Protection Act or other applicable national data protection laws at the headquarters of the respective subsidiary, for what and how your personal data will be used in accordance with this privacy notice (hereinafter also referred to as "B&R", "we" or "us").
2. What kind of personal data do we collect and process?
We collect and use the personal data that we receive from you within the scope of or in connection with your visit to our premises or an existing business relationship with you or your company (hereinafter: "you"). We may also process personal data that we receive from you either as a result of your contact request, a specific precontractual inquiry or a registration for a specific event via our websites, by email or telephone or at a trade fair or product event. In addition, to the extent necessary for the purposes stated in this privacy notice, we process personal data that we can obtain from publicly available sources or that is lawfully transmitted by other third parties (e.g. a credit agency), such as commercial register data or creditworthiness data.
We process the following categories of your personal data to the extent required for the purposes of processing in accordance with this privacy notice:
- Identifying information and business contact details that you provide us with, such as first name, last name, profession / position / title, business email address, postal address, telephone, cell phone and fax numbers, gender, date of birth, vehicle registration number and number of a valid identification document
- Additional information that you provide us with during or in connection with your visit, such as registration details for facilities and sites, visits to an employee, purpose of the visit, records of your visit or data relating to the fulfillment of our contractual obligations and precontractual measures To a certain extent, this information may also include your interests in B&R products, marketing preferences and registration information provided at training sessions, events or trade fairs, etc.
- Image and video recordings on which you are depicted ("recordings") and which are produced by our video surveillance systems (CCTV) or by photographers or B&R employees working on our behalf at events organized by B&R
- Electronic identification data and information collected from communications systems, IT applications and web browsers (provided that the supplier has access to or is affected by such systems or applications and in accordance with applicable laws), such as use of information technology (system access, IT and Internet use), device identification (mobile device ID, PC ID), registration and login information, IP address, access data and log files, analysis ID, time and URL, search queries, website registration records and cookie data, sound recordings (e.g. voice message / phone call recordings, Skype recordings)
If you wish to obtain information about a specific data processing activity, this can be requested from www.abb.com/privacy.
3. Why do we use your personal data?
We process your personal data primarily to carry out and fulfill our business and contractual relations with you and to ensure security in our offices and premises. In the context of this business relationship with you and your visit to our offices and premises, we must process your personal data, which we require in order to fulfill the associated contractual and legal obligations or which we are legally obliged to collect and process (e.g. health and safety laws, statutory insurance requirements).
In particular, we process the personal data listed above for the following purposes:
- Visitor management, management of registration and visitor access, including related contact interactions and references in documents
- Health and safety management, including medical emergencies
- Recording by video surveillance system (CCTV) for the purpose of public and employee safety, building security and the prevention and detection of crime
- Access control systems with electronic entry and/or exit control for authorized persons in places with limited access and attendance list for emergencies
- Maintaining and protecting the security of products, facilities, services, systems, networks, computers and information, preventing and detecting security threats and fraud or other criminal or harmful activities
- Monitoring and auditing of compliance with ABB and B&R's corporate guidelines, contractual obligations and legal requirements
- Conducting audits, evaluations and regulatory checks to ensure compliance with regulatory obligations
- Management of IT resources, including infrastructure management such as data protection, support for data processing systems and service activities for application management, end user support, testing, maintenance, security (response to security incidents/violations, risks, vulnerabilities), master data and areas of activity including user account management, software license allocation, security and performance testing and business continuity.
We only collect the personal data from you that we require for the purposes described above. For statistical purposes, to improve our services and to test our IT systems, we use anonymous data as much as reasonably possible. This means that you can no longer be directly or indirectly identified as an individual using this data.
4. What happens if you do not provide us with the personal data we request or if you ask us to stop processing your data?
In the case of processing operations in connection with your visit to B&R (as described above), without certain personal data, B&R may not be able to adequately ensure your security and the security of other persons in our offices and premises, monitor the security of the premises and its facilities, or fulfill the related legal obligations or the purposes described above in general. Although we cannot oblige you to provide us with your personal data, please be aware that your refusal could have consequences that could negatively affect your visit to our offices and premises or our business relationship. You will not be permitted, for example, to enter certain or any B&R facility or location for security reasons, nor will we be able to take requested precontractual or contractual measures to conclude or fulfill a contract with you.
5. On what legal basis do we process your personal data?
We process your personal data for the purposes described above (in Question 3) in accordance with the provisions of the GDPR and the Austrian Data Protection Act, especially in accordance with the following applicable legal bases:
- Insofar as we process your personal data for the fulfillment of contractual obligations arising from contracts concluded with you or your company or within the framework of precontractual measures, the legal basis for such data processing is Art. 6 (1) b) of the GDPR.
- Insofar as we process your personal data on the basis of legal requirements or official measures, for example, with regard to health and safety laws, legal insurance requirements, cooperation obligations with authorities, legal retention periods or the disclosure of personal data within the scope of official or judicial measures for taking evidence, prosecuting or enforcing civil law claims, the legal basis for such data processing is Art. 6 (1) c) of the GDPR.
- In the event that vital interests of the data subject or another natural person make it necessary to process personal data, Art. 6 (1) d) of the GDPR be the legal basis (e.g. notification of an accident on the premises of B&R).
- Where required, we process your personal data within the scope of your specific visit to our offices and premises, or your stay on our premises, as well as the existing business relationship with you or your company, in order to safeguard legitimate interests (ours and that of third parties). This is done in the context of balancing interests in accordance with Art. 6 (1) f) of the GDPR, according to which processing is permissible if it is necessary to safeguard legitimate interests and if the interests or basic rights and freedoms of the data subject, which require the protection of personal data, do not prevail. Such legitimate interests may include the following processing purposes:
- To conduct, manage, develop and promote our business activities in the broadest sense, including the management of visitors, facilities and sites, ensuring the protection and security of our premises, and the acquisition and sale of activities, businesses and companies
- Monitoring, checking and ensuring compliance with legal, regulatory, normative and ABB and B&R internal specifications and guidelines
- Prevention of fraud and criminal activity, including verification of such activity, misuse of B&R's assets, products and services and where strictly necessary and appropriate to ensure network and data security
- Establishment, exercise and defense of legal claims by and against B&R in connection with your visit and our business relationship
- Transfer of personal data within the B&R Group for internal administrative purposes, if required, for example, to provide centralized services
- To obtain a copy of our assessment of our legitimate interest in processing your personal data, including documented balancing of interests, please send a request to www.abb.com/privacy.
- In exceptional cases and insofar as we process your personal data (including special categories of personal data) for purposes that are not covered by the aforementioned legal bases (e.g. direct marketing), we require your consent under Art. 6 (1) a) of the GDPR as the legal basis for such data processing. In accordance with Art. 7 (3) of the GDPR, you can withdraw this consent at any time with future effect. If we send you marketing information via email, e.g. a newsletter, we may require further consent under applicable law in accordance with Art. 107 (2) of the Austrian Telecommunications Act.
The following applies to the use of images, i.e. photos or video recordings in which you are depicted: If and to the extent that we process such recordings for internal and external business purposes of public relations and internal communication, e.g. at events organized by B&R, we require your consent pursuant to Art. 6 (1) a) of the GDPR as the legal basis for such data processing, which you can withdraw at any time with effect for the future in accordance with Art. 7 (3) of the GDPR. If and insofar as we use such recordings for the implementation of necessary security measures, in particular via video surveillance systems (CCTV) or the creation of visitor identification cards that serve to identify you and ensure your safety on B&R premises, we will also process these recordings to safeguard legitimate interests of ourselves or third parties as part of balancing interests in accordance with Art. 6 (1) f) of the GDPR. Likewise, it may be a legitimate interest on our part if photos are processed for purely internal purposes without corresponding publication (e.g. a group photo for participants in a training course) or are taken as part of a publicly advertised event and you are not the main focus of the photo, but are only to be seen together with other people.
We will process special categories of personal data only in accordance with applicable law and under the following conditions:
- Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent in accordance with Art. 9 (2) f) of the GDPR.
We will only process personal data relating to criminal offenses or criminal convictions based on (locally) applicable law.
6. Who receives and processes your personal data (within and outside the EU and EEA)?
As part of a global corporation, we have business relationships with companies in the B&R Group and external service providers, both within and outside the European Economic Area (EEA), which we may also use to process your personal data. We will only share your personal data with other B&R companies or third parties if this is required for the purposes listed in the table below.
In this regard, your personal data may also be made available to companies of the B&R Group in countries within and outside of the EEA for the aforementioned processing purposes. In addition, when processing your personal data for the aforementioned purposes, we may use external service providers as data processors (e.g. facility management or security companies). They are generally used with binding instructions within the framework of an existing contractual relationship and receive your personal data only to the extent and for the period of time required to provide the service.
In case of suspicion of criminal offenses, we may also pass on your personal data to law enforcement agencies. Otherwise, your personal data will only be transferred to third parties if there is a legal basis for this transfer. This can be the case especially if the police or other security authorities take action in the context of so-called emergency response and demand access to video surveillance data.
If we share your personal data with a B&R company or third party and it is transferred or becomes accessible outside of the European Union ("EU") and the European Economic Area ("EEA") or outside the country in which the B&R company controlling your information is located, we will protect your personal data with appropriate safeguards. Examples of such safeguards include a determination of suitability by the European Commission or Standard Contractual Clauses. We have taken additional measures to protect your personal data when it is transferred outside the EU, EEA or the country where the B&R company controlling your data is located. If you would like an overview of the safeguards applied, please send a request to www.abb.com/privacy.
Companies and subsidiaries affiliated with B&R
List of the B&R subsidiaries.
The purposes stated in this privacy notice
B&R business partner
EU and non-EU
The purposes stated in this privacy notice
EU/EEA and non-EU/EEA (global)
IT services, administrative services for the reception and facility, security services or other service providers working for B&R
Potential or actual buyers of B&R business units or assets
EU/EEA and non-EU/EEA (global)
For the evaluation of the companies or assets concerned or for the purposes specified in this privacy notice
Recipients required according to applicable law or legal proceedings, such as law enforcement agencies or other authorities
EU/EEA and non-EU/EEA (global)
Where required by applicable law, due to legitimate requests from public authorities or legal requirements
7. How long do we process and store your personal data?
In principle, we process and store your personal data only as long as is necessary for the processing purposes stated in this privacy notice, until you withdraw your consent granted under Art. 6 (1) a) of the GDPR or until you object to the use of your personal data if a legitimate interest is the legal basis for processing (Art. 6 (1), f) of the GDPR).
However, legal provisions require B&R to store certain personal data for minimum retention periods. In general, the personal data used for visitor management is stored for a period of 3 to 12 months and is only kept for a longer period if this is necessary due to local laws and official requirements or to defend legal claims. Some of B&R's buildings and locations use video surveillance systems (CCTV) to ensure security and operational procedures in our offices and premises and on our company grounds. Data from the video surveillance is always deleted after a maximum of 7 days. A longer storage period can be used for specific occasions, if facts justify the assumption that recordings from a limited period of time show actions that are prosecuted as criminal offenses or whose use is necessary for the assertion of civil law claims.
At the same time, applicable data protection laws require that we store and process your personal data in a form that identifies you for no longer than is necessary for the purpose for which the personal data was collected and that we carry out regular checks in this regard. Through settings in IT systems and guidelines, we ensure that your personal data is deleted as soon as it is no longer needed.
8. Which rights do you have with regard to your personal data?
If you have questions about data protection, complaints about how we are handling your personal data or wish to exercise the rights of data subjects listed below, you can contact us at www.abb.com/privacy. Under certain circumstances, we may have to restrict these rights of data subjects in order to safeguard the public interest (e.g. the prevention or detection of criminal offenses) or our business interests (e.g. maintaining legal privilege). Should you not be satisfied with our response or believe we are processing your personal data unlawfully, you may also contact the Data Protection Authority in your country of residence or work or in which you believe the data breach may have taken place in accordance with your right to lodge a complaint per Art. 77 of the GDPR. In addition to your right to lodge a complaint, you also have the following rights:
- Right to information: In accordance with Art. 15 of the GDPR, you have the right to receive information from us regarding your personal data that we process at any time upon request (in text form). This right is limited by the exceptions of Art. 4 (6) of the Austrian Data Protection Act, according to which the right of information is not applicable in particular if the provision of this information would endanger a business or trade secret of the data controller or of a third party.
- Right to rectification: In accordance with Art. 16 of the GDPR, you have the right to request that we rectify your personal data without delay if it is incorrect. This right is subject to the restrictions set out in Art. 4 (2) of the Austrian Data Protection Act, according to which, in the event that the correction of personal data processed with the aid of automation cannot be carried out immediately because it is only possible at certain times for economic or technical reasons, the processing of the personal data in question must be restricted with the effect of Art. 18 (2) of the GDPR until this point in time.
- Right to erasure: You have the right to request us to delete your personal data under the conditions set out in Art. 17 of the GDPR. These conditions are particularly met if a) the respective processing purpose has been achieved or otherwise ceases to apply, b) we have processed your data unlawfully, c) you have withdrawn your consent without the data processing being able to be continued on another legal basis, d) you successfully object to the data processing or e) in cases where there is an obligation to delete the data on the basis of EU law or the law of an EU member state to which we are subject. This right is subject to the restrictions set out in Art. 4 (2) of the Austrian Data Protection Act, according to which, in the event that the deletion of personal data processed with the aid of automation cannot be carried out immediately because it is only possible at certain times for economic or technical reasons, the processing of the personal data in question must be restricted with the effect of Art. 18 (2) of the GDPR until this point in time.
- Right to restrict processing: In accordance with Art. 18 of the GDPR, you can request that we only process your personal data to a limited extent. This right exists in particular under the conditions that a) the accuracy of the personal data is disputed, b) you request limited processing instead of deletion under the conditions of a justified request for deletion, c) the data is no longer necessary for the purposes we pursue, but you need the data to assert, exercise or defend legal claims, or d) the success of an objection is still disputed.
- Right to data portability: In accordance with Art. 20 of the GDPR, you have the right to receive your personal data that you provided us in a structured, common, machine-readable format, as well as the right to have us transfer this data to another data controller.
- Right to object: In accordance with Art. 21 of the GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data, either in the public interest or to safeguard our legitimate interests. Thereafter, we will stop processing your personal data unless we can prove compelling reasons for processing your personal data that are worthy of protection, which outweigh your interests, rights and freedoms or unless such processing serves to assert, exercise or defend legal claims. If you object to the processing of your personal data for marketing purposes, we will stop processing your data in any case.
9. Updates to this document
This Privacy Notice may be updated from time to time as a result of required developments. In case of such updates, we will undertake necessary actions to inform you about them depending on the importance of changes done. If and where required by applicable laws we will also ask for your consent to any material Privacy Notice changes describing our up-to-date practices. Please check the "date of publication" to see when this Privacy Notice was updated.
Date of publication: February 15, 2021