Privacy Notice for ASSA ABLOY Opening Solutions

ASSA ABLOY is committed to protecting your personal data. This privacy notice describes:

The types of personal data we collect from you;
How we use that information and why;
Who we share it with and where;
How long we store it for;
Your rights, including how you can contact us if you have additional questions about the processing of your personal data; and
How we can make changes to this notice.

ASSA ABLOY Opening Solutions Sweden AB, 556034-3161 of KUNGSGATAN 71, 632 21, Eskilstuna as “data controller” is responsible for the processing of your personal data.

Questions and answers

Definitions

Terms	Definitions
Personal data	Any information relating to an identified or identifiable natural person.
Processing	Any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage etc.
Legal ground	The grounds that enable PUA to process personal data.
Controller	The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor	A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Third party	A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Third country	Country outside of EU/EEA.
Supervisory authority	An independent public authority which is established by a Member State to monitor compliance with GDPR. In Sweden this is Datainspektionen.
Data Protection Manager (DPM)	Role within ASSA ABLOY to promote compliance with GDPR. DPM is appointed at Group level, division level and regional level.
Data Processing Agreement (DPA)	Agreement between PUA and PUB in cases where PUB processes personal data on behalf of PUA.
Customer B2B	It refers to a legal person or contact person of a legal person whose personal data we process in connection with the purchase of our products and services, e.g. retailer, licensed customer, product recipient.
Customer B2C	It refers to the natural person whose personal data we process in connection with the purchase of our products and services, e.g. In-Home Service Consumer.
Potential customer	It refers to a natural or legal person whose personal data we process in connection with the marketing of our products and services.
Supplier	It refers to a natural or legal person whose personal data we process in connection with them performing a job or delivering a service to us, for remuneration, eg consultant, contact person
Test individuals	It refers to a natural person whose personal data we process in connection with conducting tests of our products and services, e.g. beta testers
Recruitment candidate	It refers to a natural person whose personal data we process in connection with them applying for a position at our company.
Visitor	It refers to a natural person whose personal data we process when they visit one of our premises.

What personal data will we collect?

Customers B2B

Purpose	Personal data	Legal ground	Retention period
Administrate training and certification where ASSA ABLOY Opening Solutions Sweden is controller, and also keep and on request supply the data subject with copies of diploma and certificate	Name Email address Phone number Company Results	Performance of a contract, the data is necessary for us to fulfill obligations in a contract, if the contract was entered into with the data subject Legitimate interest, when concerning a contact person at a customer who is controller. Our interest in administrating training and certification outweighs the data subject’s interest in not having their personal data processed for thos purpose.	During the training + 3 years
Manage data subject’s rights according to GDPR	Name Identifier	Legal obligation, the data is necessary for us to fulfill obligations according to swedish law	During the case + 10 years
Manage personal data breaches according to GDPR	Name Email address Phone number	Legal obligation, the data is necessary for us to fulfill obligations according to swedish law	During the case + 10 years
Manage financial information	Name Email address Phone number Company Registration number	Legal obligation, the data is necessary for us to fulfill obligations according to swedish law	During the financial year to which the data refers + 7 years
Administrate credit reports sole traders for the purpose of assessing the suitability of the firm in connection to any ASSA certification, whereby the financial stability of the firm constitutes an element	Name Email address Phone number Company Financial data Registration number	Legitimate interest, our interest in being able to make financial risk assessments in connection to certifications outweighs the data subject's interest in not having their personal data processed for this purpose. In addition, the processing can be said to be in the data subject's interest in cases where certification is issued.	Deleted directly after decision
Administrate business partner controls in order to assess their suitability in connection with possible business relationships	Name Company commitment Information appearing when searching in screening databases	Legitimate interest or legal obligation, depending on whether or not the obligation to assess business partners follows from EU or Swedish law or not	During the contract period or from business decision + 10 years
Manage dept collection for sole traders	Name Email address Phone number Company Registration number	Legitimate interest, our interest in being able to get paid for our claims outweighs the data subject's interest in not having their personal data processed for this purpose	Until payment is recieved + 3 months
Administrate complaints/claims (where ASSA ABLOY Opening Solutions Sweden is controller)	Name Email address Phone number	Legitimate interest, When concerning a contact person at a customer who is controller. Our interest in being able to manage claims and improve our products outweighs the data subject's interest in not having their personal data processed for this purpose	During the case + 1 year
Manage testing and troubleshooting where ASSA ABLOY Opening Solutions Sweden is controller	Name Email address Phone number	Performance of a contract, the data is necessary for us to fulfill obligations where the data subject is the customer Legitimate interest, When the customer is a company. Our interest in being able to manage claims and improve our products outweighs the data subject's interest in not having their personal data processed for this purpose	While testing or troubleshooting are ongoing
Administrate helpdesk matters	Name Email address Phone number	Legitimate interest - When concerning a contact person at a customer who is controller. Our interest in administrating helpdesk matters outweighs the data subject's interest in not having their personal data processed for this purpose	During the contract period + 6 month
Manage NDA's	Name	Legitimate interest Our interest in ensuring no disclosure outweighs the data subject's interest in not having their personal data processed for this purpose	During the contract period + 10 years
Administrate licenses to be able to give customer, e.g. locksmith, access to systems with high security levels.	Name Social security number Phone number Email address Company	Legitimate interest, When concerning a contact person at a customer who is controller. Our interest in administrating customer licenses outweighs the data subject's interest in not having their personal data processed for this purpose	During the license period + 1 year
Administrate order processing	Name Email address Phone number Address	Legitimate interest, When concerning a contact person at a customer who is controller. Our interest in administrating orders outweighs the data subject's interest in not having their personal data processed for this purpose	During the contract period + 3 years
Enable delivery of goods to end users/consumers	Name Email address Phone number Address	Legitimate interest, Our interest in being able to deliver goods outweighs the data subject's interest in not having their personal data processed for this purpose	Delivery + 10 years
Contact existing customers (B2B) with news letters and marketing, who have not requested the information/signed up for mailings	Name Email address Address Company	Legitimate interest, Our interest in being able to inform our customer about news and/or changes in our products outweighs the data subject's interest in not having their personal data processed for this purpose	If the data subject has requested the information: From opt-out + 1 year (mailings will cease immediately) If the data subject has not requested the information: During contract period + 1 year
Administrate events	Name Email address Phone number Special diets	Legitimate interest, If it concern obligations toward companies or our employees, our interest in being able to conduct events for visitors/employees outweighs the data subject's interest in not having their personal data processed for this purpose Consent, in case participant lists are to be saved for a longer period than specified here	During the event + 1 month
To market our company on our external web	Name Company Picture	Legitimate interest, If it concern obligations towards companies or our employees, our interest in being able to market our company outweighs the data subject's interest in not having their personal data processed for this purpose	During the campaign + 3 month
Administrate customer quotations (B2B)	Name Email address Phone number Company	Legitimate interest, Our interest in processing this information to promote an efficient bidding process outweighs the data subject's interest in not having their personal data processed for this purpose	During the validity period of the quote + 6 month or according to confidentiality agreement in procurement
Administrate customer agreements (B2B)	Name Email address Phone number Company	Legitimate interest, When concerning a contact person at a customer who is controller. Our interest in administrate customer agreements outweighs the data subject's interest in not having their personal data processed for this purpose	During the contract period + 10 years
Manage market research to contact persons at customers	Name E-mail Company Position Survey responses Possibly indirect identifiers in the reports Information regarding whether the person concerned has been asked to participate in the survey	Legitimate interest, Our interest in being able to research new business opportunities outweighs the data subject’s interest in not having their personal data processed for this purpose	Contact information, position, company affiliation and information about invite to the survey: During the contract persiod + 10 years Reports: From the point of receiving the report + 1 year
For access, maintenance and development of the company's IT environment	Name User name	Legitimate interest, Our interest in being able to handle access, maintenance and development of the company's IT environment outweighs the data subject’s interest in not having their personal data processed for this purpose	for as long as it is necessary for the purposes

Customers B2C

Purpose	Personal data	Legal ground	Retention period
To provide, manage and support the In-Home Service	Name home address email address phone number Insurance details information on your digital lock Any additional information you share with us	Performance of contract insofar as the processing is required to fulfill the contractual obligations (e.g. guarantees) towards the data subject.	During the contract period + 10 months
To market our services e.g. through the mobile application, text messages and emails	Name home address email address phone number Any additional information you share with us	Legitimate interest, our interest in being able to market our company outweighs the data subject's interest in not having their personal data processed for this purpose	From the time of collection or last contact + 1 year
To prevent fraud and other abuse	Name home address email address phone number Insurance details information on your digital lock Any additional information you share with us	Legitimate interest, our interest in being able to prevent fraud and other abuse outweighs the data subject's interest in not having their personal data processed for this purpose	During the contract period + 10 years
To establish and defend legal claims	Name home address email address phone number Insurance details information on your digital lock Any additional information you share with us	Legitimate interest, our interest in being able to establish and defend legal claims outweighs the data subject's interest in not having their personal data processed for this purpose	During the contract/warranty period + 10 years
Manage data subject’s rights according to GDPR	Name Identifier	Legal obligation, the data is necessary for us to fulfill obligations according to swedish law	During the case + 10 years
Manage personal data breaches according to GDPR	Name Email address Phone number	Legal obligation, the data is necessary for us to fulfill obligations according to swedish law	During the case + 10 years
Manage financial information	Name Email address Phone number Company Registration number	Legal obligation, the data is necessary for us to fulfill obligations according to swedish law	During the financial year to which the data refers + 7 years
Administrate complaints/claims	Name Email address Phone number	Legitimate interest, When concerning a contact person at a customer who is controller. Our interest in being able to manage claims and improve our products outweighs the data subject's interest in not having their personal data processed for this purpose	During the case + 3 year
Administrate customer agreements	Name Email address Phone number Address	Performance of contract insofar as the processing is required to fulfill the contractual obligations (e.g. guarantees) towards the data subject.	During the contract period + 10 years

Potential customers

Purpose	Personal data	Legal ground	Retention period
Manage data subject’s rights according to GDPR	Name Identifier	Legal obligation, the data is necessary for us to fulfill obligations according to swedish law	During the case + 10 years
Manage personal data breaches according to GDPR	Name Email address Phone number	Legal obligation, the data is necessary for us to fulfill obligations according to swedish law	During the case + 10 years
Administrate marketing mailings to contact person at potential customers (B2B), who have requested the information/signed up for mailings	Name Email address Address Company	Legitimate interest, Our interest in being able to conduct marketing outweighs the data subject's interest in not having their personal data processed for this purpose	From opt-out + 1 year (mailings will cease immediately)
Administrate an initial marketing mailing/campaign to contact person at potential customer (B2B), who have not requested the information/signed up for mailings	Name Email address Address Company	Legitimate interest, Our interest in being able to conduct marketing outweighs the data subject's interest in not having their personal data processed for this purpose	From the point of collection + 1 month until first contact, then 2 month
Manage market research to contact persons at potential customers	Name E-mail Company Position Survey responses Possibly indirect identifiers in the reports Information regarding whether the person concerned has been asked to participate in the survey	Legitimate interest, Our interest in being able to research new business opportunities outweighs the data subject’s interest in not having their personal data processed for this purpose	Contact information, position, company affiliation and information about invite to the survey: During the contract period + 3 months Reports: From the point of receiving the report + 1 year

Suppliers

Purpose	Personal data	Legal ground	Retention period
Manage data subject’s rights according to GDPR	Name Identifier	Legal obligation, the data is necessary for us to fulfill obligations according to swedish law	During the case + 10 years
Manage personal data breaches according to GDPR	Name Email address Phone number	Legal obligation, the data is necessary for us to fulfill obligations according to swedish law	During the case + 10 years
Manage financial information	Name Email address Address Company Registration number	Legal obligation, the data is necessary for us to fulfill obligations according to swedish law	During the financial year to which the data refers + 7 years
Manage purchasing of goods and services	Name Email address Phone number	Legitimate interest, Our interest in being able to procure new suppliers outweighs the data subject's interest in not having their personal data processed for this purpose	Delivery + 10 years
Manage procurement	Name Email address Phone number	Legitimate interest, Our interest in being able to procure new suppliers outweighs the data subject's interest in not having their personal data processed for this purpose	Contract award decision + 6 months

Test individuals

Purpose	Personal data	Legal ground	Retention period
Documentation to be able to manage beta testing	Name Email address Phone number Address	Legitimate interest, Our interest in being able to perform beta testing outweighs the data subject's interest in not having their personal data processed for this purpose	During test period + 2 years
Manage data subject’s rights according to GDPR	Name Identifier	Legal obligation, the data is necessary for us to fulfill obligations according to swedish law	During the case + 10 years
Manage personal data breaches according to GDPR	Name Email address Phone number	Legal obligation, the data is necessary for us to fulfill obligations according to swedish law	During the case + 10 years

Recruitment candidates

Purpose	Personal data	Legal ground	Retention period
Manage data subject’s rights according to GDPR	Name Identifier	Legal obligation, the data is necessary for us to fulfill obligations according to swedish law	During the case + 10 years
Manage personal data breaches according to GDPR	Name Email address Phone number	Legal obligation, the data is necessary for us to fulfill obligations according to swedish law	During the case + 10 years
Receive, evaluate and decide on job applications	Name Email address Phone number Social security number + CV and personal letter	Performance of contract, the data is necessary for us to be able to fulfill obligations in employment contracts and collective agreements	During recruitment + 2 years

Visitors

Purpose	Personal data	Legal ground	Retention period
Manage data subject’s rights according to GDPR	Name Identifier	Legal obligation, the data is necessary for us to fulfill obligations according to swedish law	During the case + 10 years
Manage personal data breaches according to GDPR	Name Email address Phone number	Legal obligation, the data is necessary for us to fulfill obligations according to swedish law	During the case + 10 years
Manage camera surveillance (CCTV) to secure our premises	Picture	Legitimate interest, Our interest in securing our premises outweighs the data subject's interest in not having their personal data processed for this purpose	From the time of the recording + 30 days
To administrate visits to our premises	Name Phone number Company	Legitimate interest, Our interest in processing this information to be able to inform the person who recieves a visit, and to be able to know who is on our premises outweighs the data subject's/visitors interest in not having their personal data processed for this purpose. In case of fire, we also need to be able to produce an evacuation list	During the visit + 24 hours

Protection of personal data

ASSA ABLOY Opening Solutions Sweden has taken appropriate technical and organizational measures to protect your personal data and to prevent your personal data from being used for illegal purposes or being disclosed to unauthorized persons.

Our employees, and our data processors and sub processors are obligated to follow our internal guidelines for data protection.

Who and where is your personal data transferred to?

We may transfer your personal data for the purposes set out above:

To other companies within the ASSA ABLOY group
To suppliers that provides services within market research
When required by law; and/or
To a buyer or a potential future buyer of our business.

Processors

ASSA ABLOY Opening Solutions Sweden may in some cases use processors who provide services for us, e.g. IT services and security solutions. In these cases, we undertake to have personal data processor agreements with all processors and that these processors comply with the Data Protection Regulation (GDPR).

Third country

ASSA ABLOY Group has companies located in countries outside the EU/EEA. As in some cases these countries have a lower level of protection than that within EU/EEA, when transferring personal data to countries outside the EU/EEA we use standard contractual clauses approved by the European Commission to ensure a sufficient level of protection for your personal data. These Standard Contractual Clauses can be found via the following link: https://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm

Your rights

In relation to the personal data that we hold about you, you have the right to:

Request a copy of your personal data from our records;
Ask that we correct or erase your personal data (though this may mean that we cannot process requests or orders, or that your account expires);
Ask us to stop processing your personal data (for example as regards the use of the data to improve our website), or restrict how we process it (for example if you deem the data to be incorrect);
Request the personal data used to provide you with information you requested, process an order, or manage your account or our relationship in a machine readable format, which you are entitled to transfer to another data controller; and
Withdraw your consent to us processing your data for marketing purposes at any time.

We may not accept a request to erase your personal data where we require it to comply with a legal obligation or in relation to a legal claim.

Requests to exercise your rights should be addressed to "Att: ASSA ABLOY DPM” on our contact page.

If you have a complaint regarding our processing of your personal data you are entitled to report this to relevant supervisory authority or to the supervisory authority where you live or work if different.

How can we make changes to this privacy notice?

We may update this privacy notice from time to time in response to changing legal, regulatory or operational requirements. When we make changes that are not just linguistic or editorial, you will get clear information about the changes.