Privacy Notice – Personnel General This document describes the processing of personal data in Abloy Oy’s human resources administration. This privacy notice provides the data subject and the supervisory authority with the information required by the European Union’s General Data Protection Regulation (GDPR 679/2016). Privacy notices for M365 (Microsoft office software package) that ASSA ABLOY Group uses can be accessed through ASSA ABLOY’s intranet page. Controller and contact details Name: Abloy OyPostal address: Wahlforssinkatu 20, 80100 Joensuu, Finland.Telephone (exchange): +358 20 599 2501Business ID: 0774324-5Email address: email@example.comThis email address is to be used only for addressing matters related to data protection. For all other matters, the correct contact information can be found from www.abloy.com. Whose data is processed? The data subjects are individuals who are or have been in an employment or managerial relationship with Abloy Oy and, with limited information, temporary agency workers and consultants. What is the purpose and legal basis for processing personal data? The processing of personal data is necessary in order to fulfil the data controller's statutory ob-ligations, to implement an employment or management contract to which the data subject is party, and to fulfil the legitimate interests of the data controller. The processing of personal data of temporary agency workers and consultants is necessary based on the legitimate interests of the data controller in order to fulfil the service agreement. The data controller ensures that processing based on legitimate interests is correctly propor-tional to the interests of data subjects and is in line with their reasonable expectations. Personal data is used to maintain information about data subject's employment relationship with Abloy Oy, exercise the employer's supervisory and direction rights, process and pay com-pensation for travel and other expenses, forward calls and contact, maintain records of working hours, provide occupational healthcare services, manage skills, training and employee benefits, pay salaries, maintain contact with the authorities, compile statistics, process requests for certif-icates and salary information, manage equipments and define information about the access rights to data systems required by employees. Personal data groups of the data subject Purpose of processing a data group Basis of data processing Basic personal data Identification of individuals, granting user and access rights, mailing (e.g. salary certificates), contact (e.g. in emergencies), and statistics Contractual and statutory obligations Legitimate interest of the data controller. Part of the information is necessary to enable ASSA ABLOY to publish your name, photo (if applicable), video (if applicable), and title on ASSA ABLOY's intranet, webpage and in external communication during employment Work contact information Carrying out work-related tasks via email and/or by telephone Contract Legitimate interest of the data controller. The information is necessary to enable the controller to manage an effective protocol in case of emergency situations and crisis management and to enable the controller to publish your business contact details on the controller and ASSA ABLOY's intranet, webpage and in external communication during employment Employment information Basic employment information for payroll accounting, paying compensation for travel and general expenses and maintaining records of working hours. Background information for calculating pensions, collecting employee association fees and compiling statistics Contractual and statutory obligations Photo, video and audio of an employee Usage of photo, video and audio for editorial, commercial, advertising and information purposes. Contract Investigations carried out at the beginning of employment (internal recruitment) Study certificates and other important documents considering the position are verified. The occupational healthcare service provider assesses the applicant’s state of health. Credit information is checked in positions where the applicant is required to show special trust and direct financial responsibility. A concise security clearance or a security officer identity card must be applied for in positions, for which background information needs to be checked. In addition, an aptitude test can be conducted. Legitimate interest of the data controller. The information is necessary in order to succeed in the recruitment process and to assess the applicant’s suitability. The processing of credit information during the recruitment process is based on the applicant’s consent. Introduction information Verifying introduction regarding the employee’s work and working conditions, the correct use of tools and safe working methods Verifying introduction regarding the employee’s work and working conditions, the correct use of equipments and safe working methods IT user Information about equipments and access rights Management of equipments and access rights Legitimate interest of the data controller. By recording IT user information about equipments and access rights, it is ensured that personnel has adequate equipments and access rights with respect to their working tasks. Additionally, the access rights’ traceability is ensured. Salary information and payroll accounting results Payroll accounting, taxation, pensions, statistics and other official purposes Contractual and statutory obligations Information about absences and holidays Management and monitoring of absences and holidays Contractual and statutory obligations Working hours registrations Working hours monitoring and hourly registrations for payroll accounting Contractual and statutory obligations Information about substitute arrangements Defining the right to substitutes and carrying out tasks during substitute arrangements Legitimate interest of the data controller Exposure information regarding carcinogenic working methods and mutagenic substances and compounds. Maintaining a list of employees exposes to carcinogenic working methods and mutagenic substances and compounds and reporting the information gathered to the ASA register. Statutory obligation Discussions of the ability to work Assessing the ability to work after an extended absence Legitimate interest of the data controller and statutory obligation. With discussions of the ability to work, it is ensured whether something can be done at the workplace in order to prevent falling sick. Performance development and Succession planning Defining task-specific goals and preparing a competence development plan and follow up the realization of the plan Legitimate interest of the data controller. An individual’s work and know-how can be improved and his/her personal goals achievement followed based on performance appraisals. Job descriptions Describing the content of tasks and defining the difficulty of tasks in accordance with the collective agreement Legitimate interest of the data controller. The job requirements, as provided in the collective bargaining agreements, affect the salaries directly and are defined in the job descriptions. Culture and exercise benefits Granting and managing employee benefits Agreement and the legitimate interest of the data controller. Personal data is required in order to grant the benefits to the right persons. Work- and training-related travel and expense reports Monitoring working hours during travel and paying travel expense compensation, daily allowances and other expense compensation Legitimate interest of the data controller and statutory obligation. In order to ensure the validity of the payment of travel time pay, daily allowance and reimbursement of expenses. Skills (job qualifications, educational background, trainings during the employment and performance information) Securing the skills required in business activities and tasks To be able to check that necessary trainings have been completed. Contract Legitimate interest of the data controller. Maintaining information related to skills is required in order to ensure adequate know-how in different working tasks and substitution. To enable the controller to publish competences, where necessary, on the controller and ASSA ABLOY's intranet and in external communication during the employment. Contact information of the next of kin Establishing contact in the case of an accident or illness Protecting the vital interests of data subjects Feedback from employees The employer may collect feedback from employees e.g. in order to improve processes and to measure job satisfaction and well-being at work Legitimate interest of the data controller to improve processes and operation and to ensure the job satisfaction and well-being at work of employees. Exit interview information When an employee is leaving, the employer collects information from the leaving employee with an interview to help the employer in developing its activities and in enhancing employer image Legitimate interest of the controller to develop its activities and to enhance employer image Employee information relat-ing to personnel webshop. Delivery, handling, archiving the order Contract The data controller does not carry out any automated decision making. What personal data is processed? Abloy job applicants and employees Personal data group Data content Basic personal data First names, calling name, last name, telephone number (work/home), address, email address (work) Personal identity code, date of birth, ID number (work), gender, native language, nationality. Contact details of a next of kin provided by the person Date of joining the companyPhoto and/or video (if applicable) Work contact information Tasks, work mobile number, extension and substitute arrangements Employment information Bank account, tax card, pension insurance, employee association fee information, basic employment data, fringe benefits, statistical groups, posting data, location and supervisor Photo, video and audio of an employee Marketing photos, marketing videos and audio, webinars, printed materials and electronic materials, other photos and video, written and verbal testimonials and other Works. Exposure information regarding carcinogenic working methods and mutagenic substances and compounds. Names of the exposed employees, personal identity code, occupation and the basis for the exposure information. Investigations carried out at the beginning of employment References, state of health, aptitude test, credit information, security clearance and verification of identity Introduction training information Introduction completed and approved Information about equipments and access rights Information about given and returned equipments, access rights and their approval Salary information and payroll accounting results Euro-denominated hourly and/or monthly salary used as the basis of salary payments Suggestion and invention compensation paid, travel time, alarm and on-call duty compensation, non-recurring items and euro-denominated values of fringe benefits Realised hours and amounts in payroll accounting (salary transactions, gross and net salary, deductions and manual corrections) Information about absences and holidays Sick leave, parental leave, study leave, alternation leave and other absences affecting payroll accounting, accumulated holidays and holiday periods Discussions of the ability to work Discussion date, estimate of factors leading to absence from work, opportunities to prevent such factors and approval Working hours registrations Background settings for working hours registrations, registered working hours and resulting working hours Information about substitute arrangements Substitutes during holidays and absences Educational and work history Education, studies, previous work experience and certificates Performance appraisals Content and date of performance appraisals, goals and competence development plan Job descriptions Most recent revision, position and its content Culture and exercise benefits Granted benefits, validity date and information about specific benefits Skills Skills in tasks, goals and realization of goals. Telephone directory of the ASSA ABLOY Group First and last names, title, company, location of company, address of company, work telephone number, Skype address, department, skills, email, language and photo. Feedback from employees The level of satisfaction, open feedback. Additionally the employee’s name and email address, unless the feedback is collected anonymously. Exit interview information Feedback from induction training, reasons for leaving, overall job and workplace satisfaction Employee information relat-ing to personnel webshop. Name, contact information such as address, email address, phone number and billing and shipping address. Temporary agency workers and consultants Personal data group Data content Basic personal data First names, calling name, last name, date of joining the company Work contact information Tasks, work phone number, work email address Information about equipments and access rights Information about given and returned equipments, access rights and their approval Information about absences and holidays Sick leave, parental leave, study leave, alternation leave and other absences affecting payroll accounting, accumulated holidays and holiday periods Working hours registrations Background settings for working hours registrations, registered working hours and resulting working hours Telephone directory of the ASSA ABLOY Group Title, company, location of company, address of company, work telephone number, Skype address, department, email, language How is personal data collected? The data stored on data subjects is data provided by the data subjects themselves. Those data subjects who have access rights to the personal data register system can maintain their own basic personal data. The basic personal data of temporary agency workers and consultants are received from respective employers. In addition, data is maintained and updated using data produced by the authorities, partners and the data controller during the employment relationships of data subjects. When data is collected from sources other than data subjects, the consent of each data subject must be requested for the collection of data in accordance with the Act on the Protection of Privacy in Working Life (759/2004). However, no consent is needed when an authority transfers data to Abloy in order to carry out a task defined in the legislation or when the employer obtains credit information or information from criminal records in order to identify the reliability of an individual. If Abloy identifies the reliability of an individual, it will notify data subjects of this beforehand. If data is collected from sources other than data subjects, Abloy will notify data subjects of the data obtained before it uses it to make decisions on employees. Who will the data be transferred to? Abloy employees Recipient Purpose of the disclosure Tax administration Paying taxes Social Insurance Institution (Kela) Paying compensation for sick, family and other leave Employee associations Paying employee association membership fees Execution authorities Paying execution costs Insurance broker Processing the company’s insurance data Insurance companies Calculating employee pensions and processing compensation to be paid for accidents Unemployment office services Alternation leave notifications Occupational health and safety authority Occupational health and safety inspection records Occupational healthcare Maintaining health records Security services Maintaining facility security Online salary calculation operator Electronic payslips for employees Telecom operator Mobile services, exchange services and internet subscriptions Travel agency Booking and invoicing work travel Exercise and culture benefit provider Management of employee benefits Printing shop Address information for the personnel magazine Training service provider Personnel training Patent office Processing invention reports ASSA ABLOY Group Salary information about managerial relationships and specifications to personnel reporting Telephone directory of the ASSA ABLOY Group Contact within the Group Service providers Maintenance and support tasks for data systems Central statistical office of Finland Statistics Conferedation of Finnish Industries Statistics Finnish Institute of Occupational Health Registration of the ASA-register information. Temporary agency workers and consultants Recipient Purpose of the disclosure ASSA ABLOY konsernin puhelinluettelo Konsernin sisäinen työhteydenpito Is personal data processed outside the European Union? Abloy Oy transfers and discloses personal data to the ASSA ABLOY Group outside EU / EEA area for Group control purposes and for the organization of the Group’s operations. The service provider of the employees’ travel booking and travel expense services may give access to personal data of the services to its support organizations located in India, the U.S.A. and Australia. The service provider of the HR system may give access to personal data processed in the system to its support organization located in the U.S.A. When transferring data outside the EU or EEA, we use standard contractual clauses approved by the EU Commission in order to protect the data properly. For further information, please visit EU Commission’s web site. What are the storage periods for personal data? The data collected in the register will be kept for as long as necessary, and to the extent necessary, for fulfilment of the original or compatible purposes for which the personal data was collected. Personal data groups Storage time Basic personal data 10 years after the end of employment Exposure information regarding carcinogenic working methods and mutagenic substances and compounds. 2 years from the year that the information was collected Work contact information 3 months after the end of employment Employment information and exit interview information 10 years after the end of employment Photo, video and audio of an employee 6 years after end of employment Investigations carried out at the beginning of employment 5 years after the end of employment Introduction information 3 years after the end of employment Information about tools and access rights 3 months after the end of employment Salary information and/or history (euro-denominated values on which salary payments are based) 6 years from the end of the year during which salary was paid Payroll accounting 10 years after the end of the financial period Pay sheets 50 years after the end of the financial period Statement of accounts listings for memberships 10 years after the end of the financial period Information about absences 10 years after the end of employment Discussions of the ability to work 2 years after the discussion Working hours registrations 5 years after the expiry of salary receivables Holidays 6 years from the end of the year during which salary was paid Information about substitute arrangements 3 months after the end of employment Educational and work history 10 years after the end of employment Performance appraisals 3 months after the end of employment Job descriptions 3 months after the end of employment Culture and exercise benefits 3 months after the end of employment Working hours records 10 years after the end of the financial period Work- and training-related travel and expense reports 10 years after the end of the financial period Skills 1 year after the end of employment Results of occupational health and safety elections 10 years after the end of employment Feedback from employees 1 year from the collection of feedback Employee information relating to personnel webshop. 6 years from the end of the year during which the order was made. The aforementioned storage periods can be deviated from if it is necessary in order to investigate any misuse or to fulfil the data controller’s lawful claim. What are data subject’s rights? Right of Access The data subject is entitled to obtain confirmation from the controller as to whether the personal data of the data subject is being or has been processed. If the data controller processes the personal data of the data subject, the latter is entitled to the information of this document, as well as to a copy of the personal data that is being or has been processed. If a data subject makes a request electronically and has not requested any other form of delivery, the data will be provided in a generally available electronic format that is compatible with secure delivery of the data. Right to Correct or Erase Data Data subjects have the right to request the controller to correct or erase their personal data. Under certain circumstances, data subjects have the right to request processing of their personal data to be restricted, or to otherwise object to the processing of data. In addition, data subjects may request the transfer of data submitted by the data subjects themselves in a machine-readable form based on the General Data Protection Regulation. Consent withdrawal If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent at any time. The right to object to the processing The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data when the processing is based on the legitimate interest of the controller or a third party. How can data subjects exercise their rights? In all matters involving the processing of personal data, data subjects have the right to contact the controller. All requests mentioned in the present document must be submitted to the above mentioned contact point of the controller. Data subjects also have the right to file a complaint with the supervisory authority if their personal data is or has been processed unlawfully. How is personal information protected? Abloy Oy processes personal data safely and in compliance with the applicable legislation. Protection of personal data by Abloy Oy is adequate both technically and organisationally. The data is stored in locked premises that are accessible only to authorised persons. Personal data stored in the systems is accessible only to pre-designated persons who need the information for work-related tasks. IT environments are protected by adequate firewalls and other forms of technical protection. With regard to the processing of personal data, Abloy Oy’s employees and other persons must abide by their obligation of secrecy and must handle personal data confidentially. Updating Privacy Notice We will update and change this privacy notice when necessary. We will notify you of such changes at Abloy’s www-site https://www.abloy.com/en/site-functions/privacy-centre/privacy-notices/. 22th December 2020. This privacy notice has been made: 8th October 2019.This privacy notice has been updated: 22 December 2020, 31 March 2021, 3 May 2021 and 30 September.