Privacy Notice on the use of Microsoft 365 in the ASSA ABLOY Group

Version 3, October 10, 2025

We, ASSA ABLOY (hereafter "We", "ASSA ABLOY", "Us", or "Our") provide this Privacy Notice on the use of Microsoft 365 in the ASSA ABLOY Group (hereafter “Microsoft 365 Notice”) in order to inform you about Our practices with respect to the collection, storage, use, disclosure or erasure (hereafter jointly “Process or Processing“) of information of any kind (e.g., contact data, authentication data, business information, photos, videos and audio) related to you (hereinafter jointly “Personal Data”) in connection with the use of Microsoft 365 in the ASSA ABLOY Group.

This Microsoft 365 Notice applies to you if you are in a B2B collaboration with Us via Our Microsoft environment as a cooperation partner, or if you are an employee or consultant, (hereafter “Users”, or “You”) and contains specific information on Our data Processing practices related to the use of Microsoft 365.

1. Legal justification for Processing of your Personal Data and Processing Purposes

For the Processing of Personal Data in connection with Microsoft 365, We generally rely on the justification of realizing a legitimate interest. Our legitimate interest is to equip employees and consultants with state of the art software solutions aimed to increase personal and organizational productivity, including the interaction with cooperation partners. For certain user groups and tools, We also rely on the justification of performance of service agreement and/or the employment contract, especially regarding such tools that are necessary to enable cooperation partners and employees to fulfil or which support them in fulfilling their individual duties and responsibilities under their service agreement or employment contract.

In addition to the general information collected and processed about you and to the extent you have access to the tools, We collect and process the following Personal Data about you in connection with the tools for the purposes laid out in the table below.

Processing of special categories of Personal Data in the connection with the use of Microsoft 365 is not anticipated.

Tool category	Processing Purposes	Personal Data Processed	Source of Personal Data	Legal justification
Standard office applications e.g., Word, Excel, PowerPoint, OneNote	provide You with standard office data processing applications; increase personal and organizational productivity;	Data processed by you when using the Tools, such as contact data, authentication data, business information, photos, videos and audio; IT information, such as user names, passwords, computer log data, entry access information and diagnostic data or service-generated data, provided that they are personal	Personal Data Processed have been provided by you or are collected directly from you in the context of the use of the tools; ASSA ABLOY	Contract justification (service agreement, employment agreement); Legitimate interest to the extent that Processing of Personal Data is not strictly necessary for contractual purposes
Office applications for special user groups e.g., Access, Publisher, Visio Online, Power Apps, Power Automate	provide special software solutions to specific user groups; increase personal and organizational productivity	Data processed by you when using the Tools, such as contact data, authentication data, business information, photos, videos and audio; IT information, such as user names, passwords, computer log data, entry access information and diagnostic data or service-generated data, provided that they are personal	Personal Data Processed have been provided by you or are collected directly from you in the context of the use of the tools; ASSA ABLOY	Contract justification (service agreement, employment agreement); Legitimate interest to the extent that Processing of Personal Data is not strictly necessary for contractual purposes
Tools for efficient collaboration and communication e.g., SharePoint, Teams (incl Webcast), OneDrive, Planner	provide applications for IT-based cooperation of Users; increase personal and organizational productivity and collaboration efficiency between Users	Data processed by you when using the Tools, such as contact data, authentication data, business information, photos, videos and audio; IT information, such as user names, passwords, computer log data, entry access information and diagnostic data or service-generated data, provided that they are personal	Personal Data Processed have been provided by you or are collected directly from you in the context of the use of the tools; ASSA ABLOY	Legitimate interest
E-mail & calendar tools, contact management e.g., Outlook (incl Calendar and Tasks), Exchange, People	provide standard applications for electronic communication, administration of contacts and user specific tasks; increase personal and organizational productivity	Data processed by you when using the Tools, such as contact data, authentication data, business information, photos, videos and audio; IT information, such as user names, passwords, computer log data, entry access information and diagnostic data or service-generated data, provided that they are personal	Personal Data Processed have been provided by you or are collected directly from you in the context of the use of the tools; ASSA ABLOY	Contract justification (service agreement, employment agreement); Legitimate interest to the extent that Processing of Personal Data is not strictly necessary for contractual purposes
Video & Web presentation tools e.g., Sway, Stream	provide special software solutions for specific user groups increase personal and organizational productivity	Data processed by you when using the Tools, such as contact data, authentication data, business information, photos, videos and audio; IT information, such as user names, passwords, computer log data, entry access information and diagnostic data or service-generated data, provided that they are personal	Personal Data Processed have been provided by you or are collected directly from you in the context of the use of the tools; ASSA ABLOY	Legitimate interest
Analysis and evaluation tools¹ e.g., Power BI, Delve, Graph, MyAnalytics	provide special software solutions for specific user groups; increase knowledge transfer within the organization and collaboration efficiency between User increase personal and organizational productivity	Data processed by you when using the Tools, such as contact data, authentication data, business information, photos, videos and audio; IT information, such as user names, passwords, computer log data, entry access information and diagnostic data or service-generated data, provided that they are personal	Personal Data Processed have been provided by you or are collected directly from you in the context of the use of the tools; ASSA ABLOY	Legitimate interest
Device and application management e.g., Intune	Unified management and control of enterprise mobile devices for application delivery, policy management and IT security	Data processed with the tool by the Controller or the end users, respectively, such as contact data, authentication data, business information, photos, videos and audio; IT and hardware related information, such as user / device name, hardware inventory information, device diagnostics data, managed application information, provided that they are personal	Personal Data Processed have been provided by you or are collected directly from you in the context of the use of the tools; ASSA ABLOY	Legitimate interest

1) Access to Personal Data processed by Graph, Delve and MyAnalytics is generally limited to you and details regarding the Processing of Personal Data by Delve may be subject to your individual configuration of Delve.

2. Data transfers and recipients and legal justifications for such transfers

Microsoft Corporation acting as a processor, is located in the US, and subject to the EU – U.S. Data Privacy Framework which provides an adequate level of data protection for the Personal Data and that appropriate technical and organizational security measures are in place to protect Personal Data against accidental or unlawful destruction, accidental loss or alteration, unauthorized disclosure or access, and against all other unlawful forms of processing. Any onward transfer (including Our affiliates outside the EU/EEA) is subject to appropriate onward transfer requirements as required by applicable law.

During IT-support the data might be transferred. 1:st and 2:nd line support located in EU, while 3:rd line support is located globally.

3. Retention periods for and deletion of your Personal Data

Communication between co-worker and external person. The personal data is saved for this purpose under a period of twelve (12) month calculated from the time of the last communication in the same conversation and then for a period of ten (10) years to fulfill our legitimate interest to manage and respond to legal requirements.

Participate in training, events and other activities. The personal data is saved for this purpose during the time of the activity and for up to 13 months thereafter, calculated from the time the activity took place. It is kept to fulfill our legitimate interest to follow up the participation and evaluate the activity, as well as for planning of any follow up activities. Photos, videos, or audios collected to satisfy our legitimate interest to document our business is kept until further notice.

Having a digital identity at ASSA ABLOY When one leaves ASSA ABLOY ones digital identity is deactivated. Email is deleted 60 days after the deactivation and OneDrive is deleted 153 days after the deactivation. NOTE: All default retention periods are overruled if there's a litigation hold, E-discovery case, or a retention policy applied to the specific account data.

Secure the technical functionality and safety The personal data is saved under the same period as stated per purpose above. Logs are kept for support and incident handling for twelve (12) months calculated from the time of the logging. The personal data in security copies are saved for twelve (12) months calculated from the time of the copy was taken.

4. Monitoring

We maintain the right to monitor and review Service/System operations to ensure compliance with our directive of acceptable use, as well as to fulfill ASSA ABLOY's responsibilities under the laws and regulations of the jurisdictions in which it operates.

5. Your statutory rights

5.1 Withdrawal of consent

You have the right to withdraw any consent given to us allowing us to use your personal data in a specific way. If you choose to withdraw such a consent, we shall immediately cease the related use of your personal data and delete or anonymise the associated personal data immediately. 

5.2 Right of access

You have the right to obtain confirmation from us as to whether we are processing personal data about you, and, where that is the case, access to a copy of the personal data together with information about our use of your personal data.

5.3 Right to rectification

You have the right to obtain without undue delay the rectification of inaccurate personal data about you. Considering the purposes of the processing, you have the right to have incomplete personal data completed.

5.4 Right to erasure

You have in certain situations the right to right to request erasure or deletion of your personal data ("the right to be forgotten"). 

5.5 Right to restriction

You have in certain situations the right to request that the use of your personal data is restricted, which means that you can, at least for a certain period, stop us from using your personal data in other ways than just storing your personal data. 

5.6 Right to data portability

You have the right to a copy of certain personal data about you in a structured, commonly used and machine-readable format and, if it is technically feasible, the right to request that the copy of your personal data is transferred directly to an external recipient.

5.7 Right to object

In certain situations, you have the right to object to our use of your personal data. Where the right to object applies, this means that we must stop using your personal data in the specific situation.

5.8 Right to object to automated individuation decision-making

You have the right to object to decisions based solely on automated processing, including profiling, which produces legal effects concerning you or which similarly significantly affects you. 

5.9 Right to Opt-out of "Sale" or "Sharing"

You have the right to opt-out of “sale” or “sharing”. Your personal data is “sold” when it is provided with a third party for monetary or other valuable consideration for a purpose that is not a “business purpose” as set forth in the CCPA or other U.S. state data privacy laws. Please note a “sale” does not include when we disclose your personal data at your direction, or when otherwise permitted under law.

We do not sell your personal data so we don’t offer any opt-out.

5.10 Right to non-discrimination

We support the right to non-discrimination, which is a fundamental human right that prohibits any discrimination based on any ground such as sex, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation.

We don’t discriminate against you for exercising your rights under the law. Such discrimination may include denying a good or service, providing a different level or quality of service, or charging different prices. The CCPA permits businesses to provide differing levels or quality or different prices where the business can demonstrate that the difference is reasonably related to the value to the business of the consumer’s personal information.

5.11 US state data privacy laws

These states give residents the right to obtain their personal data from companies, request to have it deleted, and opt out of having it sold to third party.

6. Changes of this notice

This Microsoft 365 Notice is subject to change. You will be notified adequately of any such changes.

7. How to contact us

If you wish to exercise your data subject rights or if you have any other questions concerning this Microsoft 365 Notice, please address your request to gc.privacy@assaabloy.com or ASSA ABLOY AB, Att: Group Center Data Protection Manager, Box 70340, 107 23 Stockholm, Sweden.

8. Supervisory Authority

In case of any complaints, you also have the right to lodge a complaint with the competent supervisory authority, in particular in the Member State of your habitual residence or alleged infringement of the GDPR.

List of supervisory authority per country Our Members | European Data Protection Board (europa.eu)

Sweden: Swedish Authority for Privacy Protection | IMY