Privacy notice
Revised: June 17, 2025
We, ASSA ABLOY AB (556059-3575), are committed to protecting your personal data. All processing of personal data takes place in accordance with current and applicable data protection legislations, including the EU General Data Protection Regulation (GDPR).
This privacy notice describes how we collect and process the personal data that we receive about you in connection with this website, when you visit our events, web casts, or when you correspond with us. This notice also describes how you can contact us if you have additional questions regarding our processing of your personal data.
Please note that, in addition to the recipients specified for each processing activity, we may also share your personal data with the recipients specified in the section Recipients of personal data.
Click here for:
Summary of situations where we will process your personal data
Summary of situations where we will process your personal data
We will process your personal data in the following situations:
- When you visit our public website
- When you subscribe to our press releases
- When you subscribe to our investor relations events
- When you attend our webcast for investors and analysts
- When you attend any of our events for investors and analysts
- When you attend our Annual General Meeting (AGM) for shareholders
- When you order our annual report
- When you contact us via our “Contact me” form
- When you communicate with us on social media
- When you submit a Data Subject Access Request
When you visit our public website
Summary
When you visit our public website, some personal data may be collected resulting from your visit:
- Session management
Information required to provide you with the website contents that you have requested from us. - Cookie preference and consent management
Information required to collect and then comply to your cookie preferences when accessing our website. - Logging for IT security and maintenance
Logging of the actions taken by you on our website for the purposes of detecting and preventing activities that may disrupt or damage the website, and resolving eventual technical problems on the website.
Detailed descriptions
SESSION MANAGEMENT
| Purpose | Handling information on the origin of your request for contents from our website to be able to provide your browser with the contents that you have requested. |
| Personal data categories |
|
| Personal data sources | Collected from the connection request from your browser. |
| Legal ground | Legitimate Interest (GDPR Article 6.1.f). We have a legitimate interest in ensuring that our website provides our visitors with a seamless and efficient user experience that allows our visitors to find the information they are looking for easily. As we believe that this will have limited or no negative impact on you while providing us with vital information, we have concluded that our legitimate interest outweighs the impact to you. |
| Retention | For the duration of your visit to our website. |
| Recipients | To our website service provider in their capacity as Processor acting on our behalf. |
COOKIE PREFERENCE AND CONSENT MANAGEMENT
| Purpose | Collecting your preferences with regards to cookies that are used on our website and ensuring that only those cookies that are either functionally necessary or have been approved by you are being used. |
| Personal data categories |
|
| Personal data sources | Collected from the connection request from your browser. Provided by you. |
| Legal ground | Consent (GDPR Article 6.1.a). This as you consent to which cookies you decide to accept from time to time. |
| Retention | For cookies you have consented to, 12 months. More information is found in our Cookie policy. |
| Recipients | To our cookie consent management tool provider in their capacity as Processor acting on our behalf. |
LOGGING FOR IT SECURITY AND MAINTENANCE
| Purpose | Ensuring secure and stable operations of our website for the purpose of resolving eventual technical problems. |
| Personal data categories |
|
| Personal data sources | Collected from the connection request from your browser. Provided by you. |
| Legal ground | Legitimate Interest (GDPR Article 6.1.f). We have a legitimate interest in ensuring that our website provides our visitors with a seamless and efficient user experience that allows our visitors to find the information they are looking for easily. While we are tracking how you are using our website, we are not in any way using your identity or doing anything that will have any impact on you. We are using your Session ID for the sole purpose of being able to identify which connections requests are made from the same visitor. As we believe that this will have limited or no negative impact on you while providing us with vital information, we have concluded that our legitimate interest outweighs the impact to you. |
| Retention | For the duration of your visit to our website. |
| Recipients | To our website service provider in their capacity as Processor acting on our behalf. |
When you subscribe to our press releases
Summary
If we believe that you are eligible for a subscription of our press releases, some personal data will be used to verify your consent as well as actually providing you with our press releases:
- Press release consent management and distribution
Collecting and storing information on your choice to receive or not to receive press releases from us.
Detailed descriptions
PRESS RELEASE CONSENT MANAGEMENT AND DISTRIBUTION
| Purpose | To send out information and educate about company offerings, solutions or campaigns. We also process data to segment our contacts to provide more relevant content and to ensure the legal basis for sending information. |
| Personal data categories |
|
| Personal data sources | Collected from you, when you filled in our subscription form. |
| Legal ground | Consent (GDPR Article 6.1.a). You have the right to withdraw your consent at any time. |
| Retention | For as long as you have consented to receive press releases from us. |
| Recipients | To our forms provider, and our corporate communications partner in their capacity as processor acting on our behalf. |
When you subscribe to our investor relations events
Summary
If we believe that you are eligible for a subscription of our investor relations events, some personal data will be used to verify your consent as well as actually providing you with notifications:
- Consent management and distribution
Collecting and storing information on your choice to receive or not to receive notifications from us about upcoming investor relations events.
Detailed descriptions
CONSENT MANAGEMENT AND DISTRIBUTION
| Purpose | To notify you when there is a new investor relations event. |
| Personal data categories |
|
| Personal data sources | Collected from you, when you filled in our subscription form. |
| Legal ground | Consent (GDPR Article 6.1.a). You have the right to withdraw your consent at any time. |
| Retention | For as long as you have consented to receive press releases from us. |
| Recipients | To our corporate investor relations platform provider, forms provider, and our corporate communications partner in their capacity as Processor acting on our behalf. |
When you attend our webcast for investors and analysts
Summary
When you register to attend a webcast hosted by us, we collect data about you to ensure the applicability of the event to you as well as data necessary to facilitate the event for you.
- Event administration
We process your personal data in order to communicate our offering and to facilitate our events.
Detailed descriptions
EVENT ADMINISTRATION
| Purpose | In order to inform and educate about our company as well as to ensure good communication with our stakeholders. |
| Personal data categories |
|
| Personal data sources | Provided by you.
|
| Legal ground | Legitimate Interest (GDPR Article 6.1.f). We have a legitimate interest in developing our product offering and to tailor events to suit our customers’ wishes, which requires us to understand who our participants are and what industry they represent. As we believe that the processing will have no or limited negative impact on you while providing us with vital information, we have concluded that our legitimate interest outweighs the impact to you. |
| Retention | For the duration of the event and until such time any follow-up communications have been resolved. |
| Recipients | Our forms provider, corporate communications partner and our virtual event system provider acting as a processors on our behalf, as well as internally within the ASSA ABLOY Group through our email and calendar provider. |
When you attend any of our events for investors and analysts
Summary
When you choose to register to and attend our Capital Market Day (CMD), Sustainability event or any other corporate events offered by ASSA ABLOY from time to time, we will use your personal data for the following purposes:
- Event registration and management
We process your personal data in order to communicate our offering and to facilitate our events.
Detailed descriptions
EVENT REGISTRATION AND MANAGEMENT
| Purpose | To tailor communication and offerings to our investors and other stakeholders attending ASSA ABLOY events. |
| Personal data categories |
|
| Personal data sources | Provided directly by you, or through our corporate investor relations platform provider. |
| Legal ground | Legitimate Interest (GDPR Article 6.1.f). We have a legitimate interest in developing our product offering and to tailor events to suit our customers’ wishes, which requires us to understand who our participants are and what industry they represent. As we believe that the processing will have no or limited negative impact on you while providing us with vital information, we have concluded that our legitimate interest outweighs the impact to you. |
| Retention | Contact details are kept for the duration of the event and until such time any follow-up communications have been resolved, including but not limited to sending invitations to upcoming events. Participation details, such as dietary restrictions and similar, are only processed for the duration of the event and for some time after to ensure the purposes are fulfilled. |
| Recipients | Our marketing campaign partners, forms provider, corporate communications partner, and our corporate investor relations platform provider in their capacity as processor acting on our behalf. |
When you attend our Annual General Meeting (AGM) for shareholders
Summary
When you as a shareholder choose to register to and attend an Annual General Meeting (AGM), we will use your personal data.
For information on how your personal data is processed, see:
When you order our annual report
Summary
If you order a printed version of our annual report, then we will need your address to be able to distribute it to you.
- Collection and distribution
Collecting and storing information to be able to distribute our annual report to you.
Detailed descriptions
COLLECTION AND DISTRIBUTION
| Purpose | We collect some personal data about you to be able to distribute a printed version of our annual report. |
| Personal data categories |
|
| Personal data sources | Collected from you, when you filled in our order form. |
| Legal ground | Legitimate Interest (GDPR Article 6.1.f). We have a legitimate interest in processing your data to provide the annual report you have ordered. As we believe that the processing will have no or limited negative impact on you while providing us with vital information, we have concluded that our legitimate interest outweighs the impact to you. |
| Retention | For the duration of the request and for some time after to ensure delivery. |
| Recipients | To our forms provider and our corporate email and calendar provider in their capacity as processors acting on our behalf. |
When you contact us via our “Contact me” form
Summary
If you have filled in our “Contact me” form on our website some personal data will be used to fulfil your request:
- Contact request fulfilment
We will respond to your contact request and either send you the requested information or contact you in person depending on what you have requested.
Detailed descriptions
CONTACT REQUEST FULFILMENT
| Purpose | To process your questions or comments and respond. |
| Personal data categories |
|
| Personal data sources | Provided by you. |
| Legal ground | Legitimate Interest (GDPR Article 6.1.f). We process your data and share it internally to ensure your request is responded to in a timely manner and by the ASSA ABLOY employee best suited to facilitate your query. As we believe that this processing will have limited negative impact on you while we have an interest of responding to your query and provide you with great customer service, we have concluded that our legitimate interest outweighs the impact to you. |
| Retention | For the duration of the response process and for a period of 12 months after. |
| Recipients | Our forms provider in their capacity as processor acting on our behalf, and internally within the ASSA ABLOY Group through our corporate email and calendar system. |
When you communicate with us on social media
Summary
ASSA ABLOY may collect and process data provided by you on social media connected to us. This can be made through: - Direct communication (posting on our social media channels or direct messaging), or - Indirect communication (for example, tagging ASSA ABLOY in your social media posts).
- Social media communication management
We will engage in communication with you on social media to process queries and to protect the ASSA ABLOY brand, prevent fraudulent behavior and to support existing clients/customers.
Detailed descriptions
SOCIAL MEDIA COMMUNICATION MANAGEMENT
| Purpose | To engage with you, protect our brand, and to provide information. |
| Personal data categories |
|
| Personal data sources | Provided by you. |
| Legal ground | Legitimate Interest (GDPR Article 6.1.f). We process your direct communication data to provide services and to support you. Because the processing of personal data is limited and the fact that you have freely contacted us through our social media platform, we have concluded that our legitimate interest outweighs the impact to you. We process your indirect communication data to protect the ASSA ABLOY brand, prevent fraudulent behavior and support existing clients/customers. Because the processing of personal data is limited and the fact that personal data posted on social media platforms is posted freely, we have concluded that that our legitimate interest outweighs the impact to you. |
| Retention | We will retain your personal data for as long as is necessary to fulfil the purpose for which it was collected and 30 days thereafter. |
| Recipients | Your personal data will not be disclosed outside ASSA ABLOY, except where we identify that users are not adhering to the terms and conditions provided by the social media platforms. If we identify a breach of the terms and conditions, ASSA ABLOY will report the breach to the social media platform for further investigation. |
When you submit a Data Subject Access Request
Summary
If you have submitted a data subject access request, ASSA ABLOY AB will process your personal data regarding your request in the following way:
- Data Subject Access Request fulfilment
We will process your data provided by you as well as the personal data needed to answer your request.
Detailed descriptions
DATA SUBJECT ACCESS REQUEST FULFILMENT
| Purpose | To process your request in accordance with your data protection rights. |
| Personal data categories |
|
| Personal data sources | Provided by you, and, if applicable, systems and records in which we process your personal data. |
| Legal ground | Legal Obligation (GDPR Article 6.1.c). Our collection and processing of your personal data is based on the requirement to fulfil the legal obligation to respond to a subject access request in accordance with Regulation (EU) 2016/679 (GDPR) and other applicable data protection laws and regulations. |
| Retention | We store the personal data which is processed in connection with your request for eighteen (18) months after our final response has been sent. If we answer your request and it does not lead to further communication, we delete your emails within three (3) months. |
| Recipients | We transfer your data, to the extent necessary to fulfil your request, to external service suppliers or other partner who execute services on our behalf. Service suppliers and other partners may only process personal data according to our instructions. |
Recipients and transfers of personal data
Recipients and transfers of personal data
Recipients of personal data
In addition to the recipients specifically stated for each processing activity, we may also transfer data to other third parties on a general basis, i.e., for all processing activities. These third parties may include the following categories of recipients:
(i) Authorities: We may disclose your personal data to public authorities – such as the Police Authority or the Swedish Authority for Privacy Protection (IMY) – if necessary to comply with applicable laws, legal obligations, or binding decisions from courts or regulatory bodies. The purpose of this disclosure is to fulfil our legal responsibilities.
(ii) Group companies: We may share your personal data with other companies within the ASSA ABLOY Group. The purpose of this sharing is to support internal collaboration and efficiency, as we use shared systems, resources, and business processes across the group.
(iii) Sale or transfer of business: In connection with a potential or actual sale, merger, or other transfer of all or part of our shares, assets, or business, we may transfer your personal data to the buyer/investor or potential buyer/investor. The purpose of this transfer is to enable due diligence, strategic evaluation, and preparations related to the transaction. We will ensure that any recipient processes your personal data in a manner consistent with this privacy notice.
(iv) Suppliers: We use trusted third-party suppliers to perform certain services on our behalf, such as providing IT infrastructure, business systems (e.g., email), or customer support services. The purpose of sharing your personal data with these suppliers is to enable them to deliver contracted services that support our daily operations. We enter into data processing agreements and implement appropriate safeguards to protect your personal data.
(v) Consultants and legal advisors: We may share your personal data with external consultants, such as legal, financial, and strategic advisors. The purpose of this sharing is to obtain professional advice, manage legal claims, ensure regulatory compliance, or support strategic business planning. These parties are contractually obligated to process your data securely and only for the agreed purposes.
Transfers of personal data
We strive to ensure that processing of personal data is done within the EU/EEA. However, since we are a global company and since some of our suppliers operate internationally, your personal data may be transferred to countries outside the EU/EEA in accordance with applicable rules for such transfers.
We will in such cases verify the level of protection in the country to which data is transferred. Such level of protection may be sufficient based on a decision by the European Commission:
Data protection adequacy for non-EU countries
If no such decision is available, we take additional measures to ensure such protections are equivalent to the level of protection in the EU/EEA.
Such level of protection may be reached based on the European Commission’s Standard Contractual Clauses:
Standard Contractual Clauses (SCC) - European Commission
Some services, such as Microsoft email services, may in certain cases be subject to transfers outside the EU/EEA, for example to the United States, such as when technical support is requested.
If you have any additional questions regarding data transfers, please contact us.
Security of personal data
Security of personal data
We take security measures to ensure that our processing of your personal data is carried out in a secure and lawful manner. For example, the systems in which personal data is processed are only accessible to our employees and service providers who need the information to fulfil their duties. These individuals are also informed about the importance of security and confidentiality in relation to the personal data we process. We implement appropriate security measures and standards to protect your personal data against unauthorised access, unauthorised disclosure and other misuse. We also monitor our systems to detect vulnerabilities.
All individuals who process personal data on our behalf do so under strict instructions. These instructions outline how personal data should be handled, stored, accessed and deleted, in compliance with applicable data protection laws and our internal policies.
Your rights under GDPR
Your rights under GDPR
You have the following rights according to the GDPR.
If you wish to exercise these rights, then please contact us via gc.privacy@assaabloy.com or using the contact information provided in the next section.
We normally respond to your request within one month following the date we received your request. However, if your request is complicated or if you have submitted several requests, we may need additional time to handle your request. We will in such a case notify you and the reasons of the delay. If we cannot, wholly or in part, comply with your request we will notify you and the reasons for this.
| Description of Right | When and how the Right Applies |
|---|---|
| Withdrawal of consent (Article 7.3 of the GDPR): You have the right to withdraw any consent given to us allowing us to use your personal data in a specific way. If you choose to withdraw such a consent, we shall immediately cease the related use of your personal data and delete or anonymise the associated personal data immediately. | This will only apply to those uses of your personal data that are based on you having given us consent for that use. If we rely on other legal bases than consent for the use of your personal data, then withdrawing a consent will not affect those uses. Please see each relevant section regarding our use of personal data for information on which legal bases we rely on in each situation and thus which use of your personal data that is based on your consent. |
| Right of access (Article 15 of the GDPR): You have the right to obtain confirmation from us as to whether we are processing personal data about you, and, where that is the case, access to a copy of the personal data together with information about our use of your personal data. | Please note that Business information or personal data belonging to other individuals will not be included in an access request response. |
| Right to rectification (Article 16 of the GDPR): You have the right to obtain without undue delay the rectification of inaccurate personal data about you. Considering the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement. | Please note that historical information may not necessarily be incorrect, meaning that the right to rectification may not in a specific case apply to such historical information. This depends on the purposes of the use of the personal data. |
| Right to erasure (Article 17 of the GDPR): You have in certain situations the right to request erasure or deletion of your personal data ("the right to be forgotten"). | The right to erasure will only apply in certain situations. For example, the right to erasure applies where we do not have a valid justification for retaining and continuing to use the personal data. This will typically be cases where we have failed to delete personal data after you have withdrawn your consent or when we have failed to observe the retention period of personal data. It may also be a case where you have successfully objected to our use of personal data and we cannot show a compelling reason to continue using your personal data despite your objection. There are also several exemptions from the right to erasure, including if we are obligated under law to keep your personal data or if the personal data is needed to exercise, manage, and defend legal claims. |
| Right to restriction (Article 18 of the GDPR): You have in certain situations the right to request that the use of your personal data is restricted, which means that you can, at least for a certain period, stop us from using your personal data in other ways than just storing your personal data. | The right to restriction of the use of your personal data will only apply in certain situations. The right to restriction applies if you have objected to our use or if you consider that your personal data is incorrect or incomplete and during the period that we manage your objection or verify whether the personal data is incorrect or incomplete. The right to restriction also applies if we no longer need the personal data for the purposes that we collected the personal data, but you need the personal data to manage, defend or exercise legal claims and rights. In such a case we will continue to store your personal data for as long as you need the personal data for this purpose. If the use of your personal data has been restricted, we may normally only store your personal data and not use them for any other purpose than to manage, defend or exercise legal claims and rights. We can also use your personal data for other purposes if you have given your consent to such use. |
| Right to data portability (Article 20 of the GDPR): You have the right to a copy of certain personal data about you in a structured, commonly used and machine-readable format and, if it is technically feasible, the right to request that the copy of your personal data is transferred directly to an external recipient. | The right to data portability only applies to personal data that we have collected, and use based on your consent (Article 6.1 (a) of the GDPR) or in order to fulfil an agreement with you (Article 6.1 (b) of the GDPR). Moreover, the right is limited to personal data that you yourself has provided to us. Please see each relevant section regarding our use of personal data for information on which legal bases we rely on in each situation. |
| Right to object (Article 21 of the GDPR): In certain situations, you have the right to object to our use of your personal data. Where the right to object applies, this means that we must stop using your personal data in the specific situation. | The right to object applies under specific circumstances. You always have the right to object to our use of your personal data for direct marketing purposes. In marketing communications, we always include an opt-out link that you can use to unsubscribe to such communications. Moreover, where we rely on a legitimate interest for the use of your personal data, you have the right to object to the use for reasons which relates to your particular situation. If we in such a situation cannot show a compelling reason to continue to use your personal data, we will stop using your personal data for the relevant purpose. Please note that the right to object does not apply if the personal data is needed to exercise, manage, and defend legal claims. |
| Right to object to automated individuation decision-making (Article 22 of the GDPR): You have the right to object to decisions based solely on automated processing, including profiling, which produces legal effects concerning you or which similarly significantly affects you. | This means that if we have made a decision that will significantly affect you or which produces legal effects, and that decision was made automatically, you have the right to object to the automated decision and request a manual review of the decision. |
How to contact us
How to contact us
If you have questions, complaints or want to exercise your rights according to the GDPR then please use one of the proposed channels below to contact us.
When you write to us, please provide information about the relationship that you have or have had with ASSA ABLOY including the nature of the relationship and the subsidiary/subsidiaries that you have had that relationship with. This will help us respond to your question or request.
We will in most cases need to verify your identity. This is a legal obligation which we must adhere to. When verifying your identity, we may need to request additional information from you. We only request the information that is necessary to verify your identity in the specific situation.
Physical Letter:
ASSA ABLOY AB
Attention: Data Protection Manager
Box 70340
107 23 Stockholm
SWEDEN
E-mail:
Your supervisory authority
Your supervisory authority
Each EU/EEA member state shall have its own supervisory authority for data protection. You have the right to contact or lodge a complaint with the supervisory authority in your country.
Given that ASSA ABLOY AB is a Swedish legal entity, the supervisory authority that supervises our use of personal data is the Swedish data protection authority, the Swedish Authority for Privacy Protection (IMY).