Landis+Gyr | Global Privacy Policy
TABLE OF CONTENTS
1| Introduction
2| Compliance with the Law
3| Collecting & Processing Personal Data
3.1 Personal Data Collected
3.2 Purposes of the Processing and Legal Basis
3.3 Retention of Personal Data
3.4 Disclosure of Personal Data
3.5 Transfer of Personal Data
3.6 Personal Data Security
4| Privacy rights related to Personal Data
5| California Privacy Rights
6| Specific requirements for China
7| Updates to this Policy
8| How to contact us
1| Introduction
Landis+Gyr Group AG is incorporated under the laws of Switzerland, with its registered address at Alte Steinhauserstrasse 18, 6330 Cham, Switzerland, and operates via its subsidiaries located around the world (collectively referred to as the “Company”), and may act as Data Controller or Data Processor.
The Company collects and processes Personal Data in the day-to-day operations of its business. This Global Privacy Policy (“Policy”) has been drafted and implemented in order to describe the Company’s practices and the relevant data privacy principles for the protection of Personal Data during the processing of Personal Data of its customers, contractors and other business partners (“Data Subjects”).
For the purposes of the scope of this Policy, Company shall mean Landis+Gyr Group AG and its affiliates (“Affiliates”), all considered as part of the group companies.
“Applicable Law” refers to the relevant country data protection law or applicable regulation relating to data protection.
“Personal Data” means any information relating to an identified or identifiable natural person;
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2| Compliance with the Law
The Company is a global leader in smart grid and smart metering products and related services, and strives to be a good corporate citizen. The Company recognizes the relevant privacy rights, and complies with Applicable Law. Certain requirements may vary from an Affiliate to another depending on the Applicable Law. This Policy constitutes a global guideline to which the Company is committed and is an integral part of the Company’s internal codes of conduct.
The Company is committed to complying with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”), EU Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the Processing of Personal Data and the protection of privacy in the electronic communications sector, UK General Data Protection Regulation (Regulation (EU) (2016/679) ('UK GDPR') and the Data Protection Act 2018, the Swiss Federal Act on Data Protection 235.1 of 25 September 2020, the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPPA”), the Personal Information Protection Law of the People's Republic of China (“PIPL”), the Brazil law No. 13.709 of 14 August 2018 (General Personal Data Protection Law as amended by Law No. 13.853 of 8 July 2019) ('LGPD'), the Digital Personal Data Protection Act of India, and all other relevant data protection regulations where the company operates according to Applicable Law.
3| Collecting & Processing Personal Data
3.1 Personal Data Collected
This Policy is applicable to the Company’s customers (including its customer’s end-users), suppliers and other business partners. The Company may process the following categories of Personal Data:
- Identity data: last name, first name, gender, nationality and date of birth
- Data relating to the product purchased: model, serial number, usage data
- Data relating to the service provided, including metering data
- Data relating to the feedback a partner provides
- Metering-related data, including electricity consumption
- Invoicing and customer relationship Personal Data
3.2 Purposes of the Processing and Legal Basis
Personal Data may be processed on the legal basis of the execution of a contract or pre-contractual measures, which include:
- Fulfillment of the Company’s contractual obligations
- Provision of after-sales services after the purchase of a product by a customer
- Processing customer requests and service support
- Claims management
- Invoicing and billing management
Personal Data may also be processed on the basis of the Company’s legitimate interests, in particular in order to improve its products and services, customer experience and internal processes. The Processing includes:
- Marketing purposes (for example, sending newsletters or updates) within the context of our business-to-business relationship, in accordance with Applicable Law
- Interacting with the Data Subject such as for account and customer management purposes
- Conducting statistical/usage analysis
- Performing internal administrative functions
- Processing customer requests
- Improving security concerning the Protection of Personal Data, and preventing fraudulent activities
- Customer relationship management with Data Subjects
- Profiling to better manage customer relations, not subject to automated decision making
- Evaluation of data collected by our products
- Video-surveillance on the Company’s premises for security purposes
The Company may also process Personal Data on the basis of fulfilling legal obligations for due diligence know-your-customer requirements, depending on Applicable Law. In the event of marketing to prospective customers, as may be conducted by the Company or its partners, the Company will first obtain Data Subject consent and ensure provisions are made to opt-out of such marketing at any time.
3.3 Retention of Personal Data
Personal Data will be kept for the duration of the Processing and in accordance with the Company’s Data Retention Policy and related Data Retention Schedule. Personal Data will be deleted as soon as the purpose of the Processing of Personal Data has been achieved as defined by the Data Retention Policy and Schedule but may be retained longer, if necessary, in order to comply with legal obligations or other Applicable Law or, if necessary, to protect or exercise the Company’s rights to the extent permitted by Applicable Law.
At the end of the retention period, and depending on the nature of the Personal Data, the Company may archive Personal Data to comply with Applicable Law for a limited period with restricted access.
The retention period may vary depending on the country where the Data Subject resides and on the Applicable Law.
3.4 Disclosure of Personal Data
Personal Data may be shared with other Company Affiliates, government agencies and third parties to meet the Company’s contractual obligations, for legitimate business reasons or as otherwise allowed or required by Applicable Law.
3.5 Transfer of Personal Data
The use of third parties may involve the transfer of Personal Data across country borders. Also, business processes may require the transfer of Personal Data within the Company internationally.
If Personal Data is processed within the EU/ EEA, and in the event Personal Data is disclosed to third parties or to a country not considered as providing a sufficient level of protection according to Applicable Law then the Company will ensure, as necessary, that it:
- adopts Binding Corporate Rules for intragroup data transfers;
- implements Standard Contractual Clauses (SCC) as approved by the EU Commission or as approved by another Supervisory Authority according to Applicable Law;
- completes self-certification registration under the EU-US Data Privacy Framework Agreement;
- takes supplementary measures, such as an adequacy assessment, or adopts a Data Processing Addendum.
For Personal Data not processed within the EU/EEA, and in the event Personal Data are disclosed to third parties located outside the Data Subject’s jurisdiction, the Company will ensure it obtains the required consents, implements necessary safeguards to protect Personal Data, and / or obtains Supervisory Authority approval as may be required. Those mechanisms may differ depending on the country and relevant Applicable Law.
3.6 Personal Data Security
The Company implements security measures in order to protect Personal Data from security incidents and unauthorized disclosure. These security measures include, inter alia, access controls, password protection, encryption, security assessments and audits.
In the event of a data breach incident, the Company has procedures in place in order to:
- Investigate and analyze a Data Breach to determine its consequences on the rights and freedoms of the Data Subjects;
- Notify the competent authority and, if necessary, those affected if the rights and freedoms of the Data Subjects are at risk;
- Implement necessary measures to remediate and mitigate the Data Breach;
- Ensure traceability of the incident.
Appropriate measures may differ depending on Applicable Law.
4| Privacy rights related to Personal Data
In accordance with Applicable Law, any person whose Personal Data is processed by the Company has rights related to their data, including:
- Right of access
- Right to rectification
- Right to erasure, subject to regulatory limitations
- Objection or restriction of Processing
- Personal Data portability
- Object to automated individual decision-making
- Provide instructions on how to process Personal Data posthumously (as may be relevant based on Applicable Law)
The exercise of such rights is not absolute and is subject to the limitations provided by Applicable Law.
Depending on Applicable Law, the Data Subject may have the right to lodge a complaint with the competent Supervisory Authority in his or her jurisdiction if not satisfied by the Company’s response.
To exercise the above rights, the Data Subject may contact the Company as described in the section “8| How to contact us.”
5| California Privacy Rights
The California Civil Code Section 1798 allows California residents to ask companies with whom they have an established business relationship to provide certain information about the Company’s sharing of Personal Data with third parties for direct marketing purposes. The Company does not share any California consumer Personal Data with third parties for marketing purposes without consent.
6| Specific requirements for China
This section applies when Personal Data is located within the borders of the People’s Republic of China (PRC) or when Personal Data is processed by one of the Company’s Affiliates incorporated in the PRC.
In accordance with Article 13 of the PIPL, Personal Data may be collected for the following purposes:
- based on an individuals’ consent;
- for the performance of contracts;
- for legitimate business interests; or
- to fulfill statutory duties and responsibilities or statutory obligations.
Following the requirements set out under Article 23 of the PIPL and the contents mentioned under Section 4, the transfer and sharing of Personal Data to a third party will not be made without (1) Data Subject specific consent if applicable, or (2) to fulfill the statutory duties under Applicable Law.
Business purposes may require the Company to transfer and process Personal Data outside of the PRC.
Based on the purposes prescribed in this Policy, Personal Data may be transferred to a country or region outside the Data Subject’s place of residence for Processing. At such time, the Company will protect the security of the Personal Data in accordance with Applicable Law, including but not limited to implementing access controls, passwords, encryption standards, strict time limits for retention periods, logging mechanisms and regular security assessments.
The Company will fully inform the Data Subject of the cross-border data transfer in accordance with Article 39 of the PIPL prior to transferring Personal Data outside the PRC and will obtain consent, informing the Data Subject of the following: the name of the outbound receiver, the contact information, the purpose of the Processing, the method of Processing, the type of Personal Data, and reminding the Data Subject of the methods and procedures to exercise rights under the PIPL.
As may be required, the Company will carry out a cross-border data transfer risk assessment in accordance with Applicable Law if Personal Data is transferred outside of the PRC.
7| Updates to this Policy
The Company may need to update this Policy in order to comply with new regulatory requirements. An updated version of this Policy will be made available via an appropriate channel and will apply only to data collected and processed subsequent to its effective date.
8| How to contact us
For any concerns about this Policy or in order to exercise Data Subject rights, please contact the Company’s Data Protection Officer at the following address: Landis+Gyr AG, Alte Steinhauserstrasse 18, 6330 Cham, Switzerland, or by completing this form.