Code of Conduct Privacy Notice

1. What is the purpose of this notice?

The purpose of this Privacy Notice is to protect the rights of all individuals that are concerned by a Code of Conduct investigation (including those reporting suspected violations of ASSA ABLOY’s Code of Conduct), ensure equal and secure treatment of these individuals’ personal data, provide information about ASSA ABLOY's rights, and ensure ASSA ABLOY is in compliance with applicable data protection law.

ASSA ABLOY has a need to detect Code of Conduct violations, to investigate reported suspected Code of Conduct violations, and to take remedial actions, and therefore needs to process certain personal information about individuals concerned by a Code of Conduct investigation (referred to as "personal data").

This notice includes information on the kind of personal data that is processed by ASSA ABLOY in relation to such individuals where ASSA ABLOY is the "data controller". Personal data is processed in accordance with this notice and data protection law. By reading this notice, you confirm that you have been informed about how your personal data is processed by us.

You have several rights related to how we handle your personal data. Your rights include:

- rights of access and rectification of your personal data
- right to object to the processing of personal data
- right to restrict the processing of personal data
- right to request deletion of your personal data
- right to data portability to another controller, where technically feasible.

Please note that you may not be allowed to use your rights in all situations. If you are dissatisfied with how we process your personal data you have a right to lodge a complaint with a data protection authority. Your rights are further explained below.

ASSA ABLOY has appointed a so-called Data Protection Manager ("DPM"). If you have any questions about how ASSA ABLOY collects, processes and stores your personal data, please contact the DPM as listed in Schedule B.

2. What is "personal data" and "processing of personal data"?

The term "personal data" as used in this notice is any piece of information that, either on its own or together with any other pieces of information, can be traced back to a living individual, and any other data that qualifies as personal data in accordance with data protection law applicable to ASSA ABLOY. This notice includes information on all personal data that is in any form considered processed under the relevant law in relation to you as reporter of a suspected Code of Conduct violation, including personal data that is kept, stored, collected, transferred, disclosed or in any other way handled.

3. What kind of personal data will ASSA ABLOY process?

We process personal data in order to investigate suspected Code of Conduct violations, and to take remedial actions. More specifically, we will only collect and process personal data about an individual who reports a potential Code of Conduct violation as set out in the "Data Processing Matrix" in Schedule A. We will only process this personal data to fulfill the purposes stated in this notice and the Data Processing Matrix, and to comply with applicable law.

4. How is my personal data processed?

ASSA ABLOY will only process personal data for the purposes for which it was collected and as set out in the Data Processing Matrix. We have taken suitable technical and organizational measures for the protection of the personal data to ensure that only a limited number of authorized persons (set out in Schedule B) are given access to personal data. We use technical security systems, such as firewalls, encryption technologies, passwords and anti-virus programs, to prevent and avoid unauthorized use of personal data. The organizational measures taken are described in further detail in the Data Protection Compliance Program.

5. To what categories of third parties will my personal data be disclosed?
Authorities

In connection with investigations or legal proceedings ASSA ABLOY may need to provide personal data to authorities, regulators, and courts. Such disclosures will be carried out in accordance with mandatory law and in order to fulfill legal obligations.

ASSA ABLOY Group Companies

Furthermore, due to the fact that the ASSA ABLOY group carries out business activities in a number of different countries, personal data may need to be transferred to ASSA ABLOY companies outside of your own home country that need to receive the personal data for the purposes stated in the Data Processing Matrix.

Companies engaged by ASSA ABLOY

Your personal data may also be transferred to and processed by third party providers and suppliers which perform services for ASSA ABLOY, to enable these companies to perform the services requested by us. Services which may be requested include the provision of forensic services and advice related to investigations. Only personal data that is necessary to fulfil the purposes stated in the Data Processing Matrix will be provided to these companies. All third party providers and suppliers must follow our instructions and the applicable written data processor agreement and any other agreements that are in place between ASSA ABLOY and its third party providers/suppliers, and must implement suitable technical and organizational measures for the protection of the personal data of our employees.

6. To what countries will my personal data be transferred?

A legal entity that receives personal data may be located in a country that offers a lower level of protection for personal data than the country in which you are located or of which you are a citizen. All personal data transferred to a country that offers a lower level of protection for personal data will be transferred in accordance with ASSA ABLOY's current policies regarding transfer of personal data, as applicable from time to time, to ensure that the transfer of personal data complies with the law.
If personal data is transferred to a country that offers a lower level of protection for personal data, the personal data will be transferred in accordance with the "Transfer of Personal Data Matrix" in Schedule B.

7. Who has access to my personal data?

Personal data will only be available to authorized employees and/or individuals engaged by ASSA ABLOY on a consultancy basis, holding a position that requires them to process personal data to perform their work. These employees and/or consultants will only be given access in accordance with the principle of "least privilege", meaning that they will only have access to personal data that is strictly necessary for the purpose of the processing to perform their work. Therefore, personal data will only be accessible to the positions listed in Schedule B. Personal data may also be available to employees and/or consultants of third parties to whom ASSA ABLOY has disclosed personal data as set out in Section 5.

8. For how long will my personal data be processed?

We will not store or process personal data for a period longer than necessary to fulfill the purposes in the Data Processing Matrix or to comply with the relevant law in your country. Accordingly, when the purpose has been fulfilled in relation to a specific type of personal data, we will stop using the personal data for that purpose and, if the same data is not relevant for any other purpose, delete the relevant personal data as soon as reasonably possible.

9. What are my rights with regard to my personal data?

Right to access and rectification

As a reporter of a suspected Code of Conduct violation, you have the right to request access to the personal data relating to you. This includes the right to be informed whether or not personal data about you is being processed, what personal data is being processed, and the purpose of the processing. You also have the right to rectify or add personal data if the personal data is inaccurate or incomplete.
As soon as we become aware of any inaccurate personal data being processed, we will always correct such personal data as soon as possible and notify you accordingly.

Right to erasure

You may also request that your personal data be erased, for example in the following situations:

- if the personal data is no longer necessary for the purposes for which it was collected
- if you object to the processing of personal data where we do not have an overriding legitimate interest
- if the processing is unlawful, or
- if the personal data has to be erased to enable us to comply with a legal requirement.

If you have any questions about your right to erasure, please contact the DPM (please see Schedule B for contact details). Please note that we may reject your request if the processing is permitted or required according to law or any other relevant legal ground. For further information please refer to section 11 regarding how we will act when receiving a request.

Right to object

You are also entitled to object to our use of your personal data that we base on our legitimate interest. If you object, we will no longer process your personal data unless we can show that we have compelling legitimate grounds for the processing that override your interests or rights and freedoms or if we need it to establish, exercise, or defend legal claims.

Right to restriction

You can request us to restrict the processing of your personal data in the following situations:

- if the processing is no longer necessary for the purposes it was collected or otherwise processed
- if you withdraw your consent for use of data that we base on your consent
- if you believe the personal data may not be correct
- if you believe that the processing is unlawful, or
- if we process your personal data based on our legitimate interest, where we do not have an overriding interest in relation to your privacy interest.
Right to Data Portability

If you request access to personal data about you that you yourself have provided and if the personal data is being processed automatically, you may request that the data is provided in a structured, commonly used and machine-readable format and you may also request that the personal data is transferred to another controller, if this is technically possible.

10. How do I make use of my rights?

Please send an email to the DPM, as specified in Schedule B, if you want to make a request in relation to the processing of your personal data. Please note that we may contact you and ask you to confirm your identity to ensure that we do not disclose your personal data to any unauthorized person, and that we may ask you to specify your request before we perform any actions. Once we have confirmed your identity, we will handle the request in accordance with applicable law. Please note that even if you object to certain processing of personal data, we may still continue this processing if permitted or required to do so by law, for example to be able to fulfill legal or contractual requirements.

11. How will ASSA ABLOY act when receiving a request?

Once we have confirmed your identity, we will handle your request in accordance with law. Please note that even if you object to certain processing of personal data, we may still continue this processing if permitted or required to do so by law, for example to enable us to fulfill legal requirements, administer the employment or fulfill obligations under a contract with you.

12. What should I do if I have any complaints?

If you have any complaints about the way in which the personal data is being processed, or would like further information, please contact the DPM (please see Schedule B for contact details).
You can also make a complaint about the data processing to the relevant public authority, such as where you live, work or where an alleged infringement of the applicable data protection law has occurred. Please see Schedule B for further information.

13. Updates to the notice or processed data, and non-compliance with this notice

In order to ensure that we comply with data protection law, this notice may be changed by us at any time. We will inform you of any changes made. Any breach of this notice should be reported to the DPM, as specified in Schedule B. Any breach of this notice, including any processing or transfer of personal data for any purpose other than as stated in Schedule A and/or Schedule B, will be taken seriously and will result in necessary actions being taken (including a so-called data breach notification being sent to the relevant data protection authority if required by law).

Please notify us of any changes to the personal data relating to you to enable us to process personal data accurately and securely (please see Schedule B for contact details).