Customer Privacy

As a technology-oriented company, we place great importance on safeguarding our customers’ rights to privacy and security.

Why it matters

Customers and business partners place a great deal of trust in dormakaba as a premium partner for safe, smart and seamless access and security solutions. dormakaba takes the protection of data and information very seriously. Abuse and misuse of data and information can lead to major tangible and intangible damage due to, for example, relevant information being unavailable, rendered unusable or incorrect, or – in the worst-case scenario – made available or accessible to a malicious third party.

Key activities

Safeguarding our customers’ rights to data protection and privacy includes obtaining data by lawful and fair means, protecting the personal data of customers by adequate information security safeguards, and using customer data responsibly. dormakaba also considers the proliferation of new technologies and security risks because we understand we have a responsibility to protect sensitive information against unauthorized access, loss, or falsification. We place a strong focus on:

• Personal data, in particular customer and employee data
• Operating and business data
• IT systems
• Financial data

Considering all information and data available within dormakaba, we pursue the following security aims:

• Confidentiality: confirmation that access to information is limited to persons entitled to see it.
• Availability: entitled persons can access information during defined periods and from defined locations.
• Integrity: warranty that information is correct and complete.

The dormakaba Group Data Protection Officer, in cooperation with the Group Information Security Manager, oversees our approach to customer privacy.

Information Security Management System at the core

To meet our security aims, senior management introduced an Information Security Management System (ISMS) in line with best practice in the industry. Our Chief Technology Officer (CTO) also acts as the Chief Information Security Officer (CISO) within the ISMS. This management system is based on the international ISO/IEC standard 27001:2013, the most recognized standard in the field. Certification to the standard was achieved in the financial year 2019/20. The scope of the certification covers Group IT, dormakaba digital in Europe and the USA, and digital-based product development in Europe, such as for the Electronic Access & Data product cluster. In the financial year 2020/21, the scope was extended to include the workforce analytics IT tool.

As outlined in the Group Directive Information Security, the goal of the ISMS is to achieve and maintain an adequate security level by leveraging risk management methods, continuous improvement, and best practices – all adjusted to our needs. The risk management included in the ISMS is used to identify, assess, and treat risks adequately.

Reporting to the CISO, the Group Information Security Manager is responsible for anticipating and assessing new threats related to information security risks; and ise also responsible for implementing the necessary security levels for dormakaba, as defined by the Security Board in accordance to its Charter. Additionally, Information Security Coordinators (ISC) are responsible for the implementation of the ISMS within an assigned segment or Group function, and for providing support during security audits.

EU General Data Protection Regulation (GDPR)

Our internal compliance processes are aligned with the EU General Data Protection Regulation (GDPR). The GDPR aims primarily to give control to citizens and residents over their personal data, bringing with it a new set of “digital rights” for EU citizens at a time when the digital economy places increasing economic value on personal data.

We have set ourselves three objectives:

• Compliance with requirements: the legal and contractual requirements for the protection of personal data will be adequately implemented and complied with at all times.
• Embedding in the organization: the protection of personal data is a central component of all projects, activities, and processes in which this data is processed.
• Continuous improvement: guidelines, procedures, measures, and structures for the protection of personal data will follow uniform principles and be continuously developed and adapted to changing conditions.

We have established a Data Protection Management System (DPMS), a manual, and a document library to serve all employees. Where relevant, project managers must carry out GDPR assessments prior to any project being activated. This also applies to the development of new products or apps. Product managers are provided with a guideline of GDPR requirements, including of the legal requirement of applying Privacy by Design and Privacy by Default in the development process.

Raising employee awareness

We are aware that technological advances in IT security cannot always guarantee the security of the entire business environment and that human behavior can affect information security and the associated risks. Phishing and other social engineering techniques use the human risk factor. The trend has continued for such attacks, and we are seeing an increase in ransomware in society. Attackers are even using technologies such as artificial intelligence to develop their attack scenarios and make fraudulent e-mails and messages appear more real to the victim.

However, people can learn to deal with risks in a professional and smart way. Raising employee awareness of information security risks is a continuous process that, if done correctly, turns the root of the problem into part of the solution. With our information security training programs, in which all our employees must participate, we not only train employees to recognize suspicious messages, phone calls, and other social engineering tactics, we also build a culture of information security awareness that enables us to manage our risks in a targeted and effective way. The training series is made up of four modules: Information Security, Phishing, Social Engineering, and Cyber Security.

Our performance

We have continued the mitigation of information security risks through Group-wide security training in order to strengthen employee awareness. The eLearning for the four data protection modules was completed by around 5,600 employees in the 2019/20 and 2020/21 financial years.

We have published four new directives setting out the internal rules and regulations for data protection early in the financial year 2020/21. A reporting process with corresponding key performance indicators (KPIs) has been developed in order to provide standardized reports. The KPIs will be used to manage, monitor, and improve the data protection organization and the DPMS.

While the company is regularly subject to attempted malicious information security attacks or approaches, there have been no reported incidents resulting in breaches of customer privacy or losses of customer data nor substantiated relevant complaints concerning customer privacy within the financial year 2020/21.