Privacy Notice

1. Introduction 

This Contractor Privacy Notice ("Notice") applies to the ABB Group of companies, which means ABB Asea Brown Boveri Ltd, Switzerland and each entity in which ABB Ltd, Switzerland, directly or indirectly, has a majority holding or owns or controls the majority of voting rights. The ABB company with whom you, your employer or the company through which you are assigned to ABB have/has a contractual relationship (referred to as "ABB"), is responsible for the processing of your personal data and controls how it is used, in accordance with this Notice.  

This Notice however does not apply to you if the contractual relationship between ABB and you is on the basis of temporary work or other dependent working relationship within the meaning of § 26 (8) Federal Data Protection Act (Bundesdatenschutzgesetz – “BDSG”), in which case the ABB employee privacy notice will give you the required information in accordance with Art. 13 of the EU General Data Protection Regulation (“GDPR”).  

At ABB, respecting your data protection rights is a top priority. This Notice explains how we use personal data about you, how we process such data, and what rights you have regarding your personal data.   

2. Who is responsible for the processing of your personal data? 

ABB Asea Brown Boveri Ltd and its subsidiary companies are responsible for your personal data. For applicable privacy and data protection laws, the primary controller of your data is the ABB subsidiary company with whom you, your employer or the company through which you are assigned to ABB have/has a contractual relationship. Other subsidiary companies of ABB may also receive and process your personal data, either in the capacity of controller or processor and this Notice applies equally to them. 

In your case, ABB AG, Kallstadter Straße 1, 68309 Mannheim, Germany, or any respective company affiliated with ABB AG pursuant to §§ 15 ff. of the German Stock Corporation Act (Aktiengesetz - AktG), having a business relationship with you, decides as "controller" within the meaning of the GDPR and the BDSG how and for which purpose your personal data will be used in accordance with this Notice (hereinafter: “ABB”, "we" or "us"). 

You can contact our data protection officer as follows: 

ABB AG 
Konzerndatenschutzbeauftragter 
Kallstadter Str. 1 
68309 Mannheim 
privacy@abb.com 

3. Which of your personal data do we collect and use? 

We collect and use personal data that concerns you and we receive from you in the course of or in connection with your or your company’s contract to provide works and/or services, the services you are providing under it directly to ABB or any other existing contractor business relationship with you, your employer or the company through which you are assigned to ABB (hereinafter: “you”). We may also process personal data that we receive from you either because of your contact enquiry, specific pre-contractual enquiry or registration for a specific event via our websites, by e-mail or telephone or at a trade fair, roadshow or other event. In addition, and to the extent necessary for the purposes mentioned in this Notice, we process personal data which we may obtain from publicly accessible sources or which are legitimately transmitted by other third parties (e.g. a credit agency) such as commercial register data, creditworthiness data.  

We may collect the following categories of personal data: 

  • Identification data and business contact information you share with us, such as first name, last name, job/position/title, employer, employer address, nationality, tax number, work permit/visa information, business email address, business address, telephone number, mobile telephone number, telefax number, private telephone number, private email address, gender, date of birth. 

  • Additional information you provide to us in the course of your contract to provide works and/or services such as data concerning the fulfilment of your contract to provide works and/or services, our contractual obligations and pre-contractual measures including correspondence data, offers, tenders, resume/CV, background check data, conditions, qualifications/certificates, contract and order data, invoices, payments, business partner history, records relating to queries/questions/complaints/orders, working time logging, and training and education records, vehicle license plate, insurance data.  

  • Expense related information such as bank statements, payment details, transactions, expense claims and receipts, bank account details, credit card data.  

  • Electronic identification data and information collected by the communications systems, IT applications and website browser (where contractor has access or is affected by such systems or applications and in accordance with the applicable law) such as information technology usage (system access, IT and internet usage), device identifier (mobile device ID, PC ID), registration and login credentials, IP address, login data and log files, Analytics ID, digital alias/signature, time and URL, searches, website registration and cookie data, recordings (e.g. voice mail/phone recordings, Skype recordings). 

  • Other personal data namely where you or others may register these data on or in our systems, programs and applications such as business documents containing personal information (e.g. queries, questions, complaints, orders and related records, emails, reports, contracts, presentations, minutes, work products), photos, images and/or videos. To a certain extent this information might also cover your interests in ABB products, marketing preferences and registration information provided at trainings, events or fairs, etc.

The below mentioned types of personal data are only collected and processed, if at all, in accordance with applicable local laws in your country of residence and where relevant depending on your contract to provide works and/or services.   

  • Special categories of personal data such as work-related health data or data for emergency support (blood type, medical history, allergies). 

  • Data about criminal convictions and offences such as criminal background information for the purposes of criminal background screening. 

In case you would like to be provided with information about a specific personal data processing activity, you can request that by submitting a request at www.abb.com/privacy

4. Why do we use your personal data? 

We primarily process your personal data to fulfil and perform our business and contractual relationship with you. As part of this business and contractual relationship between you and us, we need to process your personal data which is required by us to commence, complete or terminate agreements with our contractors or to perform the contractual and legal obligations associated therewith, or which we are required by law to collect and process (e.g. tax laws). 

We may use your personal data as described above for the following purposes:  

  • Staff and human resources planning and management as relevant to your contract to provide works and/or services and the services you are providing under the contract to provide works and/or services directly to ABB including organization and personal administration, working hours management, improving and maintaining effective staff administration, internal workforce analysis, reporting and planning; 

  • Contractor, supplier and service provider management throughout the procurement, logistics and supply chain including contact interaction including tendering, engagement, processing orders, process and fulfilment of purchases, administration and management of suppliers, vendors, contractors, advisers and other professional experts including contact interaction, processing and fulfilling purchases and invoices, and contract lifecycle management; 

  • training contractors; 

  • internal health and safety programs; 

  • finance and shared accounting services providing record to report, order to cash and purchase to pay services; 

  • making use of work performance and products and for references on documents, such as drawings, purchase orders, sales orders, invoices, reports;  

  • reorganization, acquisition and sale of activities, business units and companies; 

  • monitoring and auditing compliance with ABB’s corporate policies, contractual obligations and legal requirements; 

  • carrying out audits, reviews and regulatory checks to meet obligations to regulators; 

  • maintaining and protecting the security of products, facilities, services, systems, networks, computers and information, preventing and detecting security threats, fraud or other criminal or malicious activities, and ensuring business continuity; and 

  • managing IT resources, including infrastructure management including data back-up, information systems’ support and service operations for application management, end user support, testing, maintenance, security (incident response, risk, vulnerability, breach response), master data and workplace including user accounts management, software licenses assignment, security and performance testing and business continuity. 

We collect only the personal data from you that we need for the purposes described above. For statistical purposes, improvement of our services and testing of our IT systems we use as much as reasonably possible anonymized data. This means that these data can no longer (in)directly identify you or single you out as an individual. In case you are working at a third-party site (for example ABB customer location or facility), such third party may need to process your personal data for their purposes acting as a data controller. In these cases, you will receive or may request a separate privacy notice from the relevant data controller. 

5. What happens if you do not provide us with the personal data we had asked you for or if you ask us to stop processing your information? 

Where it concerns processing operations related to your contract to provide works and/or services (as described above), ABB will not be able to adequately establish, conduct or terminate a business relationship with you or your company and generally perform the purposes described above without certain personal data. Although we cannot obligate you to share your personal data with us, please note that this then may have consequences which could affect your contract to provide works and/or services in a negative manner, such as not being able to take requested pre-contractual or contractual measures to enter into or perform a contract with you or to establish and continue the business relationship you have asked for. 

6. On which legal basis do we rely to process your personal data? 

We use your personal data for the purposes described in this Notice in accordance with the provisions of the GDPR and the BDSG, in particular on the following legal bases, as applicable: 

  • We may process your personal data for the fulfilment of contractual obligations resulting from contracts to provide works with you or your company, or as part of pre-contractual measures we take, Art. 6 (1) b) GDPR

  • In some cases, we process your personal data on the basis of legal obligations and statutory requirements, Art. 6 (1) c) GDPR, for example, on the basis of tax or reporting obligations, cooperation obligations with authorities, statutory retention periods or the disclosure of personal data within the scope of official or judicial measures required for the purposes of taking evidence, prosecution or enforcement of civil law claims.

  • Art. 6 (1) f) GDPR, if processing within our business relationship is necessary in order to protect the legitimate interests of us or third parties. This requires a weighing of interests pursuant to Art. 6 (1) f) GDPR, according to which a processing of personal data is permissible if it is necessary to safeguard the legitimate interests and does not outweigh the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. We rely on our legitimate interests to process your personal data insofar as this is not overridden by your own privacy interests, which may include: 

    • conduct, management, development and furtherance of our business in the broadest sense possible including supply of products and services, performance of agreements and order management with suppliers, process and fulfilment of purchases, process quality management and improvement of products or services, analytics and market intelligence, reduction of default risks in our procurement processes and reorganization, acquisition and sale of activities, business divisions and companies; 

    • monitor, investigate and ensure compliance with legal, regulatory, standard and ABB internal requirements and policies; 

    • prevent fraud and criminal activity including investigations of such activity, misuse of ABB assets, products and services, and as strictly necessary and proportionate for ensuring network and information security;  

    • if otherwise necessary for establishment, exercise and defense of legal claims of and against ABB related to your performance of contracts with us; and 

    • transmitting personal data within the ABB group for internal administrative purposes as necessary for example to provide centralized services. 

You may obtain a copy of our assessment regarding our legitimate interest to process your personal data, including a documented balancing of interests, by submitting a request at www.abb.com/privacy

  • If and to the extent we process your personal data in exceptional cases for purposes not covered by the aforementioned legal bases (e.g. photos, marketing materials and events), we may require your consent as legal basis for such data processing, Art. 6 (1) a) GDPR. You may of course withdraw such consent at any time in accordance with Art. 7 (3) GDPR with effect for the future. If and to the extent we send you marketing information by electronic mail, we may also require your consent according to § 7 (2) No. 3 Competition Act (Gesetz gegen den unlauteren Wettbewerb - UWG). 

With regard to special categories of personal data we will only process such data in accordance with applicable law and: 

  • you have given your explicit consent for processing such personal data in accordance with Art. 9 (2) a) GDPR;  

  • processing of such personal data is necessary for the establishment, exercise and defense of legal claims, Art. 9 (2) f) GDPR; or 

  • processing of such personal data is necessary for compliance with our obligations under applicable labor, social security and social protection law as well as preventive medicine, medical diagnosis or health or social care services (e.g.: minimum wage laws, employers’ liability insurance, etc.), Art. 9 (2) b) & h) GDPR. 

With regard to personal data concerning criminal convictions and offences, we will only process such data where such processing is permitted by applicable (local) law. 

7. Which parties do we share your personal data with (in and outside the EU and EEA)? 

As part of a global group, we have business relationships with ABB Group companies and external service providers, both within and outside the European Economic Area (EEA), which we may also use to process your personal data as necessary for the purposes described in this Notice. We only share your personal data with other ABB affiliates or third parties as necessary for the purposes described in the table below. In addition, when processing your personal data for these purposes using external service providers as data processors (e.g. computer centers, software companies, etc.) these data processors are engaged within the framework of an existing contractual relationship, bound by instructions, and receive your personal data only to the extent and for the period required for the provision of the service. 

Where we share your personal data with an affiliate or third party so that it is transferred to or becomes accessible from outside the European Union (“EU”) and the European Economic Area ("EEA") or outside the country where the ABB company that controls your data is located, we always put adequate safeguards in place to protect your personal data. Examples of these safeguards are an adequacy decision of the European Commission, Standard Contractual Clauses, Privacy Shield certification, and the Binding Corporate Rules that some of our suppliers have adopted. We have taken additional measures for the transfer of data from within to outside the EU, EEA and outside the country where the ABB company that controls your data is located to protect your personal data. If you would like an overview of the safeguards which are in place, please submit a request at www.abb.com/privacy

| Recipient category | Recipient location | Purpose |
| --- | --- | --- |
| ABB affiliates and subsidiaries | See the list of ABB subsidiaries | The purposes described in this privacy notice by your ABB manager/supervisor, ABB Human Resources, ABB Finance, ABB IT Support, ABB’s GBSs (Global Business Services Centers) supporting Human Resources/Finance/Procurement and Logistics 24/7 and ABB’s Procurement departments dealing with contractors |
| ABB business partners, distributors and agents | EU and non-EU | The purposes described in this privacy notice |
| Service providers such as IT services including IT support, consulting services, outsourcing services, independent agents, payment processors, rating and assessment services, professional and advisory services including accountants, auditors, lawyers, insurers, bankers, recruiters, travel agents and other advisors or service providers working on ABB’s behalf | EU/EEA and non-EU/EEA (global) | The purposes described in this privacy notice |
| Potential or actual acquirers of ABB businesses or assets | EU/EEA and non-EU/EEA (global) | For the evaluation of the business or assets in question or for the purposes described in this privacy notice |
| Recipients as required by applicable law or legal process, to law enforcement or government authorities, etc. | EU/EEA and non-EU/EEA (global) | Where required by applicable law or a legitimate request by government authorities, or a valid legal requirement |

You may obtain a copy of the safeguards which we use to protect your personal data by submitting a request at www.abb.com/privacy.  

8. How long do we process and keep your personal data? 

In principle, we process and store your personal data only as long as this is necessary for the processing purposes mentioned in this Notice, until you withdraw your consent (Art. 6 (1) a) GDPR) or until you object to the use of your personal data in case of a legitimate interest being the legal basis for processing (Art. 6 (1) f) GDPR).  

However, based on mandatory legislation, ABB must keep certain personal data for a minimum period of time. In general, personal data is kept for the duration of the contractual relationship and for a minimum period (typically between 5-10 years after the termination of the contract to provide works and/or services) or for a longer period if required by local laws and regulatory requirements.

At the same time, applicable data protection laws require that we do not keep and process your personal data in an identifiable form for any longer than is necessary for the purpose for which the personal data has been collected and to perform regular reviews in this respect. Through the setting of IT applications and policies we ensure that your personal data is deleted when we no longer need it.

9. Security and monitoring of ABB systems  

ABB takes the security of its data very seriously, including your information and ABB's digital business assets. ABB sees this as a shared responsibility, where it takes the necessary steps to secure such data, and where it expects the contractors to do the same. You can read more about our security measures and your responsibilities in the End User Security Policy.

Monitoring of ABB's systems 

For business reasons, and in order to maintain IT security measures, information about the use of ABB's systems including telephone (mobile and fixed) and computer systems (including email and internet access), and any personal use of them, is collected and monitored, and used when necessary for the security of ABB’s system and compliance with ABB security group policies and in accordance with the applicable law. If you access services by the use of passwords and login names on ABB's IT and communication systems, this might mean that your access details can be seen by ABB. 

Monitoring is only carried out if and to the extent permitted or as required by law and as necessary and justifiable for business purposes. The resulting log files will be kept for a minimum period in accordance with section 7. This is required so that instances of attempted misuse and other security events can be detected, and that information is available to support any subsequent investigation and follow up actions.  

If necessary, such information may be handed to the police or other law enforcement agencies. Investigations and disclosure of information to the relevant authorities shall be carried out only to the extent permitted by law. 

10. Which data privacy rights do you have with regards to your personal data? 

Depending on the jurisdiction in which you are located and in which your personal data is processed, you may have the following rights:  

| Data protection rights | What it means |
| --- | --- |
| The right to access your data | You are entitled to ask ABB for an overview of or to obtain a copy of the personal data we hold about you. |
| The right to have your data corrected | You may request immediate correction of inaccurate or incomplete personal data we hold about you. |
| The right to have your data erased | You may request that personal data be erased when it is no longer needed, where applicable law obliges us to delete the data or the processing of it is unlawful. |
| The right to restrict data processing | You have the right to restrict the processing of your personal data in specific circumstances. |
| The right to data portability | You have the right to receive your personal data in a structured, machine-readable format for your own purposes, or to request us to transfer it to a third party. |
| The right to object to data processing | You have the right to object to our processing of your personal data where we rely on our legitimate interests as the basis for our processing, where your data protection rights outweigh our reasoning for legitimate interests. |

Please note that the rights described above are not absolute, and that your request cannot always be met entirely. If you want to know more about your data protection rights as well as the conditions and restrictions under which they are available to you, you may want to refer to the Annex to this Notice. 

You may request to enforce your data privacy rights at www.abb.com/privacy.  

11. Remedies, contact and further information 

If you want to access your personal data, make use of any of your other rights mentioned above or if you have any questions or concerns about how ABB processes your personal data, please contact our Data Protection Officer at privacy@abb.com, or submit your complaint at www.abb.com/privacy

Should you not be satisfied with our response or believe we are processing your personal data against the law, you have the right to file a complaint in accordance with Art. 77 GDPR with the competent Data Protection Authority in your country of residence or work, or seek a remedy through the courts where you believe an infringement of data protection laws (and your rights) may have taken place.  

Date of publication: November 22, 2019 

Annex to the Data Protection Notice: Your rights as a data subject 

1. Right of access 

You have the right to receive from us at any time upon request (text form) information about your personal data processed by us within the scope of Art. 15 GDPR.  

This right is limited by the statutory exceptions of § 34 BDSG, according to which the right of access is excluded, in particular if the data is stored on the basis of statutory retention and documentation periods or for the purposes of data security and data protection control, the provision of information would require a disproportionate effort and a misuse of the data processing is prevented by suitable technical and organizational measures. 

2. Right to rectification 

You have the right, pursuant to Art. 16 GDPR, to obtain from us the immediate rectification of personal data concerning you, should it be incorrect. 

3. Right to erasure 

You have the right to obtain from us, under the conditions set out in Art. 17 GDPR, the deletion of any personal data relating to you.  

These conditions apply in particular if a) the respective processing purpose has been achieved or otherwise ceases to apply, b) we have unlawfully processed your personal data, c) you have withdrawn your consent without another legal basis applying to the data processing, d) you have successfully objected to the data processing or e) in cases where there is an obligation to delete personal data on the basis of EU law or the law of an EU member state to which we are subject.  

This right is limited by the statutory exceptions of § 35 BDSG, according to which the right to erasure may in particular be excluded if, in case of non-automated data processing, there is a disproportionately high expenditure for the deletion and your interest in the deletion is to be regarded as low. 

4. Right to restriction of processing 

In accordance with Art. 18 GDPR, you can request us to process your personal data only to a restricted extent.  

This right exists in particular if a) the correctness of your personal data is disputed, b) you request limited processing instead of deletion under the conditions of a justified right of erasure, c) the data is no longer required for the purposes pursued by us, but you need the data to assert, exercise or defend legal claims or d) the success of an objection is still disputed. 

5. Right to data portability 

In accordance with Art. 20 GDPR, you have the right to receive from us personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, as well as the right to request us to forward this personal data to another controller. 

6. Right to object 

In accordance with Art. 21 GDPR, you have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data, which is either based on a public interest pursuant to Art. 6 (1) e) GDPR or a legitimate interest pursuant to Art. 6 (1) f) GDPR.  

Upon receipt of your objection notice, we will then cease processing your personal data unless we can prove that there are compelling legitimate reasons for the processing which outweigh your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims. If you object to the processing of your personal data for marketing purposes, we will cease such processing in any case.