Global site - English

ABB's website uses cookies. By staying here you are agreeing to our use of cookies. Learn more

ABB Corporate Rules - Summary

Table of contents:

1. Introduction
1.1. Fairness and lawfulness
1.2. Processing of sensitive Personal Data
1.3 Transparency
2. Sharing personal data
2.1. Sharing data with Data Processors
2.2. Sharing Personal Data with Data Controllers
2.3. Onward transfer
3. Complaint
4. Third party rights available to the Data Subjects

1. Introduction

At ABB respecting data protection rights is a priority. ABB has adopted global data protection standards to ensure a standardised and high level of protection of Personal Data.

ABB Group Companies are committed to meet the data privacy principles described below when ABB Group Companies are the Data Controller for the Personal Data.

1.1. Fairness and lawfulness

The processing of Personal Data shall be always done fairly and lawfully in ways that would be reasonably expected and on the basis of one of the following grounds for processing:

  • the Data Subject has given their consent to the processing of Personal Data;
  • processing is necessary to perform a contract with the Data Subject, or to take pre-contractual steps at the request of the Data Subject;
  • processing is necessary for compliance with a legal obligation to which the Data Controller is subject;
  • processing is necessary to protect the vital interests of the Data Subject; or
  • processing is necessary for the Data Controller's legitimate interests or those of a third party, unless the interests of the Data Subject override those interests.

1.2. Processing of sensitive Personal Data

Where ABB Group Companies process sensitive Personal Data this processing shall be always done fairly and lawfully in ways that would be reasonably expected and on the basis of one of the following grounds for processing:

  • the Data Subject has given explicit consent;
  • processing is necessary to meet obligations or exercise rights in national or European law relating to employment, social security, and healthcare in so far as it is authorized by national law providing for adequate safeguards;
  • the Personal Data are manifestly made public by the Data Subject;
  • processing is necessary to establish, exercise or defend legal claims;
  • processing is necessary for the assessment of the working capacity of an Employee; or
  • processing is necessary for the security of ABB, Staff and customer assets, for example through the use of video recordings or biometric identifiers.

Adequate security measures will be ensured depending on the nature of the Personal Data and the risks associated with its intended processing.

1.3. Transparency

ABB Group companies shall provide the Data Subject at the point of collection, or within a reasonable period of collection, with the information necessary to ensure fair and transparent processing, in particular:

  • Identity and contact details of the Data Controller as well as the contact details of the data protection officer;
  • Purposes and the legal basis for the processing;
  • The recipients or categories of recipients of the Personal Data,
  • The source of Personal Data (unless this is Personal Data collected directly from the Data Subject);
  • Risks, rules, safeguards and rights in relation to the processing of Personal Data and how to exercise their rights in relation to such processing.
  • Purpose

ABB Group Companies shall only process Personal Data for explicit and legitimate purposes. At the same time collected Personal Data are not processed for further incompatible purpose - unless the Data Subject has given consent and has been provided with the information required by the Transparency Principle, or the processing is otherwise permitted under applicable law.

1.5. Proportionality and quality

Personal Data shall always be adequate and relevant to the purposes of processing. In particular, Personal Data must be limited to what is necessary to the purpose of processing. ABB ensures that Personal Data are accurate and, where necessary, kept up-to-date. ABB Group Companies take all reasonable steps to ensure that any incorrect or incomplete Personal Data are erased, blocked or, if necessary, corrected without undue delay.

1.6. Storage limitation

Personal Data shall be only processed for the period necessary for the purposes for which they are processed, or as advisable considering an applicable statute of limitations. At the end of this period the Personal Data are erased or anonymized unless there is an exemption under applicable law which allows the data to be kept longer.

1.7. Data security

ABB Group Companies will maintain appropriate technical and organisational measures to ensure a level of appropriate security for Personal Data, taking into account the nature of the Personal Data; possible risks that may affect Personal Data; the ability to ensure confidentiality, integrity, availability and resilience of processing of Personal Data; the requirements of applicable law; and any measures specified in the service agreement with a Customer.

ABB Group Companies must comply with the information security requirements set out in ABB’s Information Security Management Corporate Regulations, instructions, policies and standards. ABB will inform Data Subjects of a security breach affecting their Personal Information if (a) the Data Subject is at a high risk of harm as a result of the Personal Data breach or, (b) (even if the Data Subject is not at a high risk of harm) if an applicable breach notification law requires such notification.

2. Sharing Personal Data

2.1. Sharing data with Data Processors

An ABB Group Company will only appoint a Third Party Data Processor to process Personal Data where a data protection and information security risk assessment has been carried out to determine that the Data Processor will provide sufficient guarantees that it will implement appropriate technical and organisational measures. The ABB Group Company will ensure that there is a written contract with the Data Processor, which is recognised as valid under applicable law and which contains the provisions required in applicable law.

2.2. Sharing Personal Data with Data Controllers

An ABB Group Company may share Personal Data with another Data Controller where ABB is the Data Controller in respect of the Personal Data providing that it meets the ABB Privacy Principles.

2.3 Onward transfer

European Personal Data may be shared with other ABB Group Companies or with other Third Parties located in the European Union or in a country or territory in respect of which there is a valid decision by the European Commission determining an adequate level of protection for European Personal Data but with no further requirements to ensure adequate protection for the data. In all other situations, European Personal Data may only be shared where appropriate safeguards for the European Personal Data are put in place, as set out in article 46 GDPR – such as use of the EU Model Clauses. Where an ABB Group Company is the Data Controller in respect of the European Personal Data, such data may also be shared in specific situations where European Law provides a derogation for the transfer – for example, where the Data Subject has given explicit consent, where the transfer is necessary to perform a contract with the Data Subject or to take pre-contractual measures requested by the Data Subject. Non-European Personal Data may only be shared with other entities where appropriate safeguards have been put in place to protect the data and in accordance with the requirements of applicable law.

3. Complaint

If a Data Subject has a concern that their Personal Data has been processed by an ABB Group Company in violation of applicable data protection laws, they may submit a complaint in writing by submitting the contact form at abb.com/privacy or through privacy@abb.com.

ABB will facilitate the complaints process without undue delay and, ordinarily, within one month from the date the complaint is received. This period may be extended by two further months if this is necessary, because of the complexity of the complaint or the number of requests made by the Data Subject. The Data Subject will be informed if there is a delay in processing their complaint due to the above.

4. The third party rights available to the Data Subjects

Whenever ABB Group Companies process European Personal Data as a Data Controller, Data Subjects have the following rights listed below. Whenever ABB Group Companies process non-European Personal Data as a Data Controller, Data Subjects can enforce the rights available to them under applicable law. The justified request of the Data Subject will be responded without undue delay and in any event within one month.

Rights of access and portability- The Data Subject has the right to:

  • receive the confirmation if the ABB Group Company processes Personal Data about that Data Subject;
  • receive a copy of the Personal Data in a structured, commonly used and machine-readable format;
  • ask for transfer of Personal Data to another entity, in structured, machine-readable format when the Personal Data was provided by the Data Subject, is processed automatically, and where the Personal Data are processed with the individual’s consent or to fulfil a contract with him or her;

Right of rectification- The Data Subject has the right to request correction of inaccurate or incomplete Personal Data;

Right of erasure (the "right to be forgotten")- The Data Subject has the right to erase the Personal Data when it is no longer needed, where applicable law obliges us to delete the data or the processing of it is unlawful;

Right of restriction- The Data Subject has the right to restrict processing of Personal Data in specific circumstances;

Right to object- The Data Subject has the right to object to our processing of Personal Data where we rely on our legitimate interests as the basis for our processing or where data protection rights outweigh ABB reasoning for legitimate interests;

Automated decision-taking- The Data Subject has the right to ask ABB not to be subject to an automated decision (i.e. no human involvement in the decision);

Right of consent withdrawal- where ABB has asked for a consent to process Personal Data the Data Subject has the right to withdraw the consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

If you feel that you wish to contact ABB and review, update, change or delete any of your Personal Data and preferences of how ABB processes it, please visit our Data Subject Rights - Request forms site.