EU-US AND SWISS-US PRIVACY SHIELD
- ABB Inc.
- ABB Enterprise Software Inc.
- ABB Mechanical Motors, Inc.
- ABB Treasury Center (USA), Inc.
- ABB Installation Products Inc.
- ABB Power Electronics Inc.
- Industrial Connections and Solutions LLC
These entities are collectively referred to hereinafter as “ABB.”
The Policy sets forth the data privacy principles followed by ABB in connection with the transfer and protection of Personal Data received by ABB from its parent corporation, affiliates, and customers located in the European Union (“EU”), the European Economic Area (“EEA”), and Switzerland. ABB complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from the EU, EEA, and Switzerland, respectively. ABB has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles and is committed to subjecting all Personal Data received in reliance on each Privacy Shield Framework to the Framework’s applicable Principles.
This Policy is to be applied consistent with the Privacy Shield Principles. If there is any conflict between the terms in this Policy and the applicable Privacy Shield Principles, the Privacy Shield Principles as applicable shall govern.
ABB has certified that it adheres to the Privacy Shield Principles:
- Accountability for Onward Transfer
- Data Integrity and Purpose Limitation
- Recourse, Enforcement and Liability.
To learn more about the Privacy Shield Frameworks, and to view ABB’s certification, please visit the US Department of Commerce’s Privacy Shield website at https://www.privacyshield.gov.
ABOUT THE PRIVACY SHIELD FRAMEWORKS
The EU-US Privacy Shield Framework and Swiss-US Privacy Shield Framework were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
Participating in the Privacy Shield Program is a voluntary self-certification process for companies operating in the U.S. Companies that certify to the programs represent that they are upholding privacy standards for Personal Data received from the EU and Switzerland. These standards exceed current US privacy standards. Compliance with the Principles is enforced by the U.S. Federal Trade Commission (the “FTC”). The FTC has jurisdiction over ABB. Accordingly, ABB is subject to the investigatory and enforcement powers of the FTC.
Adherence to the Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations; or (c) if the effect of the EU Directive, EU Member State law, or Swiss Act is to allow exceptions or derogations.
This Policy applies to all Personal Data described in this Policy that is transferred by or on behalf of ABB’s parent corporation, affiliates, customers, prospects, partners, vendors or suppliers from countries in the EU, EEA, or Switzerland to ABB in the United States.
“EU Directive” is the EU comprehensive privacy legislation, Directive 95/46/EC on Data Protection, that became effective on October 25, 1998 and the Swiss Federal Act on Data Protection that became effective June 19, 1992. On May 25, this Directive was replaced with the General Data Protection Regulation (“GDPR”). The GDPR requires that transfers of personal data take place only to non-EU countries that provide an “adequate” level of privacy protection.
“Swiss Act” is the Swiss Federal Act on Data Protection that became effective June 19, 1992. Like the Directive, it requires that transfers of personal data take place only to non-Swiss countries that provide an “adequate” level of privacy protection.
“Personal Data” are data about an identified or an identifiable individual received by ABB in the U.S. from the EU, EEA or Switzerland, and recorded in any form. It does not include anonymized data or data that is reported in aggregate.
An “identifiable” person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Third Party” and “Third Parties” do not include third parties that are acting as an agent to perform task(s) on behalf of and under the instructions of ABB.
An “agent” is a third party acting as an agent to perform a task or tasks on behalf of and under the instructions of ABB.
“Sensitive Information” is Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information specifying the sex life of the individual, and, for Personal Data transferred from Switzerland only, information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.
PRIVACY SHIELD PRINCIPLES
EU, EEA, and Swiss Personal Data is processed subject to the Privacy Shield Principles.
NOTICE/PERSONAL DATA COLLECTION AND USE
Through this Policy and other means, ABB informs individuals about the types of personal data collected and, where applicable, the entities or subsidiaries of ABB also adhering to the Principles. ABB informs individuals of the purposes for which it collects and uses information about them, the identities or types of third-parties to which ABB discloses the information, the purposes for which ABB may disclose the information, and the choices and means ABB offers individuals for limiting the use and disclosure of such personal information. This notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to ABB or as soon thereafter as is practicable, but in any event before ABB uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a Third-Party.
ABB receives information from its Parent Corporation and affiliates in the EU, EEA and Switzerland concerning prospective, current and former employees, consultants, contractors and job applicants (“Human Resources Data”). The purposes for which ABB collects and uses Human Resources Data are set forth in the Notice / Choice – Employee Personal Data Addendum to this Policy.
ABB also receives Personal Data pertaining to customers, prospects, partners, vendors, and suppliers of ABB and its Parent Corporation and affiliates in the EU, EEA, and Switzerland (“Business Contact Data”). Business Contact Data is typically limited to name, business title, and contact information such as business postal address, email address, and telephone number. ABB collects, transfers and uses Business Contact Data for marketing and sales, the provision of products and services, partner and supply chain management, and legal compliance.
ABB further receives transfers of Personal Data pertaining to individuals personally identified in various software platforms from customers using ABB Enterprise Software Inc. software solutions (“Customer Data”). Customer Data may include Personal Data as well as Personal Data containing Sensitive Information such as medical treatment plans, ethnicity, and health plan information. ABB receives and transfers the Customer Data to assist software solution customers with software and/or system updates, upgrades and troubleshooting. ABB does not use or process the Customer Data for its own commercial purposes. The transfer and processing of the Customer Data is governed by an ABB Enterprise Software Inc. Access Control Policy.
When ABB receives Human Resources Data, Business Contact Data and Customer Data from its parent corporation and affiliates in the EU, EEA, and Switzerland, ABB will use and disclose such Personal Data in accordance with the notices provided by such entities and the choices made by the individuals to whom it relates.
- ABB offers individuals the opportunity to choose whether their Personal Data is: (a) to be disclosed to a Third Party; or (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the individual. ABB will provide individuals with clear and conspicuous, readily available, and affordable mechanisms to exercise these choices.
ABB will not provide “choice” when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of ABB. ABB shall always enter into a contract with such an agent to protect the confidentiality and security of your personal data.
ABB will obtain the express consent (opt in) from individuals if Sensitive Information is to be: (a) disclosed to a Third Party; or (b) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. ABB will treat as sensitive any Personal Data received from a Third Party that identifies and treats it as sensitive.
ACCOUNTABILITY FOR ONWARD TRANSFER.
ABB may transfer Business Contact Data to third parties, including service providers, who act as agents to perform task(s) on behalf of and under the instructions of ABB for purposes related to those set forth above.
To transfer Personal Data to a third party acting as an agent, ABB shall:
- Transfer such Personal Data only for limited and specified purposes.
- Ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Privacy Shield Principles.
- Take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with ABB’s obligations under the Privacy Shield Principles.
- Require the agent to notify ABB if the agent determines it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield Principles.
- Upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing.
- Provide a summary or representative copy of the relevant privacy provisions of its contract with that agent to the U.S. Department of Commerce upon request.
To transfer Personal Data to a Third Party acting as a Controller, ABB shall comply with the Privacy Shield Notice and Choice Principles. ABB shall also enter into a contract with the Third-Party Controller. The contract shall provide that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual. It will provide the same level of protection as the Privacy Shield Principles. The contract will require the Third-Party controller to notify ABB if the Third-Party controller determines it can no longer meet this obligation. The contract shall provide that when such a determination is made the Third-Party controller shall cease processing or take other reasonable and appropriate steps to remediate.
- ABB shall take reasonable and appropriate measures to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the personal data.
DATA INTEGRITY AND PURPOSE LIMITATION. ABB will only process Personal Data in a way that is compatible with the purposes for which it has been collected or subsequently authorized by the individual. ABB shall take reasonable steps to ensure that Personal Data is accurate, complete, reliable for its intended use, and current. Personal Data shall be retained in a form identifying or making identifiable the individual only for as long as it serves a purpose of processing consistent with the purpose for which it was collected or subsequently authorized by the individual.
- ABB provides individuals with access to their personal data for purposes of correcting, amending or deleting that information where it is inaccurate or has been processed in violation of the Principles. Access will not be provided where the burden or expense of providing such access would be disproportionate to the risks to the individual’s privacy or where the rights of persons other than the individual would be violated. A reasonable fee compensating ABB for resource use related to accessing, changing or deleting the Personal Data may be charged.
RECOURSE, ENFORCEMENT AND LIABILITY. Effective privacy protection includes robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences when the Principles are not followed.
- ABB has procedures to verify that the attestations and assertions it makes about ABB’s privacy practices are true and that privacy practices have been implemented as presented. ABB verifies compliance with the Principles through self-assessment or outside compliance reviews. Any employee who violates these Principles will be subject to disciplinary procedures in accordance with ABB’s disciplinary policy.
- In compliance with the Privacy Shield Principles, ABB commits to resolve complaints about its collection of Personal Data. Individuals who are affected by or witness non-compliance with these Principles are encouraged to report the matter via ABB’s Ethics Hotline or other Reporting Channels. For more information on ABB Reporting Channels, please visit http://new.abb.com/about/integrity/reporting-channels/how-do-i-report. Alternatively, individuals may contact the US Country Privacy Lead whose direct contact information is:
Attn: Andrew Klein, U.S. Country Integrity Officer
305 Gregson Drive
Cary, NC 27518
Attn: Bridget N. Smith, Integrity Counsel
305 Gregson Drive
Cary, NC 27511
ABB will respond to a complaint within 45 days of receipt.
If a complaint cannot be resolved with ABB directly, there are readily available independent recourse mechanisms by which an individual’s complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Principles.
For complaints involving Human Resources Data transferred from the EU in the context of the employment relationship, ABB commits to cooperate with the panel established by the EU Data Protection Authorities and comply with the advice given by the panel. Complaints regarding processing of Human Resources Data pertaining to EU citizens may be reported by the individual to the relevant Data Protection Authority.
For complaints involving Human Resources Data transferred from Switzerland in the context of the employment relationship, ABB commits to cooperate with Swiss Federal Data Protection and Information Commissioner (“FDPIC”) and comply with the advice given by the FDPIC. Complaints regarding processing of Human Resources Data pertaining to Swiss citizens may be reported by the individual to the relevant Data Protection Authority.
All other complaints shall be resolved through alternative dispute resolution. ABB has selected the International Centre for Dispute Resolution, the international division of the American Arbitration Association (“ICDR/AAA”), as the administrator of ABB’s independent recourse mechanism for non-HR disputes. ABB has committed to refer such unresolved Privacy Shield complaints to ICDR/AAA in the United States. You may find more information about dispute resolution and how to file a claim with the ICDR/AAA at http://go.adr.org/privacyshield.html.
Individuals have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. Please visit Annex I for additional information: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
- In the context of an onward transfer, ABB has responsibility for the processing of Personal Data it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. ABB shall remain liable under the Principles if its agent processes such Personal Data in a manner inconsistent with the Principles unless ABB shows it is not responsible for the event giving rise to the damage.
Compelled Disclosure. ABB may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
ABB’s parent corporation is a global corporation with subsidiaries and business partners in many countries, and with technical systems that cross borders. Personal Data collected by ABB may be transferred across state and country borders and stored or processed in the United States or any other country in which ABB, its parent corporation, its subsidiaries, affiliates, or business units maintain facilities for the purposes of data consolidation, storage, and simplified information management. ABB, its Parent Corporation, subsidiaries, affiliates and business units will handle your information collected in a consistent manner, as described here, even if the laws in some countries may provide less protection for your information. ABB’s privacy practices are designed to protect your Personal Data all over the world.
CHANGES TO THIS POLICY
If there are updates to the terms of ABB’s Policy, ABB will post those changes here and update the revision date in this document so that you will always know what information ABB collects, how we use it, and what choices you have.