This US-EU Privacy Shield & Swiss-US Privacy Shield Privacy Policy (the “Policy”) applies to the following entities:

ABB Inc.

ABB Enterprise Software Inc.

ABB Mechanical Motors, Inc.

ABB Treasury Center (USA), Inc.

ABB Installation Products Inc.

ABB Zenith Controls Inc.

ABB Power Electronics Inc.

Industrial Connections and Solutions LLC

These entities are collectively referred to hereinafter as “ABB.”

The Policy sets forth the data privacy principles followed by ABB in connection with the transfer and protection of Personal Data received by ABB from its arent corporation, affiliates, and customers located in the European Union (“EU”), the European Economic Area (“EEA”), and Switzerland.  ABB complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from the EU, EEA, and Switzerland, respectively.  ABB has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles, is committed to subjecting all Personal Data received in reliance on each Privacy Shield Framework to the Framework’s applicable Principles.

This Policy is to be applied consistent with the Privacy Shield Principles.  If there is any conflict between the terms in this Policy and the applicable Privacy Shield Principles, the Privacy Shield Principles as applicable shall govern. 

ABB has certified that it adheres to the Privacy Shield Principles:

Notice

Choice

Accountability for Onward Transfer

Security

Data Integrity and Purpose Limitation

Access

Recourse, Enforcement and Liability. 

To learn more about the Privacy Shield Frameworks, and to view ABB’s certification, please visit the US Department of Commerce’s Privacy Shield website at https://www.privacyshield.gov.

ABOUT THE PRIVACY SHIELD FRAMEWORKS

The EU-US Privacy Shield Framework and Swiss-US Privacy Shield Framework were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. On July 12, 2016, the European Commission deemed the EU-US Privacy Shield Framework adequate to enable data transfers under EU law.  On January 12, 2017, the Swiss Government announced the approval of the Swiss-US Privacy Shield Framework as a valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States.

Both programs are voluntary self-certification processes for companies operating in the U.S.  Companies that certify to the programs represent that they are upholding privacy standards for Personal Data received from the EU and Switzerland that have been accepted by the EU Commission, the Swiss Federal Data Protection and Information Commission, and the US Department of Commerce.  These standards exceed current US privacy standards.  Compliance with the Principles is enforced by the U.S. Federal Trade Commission (the “FTC”).  The FTC has jurisdiction over ABB.  Accordingly, ABB is subject to the investigatory and enforcement powers of the FTC.   

Adherence to the Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations; or (c) if the effect of the EU Directive, EU Member State law, or Swiss Act is to allow exceptions or derogations. 

SCOPE

This Policy applies to all Personal Data described in this Policy that is transferred by or on behalf of ABB’s parent corporation, affiliates, customers, prospects, partners, vendors or suppliers from countries in the EU, EEA, or Switzerland to ABB in the United States.

DEFINITIONS

“EU Directive” is the EU comprehensive privacy legislation, Directive 95/46/EC on Data Protection, that became effective on October 25, 1998 and the Swiss Federal Act on Data Protection that became effective June 19, 1992. On May 25, this Directive was replaced with the General Data Protection Regulation, known as (“GDPR”). The GDPR requires transfers of personal data take place only to non-EU countries that provide an “adequate” level of privacy protection. 

“Swiss Act” is the Swiss Federal Act on Data Protection that became effective June 19, 1992.  Like the Directive, it requires that transfers of personal data take place only to non-Swiss countries that provide an “adequate” level of privacy protection. 

“Personal Data” are data about an identified or an identifiable individual received by ABB in the U.S. from the EU, EEA or Switzerland, and recorded in any form.  It does not include anonymized data or data that is reported in aggregate. 

An “identifiable” person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. 

“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Third Party” and “Third Parties” do not include third parties that are acting as an agent to perform task(s) on behalf of and under the instructions of ABB. 

An “agent” is a third party acting as an agent to perform a task or tasks on behalf of and under the instructions of ABB.

“Sensitive Information” is Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information specifying the sex life of the individual, and, for Personal Data transferred from Switzerland only, information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.

PRIVACY SHIELD PRINCIPLES

EU, EEA, and Swiss Personal Data is processed subject to the Privacy Shield Principles.

NOTICE/PERSONAL DATA COLLECTION AND USE  

Through this Policy and other means, ABB informs individuals about the types of personal data collected and, where applicable, the entities or subsidiaries of ABB also adhering to the Principles.  ABB informs individuals of the purposes for which it collects and uses information about them, the identities or types of third-parties to which ABB discloses the information, the purposes for which ABB may disclose the information, and the choices and means ABB offers individuals for limiting the use and disclosure of such personal information.  This notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to ABB or as soon thereafter as is practicable, but in any event before ABB uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a Third-Party. 

ABB receives information from iIs Parent Corporation and affiliates in the EU, EEA and Switzerland concerning prospective, current and former employees, consultants, contractors and job applicants (“Human Resources Data”).  The purposes for which ABB collects and uses Human Resources Data are set forth in the Notice / Choice – Employee Personal Data Addendum to this Policy.

ABB also receives Personal Data pertaining to customers, prospects, partners, vendors, and suppliers of ABB and its Parent Corporation and affiliates in the EU, EEA, and Switzerland (“Business Contact Data”). Business Contact Data is typically limited to name, business title, and contact information such as business postal address, email address, and telephone number.  ABB collects, transfers and uses Business Contact Data for marketing and sales, the provision of products and services, partner and supply chain management, and legal compliance.

ABB further receives transfers of Personal Data pertaining to individuals personally identified in various software platforms from customers using ABB Enterprise Software Inc. software solutions (“Customer Data”). Customer Data may include Personal Data as well as Personal Data containing Sensitive Information such as medical treatment plans, ethnicity, and health plan information. ABB receives and transfers the Customer Data to assist software solution customers with software and/or system updates, upgrades and troubleshooting. ABB does not use or process the Customer Data for Its own commercial purposes. The transfer and processing of the Customer Data is governed by an ABB Enterprise Software Inc. Access Control Policy.

When ABB receives Human Resources Data, Business Contact Data and Customer Data from its parent corporation and affiliates in the EU, EEA, and Switzerland, ABB will use and disclose such Personal Data in accordance with the notices provided by such entities and the choices made by the individuals to whom it relates.

  ABB offers individuals the opportunity to choose whether their Personal Data is: (a) to be disclosed to a Third Party; or (2) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the individual.  ABB will provide individuals with clear and conspicuous, readily available, and affordable mechanisms to exercise these choices. 

ABB will not provide “choice” when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of ABB.  ABB shall always enter into a contract with such an agent to protect the confidentiality and security of your personal data.

ABB will obtain the express consent (opt in) from individuals if Sensitive Information is to be: (a) disclosed to a Third Party; or (b) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice.  ABB will treat as sensitive any Personal Data received from a Third Party that identifies and treats it as sensitive. 

ACCOUNTABILITY FOR ONWARD TRANSFER. 

ABB may transfer Human Resources Data to Third Parties and third-party agents as set forth the Notice / Choice – Employee Personal Data Addendum to this Privacy Policy

ABB may transfer Business Contact Data to third parties, including service providers, who act as agents to perform task(s) on behalf of and under the instructions of ABB for purposes related to those set forth above. 

To transfer Personal Data to a third party acting as an agent, ABB shall:

Transfer such Personal Data only for limited and specified purposes.

Ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Privacy Shield Principles. 

Take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with ABB’s obligations under the Privacy Shield Principles.

Require the agent to notify ABB if the agent determines it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield Principles.

Upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing.

Provide a summary or representative copy of the relevant privacy provisions of its contract with that agent to the U.S. Department of Commerce upon request.

To transfer Personal Data to a Third Party acting as a Controller, ABB shall comply with the Privacy Shield Notice and Choice Principles.  ABB shall also enter into a contract with the Third-Party Controller.  The contract shall provide that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual.  It will provide the same level of protection as the Privacy Shield Principles.  The contract will require the Third-Party controller to notify ABB if the Third-Party controller determines it can no longer meet this obligation.  The contract shall provide that when such a determination is made the Third-Party controller shall cease processing or take other reasonable and appropriate steps to remediate. 

  ABB shall take reasonable and appropriate measures to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the personal data.

DATA INTEGRITY AND PURPOSE LIMITATION.  ABB will only process Personal Data in a way that is compatible with the purposes for which it has been collected or subsequently authorized by the individual.  ABB shall take reasonable steps to ensure that Personal Data is accurate, complete, reliable for its intended use, and current.  Personal Data shall be retained in a form identifying or making identifiable the individual only for as long as it serves a purpose of processing consistent with the purpose for which it was collected or subsequently authorized by the individual. 

  ABB provides individuals with access to their personal data for purposes of correcting, amending or deleting that information where it is inaccurate or has been processed in violation of the Principles.  Access will not be provided where the burden or expense of providing such access would be disproportionate to the risks to the individual’s privacy or where the rights of persons other than the individual would be violated.  A reasonable fee compensating ABB for resource use related to accessing, changing or deleting the Personal Data may be charged. 

RECOURSE, ENFORCEMENT AND LIABILITY.  Effective privacy protection includes robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences when the Principles are not followed. 

  ABB has procedures to verify the attestations and assertions it makes about ABB’s privacy practices are true and that privacy practices have been implemented as presented.  ABB verifies compliance with the Principles through self-assessment or outside compliance reviews.  Any employee that violates these Principles will be subject to disciplinary procedures in accordance with ABB’s disciplinary policy. 

 In compliance with the Privacy Shield Principles, ABB commits to resolve complaints about its collection of Personal Data.  Individuals who are affected by or witness non-compliance with these Principles are encouraged to report the matter via ABB’s Ethics Hotline or other Reporting Channels.  For more information on ABB Reporting Channels, please visit http://new.abb.com/about/integrity/reporting-channels/how-do-i-report.  Alternatively, individuals may contact the US Country Privacy Lead whose direct contact information is:

ABB Inc.

Attn: Andrew Klein, U.S. Country Integrity Officer

305 Gregson Drive

Cary, NC 27518

(919) 829-4363

andrew.klein@us.abb.com

ABB Inc.

Attn: Bridget N. Smith, Integrity Counsel

305 Gregson Drive

Cary, NC 27511

(919) 831-3178

Bridget.n.smith@us.abb.com

ABB will respond to a complaint within 45 days of receipt.

If a complaint cannot be resolved with ABB directly, there are readily available independent recourse mechanisms by which an individual’s complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Principles. 

For complaints involving Human Resources Data transferred from the EU in the context of the employment relationship, ABB commits to cooperate with the panel established by the EU Data Protection Authorities and comply with the advice given by the panel.  Complaints regarding processing of Human Resources Data pertaining to EU citizens may be reported by the individual to the relevant Data Protection Authority. 

For complaints involving Human Resources Data transferred from Switzerland in the context of the employment relationship, ABB commits to cooperate with Swiss Federal Data Protection and Information Commissioner (“FDPIC”) and comply with the advice given by the FDPIC.  Complaints regarding processing of Human Resources Data pertaining to Swiss citizens may be reported by the individual to the relevant Data Protection Authority. 

All other complaints shall be resolved through alternative dispute resolution.  ABB has selected the International Centre for Dispute Resolution, the international division of the American Arbitration Association (“ICDR/AAA”), as the administrator of ABB’s independent recourse mechanism for non- HR disputes.  ABB has committed to refer such unresolved Privacy Shield complaints to ICDR/AAA in the United States.  You may find more information about dispute resolution and how to file a claim with the ICDR/AAA at http://go.adr.org/privacyshield.html.

Individuals have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms.  Please visit Annex I for additional information: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

  In the context of an onward transfer, ABB has responsibility for the processing of Personal Data it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf.  ABB shall remain liable under the Principles if its agent processes such Personal Data in a manner inconsistent with the Principles unless ABB shows it is not responsible for the event giving rise to the damage.

Compelled Disclosure.  ABB may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

WORLDWIDE ACTIVITIES

ABB’s parent corporation is a global corporation with subsidiaries and business partners in many countries, and with technical systems that cross borders.  Personal Data collected by ABB may be transferred across state and country borders and stored or processed in the United States or any other country in which ABB, its parent corporation, its subsidiaries, affiliates, or business units maintain facilities for the purposes of data consolidation, storage, and simplified information management.  ABB, its Parent Corporation, subsidiaries, affiliates and business units will handle your information collected in a consistent manner, as described here, even if the laws in some countries may provide less protection for your information.  ABB’s privacy practices are designed to protect your Personal Data all over the world.

CHANGES TO THIS POLICY

If there are updates to the terms of ABB’s Policy, ABB will post those changes here and update the revision date in this document so that you will always know what information ABB collects, how we use it, and what choices you have.

CONTACT INFORMATION

ABB Inc.

Attn: Andrew Klein, U.S. Country Integrity Officer

305 Gregson Drive

Cary, NC 27518

(919) 829-4363

andrew.klein@us.abb.com

Effective:     10/1/2017

Updated:      10/25/2019

Title: NOTICE / CHOICE – EMPLOYEE PERSONAL DATA

Addendum to US-EU Privacy Shield & Swiss-US Privacy Shield

Statement of Acknowledgment

Effective Date: September 11, 2013

Revised: September 30, 2016

Revised: June 5, 2017

Revised: June 15, 2018 (this Notice supplements the “ABB Global Notice” and in the case of any conflicts controls).

Revised: July 31, 2019 (this Notice supplements the “ABB Global Employee Notice Policy” effective on May 25, 2019 and in the case of any conflicts controls).

ABB is certified to the US-EU Privacy Shield and the Swiss-US Privacy Shield data privacy programs of the U.S. Department of Commerce which can be found on the Privacy Shield’s website at www.privacyshield.gov.

This document is intended to satisfy, as necessary, the notice and choice privacy principles regarding the transfer of your personal data to certain third parties and third party agents.

NOTICE

As an employee of ABB, your personal data may be forwarded internally to your managers, other business units or divisions, and any of the various corporate functions (e.g., Human Resources, Integrity, Security, Tax, Health and Safety, etc.).  It may be shared with our various sister and parent companies in the normal course of business. 

Your personal data may also be shared with various third parties and third-party agents in the normal course of business. 

As an employee of ABB, you may have rights to access and/or limit disclosures of certain types of personal data. For any questions directly related to this please contact privacy@abb.com.

PURPOSE FOR WHICH ABB COLLECTS AND USES INFORMATION ABOUT YOU

ABB uses a number of internal and external databases, applications, and systems that contain personal data.  ABB collects, receives, uses, and shares your personal data in accordance with and as permitted by applicable laws, and, where applicable, as authorized by applicable government authorities.  Your personal data may be used for:

Staffing (e.g. headcount planning, recruitment, termination, succession planning)

Organizational planning and development and workforce management

Budget planning and administration

Compensation, payroll, and benefit planning and administration (e.g. salary, tax withholding, tax equalization, awards, insurance and pension)

Workforce development, education, training and certification

Background checks

Performance management

Problem resolution (e.g., internal reviews, grievances), internal investigations, auditing, compliance, risk management and security purposes

Authorizing, granting, administering, monitoring and terminating access to or use of ABB systems, facilities, records, property and infrastructure

Business travel (e.g., limousines, commercial flights, hotels, rental cars, etc.)

Expense management (e.g., corporate credit card, expense and grant of authority administration, procurement)

Project management

Conflict of interest reporting

Employee communications – internal only, including but not limited to photos, videos, surveys, signups, and testimonials.

Flexible work arrangements

Administration of employee enrollment and participation in activities and programs offered to eligible employees (e.g., matching donations to non-profit organizations, political action committee contributions, wellness activities)

Work-related injury and illness reporting

Monitoring and surveillance for industrial hygiene, public health and safety, security and formal workplace investigations

Legal proceedings and government investigations, including preservation of relevant data

As required or expressly authorized by laws or regulations applicable to ABB’s business or by government agencies that oversee or regulate our business

TYPES OF THIRD-PARTIES TO WHICH ABB MAY TRANSFER YOUR PERSONAL INFORMATION

ABB will forward your information to a number of third parties and third party agents.  The types of such third parties your information may be transferred to include, but may not be limited to, the following:

Auto purchase co. (benefit)

Immigration / Visa attorneys

Tax and audit advisory service providers like PwC / KPMG

Banks and other financial institutions

Academic evaluation service providers

Trainee Visa sponsor

HR & payroll service providers

Background & drug screening providers

Logistics cos. like FedEx

Various government entities (e.g., IRS I-9, W-2, W-4, etc.)

Travel & expense service providers

Leadership development assessors

Performance development appraisal and assessment

Corporate credit card cos. (e.g. AmEx)

Merit & Incentive COS.

Market analysts on salary information

Language training cos.

Insurance cos. (insurance benefits)

Cell phone service cos.

Employment verification co.

Relocation cos.

Outplacement services

Affirmative action consultants

Service awards          

ABB Political Action Committee

ABB Foundation

Auditor and tax consultants

Unions

ERISA attorneys

Retirement/investment cos.

Data warehousing providers

Actuaries

Health and wellness providers

Legal services benefits

Employee discounts benefits

Access control systems providers (e.g. Kantech)

Accountants

Property / casualty third party administrators

Claims management service providers

Travel providers

Communications and communication service providers

Security cos.

Travel assistance

Security training and crisis management

Federal, State and local taxing authorities

Law firms in various legal proceedings

Risk Management COS.

Workers’ compensation defense attorneys, nurse case managers, and private investigators

Federal, state and local regulatory agencies

Health and safety service and software providers

Benefits service providers

Pension service providers

Employee ID badge co.

Budgeting, timekeeping, & other financial systems

Hotline service providers

ELearning service providers

ABB parent, affiliate, and sister companies

Exit interview service providers

We only collect the personal data from you that we need for the above purposes described. Certain personal data collected from you relates to your next of kin and emergency contacts. In these cases, you are requested to inform such persons about this Notice.

DATA RETENTION

Based on mandatory legislation, ABB must keep certain personal data for a minimum period. For example, employment contracts, information about salary payments and reimbursements need to be kept for a minimum period based on local corporate and tax legislation.

At the same time, applicable data protection laws require that we do not keep personal data in an identifiable form for any longer than is necessary for the purpose for which the personal data is being processed. Through the setting of IT applications and policies we ensure that your personal data is deleted when we no longer need it.

The retention periods for the information that we hold can be found in our Directive Records Management GD/LI-44 (add link) or your local Directive Records. After an applicable retention period has lapsed, we will securely delete your personal data, unless there are specific circumstances that require us to keep such personal data, such as legal or regulatory obligations or to resolve potential disputes.

For more information regarding specific retention periods that apply to your personal data, please submit a request at www.abb.com/privacy.

CHANGES TO THIS STATEMENT

If there are updates to this Notice, ABB will post those changes on its website and inside.abb.com and update the revision date in this document so that you will always know what information ABB collects, how we use it, and what choices you have.