EU-US DATA PRIVACY FRAMEWORK, UK EXTENSION TO THE EU-US DATA PRIVACY FRAMEWORK AND SWISS-US DATA PRIVACY FRAMEWORK PRIVACY POLICY

 

 

PRIVACY POLICY

This EU-US Data Privacy Shield Framework, UK Extension to the EU-US Data Privacy Framework and Swiss-US Data Privacy Framework Privacy Policy (the “Policy”) applies to the following entities:

  • ABB Inc.
  • ABB Treasury Center (USA), Inc.
  • ABB Installation Products Inc.
  • Industrial Connections and Solutions LLC
  • Eve Systems LLC
  • Springpoint Solutions LLC

These entities are collectively referred to hereinafter as “ABB.”

The Policy sets forth the data privacy principles followed by ABB in connection with the transfer and protection of Personal Data received by ABB from its parent corporation, affiliates, and customers located in the European Economic Area (“EEA”), UK and Switzerland. ABB complies with the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework and the Swiss-US Data Privacy Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data from the EEA, UK and Switzerland, respectively. ABB has certified to the U.S. Department of Commerce that it adheres to the EU-US Data Privacy Framework Principles and Swiss-US Data Privacy Framework Principles, is committed to subjecting all Personal Data received in reliance on the respective Framework to the Framework’s applicable Principles.

This Policy is to be applied consistent with the EU-US Data Privacy Framework Principles and the Swiss-US Data Privacy Framework Principles. If there is any conflict between the terms in this Policy and the applicable Framework Principles, the Framework Principles as applicable shall govern.

ABB has certified that it adheres to the Privacy Shield Principles:

  • Notice
  • Choice
  • Accountability for Onward Transfer
  • Security
  • Data Integrity and Purpose Limitation
  • Access
  • Recourse, Enforcement and Liability.

To learn more about these Data Privacy Frameworks, and to view ABB’s certification, please visit the US Department of Commerce’s Data Privacy Framework website at https://www.dataprivacyframework.gov .

 

ABOUT THE DATA PRIVACY FRAMEWORKS

The EU-US Data Privacy Framework, UK Extension to the EU-US Data Privacy Framework and Swiss-US Data Privacy Framework were designed by the U.S. Department of Commerce and the European Commission, UK Government and Swiss Federal Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring Personal Data from the EEA, UK, and Switzerland to the United States in support of transatlantic commerce.

Participating in the Data Privacy Frameworks is a voluntary self-certification process for companies operating in the U.S. Companies that certify to the Frameworks represent that they are upholding privacy standards for Personal Data received from the EEA, UK and Switzerland. These standards exceed current US privacy standards. Compliance with the respective Framework Principles is enforced by the

U.S. Federal Trade Commission (the “FTC”). The FTC has jurisdiction over ABB. Accordingly, ABB is subject to the investigatory and enforcement powers of the FTC.

Adherence to the respective Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations; or (c) if the effect of the EU General Data Protection Regulation (“EU GDPR”), EU Member State law, UK General Data Protection Regulation (“UK GDPR”) or UK Data Protection Act of 2018, or Swiss Federal Data Protection Act (“FDPA”) is to allow exceptions or derogations.

 

SCOPE

This Policy applies to all Personal Data described in this Policy that is transferred by or on behalf of ABB’s parent corporation, affiliates, customers, prospects, partners, vendors, suppliers or other third parties from countries in the EEA, the UK, or Switzerland to ABB in the United States.

 

DEFINITIONS

“Personal Data” means any information relating to an identified or identifiable natural person (i.e., Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It does not include anonymized data or data that is reported in aggregate.

“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Third Party” and “Third Parties” do not include third parties that are acting as an agent to perform task(s) on behalf of and under the instructions of ABB.

An “agent” is a third party acting as an agent to perform a task or tasks on behalf of and under the instructions of ABB.

“Sensitive Information” or “Special Category Data” is Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, and, for Personal Data transferred from Switzerland only, information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.

 

DATA PRIVACY FRAMEWORK PRINCIPLES

EEA, UK, and Swiss Personal Data is processed subject to the respective Data Privacy Framework Principles.

 

NOTICE/PERSONAL DATA COLLECTION AND USE

Through this Policy and other means, ABB informs Data Subjects about the types of Personal Data collected and, where applicable, the entities or subsidiaries of ABB also adhering to the respective Principles. ABB informs Data Subjects of the purposes for which it collects and uses Personal Data about them, the identities or types of third parties to which ABB discloses the Personal Data, the purposes for which ABB may disclose the Personal Data, and the choices and means ABB offers Data Subjects for limiting the use and disclosure of such Personal Data. This notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Data to ABB or as soon thereafter as is practicable, but in any event before ABB uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a Third- Party.

ABB receives information from its Parent Corporation and affiliates in the EEA, UK, and Switzerland concerning prospective, current and former employees, consultants, contractors and job applicants (“Human Resources Data”). Human Resources Data typically includes Personal Data as well as Personal Data containing Sensitive Information such as data concerning health, social security information and potentially racial or ethnic origin and/or sex life. The purposes for which ABB collects and uses Human Resources Data are set forth in the Notice / Choice – Employee Personal Data Addendum to this Policy.

ABB also receives Personal Data pertaining to customers, prospects, partners, vendors, and suppliers of ABB and its Parent Corporation and affiliates in the EEA, UK, and Switzerland (“Business Contact Data”). Business Contact Data is typically limited to name, business title, and contact information such as business postal address, email address, and telephone number. ABB collects, transfers and uses Business Contact Data for marketing and sales, the provision of products and services, partner and supply chain management, and legal compliance to (1) communicate with data subjects, for other everyday business purposes including financial account management, contract management, IT and website administration, fulfillment, analytics, corporate governance, reporting and legal compliance, (2) to respond to lawful requests from public authorities, including to meet national security, public interest, or law enforcement requirements, (3) as may be necessary for our regulatory, auditing, or operational needs, (4) further to protect our interests and legal rights, such as through responding to subpoenas and defending litigation; investigating an allegation or establishing a legal claim and (5) any other business appropriate needs as may be required based on the relationship between ABB and the Business.

ABB further receives transfers of Personal Data pertaining to individuals personally identified in various software platforms from customers using ABB Enterprise

Software Inc. software solutions (“Customer Data”). Customer Data may include Personal Data as well as Personal Data containing Sensitive Information such as medical treatment plans, ethnicity, and health plan information. ABB receives and transfers the Customer Data to assist software solution customers with software and/or system updates, upgrades and troubleshooting. ABB does not use or process the Customer Data for Its own commercial purposes. The transfer and processing of the Customer Data is governed by an ABB Enterprise Software Inc. Access Control Policy.

When ABB receives Human Resources Data, Business Contact Data and Customer Data from its parent corporation and affiliates in the EU, EEA, and Switzerland, ABB will use and disclose such Personal Data in accordance with the notices provided by such entities and the choices made by the individuals to whom it relates.

Notwithstanding the above, we may also use this data for the following general purposes:

 

CHOICE.

ABB offers Data Subjects the opportunity to choose whether their Personal Data is: (a) to be disclosed to a Third Party; or (2) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the Data Subject. ABB will provide Data Subjects with clear and conspicuous, readily available, and affordable mechanisms to exercise these choices.

ABB will not provide “choice” when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of ABB. ABB shall always enter into a contract with such an agent to protect the confidentiality and security of your personal data.

ABB will obtain the express consent (opt in) from individuals if Sensitive Information is to be: (a) disclosed to a Third Party; or (b) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. ABB will treat as sensitive any Personal Data received from a Third Party that identifies and treats it as sensitive. Please note the Data Subject’s affirmative consent is not required for us to disclose this data when it is in their vital interests or that of another person; as necessary for the establishment of

legal claims or defenses; for purposes of providing medical care or diagnosis; or as it relates to Personal Data the Data Subject has manifestly made public.

 

ACCOUNTABILITY FOR ONWARD TRANSFER.

ABB may transfer Human Resources Data to Third Parties and third-party agents as set forth the Notice / Choice – Employee Personal Data Addendum to this Privacy Policy.

ABB may transfer Business Contact Data to third parties, including service providers, who act as agents to perform task(s) on behalf of and under the instructions of ABB for purposes related to those set forth above.

To transfer Personal Data to a third party acting as an agent, ABB shall:

  • Transfer such Personal Data only for limited and specified purposes.
  • Ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Data Privacy Framework Principles.
  • Take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with ABB’s obligations under the Data Privacy Framework Principles.
  • Require the agent to notify ABB if the agent determines it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles.
  • Upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing.
  • Provide a summary or representative copy of the relevant privacy provisions of its contract with that agent to the U.S. Department of Commerce upon request.

To transfer Personal Data to a Third Party acting as a Controller, ABB shall comply with the Data Privacy Framework Notice and Choice Principles. ABB shall also enter into a contract with the Third-Party Controller. The contract shall provide that such data may only be processed for limited and specified purposes consistent with the consent provided by the Data Subject. It will provide the same level of protection as the respective Data Privacy Framework Principles. The contract will require the Third- Party Controller to notify ABB if the Third-Party Controller determines it can no longer meet this obligation. The contract shall provide that when such a determination is made the Third-Party Controller shall cease processing or take other reasonable and appropriate steps to remediate.

 

SECURITY.

ABB shall take reasonable and appropriate measures to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration, and destruction, considering the risks involved in the processing and the nature of the personal data.

 

DATA INTEGRITY AND PURPOSE LIMITATION.

ABB will only process Personal Data in a way that is compatible with the purposes for which it has been collected or subsequently authorized by the Data Subject. We take reasonable and appropriate steps to limit the collection of Personal Data to that which is relevant to accomplish the purpose(s) disclosed to the Data Subject and for compatible purposes. ABB shall take reasonable steps to ensure that Personal Data is accurate, complete, reliable for its intended use, and current. Personal Data shall be retained in a form identifying or making identifiable the Data Subject only for as long as it serves a purpose of processing consistent with the purpose for which it was collected or subsequently authorized by the Data Subject unless a longer retention period is required or permitted by law or the Principles.

 

ACCESS.

ABB provides Data Subjects with the opportunity to access or request a copy of their Personal Data and to correct, amend or delete that information where it is inaccurate or has been processed in violation of the respective Principles, subject to certain limitations. A reasonable fee compensating ABB for resources use related to accessing, changing or deleting the Personal Data may be charged.

To exercise any of these rights, please contact us at: prviacy@abb.com

Data Subjects must provide adequate identification to verify their identity and/or assist us in searching for their Personal Data. We may deny or limit a request if providing access would be unreasonably burdensome or expensive, the rights of non-requesting individuals would be adversely affected, or the individual is unable to present appropriate identification to verify their identity.

 

RECOURSE, ENFORCEMENT AND LIABILITY.

Effective privacy protection includes robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences when the Principles are not followed.

 

Enforcement.

ABB has procedures to verify the attestations and assertions it makes about ABB’s privacy practices are true and that privacy practices have been implemented as presented. ABB verifies compliance with the Principles through self-assessment or outside compliance reviews. Any employee that violates these Principles will be subject to disciplinary procedures in accordance with ABB’s disciplinary policy.

 

Recourse.

In compliance with the respective Data Privacy Framework Principles, ABB commits to resolve complaints about its collection of Personal Data. Individuals who are affected by or witness non-compliance with these Principles are encouraged to report the matter via ABB’s Ethics Hotline or other Reporting Channels. For more information on ABB Reporting Channels, please

visit https://new.abb.com/about/integrity/reporting-channels/how-do-i-

report. Alternatively, individuals may contact the US Country Privacy Lead whose direct contact information is:

ABB Inc.
Attn: Bridget N. Smith – Senior Counsel, EL 305 Gregson Drive
Cary, NC 27511
(919) 831-3178
Bridget.n.smith@us.abb.com

ABB will respond to a complaint within 45 days of receipt.

If a complaint cannot be resolved with ABB directly, there are readily available independent recourse mechanisms by which an individual’s complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Principles.

For complaints involving Human Resources Data transferred from the EU or UK in the context of the employment relationship, ABB commits to cooperate with the panel established by the EU Data Protection Authorities or UK ICO and comply with the advice given by the panel. Complaints regarding processing of Human Resources Data pertaining to EU or UK citizens may be reported by the individual to the relevant Data Protection Authority.

For complaints involving Human Resources Data transferred from Switzerland in the context of the employment relationship, ABB commits to cooperate with Swiss Federal Data Protection and Information Commissioner (“FDPIC”) and comply with the advice given by the FDPIC. Complaints regarding processing of Human Resources Data pertaining to Swiss citizens may be reported by the individual to the relevant Data Protection Authority.

All other complaints shall be resolved through alternative dispute resolution. ABB has selected the International Centre for Dispute Resolution, the international division of the American Arbitration Association (“ICDR/AAA”), as the administrator of ABB’s independent recourse mechanism for non- HR disputes. ABB has committed to refer such unresolved Data Privacy Framework complaints to ICDR/AAA in the United States. You may find more information about dispute resolution and how to file a claim with the ICDR/AAA at https://go.adr.org/privacyshield.html.

Individuals have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. Arbitral decisions will be binding on all parties to the arbitration. Please visit Annex I for additional information: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

 

Liability.

In the context of an onward transfer, ABB has responsibility for the processing of Personal Data it receives under the respective Data Privacy Framework and subsequently transfers to a third party acting as an agent on its behalf. ABB shall remain liable under the respective Principles if its agent processes such Personal Data in a manner inconsistent with the Principles unless ABB shows it is not responsible for the event giving rise to the damage.

 

Compelled Disclosure. ABB may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

 

WORLDWIDE ACTIVITIES

ABB’s parent corporation is a global corporation with subsidiaries and business partners in many countries, and with technical systems that cross borders. Personal Data collected by ABB may be transferred across state and country borders and stored or processed in the United States or any other country in which ABB, its parent corporation, its subsidiaries, affiliates, or business units maintain facilities for the purposes of data consolidation, storage, and simplified information

management. ABB, its Parent Corporation, subsidiaries, affiliates and business units will handle your information collected in a consistent manner, as described here, even if the laws in some countries may provide less protection for your

information. ABB’s privacy practices are designed to protect your Personal Data all over the world.

 

CHANGES TO THIS POLICY

If there are updates to the terms of ABB’s Policy, ABB will post those changes here and update the revision date in this document so that you will always know what information ABB collects, how we use it, and what choices you have.

 

CONTACT INFORMATION

ABB Inc.
Attn: Bridget N. Smith – Sr. Legal Counsel - EL 305 Gregson Drive
Cary, NC 27511
(919) 831-3178
Bridget.n.smith@us.abb.com

Effective: 10/1/2017

Updated: 10/25/2019

Updated: 10/14/2020

Updated: 10/22/2021

Updated: 10/9/2023

Updated: 12/16/2024

Select region / language