ABB Enterprise Software Inc.
ABB Mechanical Motors, Inc.
ABB Treasury Center (USA), Inc.
ABB Installation Products Inc.
ABB Zenith Controls Inc.
ABB Power Electronics Inc.
Industrial Connections and Solutions LLC
These entities are collectively referred to hereinafter as “ABB.”
The Policy sets forth the data privacy principles followed by ABB in connection with the transfer and protection of Personal Data received by ABB from its parent corporation, affiliates, and customers located in the European Union (“EU”), the European Economic Area (“EEA”), and Switzerland. ABB complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from the EU, EEA, and Switzerland, respectively. ABB has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles and is committed to subjecting all Personal Data received in reliance on each Privacy Shield Framework to the Framework’s applicable Principles.
This Policy is to be applied consistent with the Privacy Shield Principles. If there is any conflict between the terms in this Policy and the applicable Privacy Shield Principles, the Privacy Shield Principles as applicable shall govern.
ABB has certified that it adheres to the Privacy Shield Principles:
Accountability for Onward Transfer
Data Integrity and Purpose Limitation
Recourse, Enforcement and Liability.
To learn more about the Privacy Shield Frameworks, and to view ABB’s certification, please visit the US Department of Commerce’s Privacy Shield website at https://www.privacyshield.gov.
ABOUT THE PRIVACY SHIELD FRAMEWORKS
The EU-US Privacy Shield Framework and Swiss-US Privacy Shield Framework were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. On July 12, 2016, the European Commission deemed the EU-US Privacy Shield Framework adequate to enable data transfers under EU law. On January 12, 2017, the Swiss Government announced the approval of the Swiss-US Privacy Shield Framework as a valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States.
Both programs are voluntary self-certification processes for companies operating in the U.S. Companies that certify to the programs represent that they are upholding privacy standards for Personal Data received from the EU and Switzerland that have been accepted by the EU Commission, the Swiss Federal Data Protection and Information Commission, and the US Department of Commerce. These standards exceed current US privacy standards. Compliance with the Principles is enforced by the U.S. Federal Trade Commission (the “FTC”). The FTC has jurisdiction over ABB. Accordingly, ABB is subject to the investigatory and enforcement powers of the FTC.
Adherence to the Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations; or (c) if the effect of the EU Directive, EU Member State law, or Swiss Act is to allow exceptions or derogations.
This Policy applies to all Personal Data described in this Policy that is transferred by or on behalf of ABB’s parent corporation, affiliates, customers, prospects, partners, vendors or suppliers from countries in the EU, EEA, or Switzerland to ABB in the United States.
“EU Directive” is the EU comprehensive privacy legislation, Directive 95/46/EC on Data Protection, that became effective on October 25, 1998 and the Swiss Federal Act on Data Protection that became effective June 19, 1992. On May 25, this Directive was replaced with the General Data Protection Regulation (“GDPR”). The GDPR requires that transfers of personal data take place only to non-EU countries that provide an “adequate” level of privacy protection.
“Swiss Act” is the Swiss Federal Act on Data Protection that became effective June 19, 1992. Like the Directive, it requires that transfers of personal data take place only to non-Swiss countries that provide an “adequate” level of privacy protection.
“Personal Data” are data about an identified or an identifiable individual received by ABB in the U.S. from the EU, EEA or Switzerland, and recorded in any form. It does not include anonymized data or data that is reported in aggregate.
An “identifiable” person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Third Party” and “Third Parties” do not include third parties that are acting as an agent to perform task(s) on behalf of and under the instructions of ABB.
An “agent” is a third party acting as an agent to perform a task or tasks on behalf of and under the instructions of ABB.
“Sensitive Information” is Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information specifying the sex life of the individual, and, for Personal Data transferred from Switzerland only, information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.
PRIVACY SHIELD PRINCIPLES
EU, EEA, and Swiss Personal Data is processed subject to the Privacy Shield Principles.
NOTICE/PERSONAL DATA COLLECTION AND USE
Through this Policy and other means, ABB informs individuals about the types of personal data collected and, where applicable, the entities or subsidiaries of ABB also adhering to the Principles. ABB informs individuals of the purposes for which it collects and uses information about them, the identities or types of third-parties to which ABB discloses the information, the purposes for which ABB may disclose the information, and the choices and means ABB offers individuals for limiting the use and disclosure of such personal information. This notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to ABB or as soon thereafter as is practicable, but in any event before ABB uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a Third-Party.
ABB receives information from its Parent Corporation and affiliates in the EU, EEA and Switzerland concerning prospective, current and former employees, consultants, contractors and job applicants (“Human Resources Data”). The purposes for which ABB collects and uses Human Resources Data are set forth in the Notice / Choice – Employee Personal Data Addendum to this Policy.
ABB also receives Personal Data pertaining to customers, prospects, partners, vendors, and suppliers of ABB and its Parent Corporation and affiliates in the EU, EEA, and Switzerland (“Business Contact Data”). Business Contact Data is typically limited to name, business title, and contact information such as business postal address, email address, and telephone number. ABB collects, transfers and uses Business Contact Data for marketing and sales, the provision of products and services, partner and supply chain management, and legal compliance.
ABB further receives transfers of Personal Data pertaining to individuals personally identified in various software platforms from customers using ABB Enterprise Software Inc. software solutions (“Customer Data”). Customer Data may include Personal Data as well as Personal Data containing Sensitive Information such as medical treatment plans, ethnicity, and health plan information. ABB receives and transfers the Customer Data to assist software solution customers with software and/or system updates, upgrades and troubleshooting. ABB does not use or process the Customer Data for its own commercial purposes. The transfer and processing of the Customer Data is governed by an ABB Enterprise Software Inc. Access Control Policy.
When ABB receives Human Resources Data, Business Contact Data and Customer Data from its parent corporation and affiliates in the EU, EEA, and Switzerland, ABB will use and disclose such Personal Data in accordance with the notices provided by such entities and the choices made by the individuals to whom it relates.
ABB offers individuals the opportunity to choose whether their Personal Data is: (a) to be disclosed to a Third Party; or (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the individual. ABB will provide individuals with clear and conspicuous, readily available, and affordable mechanisms to exercise these choices.
ABB will not provide “choice” when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of ABB. ABB shall always enter into a contract with such an agent to protect the confidentiality and security of your personal data.
ABB will obtain the express consent (opt in) from individuals if Sensitive Information is to be: (a) disclosed to a Third Party; or (b) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. ABB will treat as sensitive any Personal Data received from a Third Party that identifies and treats it as sensitive.
ACCOUNTABILITY FOR ONWARD TRANSFER.
ABB may transfer Business Contact Data to third parties, including service providers, who act as agents to perform task(s) on behalf of and under the instructions of ABB for purposes related to those set forth above.
To transfer Personal Data to a third party acting as an agent, ABB shall:
Transfer such Personal Data only for limited and specified purposes.
Ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Privacy Shield Principles.
Take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with ABB’s obligations under the Privacy Shield Principles.
Require the agent to notify ABB if the agent determines it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield Principles.
Upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing.
Provide a summary or representative copy of the relevant privacy provisions of its contract with that agent to the U.S. Department of Commerce upon request.
To transfer Personal Data to a Third Party acting as a Controller, ABB shall comply with the Privacy Shield Notice and Choice Principles. ABB shall also enter into a contract with the Third-Party Controller. The contract shall provide that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual. It will provide the same level of protection as the Privacy Shield Principles. The contract will require the Third-Party controller to notify ABB if the Third-Party controller determines it can no longer meet this obligation. The contract shall provide that when such a determination is made the Third-Party controller shall cease processing or take other reasonable and appropriate steps to remediate.
ABB shall take reasonable and appropriate measures to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the personal data.
DATA INTEGRITY AND PURPOSE LIMITATION. ABB will only process Personal Data in a way that is compatible with the purposes for which it has been collected or subsequently authorized by the individual. ABB shall take reasonable steps to ensure that Personal Data is accurate, complete, reliable for its intended use, and current. Personal Data shall be retained in a form identifying or making identifiable the individual only for as long as it serves a purpose of processing consistent with the purpose for which it was collected or subsequently authorized by the individual.
ABB provides individuals with access to their personal data for purposes of correcting, amending or deleting that information where it is inaccurate or has been processed in violation of the Principles. Access will not be provided where the burden or expense of providing such access would be disproportionate to the risks to the individual’s privacy or where the rights of persons other than the individual would be violated. A reasonable fee compensating ABB for resource use related to accessing, changing or deleting the Personal Data may be charged.
RECOURSE, ENFORCEMENT AND LIABILITY. Effective privacy protection includes robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences when the Principles are not followed.
ABB has procedures to verify that the attestations and assertions it makes about ABB’s privacy practices are true and that privacy practices have been implemented as presented. ABB verifies compliance with the Principles through self-assessment or outside compliance reviews. Any employee that violates these Principles will be subject to disciplinary procedures in accordance with ABB’s disciplinary policy.
In compliance with the Privacy Shield Principles, ABB commits to resolve complaints about its collection of Personal Data. Individuals who are affected by or witness non-compliance with these Principles are encouraged to report the matter via ABB’s Ethics Hotline or other Reporting Channels. For more information on ABB Reporting Channels, please visit http://new.abb.com/about/integrity/reporting-channels/how-do-i-report. Alternatively, individuals may contact the US Country Privacy Lead whose direct contact information is:
Attn: Andrew Klein, U.S. Country Integrity Officer
305 Gregson Drive
Cary, NC 27518
Attn: Bridget N. Smith, Integrity Counsel
305 Gregson Drive
Cary, NC 27511
ABB will respond to a complaint within 45 days of receipt.
If a complaint cannot be resolved with ABB directly, there are readily available independent recourse mechanisms by which an individual’s complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Principles.
For complaints involving Human Resources Data transferred from the EU in the context of the employment relationship, ABB commits to cooperate with the panel established by the EU Data Protection Authorities and comply with the advice given by the panel. Complaints regarding processing of Human Resources Data pertaining to EU citizens may be reported by the individual to the relevant Data Protection Authority.
For complaints involving Human Resources Data transferred from Switzerland in the context of the employment relationship, ABB commits to cooperate with Swiss Federal Data Protection and Information Commissioner (“FDPIC”) and comply with the advice given by the FDPIC. Complaints regarding processing of Human Resources Data pertaining to Swiss citizens may be reported by the individual to the relevant Data Protection Authority.
All other complaints shall be resolved through alternative dispute resolution. ABB has selected the International Centre for Dispute Resolution, the international division of the American Arbitration Association (“ICDR/AAA”), as the administrator of ABB’s independent recourse mechanism for non-HR disputes. ABB has committed to refer such unresolved Privacy Shield complaints to ICDR/AAA in the United States. You may find more information about dispute resolution and how to file a claim with the ICDR/AAA at http://go.adr.org/privacyshield.html.
Individuals have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. Please visit Annex I for additional information: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
In the context of an onward transfer, ABB has responsibility for the processing of Personal Data it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. ABB shall remain liable under the Principles if its agent processes such Personal Data in a manner inconsistent with the Principles unless ABB shows it is not responsible for the event giving rise to the damage.
Compelled Disclosure. ABB may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
ABB’s parent corporation is a global corporation with subsidiaries and business partners in many countries, and with technical systems that cross borders. Personal Data collected by ABB may be transferred across state and country borders and stored or processed in the United States or any other country in which ABB, its parent corporation, its subsidiaries, affiliates, or business units maintain facilities for the purposes of data consolidation, storage, and simplified information management. ABB, its Parent Corporation, subsidiaries, affiliates and business units will handle your information collected in a consistent manner, as described here, even if the laws in some countries may provide less protection for your information. ABB’s privacy practices are designed to protect your Personal Data all over the world.
CHANGES TO THIS POLICY
If there are updates to the terms of ABB’s Policy, ABB will post those changes here and update the revision date in this document so that you will always know what information ABB collects, how we use it, and what choices you have.
Attn: Andrew Klein, U.S. Country Integrity Officer
305 Gregson Drive
Cary, NC 27518
Title: NOTICE / CHOICE – EMPLOYEE PERSONAL DATA
Addendum to US-EU Privacy Shield & Swiss-US Privacy Shield
Statement of Acknowledgment
Effective Date: September 11, 2013
Revised: September 30, 2016
Revised: June 5, 2017
Revised: June 15, 2018 (this Notice supplements the “ABB Global Notice” and in the case of any conflicts controls).
Revised: July 31, 2019 (this Notice supplements the “ABB Global Employee Notice Policy” effective on May 25, 2019 and in the case of any conflicts controls).
ABB is certified to the US-EU Privacy Shield and the Swiss-US Privacy Shield data privacy programs of the U.S. Department of Commerce which can be found on the Privacy Shield’s website at www.privacyshield.gov.
This document is intended to satisfy, as necessary, the notice and choice privacy principles regarding the transfer of your personal data to certain third parties and third party agents.
As an employee of ABB, your personal data may be forwarded internally to your managers, other business units or divisions, and any of the various corporate functions (e.g., Human Resources, Integrity, Security, Tax, Health and Safety, etc.). It may be shared with our various sister and parent companies in the normal course of business.
Your personal data may also be shared with various third parties and third-party agents in the normal course of business.
As an employee of ABB, you may have rights to access and/or limit disclosures of certain types of personal data. For any questions directly related to this please contact firstname.lastname@example.org.
PURPOSE FOR WHICH ABB COLLECTS AND USES INFORMATION ABOUT YOU
ABB uses a number of internal and external databases, applications, and systems that contain personal data. ABB collects, receives, uses, and shares your personal data in accordance with and as permitted by applicable laws, and, where applicable, as authorized by applicable government authorities. Your personal data may be used for:
Staffing (e.g. headcount planning, recruitment, termination, succession planning)
Organizational planning and development and workforce management
Budget planning and administration
Compensation, payroll, and benefit planning and administration (e.g. salary, tax withholding, tax equalization, awards, insurance and pension)
Workforce development, education, training and certification
Problem resolution (e.g., internal reviews, grievances), internal investigations, auditing, compliance, risk management and security purposes
Authorizing, granting, administering, monitoring and terminating access to or use of ABB systems, facilities, records, property and infrastructure
Business travel (e.g., limousines, commercial flights, hotels, rental cars, etc.)
Expense management (e.g., corporate credit card, expense and grant of authority administration, procurement)
Conflict of interest reporting
Employee communications – internal only, including but not limited to photos, videos, surveys, signups, and testimonials.
Flexible work arrangements
Administration of employee enrollment and participation in activities and programs offered to eligible employees (e.g., matching donations to non-profit organizations, political action committee contributions, wellness activities)
Work-related injury and illness reporting
Monitoring and surveillance for industrial hygiene, public health and safety, security and formal workplace investigations
Legal proceedings and government investigations, including preservation of relevant data
As required or expressly authorized by laws or regulations applicable to ABB’s business or by government agencies that oversee or regulate our business
TYPES OF THIRD-PARTIES TO WHICH ABB MAY TRANSFER YOUR PERSONAL INFORMATION
ABB will forward your information to a number of third parties and third party agents. The types of such third parties your information may be transferred to include, but may not be limited to, the following:
Auto purchase co. (benefit)
Immigration / Visa attorneys
Tax and audit advisory service providers like PwC / KPMG
Banks and other financial institutions
Academic evaluation service providers
Trainee Visa sponsor
HR & payroll service providers
Background & drug screening providers
Logistics cos. like FedEx
Various government entities (e.g., IRS I-9, W-2, W-4, etc.)
Travel & expense service providers
Leadership development assessors
Performance development appraisal and assessment
Corporate credit card cos. (e.g. AmEx)
Merit & Incentive cos.
Market analysts on salary information
Language training cos.
Insurance cos. (insurance benefits)
Cell phone service cos.
Employment verification co.
Affirmative action consultants
ABB Political Action Committee
Auditor and tax consultants
Data warehousing providers
Health and wellness providers
Legal services benefits
Employee discounts benefits
Access control systems providers (e.g. Kantech)
Property / casualty third party administrators
Claims management service providers
Communications and communication service providers
Security training and crisis management
Federal, State and local taxing authorities
Law firms in various legal proceedings
Risk Management cos.
Workers’ compensation defense attorneys, nurse case managers, and private investigators
Federal, state and local regulatory agencies
Health and safety service and software providers
Benefits service providers
Pension service providers
Employee ID badge co.
Budgeting, timekeeping, & other financial systems
Hotline service providers
ELearning service providers
ABB parent, affiliate, and sister companies
Exit interview service providers
We only collect the personal data from you that we need for the purposes described above. Certain personal data collected from you relates to your next of kin and emergency contacts. In these cases, you are requested to inform such persons about this Notice.
Based on mandatory legislation, ABB must keep certain personal data for a minimum period. For example, employment contracts, information about salary payments and reimbursements need to be kept for a minimum period based on local corporate and tax legislation.
At the same time, applicable data protection laws require that we do not keep personal data in an identifiable form for any longer than is necessary for the purpose for which the personal data is being processed. Through the setting of IT applications and policies we ensure that your personal data is deleted when we no longer need it.
The retention periods for the information that we hold can be found in our Directive Records Management GD/LI-44 or your local Directive Records. After an applicable retention period has lapsed, we will securely delete your personal data, unless there are specific circumstances that require us to keep such personal data, such as legal or regulatory obligations or to resolve potential disputes.
For more information regarding specific retention periods that apply to your personal data, please submit a request at www.abb.com/privacy.
CHANGES TO THIS STATEMENT
If there are updates to this Notice, ABB will post those changes on its website and inside.abb.com and update the revision date in this document so that you will always know what information ABB collects, how we use it, and what choices you have.