This Data Processing Addendum, including its schedules and annexes (collectively, the “DPA”) forms part of the agreement (written or electronic) for the supply and provision of products, software, solutions and/or services (collectively “Products”) between Rockwell Automation and Customer (“Agreement”) and governs Rockwell Automation’s Processing of Customer Personal Data.
This DPA applies only to the extent Rockwell Automation processes Personal Data on behalf of Customer under or in connection with an Agreement. In the event of a conflict between Applicable Privacy Laws, the General Data Processing Terms, the Jurisdiction-Specific Terms, and the Agreement, the order of precedence will be (1) Applicable Privacy Laws, (2) the Jurisdiction-Specific Terms, (3) the General Data Processing Terms, and (4) the Agreement, as to the subject matter of this DPA unless otherwise stated herein or otherwise agreed in writing between the Parties. Any terms not defined in the Agreement or this DPA shall have the meaning given to them in the applicable Privacy Laws.
DPA STRUCTURE
This DPA consists of:
A. General Data Processing Terms. These terms apply to all Processing of Customer Personal Data by Rockwell Automation under the Agreement.
B. Jurisdiction-Specific Terms (Schedules A – D). Each schedule applies only to the extent Customer Personal Data originates from the specific jurisdiction.
§ Schedule A: EEA and Switzerland
§ Schedule B: United Kingdom
§ Schedule C: USA (California)
§ Schedule D: China
C. Technical and Organizational Measures (as set forth in the Security Measures available on Rockwell Automation’s Trust Center (defined below), collectively, “TOMS”)
GENERAL DATA PROCESSING TERMS
1.1. DEFINITIONS
“Adequacy Decision” means the determination of the European Commission, in accordance with Article 45 of the GDPR, that the country to which Customer Personal Data is transferred ensures an adequate level of data protection. A list of countries with an Adequacy Decision can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
“Affiliates” means, unless otherwise defined in the Agreement, an entity that is directly or indirectly controlled by or is under common control with a party, where “control” means an ownership, voting, or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the relevant entity.
“Applicable Privacy Laws” means all laws and regulations and any other enforceable statutory instruments and codes that regulate the collection, access, use, storage, disclosure, movement and/or other processing of Personal Data, as applicable, that apply either to Customer or Rockwell Automation in connection with the Processing of Personal Data under the Agreement.
“Customer” means (i) the entity that executed the Agreement, or (ii) in the event this DPA forms part of and is incorporated into a frame agreement capable of being utilized by several related entities, the entity executing a binding agreement under such frame agreement (for example, under an Order Form referencing the frame agreement and this DPA).
“Customer Personal Data” means any Personal Data which is Processed by Rockwell Automation on behalf of the Customer for the purpose of providing the Products.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Covered Region” means the jurisdiction from which Customer Personal Data originates.
“GDPR” means the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) as may be amended from time to time.
“Personal Data” means any information that relates to an identified or reasonably identifiable natural person. It shall also include any information that relates to an identified or reasonably identifiable legal entity to the extent that such information is required by Applicable Privacy Laws. For the purpose of this DPA, Personal Data encompasses similar terms in the applicable jurisdiction, and which are intended to relate to similar concepts, including, but not limited to, personally identifiable information and personal information.
“Process”, “Processed”, or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any ‘service provider’ as defined in the California Consumer Privacy Act as amended (“CCPA”).
“Rockwell Automation” means Rockwell Automation, Inc., a Delaware corporation, having a principal place of business at 1201 South 2nd Street, Milwaukee, Wisconsin 53204, or a Rockwell Automation Affiliate identified in or executing an Order Form.
“Restricted Transfer” shall mean the export of Customer Personal Data by Rockwell Automation or its Sub-Processors outside a Covered Region (to the extent applicable Privacy Laws restrict such transfers) or a third country without an Adequacy Decision.
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Rockwell Automation. Based on the appropriate jurisdiction, the presence of a Security Incident may take into account the potential risk of harm to the rights of individuals based on the nature of Personal Data and the context in which it is Processed.
“Trust Center” means Rockwell Automation’s trust center available at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security.html.
1.2. PURPOSE AND SCOPE
1.2.1. To provide Customer with the Products, Rockwell Automation may Process Customer Personal Data. The extent of the obligations owed to and the rights exercisable by the Customer may vary based on the nature of the data provided by Customer, the scope of Rockwell Automation’s Processing activities, and governing jurisdiction(s). Customer is responsible for identifying and disclosing those applicable jurisdictions from which Customer Personal Data originates.
1.2.2. In accordance with and subject to Customer’s written, feasible and reasonable instructions, applicable Privacy Laws and this DPA, Rockwell Automation (acting as a Processor) will Process Customer Personal Data to the extent required to perform its obligations under the Agreement. Rockwell Automation will inform Customer if it believes that an instruction provided by Customer violates applicable Privacy Laws unless Customer is legally prohibited from doing so.
1.3. OBLIGATIONS
1.3.1. Customer Obligations:
(A) Customer shall comply with the Agreement, applicable Privacy Laws, and its obligations under this DPA. Prior to any Processing of Customer Personal Data by Rockwell Automation and its Products, and in accordance with Applicable Privacy Laws, Customer is responsible for providing appropriate information and obtaining any required consent from all Data Subjects whose Personal Information is Processed by Rockwell Automation under the Agreement.
(B) Under Applicable Privacy Laws, individuals may have certain rights in relation to their Personal Data. These rights may include the right to access, correct, update, disclose, delete, and/or port Personal Data, and/or to withdraw consent to Processing, opt-out of communications, restrict Processing of Personal Data, and/or make claims/complaints in relation to the exercise of such rights. As Controller and responsible entity under applicable Privacy Laws, Customer (or Rockwell Automation where applicable), is responsible for responding to any request by an individual to exercise such rights (“Data Subject Request”).
(C) In the event Customer is subject to additional industry or data specific legal or regulatory restrictions (including jurisdictional requirements as set forth in section 1.11 below) based on its area of business, jurisdiction, and/or categories of data it collects and maintains, including Customer Personal Data beyond those covered in this DPA, such as data localization or record specific retention requirements, Customer is responsible for notifying Rockwell Automation of all such restrictions that may impact Rockwell Automation’s Processing activities and will be responsible for any additional costs incurred by Rockwell Automation to meet this additional restriction.
1.3.2. Rockwell Automation Obligations:
In accordance with 1.2.2. and subject to Applicable Privacy Laws, Rockwell Automation will:
(A) process the Customer Personal Data only on and in accordance with the Customer’s documented written instructions, or as set out in this DPA and the Agreement (“Processing Instructions”);
(B) notify the Customer of any such requirement before processing the Customer Personal Data (unless applicable law prohibits such information on important grounds of public interest); and
(C) shall inform the Customer if RA becomes aware of a Processing Instruction that, in RA’s reasonable opinion, infringes Applicable Data Privacy Law, provided that, to the maximum extent permitted by mandatory law, RA shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Privacy Losses) arising from or in connection with any processing in accordance with the Customer's Processing Instructions.
1.4. SUB-PROCESSING
1.4.1. Pursuant to applicable Privacy Laws, Customer acknowledges and expressly agrees that Rockwell Automation may engage third party Sub-Processors who may Process Customer Personal Data in connection with Rockwell Automation’s provision of Products under the Agreement and consents to such engagements.
1.4.2. Rockwell Automation will maintain a list of Sub-Processors used in Rockwell Automation’s provision of the Products to Customer (a current list of Sub-Processors is available on Rockwell Automation’s Trust Center, the “Sub-Processor List”). Rockwell Automation may remove or add new Sub-Processors from time to time in accordance with applicable Privacy Laws. Any new Sub-Processors will be identified in the corresponding column.
1.4.3. Rockwell Automation shall enter into a data processing agreement with each relevant Sub-Processor prior to providing such Sub-Processor access to Customer Personal Data. These agreements shall impose data protection obligations on the Sub-Processor that are relevant and equivalent to the data protection obligations Rockwell Automation is subject to as a Processor of Customer Personal Data under this DPA and the Agreement. Where the Sub-Processor fails to fulfil its data protection obligations under applicable Privacy Laws, Rockwell Automation shall remain fully liable to the Customer for the performance of the Sub-Processor’s obligations.
1.5. COOPERATION
1.5.1. Rockwell Automation shall reasonably assist Customer in complying with Customer’s obligations under applicable Privacy Laws, taking into account the nature and relative risks of the Processing, the nature of the Products and Rockwell Automation’s subsequent Processing under the Agreement, and the information reasonably available to Customer directly. Reasonable costs and expenses incurred by or on behalf of Rockwell Automation in connection with this section 1.5.1. shall be borne and reimbursed by Customer.
1.5.2. In the event of an investigation by a supervisory authority (or its equivalent under applicable Privacy Laws) related to Customer Personal Data, each Party will reasonably cooperate with the other Party, including, to the extent permitted by applicable law, providing prompt notification to the non-receiving party of the investigation to allow the non-receiving party to seek a protective order or other appropriate remedy.
1.5.3. To the extent Rockwell Automation receives an access request from a government or law enforcement agency, Rockwell Automation will, to the extent permitted by applicable law, notify Customer (not the Data Subject) of such request.
1.6. AUDITS
1.6.1. Rockwell Automation will maintain records and information reasonably necessary to demonstrate compliance with its obligations under this DPA. Rockwell Automation will allow, and collaborate with, Customer and/or a third-party auditor appointed by the Customer, to audit Rockwell Automation’s compliance with this DPA, provided that the audit, unless otherwise agreed in writing with Rockwell Automation, will:
a. Be subject to thirty (30) days’ prior written notice from the Customer;
b. Be conducted at reasonable intervals, but not more than once per calendar year;
c. Be conducted during business hours and not unreasonably disrupt Rockwell Automation’s business;
d. Not interfere with the interests of Rockwell Automation’s other customers;
e. Not cause Rockwell Automation to breach its confidentiality obligations vis-à-vis its other customers, suppliers or any other organization;
f. Not exceed a period of two (2) business days;
g. Start with reviewing and assessing the information Rockwell Automation may provide through external, shared platforms it may support; and
h. Relate only to the processing of Customer Personal Data by Rockwell Automation as a processor on behalf of Customer.
1.6.2. Customer shall, and shall cause its third-party auditor to, comply with Rockwell Automation’s relevant safety and security policies and appropriate confidentiality expectations.
1.6.3. When Rockwell Automation accepts that an audit goes beyond the parameters in this DPA, Customer will reimburse Rockwell Automation for its reasonable costs and expenses associated with the audit.
1.6.4. Customer acknowledges that Rockwell Automation is regularly audited for compliance with various recognized standards. Rockwell Automation and the Approved Subcontractors are allowed to reject, or reduce the scope of, a requested audit, where they demonstrate their compliance with their obligations under or pursuant to this DPA, by adhering to a code of conduct approved by the competent authority or regulator, by providing a generally recognized certification, or by providing an audit or information report issued by a generally accepted organization or independent third-party auditor.
1.7. SECURITY
1.7.1. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
a. Taking into account the scope and purposes of the processing, the types of personal data involved, the categories of affected data subjects, the possible privacy risks, the generally available state of the art and the costs of implementation, Customer and Rockwell Automation will implement and maintain reasonable technical and organizational security measures (as further specified in Annex II to Schedule A) to ensure a level of security, in respect of Customer Personal Data processed by Rockwell Automation under the Agreement, that is appropriate to the identified privacy risks, in particular to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Customer Personal Data.
b. Rockwell Automation ensures that persons who are authorized to process, or have access to, Customer Personal Data hereunder have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality.
c. Without prejudice to other applicable confidentiality obligations between the parties, Rockwell Automation will keep the Customer Personal Data confidential, use the Customer Personal Data for the purposes provided in this DPA, and will not share it with third parties (other than Sub-Processors) without Customer’s approval.
d. Customer acknowledges and agrees that, taking into account the nature, scope, risks and context of the processing of Customer Personal Data by Rockwell Automation within the context of the Agreement, Rockwell Automation’s implementation of the technical and organizational security measures set forth in the TOMS provide an appropriate level of security.
1.7.2. SECURITY INCIDENTS
1.7.2.1. Where Rockwell Automation becomes aware of a Security Incident affecting Customer Personal Data Processed by Rockwell Automation under the Agreement, Rockwell Automation shall, without undue delay after it becomes aware of the incident:
a. Notify Customer of the Security Incident.
b. Investigate the Security Incident, take necessary actions to mitigate, remedy, and correct the incident, and keep the Customer informed of these actions.
c. Use reasonable efforts to assist Customer, at Customer’s request, in collecting and providing the information relating to the Security Incident which the Customer needs in order to assess the requirement of, and to comply with, the Customer’s timely breach notification obligations to competent authorities and/or affected individuals pursuant to the applicable Privacy Laws (for example, a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; a description of the likely consequences of the incident; description of the measures taken or proposed to be taken to address the incident including, where appropriate, measures to mitigate its possible adverse effects).
1.7.2.2. Where Customer becomes aware of a Security Incident affecting the systems and/or activities that are under the control of Customer or Rockwell Automation or its approved Sub-Processors, Customer shall, without undue delay, after it becomes aware of the incident:
a. Notify Rockwell Automation of the Security Incident; and
b. Use reasonable efforts to assist Rockwell Automation, at Rockwell Automation’s request, in collecting and providing the information relating to the Security Incident which Rockwell Automation needs in order to investigate the Security Incident, to take protective actions, and to comply with Rockwell Automation’s obligations pursuant to the Applicable Privacy Laws, if any.
1.7.2.3. Any damages, losses, costs and expenses incurred by or on behalf of Rockwell Automation in connection with this section 1.7.2. shall be borne and reimbursed by Customer, except if and to the extent that the Security Incident occurred as a direct result of a breach of Rockwell Automation’s obligations under this DPA.
1.8. DURATION OF PROCESSING
Unless otherwise instructed by the Customer, Rockwell Automation is authorized to Process Customer Personal Data under the Agreement until the expiration or termination of the Agreement or until Customer Personal Data is returned to or destroyed upon instruction from Customer.
1.9. TERMINATION AND RETURN/DESTRUCTION OF PERSONAL DATA
Upon Customer’s termination of the Agreement, Rockwell Automation shall, at the discretion of Customer, either delete, destroy, or return all Customer Personal Data to Customer and destroy or return existing copies. To the extent that applicable laws require Rockwell Automation to retain Customer Personal Data following termination of the Agreement, Rockwell Automation will continue to meet the obligations set forth in this DPA and the Agreement with respect to Customer Personal Data and will only use it for the purpose for which it must be retained as required by the applicable Privacy Laws. Certification of deletion of Customer Personal Data shall be provided by Rockwell Automation upon Customer’s written request. Rockwell Automation reserves the right to retain Customer Personal Data to meet Rockwell Automation obligations under applicable law, regulations, security and other best practices, provided that such retention shall continue to be governed by the Agreement and this DPA.
1.10. ROCKWELL AUTOMATION AS CONTROLLER
Where Rockwell Automation processes Customer Personal Data on Rockwell Automation’s own behalf as required to establish and maintain its business relationship with Customer (e.g. for purposes of contract administration, billing, business inquiries, establishment, maintenance, and support of the business relationship) (collectively “Business Relationship Processing”), Rockwell Automation will be an independent Controller of all Business Relationship and its Processing will be solely in accordance with Rockwell Automation’s Privacy Policy available at https://www.rockwellautomation.com/en-us/company/about-us/legal-notices/privacy-and-cookiespolicy.html. Where such Processing results in the cross-border transfer of Personal Data, Customer and Rockwell Automation agree to complete the required documentation set forth in Applicable Privacy Laws or as set forth in the appropriate Jurisdiction-Specific Terms referenced herein.
1.11. JURISDICTION-SPECIFIC TERMS
1.11.1. Where Customer Personal Data originating from the European Economic Area, Switzerland, the United Kingdom, California, and China (as applicable) is Processed by Rockwell Automation under the Agreement, such Processing will be performed in accordance with the applicable jurisdiction specific schedule attached to this DPA. In the event of a conflict or inconsistency between the jurisdiction specific schedule and this DPA, the jurisdiction specific schedule governing the Processing of Customer Personal Data from the originating jurisdiction shall prevail, but solely with regard to the portion of the provision in conflict or inconsistent with this DPA.
1.11.2. The jurisdiction specific schedules shall not replace any additional rights relating to Processing of Personal Data in the Agreement; provided that, in the event of inconsistencies between the provisions of a schedule and the Agreement, the provisions of the schedule shall prevail.
1.12. INTERNATIONAL DATA TRANSFERS
In the case of a Restricted Transfer, Rockwell Automation will transfer Customer Personal Data using appropriate safeguards in accordance with applicable Privacy Laws and as further set forth in the Jurisdiction-Specific Terms.
1.13. INDEMNIFICATION; LIMITATION OF LIABILITY
1.13.1. The limitation of liability and indemnification provisions contained in the Agreement shall govern this DPA but are amended to include the following:
1.13.2. Indemnification.
(A) Each party (indemnifying party) shall indemnify the other party (indemnified party) against any claims of Data Subjects, governmental authorities or other third parties, if and to the extent this claim is a result of breach by the indemnifying party of its obligations under this DPA and/or under applicable Privacy Laws.
(B) Where a party receives a third-party claim in relation to the Processing of Customer Personal Data in connection with this DPA or the Agreement, it will inform the other party thereof and will make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed).
1.13.3. Limitation of Liability. To the maximum extent permitted by applicable law, Rockwell Automation shall have no liability for any losses, costs, expenses, or liabilities arising from or in connection with any Processing in accordance with the Processing Instructions.
1.14. UPDATES TO DPA
Rockwell Automation reserves the right to amend this DPA by posting an updated DPA on its website.
SCHEDULE A – EUROPEAN ECONOMIC AREA AND SWITZERLAND
In addition to each Party’s obligation to comply with Applicable Privacy Laws, this Schedule A applies where Rockwell Automation Processes Customer Personal Data on behalf of Customer that originates from the European Economic Area (“EEA”) and/or Switzerland pursuant to the Agreement, and that such Processing shall be governed by the applicable modules of the EU Standard Contractual Clauses (defined below) as set forth in section A.2.1. of this Schedule A.
A.1. DEFINITIONS
"EU Standard Contractual Clauses" or “EU SCCs” means the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as may be amended from time to time and as currently set out at: https://commission.europa.eu/system/files/2021-06/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf, and which are incorporated herein by reference.
A.2. PERSONAL DATA TRANSFERS
Any Restricted Transfer between Rockwell Automation and Customer under this Schedule A will be performed in accordance with the applicable module of the EU SCC’s as set forth in the following table:
| Module | Rockwell Automation: Controller | Rockwell Automation: Processor | Customer: Controller | Customer: Processor |
|---|---|---|---|---|
| Module 1 | x | | x | |
| Module 2 | | x | x | |
A.2.3. Switzerland. Where a Restricted Transfer relates to Customer Personal Data originating from Switzerland, any reference to the EU SCCs or the GDPR shall be interpreted as the applicable Privacy Laws in Switzerland and reference to the ‘competent supervisory authority’ will mean the competent data protection authority in Switzerland.
A.3. EU SCC'S GOVERNING LAW, FORUM AND JURISDICTION, AND OPTIONAL PROVISIONS
Rockwell Automation and Customer will comply with the applicable EU SCCs. The following optional provisions are selected together with the stated governing law, forum and jurisdiction.
a. Clause 7: Docking Clause
b. Clause 9(a) Use of Sub-processors: Option 2 - General Written Authorization, with a notice period of 30 business days has been selected.
c. Clause 11 Redress: The optional clause is not included.
d. Clause 17 Governing Law: Option 1 has been selected, with the governing law as follows:
For customers in the EEA: Belgium
For customers in Switzerland: Switzerland
e. Clause 18(b) Choice of Forum and Jurisdiction, the choice of forum and jurisdiction shall be as follows:
EEA: Belgium
Switzerland: Switzerland
A.3. COOPERATION
Rockwell Automation shall reasonably assist Customer in ensuring compliance with its obligations under GDPR (or applicable and substantially similar Swiss law) (Security of Processing, Personal Data Breach notification, Data Protection Impact Assessments, and prior consultation with a relevant Supervisory Authority in relation to a Data Protection Impact Assessment) taking into account the nature of the Processing and information available to Rockwell Automation.
A.4. UPDATES AND AMENDMENTS
In the event the EU SCCs are amended, replaced, or repealed by the European Commission or other competent authority under European Privacy Laws, the parties shall work together, in good faith, to enter into an updated version of the EU SCCs or negotiate an alternative solution to enable the cross-border transfer of Personal Data in compliance with applicable European or Swiss Privacy Laws.
A.5. EU SCC's Annexes
The following Annexes are added to the EU SCC’s.
A.6. To comply with clause 7 of the EU SCCs, Annex I to the EU Standard Contractual Clauses (“Annex I”) has been pre-signed by Rockwell Automation, Inc. as the data importer. (Please note the contracting Rockwell Automation entity under the Agreement may be different.) To complete the DPA and where the Jurisdiction-Specific Terms set forth in Schedule A apply to Customer, Customer must complete the information in the signature line for the data exporter in Annex I and send the signed DPA to Rockwell Automation by email to dpa@rockwellautomation.com indicating Customer’s full legal name and address. Except as otherwise expressly set forth in the Agreement this DPA will become legally binding on both Customer and Rockwell Automation upon receipt of the signed DPA by Rockwell Automation at the aforementioned email address. Where Customer wishes to separately execute the EU SCCs and the appendices, Customer should contact their sales representative and/or customer service representative.
ANNEX I TO THE EU STANDARD CONTRACTUAL CLAUSES
A. LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
| Name: | The Customer identified in the Agreement or Order Form as applicable. |
| Address: | As set forth in the Agreement or Order Form or as may be otherwise provided to Rockwell Automation at the time of purchase of the Products. |
| Contact person’s name, position and contact details: | As confirmed in writing by Exporter. |
| Activities relevant to the data transferred under these Clauses: | Obligations related to the Products as set forth in the Agreement. |
| Signature and date: | Exporter agrees that the acceptance of or the date of Customer’s execution of the Agreement is deemed Customer’s signature and acceptance of the DPA and the EU SCCs. In the event Customer wishes to separately execute the EU SCCs, Customer must contact Rockwell Automation’s Privacy Office at privacy@ra.rockwell.com together with Customer’s customer service representative or equivalent. |
| Role (Controller/Processor): | Controller for the purposes of Module 1 or 2 as applicable. |
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
| Name: | Rockwell Automation |
| Address: | As set forth in the Agreement or applicable Order Form |
| Contact person’s name, position and contact details: | Chief Privacy Officer, 1201 S 2nd Street, Milwaukee, WI 53204, USA Email: privacy@ra.rockwell.com |
| Activities relevant to the data transferred under these Clauses: | Provision of Products pursuant to the Agreement. |
| Signature and date: | Unless Exporter requests to sign the EU SCC’s separately (as set forth above), Rockwell Automation agrees the acceptance of or the date of Exporter’s execution of the Agreement of Order Form is deemed the date of and signature by Rockwell Automation of the EU SCCs. |
| Role (Controller/Processor): | For the purpose of Business Relationship Processing, Rockwell Automation is a Controller subject to Module 1 EU SCCs. For all other Processing, Rockwell Automation shall Process Customer Personal Data as a Processor in accordance with Module 2 EU SCCs. |
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
As determined by Customer, but may include, and are not limited to, Customer’s:
- Prospects, customers, business partners, contractors, and vendors.
- Employees or contact persons of prospects, customers, business partners, contractors, and vendors.
- Employees, contractors, agents, and advisors.
- Users authorized by Customer to use Rockwell Automation Products.
Categories of personal data transferred:
Subject to the Product and as determined by Customer, which may include:
First and last name, Title, Position, Employer, Contact Information (company email, phone, physical business address), IP address.
Sensitive data transferred (if applicable)
The Products are not intended for the processing of Sensitive Personal Data and Customer and its Affiliates shall not transfer, directly or indirectly, any Sensitive Personal Data to Rockwell Automation.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Continuous (subject to the term and post termination provisions of the Agreement)
Nature of the processing:
The context for and purpose of the Processing of Customer Personal Data is Rockwell Automation’s provision of Products to Exporter in accordance with the Agreement and/or Order Form as applicable.
Purpose(s) of the data transfer and further processing:
The context for and purpose of the Processing of Customer Personal Data is Rockwell Automation’s provision of Products to Exporter in accordance with the Agreement and/or Order Form as applicable.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Subject to Applicable Privacy Laws, in accordance with the Agreement.
For transfers to Sub-processors, also specify subject matter, nature and duration of the processing:
As determined by Customer as set forth above.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13:
EEA: Belgian Data Protection Authority
Switzerland: Swiss Federal Data Protection and Information Commissioner (FDPIC)
ANNEX II TO THE STANDARD CONTRACTUAL CLAUSES
TECHNICAL AND ORGANISATIONAL MEASURES
This Annex II refers to and includes the TOMS which are available on the Trust Center and that are implemented by Rockwell Automation to protect Rockwell Automation’s information technology systems and its Products. Some Products may have different and/or additional TOMS as may be set forth in the Agreement or in specific Product documentation available on Rockwell Automation’s Trust Center.
ANNEX III TO THE STANDARD CONTRACTUAL CLAUSES
As of the date of this DPA, Customer authorizes Rockwell Automation to engage the Sub-Processors listed on the Sub-Processor List available on Rockwell Automation’s Trust Center specific to the Products purchased by Customer.
SCHEDULE B – UNITED KINGDOM DATA TRANSFER ADDENDUM
This Schedule B sets forth the additional requirements where Customer Personal Data originating from the United Kingdom (“UK”) is Processed by Rockwell Automation. Such Processing will be subject to the template International Data Transfer Addendum issued by and as set forth on the UK’s Information Commissioner’s Office (“ICO”) website (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/) and incorporated herein by reference (“UK Addendum”).
B.1. UK ADDENDUM
The UK Addendum consists of two parts, Part One and Part Two. The information required to complete the UK Addendum is as follows:
Part 1 (Tables 1 to 3) responses are either included in the DPA or in the Annexes to the EU SCCs set forth in Schedule A.
Part 1 (Table 4): neither Party may terminate the UK Addendum when the Approved Addendum changes.
Part 2, “Mandatory Clauses” are included here by reference, and are the Mandatory Clauses of the Approved Addendum being the template addendum B.1.0 issued by the UK Information Commissioner’s Office and laid before UK Parliament in accordance with section 119A of the UK’s Data Protection Act 2018 on February 2, 2022, as it is revised under section 18 of the Mandatory Clauses.
B.2. EU SCCs
The selected EU SCCs, their annexes, applicable module(s), and optional provisions are those set out in Schedule A.
SCHEDULE C – CALIFORNIA
This Schedule C applies only to the extent that Rockwell Automation Processes Personal Data on behalf of Customer subject to the CCPA. Appendix 1 to this Schedule C sets forth the Personal Information Processed by Rockwell Automation under the Agreement.
C.1. DEFINITIONS.
“Contracted Business Purposes” means the services described in the Agreement for which Rockwell Automation receives or accesses personal information.
C.2. ROCKWELL AUTOMATION OBLIGATIONS UNDER CCPA.
C.2.1. Rockwell Automation will only collect, use, retain, or disclose personal information for the Contracted Business Purposes for which Customer provides or permits personal information access in accordance with the Customer's written instructions.
C.2.2. Rockwell Automation will not collect, use, retain, disclose, sell, or otherwise make personal information available for its own commercial purposes or in a way that does not comply with the CCPA. If a law requires Rockwell Automation to disclose personal information for a purpose unrelated to the Contracted Business Purpose, Rockwell Automation will inform Customer of the legal requirement and give Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.
C.2.4. Rockwell Automation will limit personal information collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes or another compatible operational purpose.
C.2.5. Rockwell Automation will comply with any Customer request or instruction requiring Rockwell Automation to provide, amend, transfer, or delete the personal information, or to stop, mitigate, or remedy any unauthorized processing.
C.2.6. If the Contracted Business Purposes require the collection of personal information from individuals on Customer's behalf, Rockwell Automation will provide a CCPA-compliant notice addressing use and collection methods.
C.2.7. To the extent permitted under the CCPA, Rockwell Automation may aggregate, deidentify, or anonymize personal information so it no longer meets the personal information definition, and may use such aggregated, deidentified, or anonymized data to perform analytics and reporting for system metrics, benchmarking and marketing for industry, financial and other business purposes. Rockwell Automation will not attempt to or actually re-identify any previously aggregated, deidentified, or anonymized data and will contractually prohibit downstream data recipients from attempting to or actually re-identifying such data.
C.3. CCPA WARRANTIES.
C.3.1. Customer and Rockwell Automation will comply with all applicable requirements of the CCPA when collecting, using, retaining, or disclosing personal information.
C.3.2. Rockwell Automation will comply with the restrictions and obligations contained in the Privacy Terms and the CCPA with regard to selling personal information and retaining, using, or disclosing personal information outside of the parties' direct business relationship.
C.3.3. Rockwell Automation confirms it has no reason to believe any CCPA requirements or restrictions prevent it from providing any of the Contracted Business Purposes or otherwise performing under this Agreement. Rockwell Automation will promptly notify Customer of any changes to the CCPA's requirements that may adversely affect its performance under the Agreement.
C.3.4. Updates and Amendments. In the event federal legislation in the United States pre-empts, supersedes, supplements, repeals, or amends the CCPA, the parties shall, in good faith, negotiate an amendment to the Privacy Terms to meet all requirements and obligations under such privacy laws and ensure the continuation of obligations under the Agreement with respect to the secure handling of Personal Data.
C.4 SUBCONTRACTING
Customer agrees to Rockwell Automation’s use of the Sub-Processors set forth in the TOMS available on the Trust Center provided the Sub-Processor qualifies as a service provider under the CCPA and provided Rockwell Automation (i) does not make any disclosures to a Sub-Processor that the CCPA would treat as a sale, and (ii) the list of Sub-Processors is maintained.
ANNEX 1 TO SCHEDULE C
PERSONAL INFORMATION PROCESSING PURPOSES AND DETAILS
Contracted Business Purposes: As set forth in the Agreement or this DPA.
Personal Data Categories: This Agreement involves the following types of Personal Information, as defined and classified in CCPA Cal. Civ. Code § 1798.140(o):
| Category | Examples | Processed under this Agreement |
| --- | --- | --- |
| A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers. | To the extent required by the Products and as provided by Customer. |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. | To the extent required by the Products and as provided by Customer. |
| C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | To the extent required by the Products and as provided by Customer. |
| D. Commercial information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | No |
| E. Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | To the extent required by the Products and as provided by Customer. |
| F. Internet or other similar network activity. | Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement. | To the extent required by the Products and as provided by Customer. Use of Rockwell Automation’s own website shall be subject to and in accordance with the posted privacy notice. |
| G. Geolocation data. | Physical location or movements. | No |
| H. Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. | No |
| I. Professional or employment-related information. | Current or past job history or performance evaluations. | To the extent required by the Products and as provided by Customer. |
| J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | To the extent required by the Products and as provided by Customer. |
| K. Inferences drawn from other personal information. | Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | No |
Types of Consumers: As set forth in Annex I to the Standard Contractual Clauses in Schedule A.
Approved Subcontractors: As set forth in the list of Sub-Processors available on Rockwell Automation’s Trust Center.
This Schedule D applies solely to the extent Rockwell Automation Processes Customer Personal Data on behalf of Customer that originates from the People’s Republic of China pursuant to the Agreement. Any Processing of Personal Data under this Schedule D will be in accordance with the DPA and applicable Chinese Privacy Laws. In the event of a conflict between the Agreement, the DPA, this Schedule, and Chinese Privacy Laws, the order of precedence is (i) Chinese Privacy Laws, (ii) this Schedule D, (iii) the DPA, and (iv) the Agreement.
To ensure that the Processing of Personal Data by overseas recipients meets the protection standards stipulated in relevant Chinese Privacy Laws, Customer and Rockwell Automation agree that the Standard Contract of Outbound Cross-Border Transfer of Personal Information (“China SCC”) shall apply and is automatically incorporated herein by reference. The Parties agree that for the China SCC the following elections apply: Article 9; Clause (3), the Parties agree that all notices, sent according to such provision, will be deemed received within five (5) business days. Article 9; Clause (4)(1), the Parties agree that the China International Economic and Trade Arbitration Commission shall act as the arbitration institution. Article 9; Clause (6), the Parties agree that the original of this Agreement is in two (2) copies and each Party shall maintain one (1) copy. Appendix 1 of the China SCC shall be deemed to be prepopulated with the relevant sections of Annex I of this Schedule D. Where filing of the China SCC requires that the document be provided and filed in Chinese, Customer and Rockwell Automation agree to timely execute a Chinese version of the China SCC. In the event Customer fails to execute a Chinese version of the China SCC, Rockwell Automation will suspend all Processing of Personal Data subject to Chinese Privacy Laws.
ANNEX I TO SCHEDULE D
INFORMATION OF OUTBOUND CROSS-BORDER TRANSFER OF PERSONAL INFORMATION IN CROSS-BORDER TRANSFERS FROM THE PRC
TO BE COMPLETED FOR CHINA DATA TRANSFERS
(1) Personal Information transmitted belongs to the following types of Individuals:
Customer employees, contractors, and third parties as authorized under the Agreement.
(2) Transfers are made for the following purposes:
The context for and purpose of the Processing of Customer’s Personal Data is Supplier’s provision of Products to Customer in accordance with the Agreement.
(3) Method of processing:
Processing will be in accordance with this DPA.
(4) Amount of Personal Information transferred:
Less than one million individuals and fewer than 100,000 in aggregate since January 1 of the preceding year.
(5) Types of cross-border transferred Personal Information:
Customer employees, contractors, and third parties as authorized under the Agreement.
(6) Types of cross-border transferred Sensitive personal information:
Customer is not permitted to transfer sensitive personal information to Rockwell Automation.
(7) Overseas recipients will only provide Personal Information to the following recipients outside the PRC:
As set forth on the Sub-Processor List available on Rockwell Automation’s Trust Center specific to the Products purchased by Customer.
(8) Transfer method:
For On-Premise Software: as determined by Customer and Rockwell Automation in the Agreement or as may otherwise be agreed in writing.
For SaaS: via applicable cloud service
For Professional Services: As set forth in the applicable Statement of Work.
(9) Storage time after cross-border transfer:
Subject to applicable law, Personal Data will only be stored for the duration of the Agreement or as otherwise agreed between the parties.
(10) Storage location after cross-border transfer:
As set forth in the Sub-Processor List available on the Trust Center.
Revised June 6, 2023