Axalta Contractor Data Processing Policy


Effective Date: April 6, 2016

This Contractor Data Processing Policy (“Policy”) applies to all contractors (“Contractors”) who receive and Process Personal Information on behalf of Axalta or an Axalta affiliate (“Axalta”) and is made a part of the agreements (each an “Agreement”) between such Contractors and Axalta which refer to this Policy.

I. Definitions. Capitalized terms used in this Policy but not otherwise defined herein shall have the following meanings.

(A) “Information Security Incident” means any reasonably suspected unauthorized or illegal Processing, loss, use, disclosure or acquisition of or access to any Personal Information subject to this Policy.

(B) “Personal Information” means any information relating to an identified or identifiable individual, including, but not limited to, name, postal address, email address, telephone number, date of birth, Social Security number (or its equivalent), driver’s license number, account number, credit or debit card number, personal identification number, health or medical information, Internet Protocol (IP) address, or any other unique identifier or one or more factors specific to the individual’s physical, physiological, mental, economic or social identity, whether such data is in individual or aggregate form and regardless of the media in which it is contained, that may be (i) disclosed at any time to Contractor or its Personnel by Axalta, Axalta Affiliates or their respective Personnel in anticipation of, in connection with or incidental to the performance of services for or on behalf of Axalta or an Axalta Affiliate; (ii) Processed at any time by Contractor or its Personnel in connection with or incidental to the performance of the Agreement with Axalta; or (iii) derived by Contractor or its Personnel from the information described in (i) and (ii) above.

(C) “Personnel” means the employees, agents, consultants or contractors of Contractor or Axalta.

(D) “Privacy Laws” means (i) all applicable international, federal, state, provincial and local laws, rules, regulations, directives and governmental requirements currently in effect and as they become effective relating in any way to the privacy, confidentiality or security of Personal Information including, without limitation, the European Union Directives and laws implementing such Directives governing general data protection (Directive 95/46/EC), electronic commerce (Directive 2002/58/EC), and data retention (Directive 2006/24/EC); the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and relevant provincial laws; the Gramm-Leach-Bliley Act (“GLBA”), 15 U.S.C. §§ 6801-6827, and all regulations implementing GLBA; the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681 et seq., as amended by the Fair and Accurate Credit Transactions Act (“FACTA”), and all regulations implementing the FCRA and FACTA; the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM); security breach notification laws (such as Cal. Civ. Code §§ 1798.29, 1798.82 - 1798.84); laws imposing minimum security requirements (such as Cal. Civ. Code § 1798.81.5 and 201 Mass. Code Reg. 17.00); laws requiring the secure disposal of records containing certain Personal Information (such as N.Y. Gen. Bus. Law § 399-H); and all other similar international, federal, state, provincial, and local requirements; (ii) all applicable industry standards concerning privacy, data protection, confidentiality or information security currently in effect and as they become effective, including without limitation, the Payment Card Industry Data Security Standard, and any other similar standards, and (iii) applicable provisions of Axalta’s written requirements currently in effect and as they become effective relating in any way to the privacy, confidentiality and security of Personal Information or applicable privacy policies, statements or notices that are provided to Contractor in writing.

(E) “Process” or “Processing” means any operation or set of operations performed upon Personal Information, whether or not by automatic means, such as creating, collecting, procuring, obtaining, accessing, recording, organizing, storing, adapting, altering, retrieving, consulting, using, disclosing or destroying the Personal Information.

II. Notification.

(a) Contractor shall immediately inform Axalta in writing of any requests with respect to Personal Information received from Axalta’s employees, customers or any third party. Contractor shall respond to such requests in accordance with Axalta’s instructions. Contractor shall cooperate with Axalta if an individual requests access to his or her Personal Information for any reason.

(b) Subject to applicable law, Contractor shall notify Axalta immediately in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Information. Axalta shall have the right to defend such action in lieu of and on behalf of Contractor. Axalta may, if it so chooses, seek a protective order. Contractor shall reasonably cooperate with Axalta in such defense.

(c) If Contractor becomes aware of any Information Security Incident, Contractor shall, within twenty-four (24) hours after becoming aware of such Information Security Incident, notify Axalta’s local Data Protection Officer in writing of such Information Security Incident, specifying the extent to which Personal Information was or is reasonably believed to have been compromised or disclosed. In addition, Contractor shall (i) perform a root cause analysis thereon, (ii) investigate such Information Security Incident, (iii) preserve all documents, data and other information related to the Information Security Incident and investigation, (iv) provide Axalta with a remediation plan, acceptable to Axalta, to address the Information Security Incident and prevent any further incidents, (v) remediate such Information Security Incident in accordance with such approved plan, (vi) conduct a forensic investigation to determine what systems, data and information have been affected by such event; and (vii) cooperate with Axalta and, at Axalta’s request, any law enforcement or regulatory officials, credit reporting companies, and credit card associations investigating such Information Security Incident. If Contractor does not provide to Axalta the results and related reporting associated with its forensic investigation or Axalta determines that such information is not sufficient, then Contractor shall allow Axalta and its designees to conduct a forensic investigation of the Information Security Incident. Contractor shall use commercially reasonable efforts to preserve all evidence relating to the Information Security Incident until Axalta has completed such forensic investigation or confirmed to Contractor that it waives its right to conduct such an investigation. 
To the extent Contractor is unable to preserve any evidence relating to the Information Security Incident, Contractor shall create and maintain forensic copies of all such evidence and supporting documentation reasonably necessary for the investigation and prosecution of claims relating to such Information Security Incident.

(d) Without limiting the foregoing and notwithstanding anything herein or in the Agreement to the contrary, Axalta shall make the final decision on notifying Axalta’s customers, employees, service providers and/or the general public of such Information Security Incident as it relates to Axalta, and the implementation of the remediation plan as it relates to Axalta and the services provided to Axalta under the Agreement. If a notification to any person is required under any Privacy Law, then at Axalta’s option notifications to all persons who are affected by the same event (as reasonably determined by Axalta) shall be considered legally required.

(e) Contractor will be responsible for the costs and expenses associated with the performance of its obligations in Section II(c) above if the Information Security Incident did not result from the acts or omissions of Axalta or any of its third party providers (excluding Contractor and its designees), and Contractor shall reimburse Axalta on demand for all Notification Related Costs (as hereinafter defined) incurred by Axalta and its affiliates arising out of or in connection with any such Information Security Incident. Axalta will be responsible for Contractor’s reasonable costs and expenses associated with the performance of its obligations in Section II(c) above, other than the costs and expenses associated with the notification required to be provided to Axalta of the Information Security Incident, if the Information Security Incident resulted from the acts or omissions of Axalta, its affiliates or any of their third party providers (excluding Contractor and its designees). “Notification Related Costs” shall include Axalta’s internal and external costs associated with addressing and responding to the Information Security Incident, including but not limited to: (i) preparation and mailing or other transmission of legally required notifications; (ii) preparation and mailing or other transmission of such other communications to such persons as Axalta deems reasonably appropriate; (iii) establishment of a call center or other communications procedures in response to such Information Security Incident (e.g., FAQs, talking points and training); (iv) public relations and other similar crisis management services; (v) legal and accounting fees and expenses associated with Axalta’s investigation of and response to such event; and (vi) costs for commercially reasonable credit reporting services that are associated with legally required notifications or are advisable under the circumstances.

III. Compliance with Privacy and Information Security Requirements.

(a) Contractor shall comply with all Privacy Laws as they relate to Personal Information subject to this Policy.

(b) Contractor confirms that no applicable law, or legal requirement, or privacy or information security enforcement action, investigation, litigation or claim prohibits Contractor from (i) fulfilling its obligations under the Agreement with Axalta or (ii) complying with instructions it receives from Axalta concerning Personal Information. In the event a law, or legal requirement, or privacy or information security enforcement action, investigation, litigation or claim, or any other circumstance, is reasonably likely to adversely affect Contractor’s ability to comply with this Policy, Contractor shall promptly notify Axalta in writing and Axalta may, in its sole discretion and without penalty of any kind to Axalta, suspend the transfer or disclosure of Personal Information to Contractor or access to Personal Information by Contractor, terminate any further Processing of Personal Information by Contractor, and terminate the Agreement, if Axalta reasonably deems termination necessary to comply with applicable Privacy Laws or to avoid any breach thereof.

(c) Contractor shall enter into any further privacy, information security, data transfer or data processing agreement requested by Axalta for purposes of compliance with applicable Privacy Laws. In case of any conflict between this Policy and any such further data privacy or information security agreement, such further agreement shall prevail with regard to the Processing of Personal Information covered by it.

IV. Personal Information Safeguards.

(a) Contractor shall develop, maintain and implement a comprehensive written information security program that complies with applicable Privacy Laws. Contractor’s information security program shall include appropriate administrative, technical, physical, organizational and operational safeguards and other security measures designed to (i) ensure the security and confidentiality of Personal Information; (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Information; (iii) protect against any actual or suspected Information Security Incident; (iv) encourage timely internal reporting of reasonably suspected and actual Information Security Incidents; and (v) facilitate appropriate response by Contractor to Information Security Incidents. Without limiting the generality of the foregoing, Contractor’s information security policies shall provide for (y) regular assessment and re-assessment of the risks to the security of Personal Information and systems used by Contractor to Process Personal Information, including (1) identification of internal and external threats that could result in an Information Security Incident, (2) assessment of the likelihood and potential damage of such threats, taking into account the sensitivity of such data and systems, and (3) assessment of the sufficiency of policies, procedures, and information systems of Contractor, and other arrangements in place, to control risks; and (z) protection against such risks.

(b) If the Processing by Contractor or its Personnel involves the transmission of the Personal Information over a network, Contractor shall implement appropriate measures designed to protect the Personal Information against the specific risks associated with such transmission. Contractor shall ensure a level of security appropriate to the risks associated with such transmission and the nature of the Personal Information Processed or as otherwise required by Privacy Laws.

(c) Contractor shall exercise the necessary and appropriate supervision over its relevant Personnel to maintain appropriate privacy, confidentiality and security of Personal Information. Contractor shall provide training, as appropriate, regarding the privacy, confidentiality and information security requirements set forth in this Policy to relevant Personnel who have access to Personal Information. Contractor shall only retain contractors that Contractor reasonably can expect to be suitable and capable of performing the delegated obligations in accordance with the Agreement and this Policy.

(d) Promptly upon the expiration or earlier termination of the Agreement, or such earlier time as Axalta requests, Contractor shall return to Axalta or its designee, or at Axalta’s request, securely destroy or render unreadable or undecipherable if return is not reasonably feasible or desirable to Axalta (which decision shall be based solely on Axalta’s written statement), each and every original and copy in every media of all Personal Information in Contractor’s possession, custody or control. Promptly following any return or alternate action taken to comply with this paragraph, Contractor shall provide to Axalta a completed officer’s certificate certifying that such return or alternate action occurred. In the event applicable law does not permit Contractor to comply with the delivery or destruction of the Personal Information, Contractor warrants that it shall ensure the protection and confidentiality of the Personal Information until such time as delivered or destroyed and that it shall not use or disclose any Personal Information after termination of the Agreement.

V. Right to Monitor.

(a) Axalta shall have the right to monitor Contractor’s compliance with this Policy. During normal business hours, and without prior notice, Axalta or its authorized representatives may inspect Contractor’s facilities, equipment and systems, and any information or materials in Contractor’s possession, custody or control, relating in any way to Contractor’s obligations under this Policy. An inspection performed pursuant to this Policy shall not unreasonably interfere with the normal conduct of Contractor’s business. Contractor shall cooperate fully with any such inspection initiated by Axalta.

(b) Contractor shall deal promptly and appropriately with any inquiries from Axalta relating to the Processing of Personal Information subject to this Policy.