Effective Date: September 7, 2022

Axalta Coating Systems, LLC and its subsidiaries and affiliates (“Axalta”) strives to protect the privacy of its employees, clients and contractors, including its suppliers.  Unless otherwise agreed upon in writing, suppliers should refer to the following privacy statement for guidance on how Axalta collects, uses and discloses information: https://www.axalta.com/corporate/en_US/privacy.html.

In addition, unless otherwise agreed upon in writing, and such written agreement expressly conflicts with the below, the following terms and conditions (“Privacy Terms”) apply to all contractors (“Contractors”) who receive and process Personal Data on behalf of Axalta.  For the sake of clarity, the Standard Contractual Clauses shall prevail over any conflicting terms and conditions. Capitalized terms shall have the meaning given them in the below Privacy Terms, and in the Data Protection Laws, as applicable.

Axalta and Contractor agree to the following:

1.      DEFINITIONS. The following terms, including any derivatives thereof, will have the meanings set forth below.

1.1.    “Affiliate” means, with respect to any specified person or entity, any other person or entity that, directly or indirectly, through one or more intermediaries, controls, or is controlled by, or is under common control with, such specified person or entity.

1.2.    “Data Protection Laws” means any laws that apply to the Processing of data by Contractor under the Privacy Terms. This includes laws, regulations, guidelines, requirements, and government issued rules in the U.S. and other jurisdictions, at the international, country, state/provincial, or local levels, currently in effect and as they become effective.

1.3.    “Data Subject” means any living identified or identifiable natural person to whom Personal Data relates or identifies.

1.4.    “Data Subject Request” means a request relating to a Data Subject’s Personal Data consistent with that person’s rights under Data Protection Laws.

1.5.    “Personal Data” means information that is linked, reasonably linkable, or relates to a Data Subject.

1.6.    “Security Incident” means any accidental, unauthorized, unintended, or unlawful processing, access to, exfiltration, theft, disclosure, destruction, loss, alteration, compromise, and/or malicious infection of Axalta Personal Data transferred, transmitted, stored, or otherwise Processed by Contractor.

1.7.    “Services” will be those services as agreed upon by Contractor and Axalta.

1.8.    “Standard Contractual Clauses” means the applicable Module (based on the relationship between the Parties) of the Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, pursuant to the European Commission’s decision ((EU) 2021/914) of 4 June 2021.

1.9.    “Subprocessor” means a subcontractor engaged by Contractor or its affiliates to Process Axalta Personal Data as part of the performance of the Services.

1.10. “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0.

1.11. The following terms have the meanings as set forth in the Data Protection Laws: De-Identified Data, Process or Processing, Pseudonymous Data, Sell, Sensitive Personal Information, Share.

2.      PROCESSING OF CUSTOMER PERSONAL DATA

2.1.    Processing of Axalta Personal Data. Contractor will only Process (including but not limited to Sale, Sharing, or Disclosure) Axalta Personal Data for the purposes of providing its Services, and only in accordance with Axalta’s documented instructions, unless otherwise required under Data Protection Laws to which Contractor is subject, in which case Contractor shall notify Axalta prior to such Processing unless prohibited by law.

2.1.1.  Contractor shall comply with Data Protection Laws and Axalta’s instructions when Processing Axalta Personal Data. Contractor will inform Axalta immediately if, in its opinion, an instruction does not comply with Data Protection Laws.

2.1.2.  Axalta instructs Contractor to Process Axalta Personal Data to perform the Services and as described in the Privacy Terms.

2.1.3.  Contractor will not Sell or Share Axalta Personal Data, nor will it retain, use, or disclose Axalta Personal Data for any purpose other than for the specific business purpose of performing the Services specified in the Privacy Terms.  Contractor will not Process Axalta Personal Data outside the direct business relationship between Axalta and Contractor, including retaining, using, or disclosing Axalta Personal Data for a commercial purpose other than providing the Services specified in the Privacy Terms or as required by law.

2.1.4.  Contractor shall not aggregate, anonymize, or otherwise deidentify Axalta Personal Data without the prior written authorization of Axalta except as needed to perform the Services.

2.1.5.  Contractor shall not combine Axalta Personal Data received from Axalta with any other information Contractor receives from or on behalf of another person or business or which it collects from its own interactions with Data Subjects.

2.1.6.  Contractor shall Process Personal Data under the Privacy Terms in compliance with Data Protection Laws, including providing the same level of privacy protection required by Data Protection Laws.  Contractor will notify Axalta if Contractor determines it or its Subprocessor(s) cannot meet its obligations under the Data Protection Laws, in which case Axalta may, immediately, take reasonable and appropriate steps to stop and remediate unauthorized Processing of Personal Data.

2.1.7.  Where Contractor Processes Axalta Personal Data, the details of data processing are as follows:

2.1.7.1.  Axalta is the data controller, and Contractor is the data processor.

2.1.7.2.  Axalta instructs Contractor to Process Axalta Personal Data as needed to provide the services agreed upon by the parties.

2.1.7.3.  The duration of processing will be the term of the written agreement between the parties, if applicable, unless otherwise agreed by the parties.

2.1.7.4.  The nature and purpose of the Processing are for Contractor to provide Axalta with the services agreed by the parties.

2.1.7.5.  The categories of data subjects whose Personal Data is Processed may include employees, job applicants, dependents/beneficiaries, former employees, vendors/third parties, and/or other categories.

2.1.7.6.  The types of Personal Data processed by Contractor may include personal details, including any information that identifies the data subject and their personal characteristics; personal details issued as an identifier by a public authority; health and medical information, health insurance information; education and training details, including information which relates to the education and any professional training of the data subject; employment details, including information relating to the employment of the data subject; financial details, including information relating to the financial affairs of the data subject; and sensitive personal data.

2.2.    Data Subject Requests.  Contractor shall inform Axalta within one business day if it receives a request from a Data Subject relating to their Personal Data.   Contractor will provide such assistance, including taking any appropriate technical and organizational measures, as Axalta requests to help Axalta fulfill its obligations under Data Protection Laws to respond to Data Subject Requests.

2.2.1.  Responding to Requests.  Unless expressly authorized by Axalta, Contractor shall not respond to any Data Subject Request.

2.2.2.  Requests to Delete.  Unless it is permitted to retain Personal Data under the Data Protection Laws, Contractor will comply with Axalta’s direction to delete any Personal Data Processed under the Privacy Terms, and shall notify any Subprocessors of such direction as applicable.  Contractor shall promptly inform Axalta if Contractor is required to retain Personal Data subject to such a request, including the exception(s) relied upon under applicable law, and Contractor shall not use the Personal Data retained for any other purpose than provided for by the exception(s).

2.2.3.  Requests to Restrict Processing of Sensitive Personal Information.  Contractor will assist Axalta in complying with a Data Subject's request to limit the use and disclosure of Sensitive Personal Information and will not use the Sensitive Personal Information after it has received instructions from the Axalta and to the extent it has actual knowledge that the Personal Data is Sensitive Personal Information for any other purpose.

2.3.    Regulator Requests. Both Parties will assist the other in communicating and cooperating with any regulators relating to Axalta Personal Data.  In the event Contractor receives a request from a regulator relating to the Processing of Personal Data under the Privacy Terms, Axalta shall maintain all control over any communications with the regulator regarding such request, unless otherwise required by applicable law.

2.3.1.  Contractor shall promptly notify Axalta of all enquiries from a regulator that Contractor receives which relate to the Processing of Personal Data under the Privacy Terms, the provision or receipt of the Services, or either Party's obligations under the Privacy Terms, unless prohibited from doing so at law or by the regulator.

2.3.2.  Unless a regulator requests in writing to engage directly with Contractor, the Parties (acting reasonably and taking into account the subject matter of the request) agree that Axalta shall be responsible for handling all regulator requests.  

2.4.    Deletion and Return of Axalta Personal Data. Upon termination of the Services or Axalta’s request, Contractor will, at Axalta’s option: either (a) return all Axalta Personal Data to Axalta, or (b) securely destroy all Axalta Personal Data.  Upon Axalta's request, Contractor will provide a certification that Axalta Personal Data has been returned and, if applicable, securely destroyed, unless retention is required by law. If required to retain Axalta Personal Data by law, Contractor will provide written notice to Axalta and continue to safeguard such data in accordance with these Privacy Terms.

2.5.    Disclosure.

2.5.1.  Contractor shall not disclose Axalta Personal Data to any third parties without Axalta’s prior consent, except as required by law or permitted by the Privacy Terms.

2.5.2.  If Axalta Personal Data is requested by a third party via a subpoena or other discovery request, to the extent permitted by applicable law, Contractor will immediately provide Axalta with notice of the request prior to disclosing the Axalta Personal Data so that Axalta may, at its expense, object to the subpoena or discovery request and seek an appropriate protective order.  Axalta reserves the right to defend any related action in whole or in part, and Contractor shall reasonably cooperate in such defense.  Contractor shall only disclose the minimum amount of Personal Data required by law.

2.6.    Access.

2.6.1.  Subject to these Privacy Terms, Contractor will limit access to Axalta Personal Data to only its employees, Subprocessors, and other third parties who require access as part of providing the Services.

2.6.2.  Contractor shall inform its personnel engaged in the Processing of Axalta Personal Data of the confidential nature of the Axalta Personal Data and ensure that they are subject to binding confidentiality obligations.

2.7.    Data Protection Impact Assessments; Prior Consultation.  Contractor agrees to provide all reasonable assistance to Axalta in completing any data protection impact assessments and/or consultations with government authorities pursuant to Data Protection Laws.

2.8.    De-Identified Data. Contractor shall be responsible for its compliance with all laws regarding data that cannot reasonably identify, be related to, describe, be capable of being associated with or be linked directly or indirectly to a Data Subject.  

2.8.1.       To the extent Contractor Processes De-Identified Data under the Privacy Terms, Contractor:

2.8.1.1.  Will not attempt to associate De-Identified Data with an individual;

2.8.1.2.  Will not attempt to re-identify De-Identified Data;

2.8.1.3.  Will maintain and use De-Identified Data only in a de-identified fashion; and

2.8.1.4. Will not use De-Identified Data to infer information about, or otherwise link to, an identified or identifiable individual or a device linked to such an individual.

2.9.    Pseudonymous Data.  To the extent Contractor Processes Pseudonymous Data under the Privacy Terms, Contractor will not attribute or attempt to attribute Pseudonymous Data to an identified or identifiable individual.  Contractor will ensure that any information necessary to identify the Data Subject is:

2.9.1.  Kept separately from Pseudonymous Data; and

2.9.2.       Subject to effective technical and organizational controls that prevent access to such information.

3.      AUDITS. Axalta may audit Contractor’s compliance with its obligations under these Privacy Terms, and under Data Protection Laws, and will cooperate in a data protection impact assessment as required by Data Protection Laws.  Contractor will inform Axalta if, in its opinion, any of Axalta’s instructions relating to the audit violate applicable Data Protection Laws.

4.      SECURITY MEASURES. Subject to the obligations of Axalta under the Privacy Terms:

4.1.    Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Contractor shall, in relation to the Axalta Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk to protect the Axalta Personal Data from unauthorized access, destruction, use, or other processing, including, as appropriate, the measures referred to in Article 32 of the GDPR.

4.2.    In assessing the appropriate level of security, Service Provider shall take account in particular of the risks that are presented by Processing, including without limitation the risks of a Security Incident.

4.3.    Contractor shall notify Axalta without undue delay after becoming aware of a Security Incident and shall cooperate with Axalta and take such reasonable commercial steps as are directed by Axalta to assist in the investigation, mitigation, and remediation of a Security Incident.  Such notification shall be made initially via phone, thereafter using whichever method(s) directed by Axalta.  Contractor shall also provide Axalta with the assistance necessary for Axalta to meet its obligations relating to Security Incidents.

5.      SUBPROCESSORS

5.1.    Axalta authorizes Contractor to appoint (and permit each Subprocessor appointed in accordance with this Section to appoint) Subprocessors in accordance with this Section and any restrictions in the Privacy Terms and applicable Data Protection Laws.

5.2.    Contractor may continue to use those Subprocessors already engaged by Contractor as of the date it begins to provides Services to Axalta, subject to Contractor in each case as soon as practicable meeting the obligations set out in this Section.  Contractor shall give Axalta prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor, and Axalta must inform Contractor of any objection to such new Subprocessor within ten (10) business days of such notice.

5.3.    Contractor will ensure that any Subprocessor with access to Axalta Personal Data enters into a written agreement obligating the Subprocessor to comply with terms that are at least as restrictive as those imposed on Contractor under the Privacy Terms.

5.4.    Contractor shall remain fully responsible for and liable to Axalta for the performance of its Subprocessors’ obligations and its Subprocessors’ Processing of Axalta Personal Data.

6.      RESTRICTED TRANSFERS

6.1.    Restricted Transfers.  Axalta is solely responsible for ensuring that any authorized transfer of Axalta Personal Data across national borders made by Contractor at the Axalta’s direction complies with all laws, including but not limited to any cross-border data transfer requirements or prohibitions.  For Axalta Personal Data subject to the GDPR, Contractor will not transfer Axalta Personal Data to or within any country outside of the European Economic Area (“EEA”), the United Kingdom (“UK”), or any country not recognized by the European Commission as providing an adequate level of protection for Personal Data (a “Restricted Transfer”), either directly or via onward transfer, without Axalta’s consent.  If Axalta consents to a Restricted Transfer, Contractor shall provide appropriate safeguards under Article 46 of the GDPR.  Without limitation, Axalta and Contractor agree that: (i) the Standard Contractual Clauses shall apply to any Restricted Transfer that is subject to the GDPR, which shall be formalized in a separate written agreement; and (ii) the UK Addendum shall apply to any Restricted Transfer that is subject to the UK GDPR which shall be formalized in a separate written agreement.

6.2.    Alternative Transfer Mechanisms. If the Standard Contractual Clauses or the UK Addendum is invalidated or modified by judicial proceeding, statute, regulation, or otherwise, the Parties shall cooperate to identify alternative data transfer mechanisms, if available, provided that either Party may decline to adopt such mechanisms or to accept a modification of the Standard Contractual Clauses or UK Addendum in its sole discretion.

7.      ADDITIONAL COMPLIANCE PROVISIONS

7.1.    Information to Demonstrate Compliance.  Contractor agrees, upon the reasonable request of Axalta, to make available to Axalta all information in its possession necessary to demonstrate Contractor’s compliance with its obligations under this Privacy Terms and the Data Protection Laws.  Axalta shall have the right to take reasonable and appropriate steps to ensure that the Contractor is using Axalta Personal Data in a manner consistent with Contractor’s obligations under this Privacy Terms and Data Protection Laws.

7.2.    Reasonable Assistance. Contractor shall provide Axalta with all reasonable assistance required by Axalta to comply with Axalta’s obligations under Data Protection Laws.

7.3.    No Sale or Sharing.  The disclosure of Axalta Personal Data to Contractor does not constitute a Sale or Sharing under the Data Protection Laws. Notwithstanding anything in the Privacy Terms, the Parties acknowledge and agree that Axalta’s provision of access to Personal Data is not part of and is explicitly excluded from the exchange of consideration or any other thing of value between the Parties.

7.4.    Interpretation.  This Privacy Terms and the Privacy Terms shall be interpreted as broadly as necessary to implement and comply with the mandatory provisions of the Data Protection Laws.

7.5.    Contractor as Service Provider, Processor.  The Parties agree that where Contractor processes Personal Data under the Privacy Terms, it functions as a Service Provider and a Processor under the Data Protection Laws.

7.6.    Certification.  Unless it provides written notice to Axalta within 10 days after it receives notice of these Privacy Terms, Contractor certifies that it understands the restrictions herein and will comply with them.