Data privacy obligations for Honeywell suppliers
Notwithstanding anything to the contrary elsewhere in the applicable purchase order or agreement (collectively “Agreement”), but without limiting any agreed contractual data privacy obligations exceeding the obligations under this exhibit, Supplier will:
- Process information relating to an identified or identifiable natural person that Supplier and/or its subcontractors are processing on behalf of Honeywell and/or its subsidiaries and affiliates in performance of or in connection with the Agreement (“Honeywell Personal Data”) solely for the purpose of, and only to the extent necessary for, the performance of the Agreement and in accordance with the written instructions of Honeywell as set forth in the Agreement, this exhibit (including the ”Data Processing Details” below) and any statement of work. If Supplier believes that it is required by applicable data protection, privacy, breach notification and/or data security laws (“Applicable Privacy Laws”) to process Honeywell Personal Data in a different manner, Supplier will notify Honeywell without undue delay and before processing begins, unless such notification is prohibited by law.
- Provide reasonable assistance, information and cooperation to allow Honeywell to ensure compliance with its obligations under Applicable Privacy Laws, including with respect to responding to requests from individuals to exercise their rights relating to Honeywell Personal Data about them and allowing for, and contributing to, reasonable audits conducted by or on behalf of Honeywell or supervisory authorities.
- Provide notice to Honeywell at HoneywellPrivacy@honeywell.com, within thirty-six (36) hours of discovery by Supplier or its subcontractors, of any event involving any compromise of the confidentiality, integrity or availability of Honeywell Personal Data and/or the networks, systems or databases on which the Honeywell Personal Data is stored, transmitted or otherwise processed, including, but not limited to, any accidental, unlawful or unauthorized disclosure, use, viewing, destruction, loss, alteration, or acquisition of, or access to, any Honeywell Personal Data (“Security Breach”).
- Respond promptly to all inquiries from Honeywell regarding Supplier’s processing of Honeywell Personal Data, and, within one (1) business day of receipt, notify Honeywell at HoneywellPrivacy@honeywell.com of any inquiry received from an individual or a data protection authority or other government regulator regarding Supplier’s processing Honeywell of Personal Data.
- Implement and maintain appropriate technical and organizational measures in relation to its processing of Honeywell Personal Data so as to ensure an appropriate level of security with respect to Honeywell Personal Data processed by it.
- Ensure that its employees and agents authorized to process Honeywell Personal Data have committed themselves to confidentiality, or are under a statutory obligation of confidentiality.
- Not disclose or otherwise make available Honeywell Personal Data to any third party, unless: (1) the third party is a subcontractor processing Honeywell Personal Data in connection with the performance of Supplier’s obligations under the Agreement; (2) Supplier has provided prior written notice to Honeywell of, and an opportunity for Honeywell to object to, the use of the subcontractor; and (3) Supplier has entered into a written contract with the subcontractor requiring the subcontractor to abide by terms materially equivalent to those set forth in the Agreement (including this exhibit) regarding the processing and protection of Honeywell Personal Data. Supplier will be responsible for all its subcontractors regarding the processing and protection of Honeywell Personal Data and any act or omission of the subcontractor will be deemed an action or omission of Supplier for the purpose of this exhibit.
- Not transfer Honeywell Personal Data relating to individuals residing in the European Economic Area (“EEA”) or Switzerland from the EEA or Switzerland to jurisdictions outside the EEA or Switzerland unless such steps have been taken by Supplier to ensure that each such transfer complies with Applicable Privacy Laws.
- Indemnify Honeywell and its subsidiaries, affiliates and agents, and their respective officers, directors and employees (collectively "Indemnitees") from and against, and reimburse the Indemnitees for, any and all losses, costs, expenses, damages, liabilities, demands, claims, actions or proceedings suffered or incurred by any of the Indemnitees relating to, resulting from, or in connection with Supplier’s negligence or breach of any Applicable Privacy Laws or any of the terms and conditions or obligations relating to data protection, privacy, breach notification, data security or Honeywell Personal Data set out in the Agreement (including this exhibit).
- Upon the termination or expiration of the Agreement securely destroy all Honeywell Personal Data or, alternatively, upon Honeywell’s written request, return such Honeywell Personal Data to Honeywell. Notwithstanding the foregoing, Supplier may retain Honeywell Personal Data beyond the retention limits set forth in this exhibit to the extent such retention is required by applicable law, provided that, in such a case Supplier retains only that Honeywell Personal Data needed to comply with that legal requirement, and continues to comply with all provisions of the Agreement (including this exhibit) regarding the processing and protection of such Honeywell Personal Data for as long as Supplier retains Honeywell Personal Data.
- Comply (and ensure that its subcontractors comply) with Applicable Privacy Laws at all times when performing the Services.
- And not charge Honeywell any separate or additional fee for its compliance with its foregoing obligations; the mutually agreed pricing shall include all associated cost of compliance with this exhibit.
The following information describes Supplier’s processing of Honeywell Personal Data in connection with the Services:
Data Processing Details
Duration of processing:
For the duration of the Agreement
The Honeywell Personal Data transferred concern the following categories of individuals:
Honeywell and its subsidiaries and affiliates and their employees and contractors.
The Honeywell Personal Data transferred concern the following categories of information:
Name, employee identification number and business contact information.
The Honeywell Personal Data transferred will be subject to the following basic processing activities:
The Honeywell Personal Data will be processed only for the purposes of performance of the Services under the Agreement.
This data privacy exhibit is entered into by Honeywell for and on behalf of itself and each of its subsidiaries and affiliates, which list may be amended from time to time and made available upon request.
Capitalized terms used in this exhibit are defined in the place in which they are used. Capitalized terms that are used but not defined in this exhibit shall have the meanings given them in the Agreement.
© 2020 Honeywell International Inc.
All rights reserved.