Cross Border Data Transfers

International Data Transfers

Our global privacy program was designed with the most stringent global privacy and data protection laws in mind. We are committed to providing the best privacy protection available, including international data transfers. Johnson Controls has substantial experience in dealing with the variety of laws governing the transfer of personal data across different countries and jurisdictions. When Johnson Controls processes personal data for our own purposes or on behalf of a customer, we utilize the following transfer mechanisms:

EU Standard Contractual Clauses (SCCs)

In June 2021, the European Commission issued modernized standard contractual clauses (SCCs) under the General Data Protection Regulation (GDPR) for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR). These modernized SCCs replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46. Since September 2021, it is no longer possible to conclude contracts incorporating these earlier sets of SCCs. In line with this, Johnson Controls has incorporated the new SCCs into our  Data Processing Addendum (DPA) and Global Data Processing Terms. These SCCs allow the transfer of personal data from the EU to other countries including the US. This applies to situations where Johnson Controls is for example, processing personal data for a customer or where a vendor is processing personal data on behalf of Johnson Controls.

Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR)

This government-backed privacy certification demonstrates that Johnson Controls complies with internationally recognized data privacy protections. The framework is approved for the transfer of personal data by Johnson Controls between participating APEC member economies: United States of America, Mexico, Japan, Canada, Singapore, Republic of Korea, Australia, Chinese Taipei and Philippines. 

 

Data Processing Addendum

Our dedication to protecting customer data is integrated into all Johnson Controls products and services and is reflected in our Data Processing Addendum. Our deep understanding of protective systems and processes provides companies and individuals a secure environment in today’s digital world.

View the data processing addendum.

Global Personal Data Processing Terms

These terms apply when a vendor is processing personal data on behalf of Johnson Controls.

Binding Corporate Rules (BCRs)

Johnson Controls has also adopted Binding Corporate Rules (BCRs) that have been vetted by EU data protection authorities. See a full downloadable list below.

These BCRs are designed to ensure an adequate level of protection of your personal data, in compliance with the EU Privacy Directive 95/46/EC, while transferring personal data from the European Economic Area (EEA) to our affiliates globally.

Map depicting the European Economic Areas under Johnson Controls Binding Corporate Rules