Cross Border Data Transfers

Approved by:

  • David Kohler
  • Jeff Andersen

Effective Date: September 4, 2024

The official Approved Google Document for this policy can be found here.

Company Policy will supersede when approved and released.

A Trimble Cloud Core Platform Standard

Standards for Cross Border Data Transfers

This document outlines the approach Trimble Cloud Platform (TCP) will take when transferring data for processing for the permitted purpose and/or as a processor or sub-processor on behalf of Trimble Cloud Platform Integrators and their customers, in accordance with their instructions.

Trimble Cloud Platform Core plans to utilize an existing Legal Entity in the countries where Trimble operates for the purposes of transferring personal data to the USA, and will safeguard such transfers of personal data in compliance with global privacy and other regulatory requirements for controller, processor or sub-processor transfers.

Trimble Cloud Platform adheres to the Enterprise Data Classification Policy and Data Protection Policies and relies on notifying consumers/subscribers of its personal data transfer practices in the Privacy Notice published on Trimble.com.

Scope

These standards apply to the Trimble Cloud Core Platform team personnel, contractors/consultants processing data and the systems used to process data on their behalf. They are expected to adhere to these standards when developing and enhancing Core products and services or managing operations globally including cross border data transfers.

Scope also includes contractual obligations of Trimble (Integrators) to their customers if the integrators are using Core Products and Services supported by TCP in data processing and storage as stated in the agreements or contracts.

The scope further extends to regionalization requests for Core products and supporting infrastructure where cross border data transfers of operational and service data (containing personal data) to the centralized operations and technical support regions may occur.

Statement

Trimble Cloud Platform Core Products and Services personnel (employees, contractors, agents) are expected to apply the Standards for Global Data handling, processing, protection and transfers as stated in this document when designing, developing and operationalizing Core products and services.

These standards should be followed in addition to Trimble’s Policies and Standards for Data Classification, Protection and advice on applicable Privacy laws given by Legal and Office of Data Protection.

Standards

Applicable Privacy Regulations

Identify the data protection laws and privacy regulations applicable to the Trimble Cloud Platform Core organization (with ODP, Legal and Integrators) and utilize effective controls, on an ongoing basis, to mitigate the privacy risk and address any privacy harms possible to the data subjects.

Lawful/Legal Basis for Collection, Use and Disclosure

TCP warrants that the data is collected, used, disclosed and transferred in accordance with applicable regulatory requirements and the Data Subjects have been notified and have given consent to the purposes via Terms and Conditions or Privacy Notice, where reasonable and practicable.

Data Protection Clauses

TCP will process the data in accordance with Data Classification and Protection policies related to Collection, Notification, Purpose, Accuracy, Security Safeguards, Access and Correction, Transfers, Retention and Accountability.

Incident Management

TCP will identify, record and classify service requests and incidents, and assign a priority according to business criticality and service agreements. Procedures are posted on Confluence.

  1. Security Incident: TCP personnel will follow the Enterprise (Cyber) Incident management procedures established internally at Trimble, for reporting and managing security incidents.
  2. Data Breach Notification: TCP personnel will follow the enterprise Incident Management process and notify the appropriate incident management teams, in a timely manner as stipulated by the regulation, if they become aware of any loss or unauthorized use, copying, modification, disclosure, destruction of, or access to, personal data they process.
  3. Response Time: TCP will ensure that the response plan stipulates the SLAs required by regulations (e.g. GDPR) associated with each privacy breach.

Data Transfers

Data Transfers are regulated by applicable privacy and data protection regulations globally. TCP should be knowledgeable about, and take advice from Legal and ODP on, the regulatory requirements or restrictions placed on data transfers that apply to TCP’s transfers in the processing of data. For example, GDPR, CCPA, or any other US state privacy law applicable to Trimble will also be applicable to TCP.

  1. List of Transfers: Entities need to be able to track and manage all data transfers, including those internal and external to the regular information systems and any ad hoc ones.
  2. Role: Determine TCP’s role and responsibility in the data transfers. Is the role one of Controller, Processor or Sub-Processor of data?
  3. Relationship of the Parties: Determine the relationship between the parties transferring the data. Is it Controller to Controller or Controller to Processor?
    1. Controller to Controller: When a Party transfers Personal Data to another Party without Instructions on the purposes of processing the relevant Personal Data, each Party will be an independent Controller.
    2. Controller to Processor: When a Party transfers personal data to another Party with Instructions, the disclosing Party will be a Controller and the receiving Party will be a Processor in respect of the relevant Personal Data.

Data Subject Rights

  1. Implement technical solutions to provide mechanisms for individuals (Data Subjects) to exercise their rights under the Privacy Regulations. The TCP process should not be independent but should be part of the Enterprise (Trimble’s) Data Subject Access & Removal Request (DSAR) processing (see Appendix).
  2. In case of requests coming in directly to TCP from integrators or their customers (for example to remove Trimble Identity of an individual or group of individuals), such requests should be directed to ODP (via email: Joesph_Shelby@Trimble.com or Office of Data Protection intake process when released) and TCP compliance for review until a DSAR process is established at an enterprise level to automate receiving and addressing such requests.

Trimble may have legal obligations to preserve and provide information on an individual, to Law enforcement or supervisory authorities due to Legal Hold or subpoena. In such cases TCP should assist Legal in preserving and providing the information if applicable. TCP should consult with Legal if this requirement would supersede any privacy regulations for consent or data retention. Data Flow diagrams and ROPAs are helpful in knowing what and where the data resides.

Data Protection Agreement (DPA)

  1. The European Commission has the power to determine, on the basis of Article 45 of Regulation (EU) 2016/679, whether a country outside the EU offers an adequate level of data protection. The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary.
  2. Contact ODP for determining if the TCP data transfers need any Data Processing Agreements (DPA) or Transfer Impact Assessments (TIA) from the countries where transferred data is originating from.

Technical Measures

Taking into account the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor (if applicable to TCP) will in relation to the Company Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

  1. Develop and maintain Data Flow Diagrams and Records of Processing Activity (ROPA) for each TCP Core product and service, to understand and document what data is being transferred and for what purpose.
  2. Maintain the data elements collected by each TCP product/Service and classify according to the Trimble Data Classification Policy for appropriate data protection mechanisms such as Encryption of data at rest and in transit.
  3. Maintain Architecture diagrams to clearly show the systems (including third party), data sources, Infrastructure components (including Cloud Service Providers) and their geographical locations.
  4. Maintain an inventory of all Sub-processors TCP appoints, including the Processing activities they fulfill, and provide such list (“Sub-processor List”) to Controller upon request.
  5. Maintain an inventory (List) of the vendors providing systems or services to TCP and clearly mark each one of them as a ‘Controller’, ‘Processor’ or ‘Sub-Processor’. This listing will help in implementing and documenting each vendor’s role and responsibility in Privacy compliance.
  6. Utilize the Data Flow Diagrams to define and implement a process for addressing data subject rights such as the ‘Right to be Forgotten’ and ‘Right to Access’ that follows the enterprise DSAR process.

Security Measures

Processor (if applicable to TCP) will take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Company Personal Data, as strictly necessary for the purposes of complying with Applicable Laws, and ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

TCP is certified against and implements security standards frameworks such as SOC 2, ISO 27001 and NIST 800-171. Data protection, access to Personal Data, etc. are managed using the controls defined in these frameworks. Additionally, operational controls are implemented to mitigate risks to personal data and its processing.

  1. TCP personnel (especially developers & engineers) should understand these controls as applicable to the process and perform control activities for continued compliance assurance.
  2. Manage access and authorization to process the personal data for personnel (employees, contractors or agents), ensuring they have undergone appropriate training in the care, protection and handling of such data.
  3. Implement Security Standard (SOC 2, ISO) controls for monitoring and logging, business continuity and disaster recovery.
  4. Manage multiple copies of information and distribution methods in the case of person-to-person transfer of data. For example, avoid attaching a data file to an email sent from one person in the entity to another via the corporate email system, where the data retention policy may require a longer period of retention than is necessary to process the data under privacy regulation.

Types of Data Transfers

TCP develops and services the Core Platform Products and Services providing Identity and Access Management, APIs, etc., used by the Integrators to develop and build Trimble products and used by their customers. In the course of managing operations and maintaining technical support using the ‘Follow the Sun’ model, operational data and technical information is transferred from other countries to the US, India, Finland, Ireland and other countries.

  1. Operational Data: Monitoring and logging requires access to the Personal Data, and the logs are transferred to and stored in a system at a central location.
  2. Disaster Recovery Infrastructure models for Active-Active and Active-Passive.
  3. Technical Data for support: TCP uses a ‘Follow the Sun’ support model where Personal Data, logs, runbooks and other relevant data can be accessed by supporting teams from their respective geographical locations.
  4. Regionalized Data storage and Disaster Recovery Infrastructure.

Instruments for Transfer

All international transfers of Personal Data must be in compliance with all Applicable Privacy Laws. Where required, the Processor will ensure that a lawful data transfer mechanism is in place prior to transferring Personal Data from one country to another.

The EU Data Protection Directive 95/46/EC was the principal data protection regime for the EU until the EU General Data Protection Regulation (GDPR) replaced it in May 2018. Under the Directive, there were three ways to legally move personal data from the EU to the United States (US), a nation whose laws did not (and still do not) offer adequate (i.e., essentially equivalent to that of the EU) protection to data subjects:

Standard Contractual Clauses (SCCs)

These are sets of standard clauses governing data transfers out of the EU to nations that have not received a prior ruling from the European Commission (EC) that their laws offer adequate protections to EU personal data. Using the SCCs, the organization (referred to as a data controller by the GDPR) that is receiving the personal data in a non-adequate nation agrees contractually with the organization transferring it to protect that data according to the mandates described in the clauses.

Binding Corporate Rules

Binding corporate rules (BCRs) are specially agreed upon SCCs for a group of related enterprises, such as a parent enterprise and its subsidiaries scattered around the world, or for multiple locations of a global sales force.

Data Privacy Framework

On July 17, 2023, the European Commission issued an adequacy decision on the EU-U.S. Data Privacy Framework (DPF). This new voluntary Framework, which replaces the Privacy Shield program, provides a mechanism for companies to transfer personal data from the EU to the United States in a privacy-protective way consistent with EU law.

The EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF were respectively developed by the U.S. Department of Commerce and the European Commission, UK Government, and Swiss Federal Administration to provide U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union, United Kingdom, and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law.

To join the Data Privacy Framework, Trimble has self-certified to the Department of Commerce that it complies with the Data Privacy Framework Principles. A participating company’s failure to comply with the Principles may violate Section 5 of the FTC Act’s prohibition on unfair and deceptive acts.

Obligation of Transfers

Model Contractual Clauses for Cross Border Data Flows (MCCs)

The MCCs are a voluntary standard designed to provide guidance on baseline considerations for transferring personal data. Parties may, by written agreement, adopt or modify the MCCs and add clauses as appropriate for their commercial or business arrangements, so long as they do not contradict the MCCs.

Transfer mechanisms include, but are not limited to, self-assessment that the transfer of data overseas will be protected to a comparable level of protection, consent, codes of conduct, binding corporate rules, and certifications such as the ISO series relating to security and privacy techniques.

Modules Based on the Relationship of the Parties

Controller-to-Processor Transfer

For use by Data Exporters who transfer data to Data Importers who are contractors or vendors, also known as “data processors” in this relationship, who process data on behalf of the transferring company, also known as the “data controller,” including onward transfers from data processors to downstream data processors, also known as “sub-processors”. Common examples of data processors include HR services or payroll administrators, logistics or fulfillment companies and other third-party business services providers.

Exceptions

In cases where there are limitations due to Technology, Architecture requirements or information security requirements and Trimble Cloud Platform Products and Services cannot meet the Standards and guidelines laid out in this document, the Engineering Managers and/or SRE teams should contact TCP Compliance team for review and recommendations, via email/Jira Ticket assignment with the exception and the reason for exception.

Appendix

  1. Policies Reference:
    1. Data Protection Policy: Trimble International Data Protection Policy (EN). See Section 13, Transferring Personal Data to a Country Outside the EEA and Switzerland.
    2. Data Classification Policy
    3. Data Governance Policy - (To be released)
    4. Data Retention Policy- TCP Local Data Retention Policy
    5. Privacy Notice
    6. Standard Contractual Clauses for Trimble and other policies
    7. Data Processing Agreement for Trimble
    8. Personal Data Guidelines (By ODP)
    9. Data Privacy Framework
    10. Data Subject Request Process (To be released)
  2. Definitions and Interpretation: Definitions and interpretations of terms used in this Standards document shall have the following meaning:
    1. “Agreement” means this Data Processing Agreement (DPA) and all Schedules;
      A data processing agreement, or DPA, is an agreement between a data controller (such as a company) and a data processor (such as a third-party service provider). It regulates any personal data processing conducted for business purposes. A DPA may also be called a GDPR data processing agreement.
    2. “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Company pursuant to or in connection with Agreement;
    3. “Contracted Processor” means a Subprocessor;
    4. “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
    5. “EEA” means the European Economic Area;
    6. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State (of EU) and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
    7. “GDPR” means EU General Data Protection Regulation 2016/679;
    8. “Data Transfer” means: a transfer of Company Personal Data from the Company to a Contracted Processor; or an onward transfer of Company Personal Data internally from a Controller or Processor to a Sub-Processor;
    9. “Subprocessor” means any person appointed by or on behalf of a Processor to process Personal Data on behalf of the Company in connection with the Agreement;
    10. “TIA” means Transfer Impact Assessments conducted by Trimble’s Office of Data Protection and can be requested if establishing Infrastructure or Technology components in a Country for the first time.
    11. The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly;
    12. The DSAR (Data Subject Access Rights) process is defined by GDPR (General Data Protection Regulation) requirements and, if applicable, the CCPA (California Consumer Privacy Act) and other state privacy laws in the US. This process ensures that Data Subject requests for access, removal, etc. are addressed through mechanisms for intake, verification of the requester, and communication of the information or action.