General Oshkosh Website Privacy Policy Addenda

Oshkosh – Additional US, EU/UK, and Brazil Notices

This document provides additional information for individuals residing in countries and U.S. states that have enacted privacy laws giving certain additional rights to residents of those jurisdictions. These countries include, but are not limited to, those in the European Economic Area (EEA), the United Kingdom, and Switzerland, as well as Brazil. 

Additional US Privacy Notice for California Consumers

This notice was last reviewed and updated as of January 1, 2025. 

If you are a consumer in CA, CT, CO, VA, or UT¹, this notice applies to our processing of information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household (“personal information”). The provisions of this Notice prevail over any conflicting provisions in other section of our General Oshkosh Website Privacy Policy  (the “Policy”). We sell and share, and in the past 12 months have sold and shared, substantially all categories of personal information described in section 1 below to and with third parties as further described under “How Oshkosh may share the information Oshkosh collects” in the general Policy. However, we do not sell or share, and in the past 12 months have not sold or shared, personal information of individuals we know to be under 16 years of age.

¹ Other states have signed legislation that will govern the processing of information. These states, and the effective date of this legislation, are as follows: (Florida and Oregon (July 1, 2024); Montana (Oct. 1, 2024); Iowa, Texas and Delaware (Jan. 1, 2025); Tennessee (July 1, 2025); and Indiana (Jan. 1, 2026).

1. Collection of Personal Information

We have collected the following categories of personal information within the last 12 months:
(a) Identifiers, such as real name, unique personal identifier, online identifier, IP address, email address, account name, or other similar identifiers. 
(b) Personal information described in Cal. Civ. Code § 1798.80(e), such as telephone number, employment, bank account number, credit card number, debit card number, or any other financial information. 
(c) Characteristics of protected classifications under California or federal law, such as age or gender.
(d) Commercial information, such as products or services purchased, obtained, or other purchasing or consuming histories or tendencies.
(e) Internet or other electronic network activity information, such as information regarding your interaction with any websites, applications, or devices associated with our business.
(f) Geolocation data when vehicle telematics are used in relation to a vehicle fleet, not a person.
(g) Audio information from calls placed with customer service centers which may be recorded, and electronic information in the form of Internet or other electronic network activity information as described above.
(h) Professional or employment-related information, such as your occupation.
(i) Inferences drawn from any of the information identified in this section to create a profile about you reflecting your preferences, in order to optimize your experience, consistent with our Privacy Policy. 

We collect these categories of personal information from you, your device, and third parties including your authorized representatives and our business partners, as further specified in “The types of information Oshkosh collects” and “How Oshkosh uses the information Oshkosh collects” in the general Policy. Please see these sections to learn more about the types of information we collect and how we collect them. We retain each category of personal information as described in section “Protection and storage of the information we collect” in the general Policy. 

2. Purposes of Collection

For each of the above categories, we use the personal information for a variety of business purposes such as:
(a) Auditing and reporting relating to particular transactions and interactions, including online interactions you may have with us or others on our behalf, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance.
(b) Helping to ensure security and integrity.
(c) Debugging to identify and repair errors that impair existing intended functionality.
(d) Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of your current interaction with us.
(e) Performing services on our behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, and other similar services.
(f) Providing advertising and marketing services.
(g) Undertaking internal research for technological development and demonstration.
(h) Undertaking activities to verify, maintain, improve, upgrade, or enhance the quality or safety of our services.

3. Disclosure of Personal Information

Within the last 12 months, we have disclosed substantially all categories of personal information for our business purposes as described in section 2 above. To learn more about the categories of third parties with whom we share such information, please see section “How Oshkosh may share the information Oshkosh collects” in the general Policy. If you would like specific information about our service providers who have received your information, please contact us at [email protected] and we will provide that information to you.

4. Privacy Rights

Consumers in CA, CO, CT, VA, and UT² have certain rights with respect to the collection and use of their Personal Information. Those rights vary by state. You may have the following rights, in each case under the conditions and to the extent set out in applicable law:
(a) Right to know and access what personal information we have collected about you, including the specific pieces and categories of personal information we have collected about you, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, and the categories of third parties to whom we disclose personal information.
(b) Right to delete personal information that we have collected from you. Please note that if you have requested a service that requires the use of your personal information, we may not be able to provide that service if you choose to delete your personal information.
(c) Right to correct inaccurate personal information that we maintain about you.
(d) Right to opt-out of the sale or sharing of personal information with third parties. Like many companies, we sell or share personal information, or process personal information for targeted advertising purposes. You can opt-out of targeted advertising by visiting the Digital Advertising Alliance website or the Network Advertising Initiative website. To learn more about how to opt-out of targeted advertising, please see section “What choices do I have” in the general Policy. If you opt-out of the sale of your personal information, we will wait at least 12 months before asking you if we may sell or share your personal information.
(e) Right to consent to or limit the use or disclosure of sensitive personal information. You have the right to consent to the use of your Sensitive Personal information in CT, CO, VA and UT. CA consumers also have the right to instruct us to limit the use and disclosure of your sensitive personal information. However, we do not use or disclose sensitive personal information for purposes that, under applicable law, require us to support the right to limit the use or disclosure of sensitive personal information. 

You may request to exercise these rights by:
(a) Calling us toll-free at 888-832-7797; or
(b) Completing our privacy rights request form available here: https://www.oshkoshcorp.com/contact-us. 

Additionally, we process opt-out preference signals from Global Privacy Control (“GPC”) as described in the “What choices do I have” section of our general Policy . California consumers can also consult FAQs published by the California Privacy Protection Agency (CPPA) about how you can set up and use opt-out preference signals such as “Global Privacy Control” (see the FAQ titled “How to submit your requests).

As required under applicable law, we will take steps to verify your identity before granting you access to information or acting on your request to exercise your rights. We may require you to provide your first name, last name, and email address to verify your identity in response to exercising requests to know, delete, or correct. We may limit our response to your exercise of the above rights as permitted under applicable law. When you submit a request to exercise your rights above, we will use the information you provide to process your request and to maintain a record of your request and our response, as permitted under applicable law.

Under California law, you may designate an authorized agent to make a request on your behalf. You may make such a designation by providing the agent with written permission to act on your behalf. We will require the agent to provide proof of that written permission. To the extent permitted by law, we may require you to verify your own identity in response to a request, even if you choose to use an agent. If you are an authorized agent submitting a request on behalf of a California consumer, please email us at [email protected]

You also have the right not to receive discriminatory treatment by us for the exercise of privacy rights.
 
If your rights request is denied, applicable law may give you a right to lodge an appeal with us. The response to your rights request will inform you of any appeal rights you may have and tell you how you can exercise them.

² See Footnote 1, above

5. Additional California Information

Within the meaning of California’s “Shine the Light” law (Cal. Civ. Code § 1798.83), we do not disclose personal information to third parties for their own direct marketing purposes. For additional practices, visit the section “Do Not Track” in the general Policy.   

6. Changes to this Notice

Oshkosh reserves the right to amend this Notice at our discretion and at any time. Learn more by reviewing the “Changes to this Privacy Policy” section in the general Policy.

If you would like additional information regarding this Notice, please contact us at  [email protected], visit our website’s Contact Us page, or call 888-832-7797.

Additional GDPR Privacy Notice

This supplemental Notice applies to people who are located in the European Economic Area (“EEA”), Switzerland or the United Kingdom (“UK”) and is intended to be read in conjunction with our general Privacy Policy (the “Policy”). The definitions found in the Policy apply to this Notice.   

This notice was last reviewed and updated as of January 1, 2025. 

If you are located in the EEA, Switzerland, or the UK, in accordance with the European Union’s General Data Protection Regulation (the “GDPR”) and the UK Data Protection Act of 2018, which incorporates the GDPR as the UK GDPR (collectively, the “GDPR”), this Notice (together with other relevant sections of the general Policy) provides information about the collection, use, processing, and sharing of data about you.

Oshkosh is the responsible data controller for the purposes of personal data processed through this website. For our contact information, please see “Contact Us” in the general Policy.

Purposes and Legal Basis for Processing 

The legal bases for Oshkosh’s processing activities include processing such information as necessary to comply with our contractual obligations, compliance with our legal obligations, protecting the safety of our employees, customers, and others, for our legitimate business interests, and pursuant to your consent. The particular legal basis for the processing of your personal data is based on the purpose for which such information was provided or collected as detailed in the table below:

Your decision to provide personal data to Oshkosh is typically voluntary, except where personal data is, for example collected to meet a legal requirement or necessary in connection with a contract we have with you.

If you do not provide certain personal data, we may not be able to achieve some of the purposes outlined in this Notice or our general Policy.

Rights of Data Subjects

You have the right to request access to your personal data, to have your personal data corrected, restricted or erased, to revoke any consent that you have given to the processing of your personal data (without affecting the lawfulness of the processing prior to revoking your consent) and to object to our processing of your personal data in certain circumstances. You also have the right to take your personal data away (data portability) in certain circumstances, which means that you can request that we provide you (or a third party you designate) with a transferable copy of personal data that you have provided to us. Your rights may be subject to various limitations under the GDPR. If you wish to exercise any of these rights, or if you have any concerns about our processing of your personal data, please contact us in any of the ways listed in the section “Contact Us” in our general Policy.

You have the right to file a complaint concerning our processing of your personal data with your local data protection authority. The EU Commission has a list here: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm. You may also contact the UK Information Commissioner’s Office (www.ico.org.uk) or Switzerland Data Protection and Information Commissioner (https://www.edoeb.admin.ch/en) as appropriate.

Additional Privacy Notice for Brazilian Residents

This supplemental Notice applies to people who are located in Brazil and is intended to be read in conjunction with our general Privacy Policy  (the “Policy”). The definitions found in the Policy apply to this Notice.

This notice was last reviewed and updated as of January 1, 2025

If you are located in Brazil, pursuant to Federal Law No. 13,709/2018 – General Data Protection Law of Brazil (“LGPD”), this Notice (together with other relevant sections of the general Policy) provides information about the collection, use, processing, and sharing of personal data about you.

Oshkosh is the responsible data controller for the purposes of personal data processed through this website. For our contact information, please see “Contact Us” in the general Policy.

Collection, Use and Sharing of Personal Data

The legal bases for Oshkosh’s processing activities include processing such information as necessary to comply with our contractual obligations to you, compliance with our legal or regulatory obligations, protecting the safety of our employees, customers, and others, for our legitimate business interests, and pursuant to your consent. Legitimate business interests may include (1) to communicate with you in response to your requests, questions, inquiries, and submissions; (2) to protect against fraud, harassment, intellectual property infringement, crime and security risks; (3) to conduct advertising and marketing in connection with operating our business; and (4) for research and development, security and optimization of our products and websites. For additional business uses, please refer to “How Oshkosh uses the information Oshkosh collects” in the general Policy.

We also may share your personal data with our service providers, who are required to protect it by law or contract and use it in accordance with our instructions.

Automated Decisions

Oshkosh uses attributes in your Online Express (“OLE”) user profile to personalize your experience on the site, including, but not limited to, translating the site content into Portuguese. Please not that, in this regard, you have the right to request for the review of decisions made solely based on automated processing of personal data affecting your interests, including decisions intended to define your personal, professional, consumer and credit profile, or aspects of your personality. 

Rights of Data Subjects

LGPD provides certain rights to individuals with regard to their personal data where Oshkosh acts as a data controller with respect to the custody and processing of your information. Pursuant to the LGPD, you have the right to submit requests based on the following rights:

1. confirmation of processing;
2. access to your data;
3. correction of incomplete, inaccurate or outdated data;
4. anonymization, blocking or deletion of unnecessary or excessive data processed in violation of the LGPD;
5. deletion of data processed with your consent;
6. portability of your data to another service or product provider, upon express request, as provided by applicable law;
7. information about the public and private entities with which we shared data;
8. information about the possibility to refuse providing consent to a personal data processing activity and to be informed about the respective consequences, when applicable; and
9. withdrawal of your consent.

If you wish to exercise any of these rights, or learn more about these rights, please contact us in any of the ways listed in the section “Contact Us” in our general Policy. We may need to verify your identity before we process your request.

Please note that your rights may be subject to various limitations under the LGPD. For instance, your request may be legally rejected if you are unable to verify your identity or when you request deletion of data that is required or permitted under applicable law to be maintained. In the event that Oshkosh is unable to comply with your request, we will let you know the reasons why the request cannot be fulfilled.

If you believe that we are processing your personal data in violation of applicable law, you may also file a complaint with Oshkosh’s Data Protection Officer, Felipe Fantasia (Controller) or Surrogate Data Protection Officer Gisele Berossa (Finance Coordinator), who may be contacted at [email protected], or with a supervisory authority.

Language

The Policy may have been prepared in the English language and in the Portuguese language. If you are a user located in Brazil, you shall refer to the Portuguese version, which shall prevail.

Additional Privacy Notice for Mexican Residents (Aviso de Privacidad para Residentes en México)

This Notice supplements the General Oshkosh Website Privacy Policy and applies specifically to the processing of personal data of individuals located in Mexico, in accordance with the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) 2025, published in the Official Gazette of the Federation (Diario Oficial de la Federación) on March 20, 2025, and its accompanying Regulations. This Addendum outlines our commitment to the enhanced data protection standards now in force in Mexico.

1. Identity and Contact Information of the Data Controller

Oshkosh Corporation, with its domicile at 1917 Four Wheel Drive, Oshkosh WI 54902, acts as the Data Controller responsible for the processing of your personal data. For any inquiries regarding this Addendum or the exercise of your rights, please contact us at [email protected],  or through our Contact Us page.

2. Purposes of Data Processing

We process your personal data for the following purposes, which are categorized based on whether your consent is required:

Purposes Requiring Your Consent:

• Sending marketing communications, promotional offers, and personalized advertisements about our products and services.
• Conducting market research or surveys not directly related to the improvement of services you have requested.

Purposes Not Requiring Your Consent (Necessary for our Legal Relationship or Legitimate Interests):

• Providing requested products or services and fulfilling our contractual obligations.
• Processing transactions and managing your account.
• Providing customer support and responding to your inquiries.
• Ensuring the security and integrity of our systems and operations.
• Complying with legal obligations, including tax, accounting, and regulatory requirements.
• Specific purposes explicitly permitted by law without consent, such as those related to public interest, medical emergencies, or judicial orders.

If we intend to process your data for purposes different from those initially established, we will seek your new consent.

Opt-Out for Marketing and Commercial Prospecting:

If your personal data is processed for marketing, advertising, or commercial prospecting purposes, you have the right to reject the use of your information for such purposes. You can exercise this right by visiting [email protected], or through our Contact Us page.

3. Categories of Personal Data Processed

We collect and process various categories of personal data, which may include, but are not limited to:

• Identification Data: Such as your name, address, phone number, email address, date of birth, and government ID numbers.
• Contact Data: Including your email, phone number, and postal address.
• Financial and Patrimonial Data: Such as bank account details, credit card information, and payment history. Please note that processing of financial or patrimonial data requires your express consent.
• Sensitive Personal Data: This may include, for specific and legitimate purposes (e.g., for employee benefits or occupational health), information such as your health status, genetic information, religious or philosophical beliefs, political opinions, sexual preference, or biometric data (if collected for access control or identification). The processing of sensitive personal data requires your explicit and written consent.
• Employment Data: Such as your job title, employment history, and professional qualifications.
• Electronic Data: Including your IP address, browsing history, device information, and data collected through cookies and similar technologies (as detailed below).

We only process personal data that is necessary, adequate, and relevant for the stated purposes.

4. Consent Mechanisms

In Mexico, your consent is generally required for the processing of your personal data, unless a legal exception applies. Consent must be freely given, specific to the purposes, and informed.

• Tacit Consent: Unless express consent is legally required, your tacit consent is generally sufficient. This is obtained if, after having been made aware of this Privacy Notice, you do not express your refusal to the processing of your personal data. When we collect data directly, this Privacy Notice will include a mechanism for you to express your refusal for purposes not essential to our legal relationship.
• Express Consent: For the processing of financial or patrimonial data, your express consent is required. This can be given verbally, in writing, or through electronic means.
• Explicit Written Consent: For the processing of sensitive personal data, your explicit and written consent is required. This must be provided through your autograph signature, electronic signature, or another robust authentication mechanism established for that purpose.

You have the right to revoke your consent at any time. You may contact us via [email protected] to initiate any such request.

5. Data Subject Rights (ARCO Rights)

You, as the data subject, have the following fundamental rights regarding your personal data, known as ARCO Rights:

• Access (Acceso): You have the right to obtain your personal data held by us, along with information regarding the conditions and generalities of its processing.
• Rectification (Rectificación): You can request the correction of your personal data if it is inaccurate, incomplete, or outdated. Your request must specify the data to be corrected, the correction needed, and be accompanied by supporting documentation.
• Cancellation (Cancelación): You can request the cessation of processing of your personal data, which involves blocking and subsequent suppression, when you consider that your data is not being processed in accordance with the law. If appropriate, we will establish a blocking period to determine possible responsibilities before suppression.
• Opposition (Oposición): You may object to the processing of your personal data for legitimate reasons related to your specific situation, or when you wish to object to processing for specific purposes (e.g., direct marketing). This right also applies when your data is subject to automated processing that produces adverse legal effects or significantly affects your rights or freedoms.

Procedure for Exercising ARCO Rights:

• Who can exercise: ARCO rights can be exercised by you, as the data subject (after proving your identity with official identification or electronic authentication mechanisms), or by your legal representative (after proving the identity of both you and the representative, and the existence of the representation).
• Means of Exercise: You can submit your request by emailing [email protected]. The request must clearly indicate the specific right you wish to exercise and the personal data involved.
• Costs: The exercise of ARCO rights is simple and free. You will only be responsible for covering reasonable shipping, reproduction, or document certification costs.
• Response Times: We will respond to your ARCO request within 20 business days from the date of receipt. If your request is incomplete or erroneous, we may ask for additional information once within five business days of receiving the request, and you will then have ten business days to respond. If your request is deemed appropriate, we will execute it within 15 business days following our notification of the response.
• Response Content: Our response will refer exclusively to the personal data indicated in your request and will be in a legible, understandable, and easily accessible format. If we deny the exercise of any ARCO right, we will justify our decision and inform you of your right to initiate the rights protection procedure before the Secretariat of Anti-Corruption and Good Governance (SABG).
• Automated Decisions and AI: We are committed to providing easy access to mechanisms for exercising your rights, including specific measures for dealing with requests related to automated decisions or artificial intelligence that may produce adverse legal effects or significantly affect your rights or freedoms.

6. International Data Transfers

While the LFPDPPP 2025 has eliminated the explicit obligation to inform about personal data transfers in the comprehensive privacy notice, we maintain this information to promote transparency and align with international best practices.

Your personal data may be transferred to national or foreign third parties, including other entities within Oshkosh Corporation, for the purposes outlined in this Privacy Notice. When we transfer your data, we will inform the receiving third parties of this Privacy Notice and the purposes for which you consented to its processing. The receiving third party will assume the same data protection obligations as Oshkosh Corporation.

Transfers of personal data may be carried out without your consent in specific circumstances permitted by law, including:

• When the transfer is provided for in a Mexican law or an international treaty to which Mexico is a party.
• When necessary for medical prevention or diagnosis, the provision of healthcare, medical treatment, or the management of health services.
• When made to controlling companies, subsidiaries, or affiliates under the common control of the data controller, or to a parent company or any company of the same corporate group as the data controller that operates under the same internal processes and policies.
• When necessary by virtue of a contract entered into or to be entered into in your interest, by the data controller and a third party.
• When necessary or legally required for the safeguarding of a public interest, or for the procurement or administration of justice.
• When precise for the recognition, exercise, or defense of a right in a judicial process.
• When precise for the maintenance or fulfillment of a legal relationship between the data controller and the data subject.

7. Data Retention and Deletion

We retain your personal data only for the period necessary to fulfill the purposes for which it was collected, and to comply with legal obligations. Once your data is no longer necessary for these purposes, it will be blocked and subsequently suppressed. We establish and document clear procedures for the conservation, blocking, and suppression of personal data, including defining specific retention periods.

8. Data Security and Confidentiality

Oshkosh Corporation is committed to protecting your personal data. We implement and maintain robust administrative, technical, and physical security measures designed to protect your personal data against damage, loss, alteration, destruction, or unauthorized use, access, or treatment. These measures are proportional to the risks associated with the data processing. For sensitive personal data, enhanced security measures, such as encryption at rest and in transit, are applied.

All persons involved in the processing of personal data, including our employees, processors, and third parties, are bound by a strict duty of confidentiality, which remains even after the termination of their legal relationship with us.