Generations of IBMers have earned the trust of our customers and society through responsible data stewardship. We remain committed to developing policies and practices that prioritize ethics, trust, transparency and accountability while ensuring compliance with global data privacy regulations.
IBM® was one of the first companies to adopt a privacy code of conduct and appoint a Chief Privacy Officer. In keeping with our extensive legacy of privacy leadership, IBM’s Chief Privacy and Trust Officer serves on the board of the International Association of Privacy Professionals (IAPP), the largest and most comprehensive professional association for privacy and AI governance globally.
IBM is committed to safeguarding individuals’ privacy by implementing policies and practices that prioritize trust and transparency.
The IBM Privacy Statement explains how IBM collects, uses and shares your personal information.
IBM’s Controller Binding Corporate Rules (BCR’s) describe how IBM collects, uses and shares business personal information, and have been approved by the relevant European Data Protection Authorities since 2017.
IBM’s Data Privacy Framework describes how IBM complies with the Principles of the EU-US Data Privacy Framework regarding the collection, use and retention of personal information that is transferred to the United States.
You have certain rights when it comes to handling your personal information. You can customize your privacy settings using the provided links, allowing you to manage the information that IBM collects and uses about you.
Review and update your existing IBM marketing communication preferences, including your preferred method(s) of contact.
Submit a data rights request to opt-out of specific personal information processing types.
Submitted a data rights request? Click here to view the status of your request.
At IBM, we adhere to all required reporting standards. Additionally, we voluntarily provide reports to demonstrate our commitment to transparency and foster trust.
IBM’s Law Enforcement Requests Transparency Report accounts for inquiries that we receive from law enforcement agencies regarding data and the steps we take to protect the integrity of personal information. Starting in 2021, reports have been published every 6 months.
The CPRA Data Rights Metrics Report provides a high-level overview, offering transparency into how IBM manages and fulfills consumer data rights requests in California. You can request to delete, access, correct and opt-out of sale or sharing of your personal information under the California Consumer Privacy Act.
This section describes the communications that IBM sends to clients, informing them of updates to our privacy terms resulting from regulatory changes. If you are an active client contact, you can view the specific privacy communications sent to your company.
The European Commission, the United Kingdom’s Information Commissioner’s Office and the Swiss Federal Data Protection and Information Commissioner (FDPIC) have each approved and/or published new Standard Contractual Clauses (the "SCCs"), as a mechanism for the lawful transfer of personal data from the European Economic Area ("EEA"), the United Kingdom (UK) and Switzerland respectively.
As a result, the previous version of the standard contractual clauses contained in your existing contract(s) with IBM (your Contract) will no longer be considered a valid transfer mechanism by the EEA from December 27, 2022, by the UK from March 22, 2024 and by Switzerland from December 31, 2022 and must be replaced by these new terms to ensure harmonization with applicable data protection law. Please consult the FAQs for more explanations about the new changes introduced.
As a supplier of services to you that may involve the processing of personal data by IBM on your behalf, we understand the evolving nature of our obligations to you as new data protection laws are enacted around the globe.
The terms and conditions that apply to the processing of personal data by IBM on your behalf are described in the IBM Data Processing Addendum (DPA). We are writing to let you know that IBM has extended the applicability of the DPA and associated Exhibits to all data protection laws listed on the IBM Terms site. These laws impose similar requirements on us when processing personal data on your behalf.
IBM believes that the best outcome for business is that the current negotiations on the United Kingdom’s exit from the European Union (“Brexit”) will result in a transition period and future arrangements which will support business. However, the UK could exit the EU and the European Economic Area, with no withdrawal agreement.
Protecting client data is of utmost importance to IBM. Your company may have agreements in place with IBM group companies providing services that involve the processing of personal data. In order to help ensure both your and IBM’s compliance with applicable data protection law, on the date that the UK leaves the EU, the following will take effect:
1. References to the General Data Protection Regulation (GDPR) in the applicable contracts will include the UK Data Protection Act 2018 to the extent it applies. Other references to EU or EEA legislation will include any implementing or equivalent UK legislation, to the extent relevant.
2. The transfer of personal data from the EEA to the UK will be classed as an international transfer. To permit these data transfers to continue uninterrupted, the following applies to the extent that such transfer is considered a transfer to a “non-adequate”country under the GDPR:
- IBM UK entities acting as Processors or Subprocessors will be added as data importers under existing EU Standard Contractual Clauses, based on your jurisdiction.
- Those external vendors located in the UK and listed as Subprocessors in existing agreements with you will be bound by IBM to the same obligations imposed on IBM under the applicable EU Standard Contractual Clauses.
Personal Data and its protection are becoming increasingly important to individuals and enterprises. As you may know, the European Union passed the General Data Protection Regulation (GDPR) effective 25 May 2018. The GDPR is designed to ensure a consistent level of protection of the rights and freedoms of natural persons with regard to the processing of their data and to establish one set of data protection rules across the European Economic Area (EEA).
The GDPR applies to all organisations established in the EEA but also to organisations established outside the EEA, when their processing activities relate to the offering of goods and services to individuals in the EEA or to the monitoring of individuals' behaviour within the EEA.
IBM is committed to GDPR readiness.
Your company may have one or more agreements in place with companies or affiliates of the IBM group (hereafter 'IBM'), where IBM provides a service to you that involves the processing of your Personal Data by IBM.
Accordingly, IBM acts as processor of your Personal Data.According to the GDPR (Article 28), both controller and processor, have the obligation to enter into an agreement governing the processing of Personal Data. The GDPR explicitly sets out requirements with regard to the content of such agreement.
In order to comply with this statutory requirement, IBM has created an IBM Data Processing Addendum (DPA) and applicable DPA Exhibit, which amend our existing contracts. This applies in situations where IBM is processing Personal Data within the scope of the GDPR. In the event of any conflict with existing data privacy or security terms, the DPA and applicable DPA exhibit shall prevail.
Responsible data handling requires robust security measures. Find out more about IBM’s comprehensive range of data security solutions to protect your organization.
Explore IBM’s comprehensive data privacy solutions and consulting services to build customer trust.
IBM Security® Verify offers consent management capabilities, delivering privacy-aware consumer identity and access management.
IBM Cloud Pak® for Data provides tools to create a governed data foundation to accelerate data outcomes and address privacy and compliance requirements.