IBM uses Binding Corporate Rules (BCRs) in order to protect personal data (referred to as personal information) it controls. This includes personal information collected during the application, recruitment and onboarding processes as applicable. Personal information used in this context is referred to as Employee Information. IBM’s Controller BCRs were approved by the European Data Protection Authorities in 2017. Below you can find a summary of the IBM Controller BCRs – if you would like a copy of the full BCRs, please contact the IBM Chief Privacy Office at the following address: 1 North Castle Drive, Armonk, New York, 10504, U.S.A.

IBM’s Binding Corporate Rules (Employee Information)

IBM is a global company whose business frequently extends beyond the borders of one country. As a consequence, personal information which we have collected in the course of our business may be transferred and processed by IBM companies worldwide and, in appropriate circumstances, by parties outside of IBM. In order to establish uniform standards across IBM and demonstrate our commitment to data privacy and the protection of your personal information, we have adopted a series of Binding Corporate Rules for the processing of personal information. These Binding Corporate Rules have been approved by the relevant Data Protection Authorities within the EU.

In the context of your work for IBM, IBM will collect and process personal information about you. This will, for example, include your contact details, recruitment information and your employment record (e.g. absence records, appraisals etc.). IBM refers to this information as “Employee Information”.

IBM’s Binding Corporate Rules comprise a framework of policies, corporate instructions and guidelines which complement IBM’s existing privacy policies to provide protection for your Employee Information.

IBM’s Binding Corporate Rules set out IBM’s data privacy principles, and describe what Employee Information we may collect and what we will do with your Employee Information. This includes, for example, using your Employee Information as part of the management and administration of your employment and as part of the day-to-day performance of IBM’s business operations.

Our Binding Corporate Rules also contain information about the safeguards we have put in place to protect your Employee Information, including restrictions on the disclosure of Employee Information both within and outside of IBM.

IBM’s Binding Corporate Rules are composed of the following five documents: (i) Corporate Policy Letter 130; (ii) Corporate Instruction HR 113 concerning the processing of Employee Information; (iii) Corporate Instruction MKT 115 concerning the processing of Business Personal Information; (iv) Guidelines and Supporting Documentation for the Protection of Employee Information; and (v) Guidelines for the Processing of Business Personal Information. To request a copy of IBM’s Binding Corporate Rules, please contact the IBM Chief Privacy Office at the following address: 1North Castle Drive, Armonk, New York, 10504, U.S.A or alternatively via the web form available at privacy webform [http://www.ibm.com/scripts/contact/contact/us/en/privacy/].

If you would like a copy of any of your Employee Information, or if you would like to update or correct it, object to its processing by IBM, or have it erased or transmitted to a third party, please contact your point of contact for your application or the IBM Chief Privacy Office at the address above.

If you have an inquiry or concern about how IBM has used your Employee Information, as a first step, you should raise the concern in writing with your IBM contact for review and resolution. Alternatively contact us using this form. Your inquiry or concern will be reviewed and, other than in exceptional circumstances, you will receive a response within 30 days. There may be cases where IBM needs more time to deal with your request, for example if the data is particularly hard to locate or the request is large. If IBM needs more time to process your request, you will receive confirmation of this within 30 days of the receipt of the request, including a proposed timetable for dealing with your request.

Please allow time for IBM to resolve your concern as described above. However, if your Employee Information was collected or otherwise processed by or on behalf of IBM in circumstances where the EU Data Protection Directive 95/46/EC and/or Privacy and Electronic Communications Directive 2002/58/EC or any successor or replacement legislation issued by the European Commission, such as the General Data Protection Regulation (EU) 2016/679, applied or applies to its processing, then you are entitled to lodge your concern with your local Data Privacy Authority or before the courts in your country where you may seek compensation from IBM for any loss or damage that you have suffered as a result of IBM’s failure to comply with applicable data protection laws.