These IBM Controller Binding Corporate Rules have been last updated on April 5th, 2021
IBM uses Binding Corporate Rules (BCRs) in order to protect personal data (referred to as personal information) it controls; IBM’s Controller BCRs were approved by the European Data Protection Authorities in 2017. Below you can find a summary of our BCRs – if you would like a copy of the full BCRs please contact the IBM Corporate Privacy Office at the following address: 1 North Castle Drive, Armonk, New York, 10504, U.S.A.
IBM’s Binding Corporate Rules and Your Business Personal Information
IBM is committed to protecting the privacy and confidentiality of personal information about its customers, business partners and other individuals. In order to demonstrate our commitment to data privacy, IBM has adopted a series of Binding Corporate Rules for the processing of personal information.
IBM’s Binding Corporate Rules set out IBM’s data privacy principles, as well as describing what personal information IBM may collect and what it will do with your business personal information. The Rules comprise a framework of policies, corporate instructions and guidelines which complement IBM’s existing privacy policies, and have been approved by the relevant Data Protection Authorities within the EU.
As IBM is a global company whose business frequently extends beyond the borders of one country, personal information which it has collected in the course of its business may be transferred and processed by IBM companies worldwide and, in appropriate circumstances, by parties outside of IBM. Uniform practices across the organisation assist IBM to process personal information fairly and appropriately, disclosing it and/or transferring it only under certain condition.
This document provides a summary of IBM’s Binding Corporate Rules, as they relate to personal information which IBM processes in the context of its business relationships. If you would like to receive a full copy of IBM’s Binding Corporate Rules please contact the IBM Corporate Privacy Office at the following address: 1 North Castle Drive, Armonk, New York, 10504, U.S.A.
What does IBM mean by your Business Personal Information?
In the course of IBM’s interactions with you as a customer, supplier, IBM Business Partner, a website visitor, or a representative of any other organization with whom IBM has or contemplates a business relationship, IBM may collect and process personal information about you. IBM refers to this information as “Business Personal Information”. This information is distinct from the information IBM collects about its employees in the course of an employment relationship.
The type of Business Personal Information that IBM processes depends on the particular business context and the purpose for which it is collected. It may include:
- Business contact information such as your name and your business e-mail address, physical address and telephone number;
- Details of your business and other interests and opinions;
- Information with respect to your use of the IBM website; and/or
- Credit card details, credit worthiness, and other financial-related information collected in support of business transactions.
What are IBM’s general principles for processing Business Personal Information?
IBM’s Binding Corporate Rules set out seven general principles which apply to its processing of Business Personal Information, including the general principle of Privacy by Design. The term “processing” includes collecting, using, disclosing, storing, accessing or transferring your Business Personal Information.
IBM’s Binding Corporate Rules state that it will:
- Collect and process Business Personal Information fairly, lawfully and in a transparent manner.
- Collect and process Business Personal Information which is relevant to and necessary for a particular purpose(s) and process Business Personal Information in a manner which is not incompatible with the purposes for which it is collected.
- Process Business Personal Information which is adequate, relevant to and not excessive for the purpose for which it is processed.
- Keep Business Personal Information as accurate, complete and up to date as necessary for the purpose for which it is processed.
- Keep Business Personal Information in a form which permits identification for no longer than necessary for the purpose for which it was collected.
- Implement appropriate technical and organizational measures to safeguard Business Personal Information and instruct third parties processing Business Personal Information on behalf of IBM to implement appropriate measures to safeguard Business Personal Information in a manner which is consistent with IBM’s own processing of such information and to act only in accordance with the instructions of IBM.
- Provide you with access to your Business Personal Information and correct it if factually inaccurate.
When will IBM collect Business Personal Information?
The Binding Corporate Rules also set out the circumstances under which IBM may collect Business Personal Information.
IBM’s Binding Corporate Rules state that it will:
- limit the collection of Business Personal Information to that which is needed and relevant to fulfil the particular purpose concerned;
- collect Business Personal Information for legitimate business reasons, for example:
- managing IBM accounts and records
- collect Business Personal Information where processing is for the performance of a contract, including a contract to which the organisation which you work for is a party, or is connected with entering such a contract, for example:
- negotiating a customer contract
- collect Business Personal Information where you have given your consent, for example:
- cases where “opt-in” consent is required by local law for marketing communications
collect Business Personal Information where the processing is necessary for compliance with a legal obligation within the EEA to which IBM is subject, such as legal or regulatory compliance, internal audit and other internal investigations, for example:
- anti-money laundering legislation
where appropriate, distinguish between Business Personal Information that must be provided and that which is optional.
When will IBM give you Notice and Choice regarding your Business Personal Information?
If IBM wants to use your Business Personal Information to send you marketing messages or other communications which are outside of the scope of a transaction that IBM is conducting with you or with the organization that you are working for, IBM will provide you with sufficient Notice and Choice.
Notice informs you about how personal information that IBM collects from you may be used by IBM, including if IBM plans to use it for marketing purposes. When collecting Business Personal Information directly from you, IBM will inform you of the purpose of collection by providing “notice”, unless you have already been informed or such purpose is obvious from the context.
Choice provides you with the opportunity to decide whether to let IBM use the information for purposes unrelated to the immediate transaction. In other words, IBM will inform you of how it plans to use the information and give you the choice to decide whether you want IBM to use it for those purposes;
IBM will not necessarily provide prior notice and choice where it is clear that the primary purpose for collecting Business Personal Information is to fulfil your request for marketing communications.
If, after having collected Business Personal Information, IBM proposes to use it in a manner that is incompatible with that which was made known to you at the time that it was collected and the proposed change in use is likely to have a significant impact on you, IBM will provide you with a further notice explaining the proposed change, together with any likely consequences for you. Where required to do so by its Binding Corporate Rules or by applicable law, IBM will also obtain your consent before implementing a proposed change in use.
Will IBM process sensitive Business Personal Information?
IBM makes efforts to avoid processing “sensitive” Business Personal Information (information which may relate to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or health or sex life). However, when a compelling business reason exists, IBM may process sensitive Business Personal Information in accordance with all applicable laws and any related designated safeguards.
Who will have access to your Business Personal Information within IBM?
Generally, access to Business Personal Information will only be granted to IBM employees or others acting on behalf of IBM who have a “need to know” such information and only for the purposes for which it was originally collected or to process it in a manner consistent with such purposes. Third parties carrying out processing on IBM’s behalf will only be given access to Personal Information where there is a suitable written agreement in place with the contractor requiring the contractor to properly protect the information.
When will your Business Personal Information be shared outside IBM?
Your Business Personal Information may only be communicated by IBM to a third party (for example an IBM Business Partner or third party contracting on IBM’s behalf) under certain conditions.
IBM’s Binding Corporate Rules state that the conditions where Business Personal Information may be communicated by IBM to a third party include, by way of examples, where:
- it is necessary for a transaction for which the Business Personal Information was collected;
- you have provided free and informed consent regarding the communication;
- it is required or authorized by applicable law;
- it is necessary for investigatory or statutory audit purposes or to obtain legal advice;
- it is necessary for legitimate IBM research or strategy; or
it is necessary because a third party processes Business Personal Information on behalf of IBM, in which case IBM will enter into appropriate contractual arrangements with such third party to safeguard the Business Personal Information.
European Economic Area (“EEA”) Business Personal Information
Certain additional rules may apply in relation to Business Personal Information which is collected or otherwise processed by or on behalf of IBM in circumstances where the EU Data Protection Directive 95/46/EC and/or Privacy and Electronic Communications Directive 2002/58/EC or any successor or replacement legislation issued by the European Commission, such as the General Data Protection Regulation (EU) 2016/679, applied or applies to its processing (referred to as “EEA Business Personal Information”).
Before processing your EEA Business Personal Information, IBM will check that at least one of the following grounds is satisfied:
- you have given your consent;
- the processing is for the performance of a contract, including a contract to which the organisation which you work for is party, or is connected with entering into such a contract;
- the processing is necessary for compliance with a legal obligation within the EEA to which IBM is subject;
- the processing is necessary in order to protect your vital interests;
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in IBM or in a third party to whom the EEA Business Personal Information are disclosed; or
- the processing is necessary for the purposes of legitimate interests pursued by IBM or a third party or parties to whom the EEA Business Personal Information is disclosed, except where such interests are overridden by your interests or fundamental rights and freedoms.
Before processing EEA Business Personal Information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, and the processing of genetic data, biometric data or data concerning health, sex life or sexual orientation, IBM will check that at least one of the following grounds is satisfied:
- where necessary in connection with actual or proposed legal action, in order for IBM to obtain legal advice or to establish, exercise or defend its legal rights;
- in cases where the Business Personal Information relates to race, ethnic origin, religious or other beliefs, physical or mental health, sex life or sexual orientation and the processing is necessary to identify or keep under review the existence or absence of equality of opportunity or treatment at IBM or its suppliers if considered as a reason for substantial public interest, where permitted by Member State law, or alternatively for statistical purposes; or
- if you have given your explicit consent to its processing.
You may object to IBM’s processing of EEA Business Personal Information on compelling, legitimate grounds relating to your circumstances. This ability to object does not apply where you have given your consent or where it is necessary to fulfill a contractual obligation between you and IBM.
Please note that IBM may be required or permitted by law to process the EEA Business Personal Information despite your objections.
If you have a concern about the processing of your EEA Business Personal Information, would like to have it erased or transmitted to a third party, or would like to withdraw an earlier consent of yours, please contact the IBM website coordinator via the web form available at privacy webform, or alternatively the IBM Corporate Privacy Office at the following address: 1 North Castle Drive, Armonk, New York, 10504, U.S.A. You are also entitled to contact your local Data Protection Authority regarding your concern.
Please allow the Corporate Privacy Office time to resolve your concern. However, you are entitled to lodge your concern with your local Data Privacy Authority or before the courts in your country where you may seek compensation from IBM for any loss or damage that you have suffered as a result of IBM’s failure to comply with applicable data protection laws.
IBM International Group B.V. shall be responsible for remedying situations where another IBM Company outside the EEA has processed EEA Business Personal Information in breach of IBM’s Binding Corporate Rules. In the event that you are entitled to bring a claim for compensation against IBM International Group B.V., it shall bear the burden of proof for establishing that the IBM Company outside the EEA did not process EEA Business Personal Information in violation of the Binding Corporate Rules.
How to contact IBM regarding your information
If you would like a copy of any of your Business Personal Information or if you would like to update or correct it, please contact the IBM website coordinator via the web form available at privacy webform, or alternatively the IBM Corporate Privacy Office at the following address: 1 North Castle Drive, Armonk, New York, 10504, U.S.A.
If you would like to request IBM to stop sending you marketing materials (either generally or via a particular media) please submit your opt-out request here.
If you are a web user or IBM customer and you have a concern about how IBM has used your Business Personal Information, you should raise the concern in writing to IBM Customer Support using the details set out above. IBM Customer Support will respond to you within 30 days. There may be cases where IBM needs more time to deal with your request, for example if the data is particularly hard to locate or the request is large. If IBM needs more time to process your request, you will receive confirmation of this within 30 days of the receipt of the request, including a proposed timetable for dealing with your request. If your complaint is not resolved within a reasonable time of it being made to IBM Customer Support, it can be escalated to the Corporate Privacy Office. If you are a Business Partner or other third party organization, please contact the IBM Corporate Privacy Office directly. The Corporate Privacy Office will respond to you in writing within a reasonable time (which should be no more than 12 weeks) setting out its conclusions together with details of any remedial action that it proposes to take.
Please note that this document is intended as a summary only, and the full text of the Binding Corporate Rules will prevail in the event of a conflict. Except that Individuals may, in certain circumstances, have a right to seek a remedy from IBM International Group B.V. in respect of the processing of their EEA Business Personal Information, neither this summary document nor IBM’s Binding Corporate Rules are intended to, and do not grant, further or additional rights or establish further obligations beyond those already provided under applicable law.