On July 10, 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (DPF). The decision concluded that the US ensures an adequate level of protection for personal information that is transferred from the EU to US companies as part of the DPF.
The DPF amends the privacy principles that IBM adhered to as part of the EU-US Privacy Shield Framework as the EU-US Data Privacy Framework Principles. IBM offerings certified as part of the EU-US Privacy Shield Framework remain certified under the DPF.
For prevailing information about IBM’s adherence to the DPF, see the IBM Data Privacy Framework Policy for Certified Cloud Services.
On 16 July 2020, the Court of Justice of the European Union issued a judgment declaring as invalid the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Economic Area to the United States.
Please note that: (i) EU Standard Contractual Clauses (SCCs) remain a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Economic Area and the United Kingdom to the United States; and (ii) section 9 of the Data Sheet, which is referenced in section 2 of the Service Description for virtually every offering listed at the bottom of this web page, already includes the required reference to the SCCs (which states “…EU Standard Contractual Clauses signed by all IBM Data Importers, if applicable, are available at: https://www.ibm.com/tw-en/software/sla/sladb.nsf/sla/eumc.”).
On 8 September 2020, the Swiss Federal Data Protection and Information Commissioner (FDPIC) issued a position paper following his annual re-assessment of the Swiss-US Privacy Shield Framework. The FDPIC’s new position is that although the Swiss-US Privacy Shield guarantees special protection rights for persons in Switzerland, it no longer provides an adequate level of protection for data transfer from Switzerland to the US pursuant to the Swiss Federal Act on Data Protection (FADP).
Special Note: While the EU-US and Swiss-US Privacy Shield Frameworks may no longer be used or relied upon for transfer of personal information, IBM continues to comply with all EU-US Privacy Shield Framework and Swiss-US Privacy Shield Framework obligations. Doing so demonstrates IBM’s serious commitment to protect personal information in accordance with a set of privacy principles that offer meaningful privacy protections and recourse for EU individuals. More information can be found here: US Department of Commerce (Program Overview), and US Department of Commerce (FAQ #3).
This IBM Privacy Shield Privacy Policy for Cloud Services (the “Policy”) applies to certain designated IBM Infrastructure-as-a-Service, Platform-as-a-Service, Software-as-a-Service, and other hosted offerings that are Privacy Shield certified (“Privacy Shield-Certified Cloud Services”). A list of these offerings is provided below; if an offering is not on this list, it is not covered by this Policy.
As the Privacy Shield only applies to personal data transferred to the United States from those countries whose data protection laws recognize Privacy Shield as a valid mechanism for such cross-border transfers, this Statement only applies to:
This Policy does not otherwise apply when clients choose to have their offering content hosted in other countries.
IBM’s Privacy Shield-Certified Cloud Services process content (which may include the personal data of individual end users) on behalf of enterprise clients. In this scenario, and as provided below, IBM may direct inquiries from individual end users to the enterprise client that oversees the use of their personal data.
IBM complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (collectively Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred to the United States from those countries whose data protection laws recognize Privacy Shield as a valid mechanism for such cross-border transfers. IBM has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.
All personal data received from those countries whose data protection laws recognize Privacy Shield as a valid mechanism for such cross-border transfers in connection with Privacy Shield-Certified Cloud Services is subject to the Privacy Shield principles as described in the EU-U.S. Privacy Shield Framework and the Swiss-US Privacy Shield Framework, which applies to all IBM affiliates that process personal data associated with Privacy Shield-Certified Cloud Services.
To learn more about the Privacy Shield Program, or to view the certification applicable to certain IBM Cloud Services, please visit www.privacyshield.gov.
The types of personal data that Privacy Shield-Certified Cloud Services collect will vary based on the type and nature of each offering and are described in its offering documentation (searchable via this link) or as otherwise provided by IBM. IBM uses such personal data as needed to deliver the Cloud Service, along with additional purposes that may be described in the corresponding TD or Attachment.
IBM may use processors and subprocessors (including personnel and resources) in locations worldwide to deliver the Cloud Services. A list of subprocessors is available upon request. If IBM subcontracts the performance of any of the Cloud Services pursuant to any Attachment or TD, IBM will be liable to the Client for the acts and omissions of IBM subcontractors as if they were the acts or omissions of IBM under the agreement governing the Cloud Services (subject to the limits and exclusions of liability).
IBM is subject to investigatory and enforcement powers of the Federal Trade Commission in the United States in connection with its Privacy Shield program. IBM may also be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If end users have any questions or complaints concerning IBM’s processing of personal data on behalf of an IBM enterprise client, they are invited to contact the enterprise client directly, or they may contact IBM by using this form. End users who wish to access the personal data that IBM hosts on behalf of an enterprise client, or to make choices concerning their data, are invited to contact the enterprise client directly.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. In addition, and as described in the Privacy Shield Principles, you may also have the option of invoking binding arbitration after other dispute resolution procedures have been exhausted.
Account data, i.e. all information about IBM’s clients or their users provided to or collected by IBM (including through tracking and other technologies, such as cookies), is covered by the IBM Online Privacy Statement, available at www.ibm.com/tw-en/privacy/.