IBM Privacy Shield Privacy Policy for Certified IBM Cloud Services
This Statement is effective as of September 29, 2016, and as modified effective June 22, 2023.

Privacy Shield succeeded by EU-US Data Privacy Framework

On July 10, 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (DPF). The decision concluded that the US ensures an adequate level of protection for personal information that is transferred from the EU to US companies as part of the DPF.

The DPF amends the privacy principles that IBM adhered to as part of the EU-US Privacy Shield Framework as the EU-US Data Privacy Framework Principles. IBM offerings certified as part of the EU-US Privacy Shield Framework remain certified under the DPF.

For prevailing information about IBM’s adherence to the DPF, see the IBM Data Privacy Framework Policy for Certified Cloud Services.


Advisory:

On 16 July 2020, the Court of Justice of the European Union issued a judgment declaring as invalid the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Economic Area to the United States.

Please note that: (i) EU Standard Contractual Clauses (SCCs) remain a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Economic Area and the United Kingdom to the United States; and (ii) section 9 of the Data Sheet, which is referenced in section 2 of the Service Description for virtually every offering listed at the bottom of this web page, already includes the required reference to the SCCs (which states “…EU Standard Contractual Clauses signed by all IBM Data Importers, if applicable, are available at: https://www.ibm.com/tw-en/software/sla/sladb.nsf/sla/eumc.”).

On 8 September 2020, the Swiss Federal Data Protection and Information Commissioner (FDPIC) issued a position paper following his annual re-assessment of the Swiss-US Privacy Shield Framework. The FDPIC’s new position is that although the Swiss-US Privacy Shield guarantees special protection rights for persons in Switzerland, it no longer provides an adequate level of protection for data transfer from Switzerland to the US pursuant to the Swiss Federal Act on Data Protection (FADP).

Special Note: While the EU-US and Swiss-US Privacy Shield Frameworks may no longer be used or relied upon for transfer of personal information, IBM continues to comply with all EU-US Privacy Shield Framework and Swiss-US Privacy Shield Framework obligations. Doing so demonstrates IBM’s serious commitment to protect personal information in accordance with a set of privacy principles that offer meaningful privacy protections and recourse for EU individuals. More information can be found here: US Department of Commerce (Program Overview), and US Department of Commerce (FAQ #3).

This IBM Privacy Shield Privacy Policy for Cloud Services (the “Policy”) applies to certain designated IBM Infrastructure-as-a-Service, Platform-as-a-Service, Software-as-a-Service, and other hosted offerings that are Privacy Shield certified (“Privacy Shield-Certified Cloud Services”). A list of these offerings is provided below; if an offering is not on this list, it is not covered by this Policy.

As the Privacy Shield only applies to personal data transferred to the United States from those countries whose data protection laws recognize Privacy Shield as a valid mechanism for such cross-border transfers, this Statement only applies to:

  1. such personal data hosted in the United States through the Privacy Shield-Certified Cloud Services; and
  2. select offerings when the data is hosted outside the United States, but the Cloud Service processing is temporarily directed to a United States data center to enable continued availability and resiliency.

This Policy does not otherwise apply when clients choose to have their offering content hosted in other countries.

IBM’s Privacy Shield-Certified Cloud Services process content (which may include the personal data of individual end users) on behalf of enterprise clients. In this scenario, and as provided below, IBM may direct inquiries from individual end users to the enterprise client that oversees the use of their personal data.

IBM complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (collectively Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred to the United States from those countries whose data protection laws recognize Privacy Shield as a valid mechanism for such cross-border transfers. IBM has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

All personal data received from those countries whose data protection laws recognize Privacy Shield as a valid mechanism for such cross-border transfers in connection with Privacy Shield-Certified Cloud Services is subject to the Privacy Shield principles as described in the EU-U.S. Privacy Shield Framework and the Swiss-US Privacy Shield Framework, which applies to all IBM affiliates that process personal data associated with Privacy Shield-Certified Cloud Services.

To learn more about the Privacy Shield Program, or to view the certification applicable to certain IBM Cloud Services, please visit www.privacyshield.gov.


Personal Data: Types and Purpose for Use

The types of personal data that Privacy Shield-Certified Cloud Services collect will vary based on the type and nature of each offering and are described in its offering documentation (searchable via this link) or as otherwise provided by IBM. IBM uses such personal data as needed to deliver the Cloud Service, along with additional purposes that may be described in the corresponding TD or Attachment.


Use of Subprocessors

IBM may use processors and subprocessors (including personnel and resources) in locations worldwide to deliver the Cloud Services. A list of subprocessors is available upon request. If IBM subcontracts the performance of any of the Cloud Services pursuant to any Attachment or TD, IBM will be liable to the Client for the acts and omissions of IBM subcontractors as if they were the acts or omissions of IBM under the agreement governing the Cloud Services (subject to the limits and exclusions of liability).


Regulatory Authority and Disclosures

IBM is subject to investigatory and enforcement powers of the Federal Trade Commission in the United States in connection with its Privacy Shield program. IBM may also be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.


Additional Information for End Users

If end users have any questions or complaints concerning IBM’s processing of personal data on behalf of an IBM enterprise client, they are invited to contact the enterprise client directly, or they may contact IBM by using this form. End users who wish to access the personal data that IBM hosts on behalf of an enterprise client, or to make choices concerning their data, are invited to contact the enterprise client directly.


Dispute Resolution

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. In addition, and as described in the Privacy Shield Principles, you may also have the option of invoking binding arbitration after other dispute resolution procedures have been exhausted.


Account Data

Account data, i.e. all information about IBM’s clients or their users provided to or collected by IBM (including through tracking and other technologies, such as cookies), is covered by the IBM Online Privacy Statement, available at www.ibm.com/tw-en/privacy/.


Privacy Shield-Certified Cloud Services

  • Enterprise Video Streaming
  • IBM Analytics Engine (Also known as “IAE”)
  • IBM Analytics Engine (Also known as “IBM Analytics Engine -Serverless Spark”)
  • IBM API Connect for IBM Cloud
  • IBM App Connect Enterprise as a Service
  • IBM App Connect on IBM Cloud
  • IBM App Connect Professional on Cloud
  • IBM Aspera on Cloud
  • IBM Blockchain Platform on IBM Cloud Standard Plan (IBP)
  • IBM Blueworks Live
  • IBM Business Automation Content Analyzer on Cloud (BACAoC)
  • IBM Business Automation Content Services on Cloud
  • IBM Business Automation Workflow on Cloud
  • IBM Business Process Manager Hybrid Entitlement
  • IBM Business Process Manager on Cloud
  • IBM Business Process Manager on Cloud Express
  • IBM Cloud Activity Tracker event routing
  • IBM Cloud App Configuration
  • IBM Cloud App ID
  • IBM Cloud App Service (also known as “Developer Experience”)
  • IBM Cloud Bare Metal Servers for VPC
  • IBM Cloud Block Storage for Virtual Private Cloud (also known as “IBM Cloud Block Storage for VPC”)
  • IBM Cloud Code Engine
  • IBM Cloud Container Registry
  • IBM Cloud Continuous Delivery
  • IBM Cloud Data Engine (formerly known as "IBM Cloud SQL Query")
  • IBM Cloud Databases for DataStax
  • IBM Cloud Databases for Elasticsearch
  • IBM Cloud Databases for EnterpriseDB
  • IBM Cloud Databases for etcd
  • IBM Cloud Databases for MongoDB
  • IBM Cloud Databases for MySQL
  • IBM Cloud Databases for PostgreSQL
  • IBM Cloud Databases for Redis
  • IBM Cloud DNS Services (dns-svcs)
  • IBM Cloud Event Notifications
  • IBM Cloud for Education
  • IBM Cloud for VMware Solutions (also known as “IBM Cloud for VMware Solutions Dedicated”)
  • IBM Cloud for VMware Solutions specifically includes:
    • VMware vCenter Server on IBM Cloud
    • VMware vSphere on IBM Cloud
    • NetApp ONTAP Select
    • Single-node Trial for Migration and App Modernization
    • Single-node Trial for Data Protection and Disaster Recovery
    • Caveonix RiskForesight on IBM Cloud
    • IBM Cloud Private Hosted
    • FortiGate Security Appliance on IBM Cloud
    • FortiGate Virtual Appliance on IBM Cloud
    • F5 on IBM Cloud
    • IBM Cloud Secure Virtualization
    • HyTrust CloudControl on IBM Cloud
    • HyTrust DataControl on IBM Cloud
    • HyTrust KeyControl on IBM Cloud
    • KMIP for VMware on IBM Cloud
    • IBM Spectrum Protect Plus on IBM Cloud
    • Veeam on IBM Cloud
    • Zerto on IBM Cloud
  • IBM Cloud Functions
  • IBM Cloud Hyper Protect Crypto Services
  • IBM Cloud Hyper Protect DBaaS
  • IBM Cloud Hyper Protect DBaaS specifically includes:
    • IBM Cloud Hyper Protect DBaaS for MongoDB
    • IBM Cloud Hyper Protect DBaaS for PostgreSQL
  • IBM Cloud Hyper Protect Virtual Servers
  • IBM Cloud Infrastructure Services (Infrastructure Services in IBM Cloud specifically are bare metal, virtual servers, networking, cloud DNS Services, storage, and security services)
  • IBM Cloud Internet Services
  • IBM Cloud Kubernetes Service and Red Hat OpenShift on IBM Cloud
  • IBM Cloud Messages for RabbitMQ
  • IBM Cloud Metrics Routing
  • IBM Cloud Object Storage
  • IBM Cloud Object Storage (IaaS)
  • IBM Cloud Pak for Business Automation as a Service (formerly known as “IBM Digital Business Automation on Cloud”)
  • IBM Cloud Platform - Core Services (formerly known as "IBM Cloud Platform - Public")
  • IBM Cloud Satellite
  • IBM Cloud Schematics
  • IBM Cloud Secrets Manager
  • IBM Cloud Security and Compliance Center
  • IBM Cloud Virtual Private Cloud (Gen2)
  • IBM Cloud Virtual Server for VPC (Gen2)
  • IBM Cloudant Dedicated Cluster
  • IBM Cloudant for IBM Cloud
  • IBM Cloudant on Transaction Engine
  • IBM Cognos Analytics on Cloud Hosted
  • IBM Cognos Analytics on Cloud
  • IBM Cognos Controller on Cloud
  • IBM Cognos Dashboard Embedded
  • IBM Compose Enterprise
  • IBM Compose Enterprise Paygo
  • IBM Compose for Elasticsearch for IBM Cloud
  • IBM Compose for etcd for IBM Cloud
  • IBM Compose for MongoDB for IBM Cloud
  • IBM Compose for MySQL for IBM Cloud
  • IBM Compose for PostgreSQL for IBM Cloud
  • IBM Compose for RabbitMQ for IBM Cloud
  • IBM Compose for Redis for IBM Cloud
  • IBM Compose for RethinkDB for IBM Cloud
  • IBM Compose for ScyllaDB for IBM Cloud
  • IBM Comprehend Services
  • IBM Content Foundation on Cloud
  • IBM Content Manager OnDemand on Cloud
  • IBM Datacap on Cloud
  • IBM DataStage
  • IBM DB2 on Cloud Paygo
  • IBM DB2 Warehouse on Cloud
  • IBM DB2 Warehouse on Cloud specifically includes:
    • DB2 Warehouse on Cloud (5725-U38)
    • DB2 Warehouse on Cloud Paygo (5725-R65)
  • IBM Document Conversion Service
  • IBM Emptoris Contract Management (also known as “IBM Emptoris Contract Management on Cloud”)
  • IBM Emptoris Program Management (also known as “IBM Emptoris Program Management SaaS” or “IBM Emptoris Program Management on Cloud”)
  • IBM Emptoris Sourcing (also known as “IBM Emptoris Sourcing on Cloud” and “IBM Emptoris Sourcing SaaS”)
  • IBM Emptoris Supplier Lifecycle Management (also known as “IBM Emptoris Supplier Lifecycle Management on Cloud” and “IBM Emptoris Supplier Lifecycle Management SaaS”)
  • IBM Engineering Lifecycle Management Base SaaS
  • IBM Engineering Lifecycle Management Extended SaaS
  • IBM Event Streams for IBM Cloud (Enterprise)
  • IBM Event Streams for IBM Cloud (Standard)
  • IBM Facilities and Real Estate Management on Cloud (TRIRIGA)
  • IBM ILOG CPLEX Optimization Studio Subscription
  • IBM Informix on Cloud
  • IBM IoT Connected Vehicle Insights (also known as "IBM IoT for Automotive")
  • IBM Key Protect for IBM Cloud
  • IBM MaaS360
  • IBM Master Data Management on Cloud
  • IBM Master Data Management on Cloud Managed Service
  • IBM Maximo Application Suite as a Service
  • IBM Maximo Application Suite Managed Service
  • IBM Maximo EAM SaaS Flex [formerly known as "IBM Enterprise Asset Management on Cloud (Maximo)"]
  • IBM Maximo MRO Inventory Optimization
  • IBM MQ on Cloud (pre-pay)
  • IBM MQ on IBM Cloud (pay-as-you-go)
  • IBM Netezza Performance Server for IBM Cloud Pak for Data as a Service
  • IBM OpenPages with Watson on Cloud (formerly known as “OpenPages GRC on Cloud”)
  • IBM Operational Decision Manager on Cloud
  • IBM Order Management (also known as “IBM Sterling Order Management”)
  • IBM Order Management specifically includes:
    • IBM Sterling Order Management
    • IBM Pricing Add-On
    • IBM Store Engagement Add-On
    • IBM Call Center Add-On
  • IBM Planning Analytics with Watson (formerly known as "IBM Planning Analytics")
  • IBM Process Mining as a Service
  • IBM QRadar on Cloud (also known as “IBM Security QRadar on Cloud”)
  • IBM Robotic Process Automation as a Service
  • IBM SaaS Connect (formerly known as “IBM Integration Services-Standard”)
  • IBM Security Verify (formerly known as "IBM Cloud Identity Connect" or "IBM Cloud Identity")
  • IBM SPSS Statistics Subscription
  • IBM Sterling B2B Services – File Transfer Service
  • IBM Sterling Fulfillment Optimizer with Watson
  • IBM Storage Insights (also known as "IBM Storage Insights Multi-tenant")
  • IBM Supply Chain Business Network (SCBN)
  • SCBN specifically includes:
    • Essential Edition
    • Standard Edition
    • Premium Edition
  • IBM Supply Chain Intelligence Suite
  • IBM TRIRIGA Application Suite Managed Service
  • IBM TRIRIGA Building Insights
  • IBM Trusteer Mobile SDK
  • IBM Trusteer Pinpoint
  • IBM Trusteer Pinpoint specifically includes: 
    • IBM Trusteer Pinpoint Detect
    • IBM Trusteer Pinpoint Criminal Detection
    • IBM Trusteer Pinpoint Malware Detection
  • IBM Trusteer Rapport (also known as "IBM Security Trusteer Rapport")
  • IBM Video Streaming
  • IBM Watson Discovery
  • IBM Watson IoT Platform
  • IBM Watson Knowledge Catalog Paygo
  • IBM Watson Knowledge Studio
  • IBM Watson Language Translator
  • IBM Watson Machine Learning (Also known as "IBM Watson Machine Learning (SQO)")
  • IBM Watson Machine Learning Service (Also known as "Watson ML")
  • IBM Watson Natural Language Classifier
  • IBM Watson Natural Language Understanding
  • IBM Watson OpenScale
  • IBM Watson Speech to Text Service
  • IBM Watson Studio (Also known as "IBM Watson Studio Enterprise")
  • IBM Watson Studio Desktop Subscription (formerly known as “IBM SPSS Modeler Subscription”)
  • IBM Watson Studio Paygo (Also known as “IBM Watson Studio Paygo (Bluemix)”)
  • IBM Watson Text To Speech Service
  • IBM Watson Tone Analyzer
  • IBM X-Force
  • IBM X-Force specifically includes:
    • IBM X-Force Exchange (0000-0000)
    • IBM X-Force Threat Intelligence (5737-A31, 5900-A3J)
  • Watson Assistant
  • Watson Query