IBM uses Binding Corporate Rules (BCRs) in order to protect personal data (referred to as personal information) it controls; IBM’s Controller BCRs were approved by the European Data Protection Authorities in 2017. Below you can find a summary of our BCRs – if you would like a copy of the full BCRs please contact the IBM Chief Privacy Office at the following address: 1 North Castle Drive, Armonk, New York, 10504, U.S.A.
IBM is committed to protecting the privacy and confidentiality of personal information about its customers, business partners and other individuals. In order to demonstrate our commitment to data privacy, IBM has adopted a series of Binding Corporate Rules for the processing of personal information.
IBM’s Binding Corporate Rules set out IBM’s data privacy principles and describe what personal information IBM may collect and what it will do with your business personal information. The Rules comprise a framework of policies, corporate instructions and guidelines which complement IBM’s existing privacy policies, and have been approved by the relevant Data Protection Authorities within the EU.
As IBM is a global company whose business frequently extends beyond the borders of one country, personal information which it has collected in the course of its business may be transferred and processed by IBM companies worldwide and, in appropriate circumstances, by parties outside of IBM. Uniform practices across the organisation help IBM to process personal information fairly and appropriately, disclosing it and/or transferring it only under certain conditions.
This document provides a summary of IBM’s Binding Corporate Rules, as they relate to personal information which IBM processes in the context of its business relationships. If you would like to receive a full copy of IBM’s Binding Corporate Rules please contact the IBM Chief Privacy Office at the following address: 1 North Castle Drive, Armonk, New York, 10504, U.S.A.
In the course of IBM’s interactions with you as a customer, supplier, IBM Business Partner, a website visitor, or a representative of any other organization with whom IBM has or contemplates a business relationship, IBM may collect and process personal information about you. IBM refers to this information as “Business Personal Information”. This information is distinct from the information IBM collects about its employees in the course of an employment relationship.
The type of Business Personal Information that IBM processes depends on the particular business context and the purpose for which it is collected. It may include:
Credit card details, credit worthiness, and other financial-related information collected in support of business transactions.
IBM’s Binding Corporate Rules set out seven general principles which apply to its processing of Business Personal Information, including the general principle of Privacy by Design. The term “processing” includes collecting, using, disclosing, storing, accessing or transferring your Business Personal Information.
IBM’s Binding Corporate Rules state that it will:
Provide you with access to your Business Personal Information and correct it if factually inaccurate.
The Binding Corporate Rules also set out the circumstances under which IBM may collect Business Personal Information.
IBM’s Binding Corporate Rules state that it will:
collect Business Personal Information where the processing is necessary for compliance with a legal obligation within the EEA to which IBM is subject, such as legal or regulatory compliance, internal audit and other internal investigations, for example:
where appropriate, distinguish between Business Personal Information that must be provided and that which is optional.
If IBM wants to use your Business Personal Information to send you marketing messages or other communications which are outside of the scope of a transaction that IBM is conducting with you or with the organization that you are working for, IBM will provide you with sufficient Notice and Choice.
Notice informs you about how personal information that IBM collects from you may be used by IBM, including if IBM plans to use it for marketing purposes. When collecting Business Personal Information directly from you, IBM will inform you of the purpose of collection by providing “notice”, unless you have already been informed or such purpose is obvious from the context.
Choice provides you with the opportunity to decide whether to let IBM use the information for purposes unrelated to the immediate transaction. In other words, IBM will inform you of how it plans to use the information and give you the choice to decide whether you want IBM to use it for those purposes.
IBM will not necessarily provide prior notice and choice where it is clear that the primary purpose for collecting Business Personal Information is to fulfil your request for marketing communications.
If, after having collected Business Personal Information, IBM proposes to use it in a manner that is incompatible with that which was made known to you at the time that it was collected and the proposed change in use is likely to have a significant impact on you, IBM will provide you with a further notice explaining the proposed change, together with any likely consequences for you. Where required to do so by its Binding Corporate Rules or by applicable law, IBM will also obtain your consent before implementing a proposed change in use.
IBM makes efforts to avoid processing “sensitive” Business Personal Information (information which may relate to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or health or sex life). However, when a compelling business reason exists, IBM may process sensitive Business Personal Information in accordance with all applicable laws and any related designated safeguards.
Generally, access to Business Personal Information will only be granted to IBM employees or others acting on behalf of IBM who have a “need to know” such information and only for the purposes for which it was originally collected or to process it in a manner consistent with such purposes. Third parties carrying out processing on IBM’s behalf will only be given access to Personal Information where there is a suitable written agreement in place with the contractor requiring the contractor to properly protect the information.
Your Business Personal Information may only be communicated by IBM to a third party (for example an IBM Business Partner or third party contracting on IBM’s behalf) under certain conditions.
IBM’s Binding Corporate Rules state that the conditions where Business Personal Information may be communicated by IBM to a third party include, by way of examples, where:
it is necessary because a third party processes Business Personal Information on behalf of IBM, in which case IBM will enter into appropriate contractual arrangements with such third party to safeguard the Business Personal Information.
Certain additional rules may apply in relation to Business Personal Information which is collected or otherwise processed by or on behalf of IBM in circumstances where the EU Data Protection Directive 95/46/EC and/or Privacy and Electronic Communications Directive 2002/58/EC or any successor or replacement legislation issued by the European Commission, such as the General Data Protection Regulation (EU) 2016/679, applied or applies to its processing (referred to as “EEA Business Personal Information”).
Before processing your EEA Business Personal Information, IBM will check that at least one of the following grounds is satisfied:
Before processing EEA Business Personal Information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, and before processing genetic data, biometric data or data concerning health, sex life or sexual orientation, IBM will check that at least one of the following grounds is satisfied:
You may object to IBM’s processing of EEA Business Personal Information on compelling, legitimate grounds relating to your circumstances. This ability to object does not apply where you have given your consent or where it is necessary to fulfill a contractual obligation between you and IBM.
Please note that IBM may be required or permitted by law to process the EEA Business Personal Information despite your objections.
If you have a concern about the processing of your EEA Business Personal Information, would like to have it erased or transmitted to a third party, or would like to withdraw an earlier consent of yours, please contact the IBM website coordinator via the web form available at privacy webform, or alternatively the IBM Chief Privacy Office at the following address: 1 North Castle Drive, Armonk, New York, 10504, U.S.A. You are also entitled to contact your local Data Protection Authority regarding your concern.
Please allow the Chief Privacy Office time to resolve your concern. However, you are entitled to lodge your concern with your local Data Privacy Authority or before the courts in your country where you may seek compensation from IBM for any loss or damage that you have suffered as a result of IBM’s failure to comply with applicable data protection laws.
IBM International Group B.V. shall be responsible for remedying situations where another IBM Company outside the EEA has processed EEA Business Personal Information in breach of IBM’s Binding Corporate Rules. In the event that you are entitled to bring a claim for compensation against IBM International Group B.V., it shall bear the burden of proof for establishing that the IBM Company outside the EEA did not process EEA Business Personal Information in violation of the Binding Corporate Rules.
If you would like a copy of any of your Business Personal Information or if you would like to update or correct it, please contact the IBM website coordinator via the web form available at privacy webform, or alternatively the IBM Chief Privacy Office at the following address: 1 North Castle Drive, Armonk, New York, 10504, U.S.A.
If you would like to request that IBM stop sending you marketing materials (either generally or via a particular medium), please submit your opt-out request here.
If you are a web user or IBM customer and you have a concern about how IBM has used your Business Personal Information, you should raise the concern in writing to IBM Customer Support using the details set out above. IBM Customer Support will respond to you within 30 days. There may be cases where IBM needs more time to deal with your request, for example if the data is particularly hard to locate or the request is large. If IBM needs more time to process your request, you will receive confirmation of this within 30 days of the receipt of the request, including a proposed timetable for dealing with your request. If your complaint is not resolved within a reasonable time of it being made to IBM Customer Support, it can be escalated to the Chief Privacy Office. If you are a Business Partner or other third party organization, please contact the IBM Chief Privacy Office directly. The Chief Privacy Office will respond to you in writing within a reasonable time (which should be no more than 12 weeks) setting out its conclusions together with details of any remedial action that it proposes to take.
Please note that this document is intended as a summary only, and the full text of the Binding Corporate Rules will prevail in the event of a conflict. Except that Individuals may, in certain circumstances, have a right to seek a remedy from IBM International Group B.V. in respect of the processing of their EEA Business Personal Information, neither this summary document nor IBM’s Binding Corporate Rules are intended to, and do not grant, further or additional rights or establish further obligations beyond those already provided under applicable law.