This IBM Data Privacy Framework Policy for Certified IBM Cloud Services (Policy) applies to certain designated IBM Infrastructure-as-a-Service, Platform-as-a-Service, Software-as-a-Service, and other hosted offerings that are Data Privacy Framework certified (Data Privacy Framework-Certified Cloud Services). A list of these offerings is provided in the Data Privacy Framework-Certified Cloud Services section. If an offering is not on this list, it is not covered by this Policy.
As the Data Privacy Framework applies to personal information that is transferred to the United States from those countries whose data protection laws recognize the Data Privacy Framework as a valid mechanism for such cross-border transfers, this Policy only applies to:
This Policy does not otherwise apply when clients choose to have their offering content hosted in other countries.
IBM’s Data Privacy Framework-Certified Cloud Services process content (which can include the personal information of individual users) on behalf of enterprise clients. In this scenario, IBM can direct inquiries from individual users to the enterprise client that oversees the use of their personal information.
IBM complies with the Principles of the (i) EU-US Data Privacy Framework, (ii) the UK Extension to the EU-US Data Privacy Framework, and (iii) the Swiss-US Data Privacy Framework (hereinafter collectively referred to as the Data Privacy Framework), as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information that is transferred to the United States from those countries whose data protection laws recognize the Data Privacy Framework as a valid mechanism for such cross-border transfers. IBM has certified to the Department of Commerce that it adheres to the Data Privacy Framework Principles with respect to such information. If there is any conflict between the terms in this Policy and the Data Privacy Framework Principles, the Data Privacy Framework Principles govern.
All personal information that is received from those countries whose data protection laws recognize the Data Privacy Framework as a valid mechanism for such cross-border transfers in connection with Data Privacy Framework-Certified Cloud Services is subject to the Data Privacy Framework Principles, which applies to all IBM affiliates that process personal information associated with Data Privacy Framework-Certified Cloud Services.
For more information about the Data Privacy Framework Program, or to view the certification applicable to certain IBM Cloud Services, see the Data Privacy Framework (DPF) Program.
The types of personal information that Data Privacy Framework-Certified Cloud Services collect varies based on the type and nature of each offering and is described in its offering documentation or as otherwise provided by IBM. For more information, see IBM Terms. IBM uses such personal information as needed to deliver the Cloud Service, along with additional purposes that can be described in the corresponding Transactional Document (TD) or Attachment.
IBM can use processors and subprocessors (including personnel and resources) in locations worldwide to deliver the Cloud Services. A list of subprocessors is available upon request. If IBM subcontracts the performance of any of the Cloud Services pursuant to any Attachment or TD, IBM is liable to the client for the acts and omissions of IBM subcontractors as if they were the acts or omissions of IBM under the agreement governing the Cloud Services (subject to the limits and exclusions of liability).
IBM is subject to investigatory and enforcement powers of the Federal Trade Commission in the United States in connection with its Data Privacy Framework program. IBM might also be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If users have any questions or complaints concerning IBM’s processing of personal information on behalf of an IBM enterprise client, they can contact the enterprise client directly, or by using the Contact IBM Privacy webform. Users who want to access the personal information that IBM hosts on behalf of an enterprise client, or to make choices concerning their information, must contact the enterprise client directly.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, contact our US-based third-party dispute resolution provider (free of charge) by using the TRUSTe Feedback and Resolution System. In addition, and as described in the Data Privacy Framework Principles, you also have the option of invoking binding arbitration after other dispute resolution procedures have been exhausted.
Account data, for example all information about IBM’s clients or their users that is provided to or collected by IBM (including through tracking and other technologies, such as cookies), is covered by the IBM Privacy Statement.