We understand well that Personal Data, its security and its protection are becoming increasingly important to individuals and organisations as a consequence of the new European Union General Data Protection Regulation (GDPR), which is now in full effect.

We are also aware that GDPR applies to all organisations established in the European Economic Area (EEA) and also to those established outside the EEA, when their processing activities relate to the offering of goods and services to individuals in the EEA or to the monitoring of individuals' behaviour within the EEA.

This note is intended to set out the data privacy issues as they impact on our client organisations in respect of IBM Kenexa related data processed by IBM on your behalf and, to a more limited extent, our clients' contact data held and/or processed by ourselves.

AFM as Data Processor:

Although a Premier IBM Business Partner, we at AFM do not ourselves gather, record, store or otherwise process Personal Data other than that which we need for our contacts with a client organisation in order to maintain the communication necessary to enable swift and flexible responses to their Talent Management needs. This Personal Data is managed in line with the attached Data Protection Policy (which will be continually updated) and data security incident and audit procedures for our hosting services. If we are required by a client at any time to handle any other Personal Data (including for example, the processing of assessments or other candidate or employee related requests) we will do so under the client's instructions and, unless otherwise instructed by them, we will immediately, after completing the exercise, delete any such Personal Data from our systems and records. The Personal Data related to the relevant candidates or employees will thereafter reside on IBM servers alone and we will have no access to such data.

IBM as Data processor:

IBM acknowledges publicly that, pursuant to GDPR Article 28, where they provide a service to a customer (the “Data Controller”) involving the processing of that client's Personal Data, both IBM and the client have the obligation to enter into an agreement governing the processing of this Personal Data. During 2018, IBM will be communicating the contractual updates as a result of these new regulations direct to existing customers via email. The communication will address all customers who purchased IBM products or services through IBM Business Partners.

Additional information about the GDPR and the IBM GDPR Readiness Journey can be found here: http://www.ibm.com/gdpr

If you have any questions or need to discuss any issues around GDPR and IBM, please see our contact page.

Additional documents