We understand well that Personal Data, its security and its protection are becoming increasingly important to individuals and organisations as a consequence of the new European Union General Data Protection Regulation (GDPR), which is now in full effect.
We are also aware that GDPR applies to all organisations established in the European Economic Area (EEA) and also to those established outside the EEA, when their processing activities relate to the offering of goods and services to individuals in the EEA or to the monitoring of individuals' behaviour within the EEA. This note is intended to set out the data privacy issues as they impact on our client organisations in respect of IBM Kenexa related data processed by IBM on your behalf and, to a more limited extent, our clients' contact data held and/or processed by ourselves.
AFM as Data Processor:
Although a Premier IBM Business Partner, we at AFM do not ourselves gather, record, store or otherwise process Personal Data other than that which we need for our contacts with a client organisation in order to maintain the communication necessary to enable swift and flexible responses to their Talent Management needs. This Personal Data is managed in line with the attached Data Protection Policy (which will be continually updated) and data security incident and audit procedures for our hosting services. If we are required by a client at any time to handle any other Personal Data (including for example, the processing of assessments or other candidate or employee related requests) we will do so under the client's instructions and, unless otherwise instructed by them, we will immediately, after completing the exercise, delete any such Personal Data from our systems and records. The Personal Data related to the relevant candidates or employees will thereafter reside on IBM servers alone and we will have no access to such data.
Post Brexit situation: AFM believes that the best outcome for business is that the current negotiations on the United Kingdom’s exit from the European Union (“Brexit”) will result in a transition period and future arrangements which will support business. However, there is still much uncertainty and, although we do not process Personal Data (other than business-2-business and contractual names and contact details - see above), we intend to obsreve the advice and guidelines laid down by the Office of Information (see https://ico.org.uk/for-organisations/data-protection-and-brexit/) in tems of data privacy, processing and management. The UK government plans to incorporate the provisions of GDPR into UK law alongside the Data Protection Act 2018 after Brexit. This means that, if you are a business or organisation in the EEA that sends us any personal data, you can rest assured that we comply with EU data protection laws. Therefore, any references to the General Data Protection Regulation (GDPR) in our contracts or other corporate documentation will include the UK Data Protection Act 2018 to the extent it applies. Other references to EU or European Economic Area (EEA) legislation will include any implementing or equivalent UK legislation, to the extent relevant.
If you have any questions or need to discuss any issues around GDPR, please see our contact page.
IBM as Data processor:
IBM acknowledges publicly that, pursuant to GDPR Article 28, where they provide a service to a customer (the “Data Controller”) involving the processing of that client's Personal Data, both IBM and the client have the obligation to enter into an agreement governing the processing of this Personal Data. During 2018, IBM will be communicating the contractual updates as a result of these new regulations direct to existing customers via email. The communication will address all customers who purchased IBM products or services through IBM Business Partners. Additional information about the GDPR and the IBM GDPR Readiness Journey can be found here: http://www.ibm.com/gdpr
Post Brexit situation: Your company may have contracted under IBM Terms & Conditions for Talent Management services that involve the processing of personal data. In order to help ensure both your and IBM’s compliance with applicable data protection law, on the date that the UK leaves the EU, the following will take effect:
1. References to the General Data Protection Regulation (GDPR) in the applicable contracts will include the UK Data Protection Act 2018 to the extent it applies. Other references to EU or EEA legislation will include any implementing or equivalent UK legislation, to the extent relevant.
2. The transfer of personal data from the EEA to the UK will be classed as an international transfer. To permit these data transfers to continue uninterrupted, the following applies to the extent that such transfer is considered a transfer to a “non-adequate” country under the GDPR:
IBM UK entities acting as Processors or Sub-processors will be added as data importers under existing EU Standard Contractual Clauses, based on your jurisdiction.
Those external vendors located in the UK and listed as Sub-processors in existing agreements with you will be bound by IBM to the same obligations imposed on IBM under the applicable EU Standard Contractual Clauses. Additionally, in certain agreements with IBM, there may be a statement of territorial scope (for example, for the purposes of IBM warranty support) which includes reference to the UK in terms such as Western Europe, the European Union (or EU), EU member states, or countries in the European Economic Area. Irrespective of the conditions of exit and until further notice from IBM, those terms shall continue to include the UK as if the UK were expressly mentioned.
By using IBM goods and service beyond the date that the UK leaves the EU, you are accepting the changes referenced in this communication, if and to the extent applicable. This arrangement will remain in place also for new agreements you enter into with IBM (as applicable) until contractual terms are refreshed to comply with any changes to the law that may be enacted once Brexit becomes effective.
If you have any additional questions or to obtain versions of this letter in other languages – please contact your IBM sales representative, or send your query to DP.Operations@uk.ibm.com