Introduction
Integrity, transparency, and responsibility characterize the way Ericsson conducts business. We recognize our responsibility to respect privacy rights and to put in place appropriate standards of data protection when handling Personal Data of our employees and other individuals such as customers´ or suppliers’ employees.
We operate in a highly networked, interconnected, and global business reality that demands a coordinated response to data protection. Our Controller Binding Corporate Rules ("C-BCR") set out effective and uniform standards for certain processing of Personal Information across Ericsson's global operations when an Ericsson BCR Member acts as a Data Controller (deciding on the purposes and means of the processing) and to provide appropriate safeguards to transfers of Personal Data between BCR members when applying the C-BCRs for international data transfers. The updated list of the C-BCR Members is accessible here.
The purpose is to protect privacy and ensure the secure processing of Personal Data, particularly in connection with global transfers of Personal Data, which is of the utmost importance for Ericsson Group.
The full text of our C-BCR can be found herein below. The following FAQs are part of our transparency efforts to share information about our approach to data protection regarding the Binding Corporate Rules. They are designed to help individuals – referred to as "Data Subjects" – whose Personal Information we process, to understand what the C-BCR are.
We also process Personal Information on behalf of our customers when providing services. This is governed by our Processor BCR (“P-BCRs”).
All terminology used in this website shall have the same meaning as it does in Ericsson's C-BCR. Please note that this website is designed for general information purposes only– the language of the C-BCR shall take precedence in the event of any inconsistency between this website and the language of the C-BCRs.
Please note that Ericsson Group has also implemented the Standard Contractual Clauses as an international data transfer mechanisms as explained in the Standard Contractual Clauses
FAQs
What are Binding Corporate Rules ("BCR")?
Binding Corporate Rules, or BCR, are data protection policies adhered to by companies for international transfers of Personal Data within a group of undertakings or enterprises. The BCRs include general data protection principles and enforceable rights to ensure appropriate international personal data transfer mechanisms when processing data between the BCRs members.
Ericsson´s BCRs apply to transfers of Personal data between BCR Members, including onward transfers to BCR Members outside the EU/EEA, when no other international or local transfer mechanism apply.
How, when and by whom Ericsson BCRs are approved?
Ericsson BCRs are approved by the European Data Protection Authorities, being the lead supervisory authority the Swedish Supervisory Authority [Integritetsskyddsmyndigheten (IMY)]. Ericsson BCRs were approved in 2016 and they are updated annually, to accommodate the BCRs to the principles and requirements of the European General Data Protection Regulations (GDPR) and Ericsson internal organization. Ericsson AB is the lead company of the BCRs within Ericsson Group. The Ericsson Group Companies that have adhered to the C-BCR can be found herein below.
What is the difference between Ericsson's C-BCR and its P-BCR?
Ericsson has two sets of BCR – one for when it processes Personal Information for its own purposes (C-BCR), deciding on the purposes and the means, and one for when it processes Personal Information on behalf of its Customers (P-BCR). These two roles are different from one another in EU data protection Regulations, which is reflected in our different sets of rules.
Ericsson handles Personal Information for various reasons as a Data Controller. For example, Ericsson collects, stores, and access Personal Data of its employees in order to pay their salaries. When it comes to C-BCRs, Ericsson controls the manner and purposes for which the Personal Information is being processed, and, therefore, Ericsson is referred to as the "Data Controller". These types of processing activities are therefore covered by our C-BCR.
When we provide services to our customers, however, it is our customers that control why and how Personal Data is to be processed. We process it on their behalf according to their instructions. In legal terms, this makes our customer the "Data Controller" and Ericsson the "Data Processor". To ensure that we act as a responsible partner for our customers when acting as their Data Processor, we have adopted our P-BCR which can be found here.
When do Ericsson's C-BCR apply?
Our C-BCR apply to all Personal Data processed by Ericsson where we determine the purposes and means for which the Personal Data is being processed. Typical examples are Human Resource data (including job applicant data) and contact details relating to representatives of business partners (customers and suppliers).
These rules are applicable to the processing of Personal Data by wholly or partly automated means or when it forms (or is intended to form part of a filling system.
How do I lodge a request or complaint?
A Data Subject who wishes to file a complaint or a request to a BCR Member shall send an e-mail to privacy@ericsson.com, and, additionally, in countries where local contacts for privacy related matters exist, send an e-mail to such local contact or contacts as per the following link.
Data Subjects are entitled to file a cause of action before a court or lodge a complaint before a Supervisory Authority. In these situations, Data Subjects that are Employees of Ericsson Group receiving information of the action from or on behalf of the Data Subject or the Supervisory Authority shall send an e-mail about the cause of action or complaint to privacy@ericsson.com.
It is also possible to contact the Chief Privacy Officer (CPO) by postal mail at Ericsson AB, Group Function Legal Affairs, Torshamnsgatan164 80 Stockholm, Sweden.
How do I report an incident?
Data Subjects who wish to report a security or privacy incident shall be instructed to use the Security Incident Management System (SIMS) for those Data Subjects with access to SIMS, and such incidents shall be handled according to the SIMS process. In cases where incidents are e-mailed to ericsson.group.privacy@ericsson.com or directly reported to the CPO, GDPO, a DPO, a Data Protection Advisor or to a Privacy Advisor, those incidents shall be reported into SIMS by any employee.
How do I find out more?
The full text of the C-BCR can be found below.