Introduction
Integrity, transparency, and responsibility characterize the way Ericsson conducts business. We recognize our responsibility to respect privacy rights and to put in place appropriate standards of data protection when handling Personal Data on behalf of our customers.
We operate in a highly networked, interconnected, and global business reality that demands a coordinated response to data protection. Our Processor Binding Corporate Rules ("P-BCR") set out effective and uniform standards for certain processing of Personal Information across Ericsson's global operations when Ericsson acts as a Data Processor when providing services to our customers. The requirements laid out in the P-BCRs are designed to provide appropriate safeguards for the transfer of Personal Data between BCR members when applying the P-BCRs for international data transfers. The updated list of the P-BCR Members is accessible here.
The purpose is to protect privacy and ensure the secure processing of Personal Data of our customers, particularly in connection with global transfers of Personal Data, which is of the utmost importance for Ericsson Group.
The full text of our P-BCR can be found herein below. The following FAQs are part of our transparency efforts to share information about our approach to data protection regarding the Binding Corporate Rules. They are designed to help individuals – referred to as "Data Subjects" – whose Personal Information we process on behalf of our customers, to understand what the P-BCR are.
We also process Personal Information on our behalf when handling Personal Data of our employees and other individuals such as customers' or suppliers' employees. This is governed by our Controller BCR ("C-BCR"), which can be found here.
All terminology used in this website shall have the same meaning as it does in Ericsson's P-BCR. Please note that this website is designed for general information purposes only – the language of the P-BCR shall take precedence in the event of any inconsistency between this website and the language of the P-BCRs.
Please note that Ericsson Group has also implemented the Standard Contractual Clauses as an international data transfer mechanism, as explained in the Standard Contractual Clauses.
FAQs
What are Binding Corporate Rules ("BCR")?
Binding Corporate Rules, or BCR, are data protection policies adhered to by companies for international transfers of Personal Data within a group of undertakings or enterprises. The BCRs include general data protection principles and enforceable rights to ensure appropriate international personal data transfer mechanisms when processing data between the BCR members.
Ericsson's BCRs apply to transfers of personal data between BCR Members where a BCR member acts as a Processor.
How, when and by whom are Ericsson BCRs approved?
Ericsson BCRs are approved by the European Data Protection Authorities, with the Swedish Supervisory Authority [Integritetsskyddsmyndigheten (IMY)] as the lead supervisory authority. Ericsson BCRs were approved in 2016 and were most recently updated in 2025 to align the BCRs with the principles and requirements of the European General Data Protection Regulation (GDPR) and Ericsson's internal organization. Ericsson AB is the lead company of the BCRs within Ericsson Group. The Ericsson Group Companies that have adhered to the P-BCR can be found herein below.
What is the difference between Ericsson's C-BCR and its P-BCR?
Ericsson has two sets of BCR – one for when it processes Personal Information for its own purposes (C-BCR), deciding on the purposes and the means, and one for when it processes Personal Information on behalf of its Customers (P-BCR). These two roles are different from one another in EU data protection Regulations, which is reflected in our different sets of rules.
Ericsson handles Personal Information for various reasons. For example, Ericsson collects, stores, and accesses Personal Data on customers' end users' behalf in order to provide services to our customers.
When we provide services to our customers, however, it is our customers that control why and how Personal Data is to be processed. We process it on their behalf according to their instructions. In legal terms, this makes our customer the "Data Controller" and Ericsson the "Data Processor". To ensure that we act as a responsible partner for our customers when acting as their Data Processor, we have adopted our P-BCR.
When do Ericsson's P-BCR apply?
Our P-BCR apply to all Personal Data processed by BCR Members, including their employees and external workforce in the processing of Personal Data or in the development of internal tools or services used to process Personal Data where a BCR Member acts as a Data Processor (separately or jointly with another BCR Member) or as Sub-Processor to another BCR Member (internal processors).
These rules are applicable to the processing of Personal Data by wholly or partly automated means or when it forms (or is intended to form) part of a filing system.
How do I lodge a request or complaint or report an incident?
The Ericsson Group has designated the Group Data Protection Officer (GDPO) as the specific contact point for Data Subjects. Data Subjects who wish to report a privacy incident, raise a question or present a complaint pertaining to his/her Personal Data can contact the Group Data Protection Officer by postal mail at Ericsson AB, Group Function Legal Affairs, 164 80 Stockholm, Sweden or send an e-mail to ericsson.group.privacy@ericsson.com.
In countries where local contacts for privacy related matters exist, Data Subjects can also report an incident by way of sending an e-mail to such local contact or contacts as per the following link.
Data Subjects shall be entitled to lodge a complaint before the Lead Supervisory Authority (choice between the supervisory authority of the EU Member State of his/her habitual residence, place of work or place of alleged infringement). Data Subjects in the EU shall also be entitled to lodge a complaint before the competent court of the EU Member State, with a choice for the Data Subject to act before the courts where the Data Controller or BCR Member has an establishment or where the Data Subject has his or her habitual residence.
How do I find out more?
The full text of the P-BCR can be found below.