Controller binding corporate rules
Integrity, transparency, and responsibility characterize the way Ericsson conducts business. We recognize our responsibility to respect privacy rights and to put in place appropriate standards of data protection when handling the personal data – or Personal Information – of our employees and other individuals.
We operate in a highly networked, interconnected, and global business reality that demands a coordinated response to data protection. Our Controller Binding Corporate Rules ("C-BCR") set down effective and uniform standards for certain processing of Personal Information across Ericsson's global operations, and helps us to comply with data protection standards within the European Union ("EU") and the European Economic Area ("EEA").
The full text of our C-BCR can be found below. The following FAQs are part of our transparency efforts to share information about our approach to data protection. They are designed to help individuals – referred to as "Data Subjects" – whose Personal Information we process, to understand what the C-BCR are.
We also process Personal Information on behalf of our Customers when providing services. This is governed by our Processor BCR ("P-BCR").
All terminology used in this information sheet shall have the same meaning as it does in Ericsson's C-BCR. Please note that this information sheet is designed to serve as a guide only – the language of the C-BCR shall take precedence in the event of any inconsistency between the two documents.
What are Binding Corporate Rules ("BCR")?
Binding Corporate Rules, or BCR, are a binding code of practice that governs how a multinational company transfers Personal Information between different entities within its corporate group. A multinational company has different parts of its business based across the world, and therefore subject to different local laws. While some national laws might afford a high level of protection for Personal Information, others may fall below the standard set down by data protection legislation in the EU/EEA. Therefore, most Personal Information governed by the laws of EU/EEA Member States cannot be transferred to countries that do not afford adequate protection, unless there are proper additional safeguards in place. An approved set of BCR is one such type of safeguard.
What is the difference between Ericsson's C-BCR and its P-BCR?
Ericsson has two sets of BCR – one for when it processes Personal Information for its own purposes (C-BCR) and one for when it processes Personal Information on behalf of its Customers (P-BCR). These two roles are kept distinct from one another in EU data protection law, which is reflected in our different sets of rules.
Ericsson handles Personal Information for various reasons. For example, Ericsson collects, stores, and uses Personal Information about its employees in order to pay them salaries. In cases like this, Ericsson controls the manner and purposes for which the Personal Information is being processed, and so is referred to as the "Data Controller". These types of processing activities are therefore covered by our C-BCR.
When we provide services to our Customers, however, it is our Customers that control why and how Personal Information is to be processed. We process it on their behalf according to their instructions. In legal terms, this makes our Customer the "Data Controller" and Ericsson the "Data Processor". To ensure that we act as a responsible partner for our Customers when acting as their Data Processor, we have adopted our P-BCR.
Both Ericsson's C-BCR and P-BCR have been approved by the relevant EU/EEA Data Protection Authorities. The Swedish Data Protection Authority (Datainspektionen) acted as the lead authority during the approval process.
When do Ericsson's C-BCR apply?
Our C-BCR apply to all Personal Information processed by Ericsson where we determine the manner and purposes for which the Personal Information is being processed. Typical examples are Human Resource data (including job applicant data) and contact details relating to representatives of business partners.
How do I lodge a request or complaint?
Data Subjects with access to HR Direct (that is Ericsson staff) who wish to file a complaint or a request pertaining to their Personal Information shall contact HR Direct.
Data Subjects who do not have access to HR Direct who wish to file a request or a complaint pertaining to their Personal Information can send an e-mail to firstname.lastname@example.org.
It is also possible to contact the Group Data Protection Officer by postal mail at Ericsson AB, Group Function Legal Affairs, 164 80 Stockholm, Sweden.
How do I find out more?
The full text of the C-BCR can be found below.