Introduction
The EU’s General Data Protection Regulation (“GDPR”) sets obligations for international data transfers to ensure that individuals’ rights are respected when their personal data is transferred out of the EU/EEA.
According to the GDPR, standard contractual clauses ensuring appropriate data protection safeguards can be used as a ground for data transfers from the EU to third countries. This includes model contract clauses – so-called Standard Contractual Clauses (“SCCs”) – that have been “pre-approved” by the European Commission. To this end, Ericsson promoted the adoption of the SCCs.
As part of its business operations but also for its internal operations, the Ericsson Group transfers, stores and processes personal data, which inter alia includes transfers of personal data from Ericsson Companies within the EU/EEA to Ericsson Companies outside the EU/EEA.
Ericsson´s Intragroup SCCs
Ericsson Group has entered into two Intragroup Agreements (Set A for Group Functions and Set B for Business related matters) for incorporating the SCCs pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council published on 7th June, 2021. The SCCs entered into force on December 9, 2022 for Ericsson entities and branches. The updated list of such Ericsson Group entities is accessible here.
Both Intragroup Agreements incorporate the four modules of the SCCs (Controller - Controller, Controller – Processor, Processor - Processor, Processor - Controller), as well as the relevant annexes for each module where the processes are described.
In the Annex II there is a description of the security technical and organizational measures implemented across Ericsson organization. The updated Annex II covering the implemented security technical and organizational measures is accessible here.
The SCCs include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers.
Ultra-territoriality of Ericsson´s Intragroup SCCs
While the GDPR framework on Third Country transfers only applies to companies that are subject to the GDPR, Ericsson Group has decided that SCCs will apply globally and Ericsson Companies that are not subject to the GDPR also entered into the SCCs. Local deviations will be applicable where required under mandatory applicable local law.
Updating the SCCs
Ericsson plans to update the SCCs at least once a year for
- incorporating processes related to new products and services.
- incorporating new entities coming from divestments or in case of termination of the intragroup SCCs with any entity in case of divestment of liquidation.
- update the annexes, including the TOMS.
Third Parties Sub-processors
When it comes to Third Parties, Ericsson has in place the Standard Contractual Clauses (SCC) for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council published on 7th June, 2021.
Other International Data Transfer Mechanisms within Ericsson Group
Ericsson´s existing Intragroup BCRs (approved in 2016), were updated according to the GDPR. Updated BCRs for Processors and Controllers were approved by the Swedish Supervisory Authority, and some Ericsson Group Entities adhered to the updated versions of the BCRs. BCRs are referred in the Ericsson Code of Business Ethics and are published in Ericsson extranet. See Controller binding corporate rules - Ericsson and Processor binding corporate rules - Ericsson
Questions
For any questions related to Ericsson SCCs please contact privacy@ericsson.com or the relevant Data Protection Officer.