Personal Data and its protection are becoming increasingly important to individuals and enterprises. As you may know, the European Union passed the General Data Protection Regulation (GDPR) effective 25 May 2018. The GDPR is designed to ensure a consistent level of protection of the rights and freedoms of natural persons with regard to the processing of their data and to establish one set of data protection rules across the European Economic Area (EEA).
The GDPR applies to all organisations established in the EEA but also to organisations established outside the EEA, when their processing activities relate to the offering of goods and services to individuals in the EEA or to the monitoring of individuals' behaviour within the EEA.
IBM is committed to GDPR readiness.
Your company may have one or more agreements in place with companies or affiliates of the IBM group (hereafter 'IBM'), where IBM provides a service to you that involves the processing of your Personal Data by IBM.
Accordingly, IBM acts as processor of your Personal Data. According to the GDPR (Article 28), both controller and processor, have the obligation to enter into an agreement governing the processing of Personal Data. The GDPR explicitly sets out requirements with regard to the content of such agreement.
In order to comply with this statutory requirement, IBM has created an IBM Data Processing Addendum (DPA) and applicable DPA Exhibit, which amend our existing contracts. This applies in situations where IBM is processing Personal Data within the scope of the GDPR. In the event of any conflict with existing data privacy or security terms, the DPA and applicable DPA exhibit shall prevail.