Baseline Privacy Requirements
Abstract
Application
Purpose
1 Instruction
Ericsson units who are involved in the Processing (e.g. collection, use,
retention, disposal, access or disclosure) of Personal Information or in the
development of tools, processes, products or services used to process
Personal Information shall implement the Baseline Privacy Requirements
within the context of applicable legal and contractual requirements.
Where there are no legal and contractual privacy requirements, the Baseline
Privacy Requirements shall be implemented where appropriate. Where there
are legal and contractual privacy requirements, the strictest requirements
shall be implemented.
The Baseline Privacy Requirements are based on the corresponding Ericsson
Privacy Principles, as follows:
The Baseline Privacy Requirements are divided into two sections to meet the
differing ways that Ericsson processes Personal Information.
Ericsson acts as a Data Controller when the company alone or jointly with
others determines the purposes and means of the processing of Personal
Information. The typical situation when Ericsson acts as Data Controller is
when Ericsson processes Personal Information relating to its employees, job
applicants, visitors on premises or on the web and representatives of the
suppliers and customers.
1.1.1 Notice
1 A Privacy Notice shall be provided to the Data Subject describing the
purposes for which Personal Information is collected, used, retained and
disclosed and the choices, if any, available to limit the use and disclosure
of Personal Information.
1 In some cases, other interests may override the Data Subject's right of choice and consent. One example is
investigations of criminal activities, which may lead to data processing and disclosure without the knowledge of the
individual. In several countries consent shall not be obtained from employees, as such consent can be seen as not
freely given and therefore not valid. Instead, the processing shall in such cases be based on another appropriate
legal condition, such as fulfilment of law or of the employment contract.
Ericsson Internal
GROUP INSTRUCTION 4 (11)
Prepared (also subject responsible if other) No.
3 Should a Data Subject refuse to provide consent or place any limits on the
collection, processing, or disclosure of their Personal Information, this
may result in limitation or unavailability of certain benefits of service
functionality. The Data Subject shall be notified of such limitations or
unavailability (see footnote 2).
1.1.3 Collection
1 Personal Information shall only be collected for fulfillment of legal or
contractual obligations, securing legal claims, protecting individuals and
assets and for other legitimate commercial and operational purposes
accepted by applicable law.
2 Where the data subject is an Ericsson employee, a refusal to provide Personal Information, or placing limits on
the use of Personal Information, shall not result in any disciplinary action against the employee.
1.1.9 Quality
1 Reasonable steps shall be taken to ensure Personal Information is correct
and accurate.
2 Records shall be kept in an auditable manner showing which Personal
Information has been accessed, modified, disclosed or disposed of.
3 Normally the law of the exporting country, if such exists, and of the country where the data resides.
1.2.1 Notice
1 Ericsson does not provide Notice to the Data Subject unless Ericsson has
agreed to do so on behalf of the Data Controller per contractual obligation.
2 The Ericsson unit shall ensure that the responsibilities of Ericsson and of
the Data Controller (i.e. the customer) are clearly described and (i)
implemented as part of the commercial contract, and (ii) addressed and
appropriately implemented in practice. The terms and conditions set out below shall
be analyzed and implemented on a case-by-case basis:
2.1 The clear agreement that Ericsson is the Data Processor and that
the Customer is the Data Controller.
2.2 The clear definition of what constitutes Personal Information.
2.3 The clear definition of applicable law(s) for processing Personal
Information and for transferring such information cross border.
2.4 The clear description of the purpose for processing the Personal
Information.
2.5 Clear instructions on the handling of privacy breaches, including,
e.g., responsibilities of the parties, notifications and timing, points of
contact.
2.6 Clear requirements for security for protecting the privacy of Personal
Information including the applicable requirements set forth in these
Baseline Privacy Requirements.
1.2.3 Collection
1 Personal Information shall only be collected for the purposes specified in
the contract with the Data Controller.
1.2.9 Quality
1 Reasonable steps shall be taken to have the Personal Information
updated, corrected, deleted or anonymized at the request of the Data
Controller.
2 Records shall be kept in an auditable manner showing which Personal
Information has been accessed, modified, disclosed or disposed of.
2 Responsibility
Ericsson units and companies are responsible for compliance with the Baseline
Privacy Requirements.
5 Change information
Changes since Rev H:
1 Minor change to update reference link.
Changes since Rev G:
2 Major revision including
2.1 expanding the Privacy Principles into the Baseline Privacy
Requirements,
2.2 consolidating Privacy Requirements for Customer Data and Privacy
Requirements for ICT Systems into this one document,
2.3 adding Privacy by Design, Privacy Impact Assessments and Privacy
Training requirements.
Changes since Rev L:
Links updated.
Changes since Rev K:
Links updated.