Baseline Privacy Requirements

Ericsson Internal

GROUP INSTRUCTION 1 (11)


Prepared (also subject responsible if other) No.

ESOFFRE Sofia Frederiksen 00021-2851 Uen


Approved Checked Date Rev Reference

GFFII [Pär Gunnarsson L] 2017-04-18 M

Baseline Privacy Requirements

Abstract

This document defines the requirements for handling Personal Information
processed by Ericsson or in Ericsson’s custody, including that of employees,
contingent workforce, partners, customers and end-users such as customer’s
subscribers.

Application

This Instruction is applicable to all Ericsson operations involved in Processing
of Personal Information, involved in contracting to provide, obtain or exchange
services which entails Processing of Personal Information, or in the
development of tools, products or services used to process Personal
Information where Ericsson is the Data Controller and/or the Data Processor.

Purpose

The purpose of the Baseline Privacy Requirements Instruction is to define the
requirements for handling Personal Information to achieve Ericsson’s privacy
commitments as described in the Privacy Policy [1].

Contents
1 Instruction
1.1 Baseline Privacy Requirements - Data Controller
1.2 Baseline Privacy Requirements - Data Processor
2 Responsibility
3 Contacts for this Instruction
4 References
5 Change information

1 Instruction
Ericsson units who are involved in the Processing (e.g. collection, use,
retention, disposal, access or disclosure) of Personal Information or in the
development of tools, processes, products or services used to process
Personal Information shall implement the Baseline Privacy Requirements
within the context of applicable legal and contractual requirements.

Where there are no legal and contractual privacy requirements, the Baseline
Privacy Requirements shall be implemented where appropriate. Where there
are legal and contractual privacy requirements, the strictest requirements
shall be implemented.

The Baseline Privacy Requirements are based on the corresponding Ericsson
Privacy Principles, as follows:

• Notice to individuals to identify the purposes for which Personal
  Information is collected, used, retained and disclosed.

• Choice and consent available to individuals with respect to the
  collection, use, retention and disclosure of Personal Information.

• Collection of Personal Information for the purposes identified in the
  Notice.

• Use, retention and disposal of Personal Information as identified in the
  Notice and for which the individual has provided Consent.

• Review of Personal Information for individuals to access their
  information and ensure it is correct and accurate.

• Disclosure to third parties of Personal Information for purposes
  identified in the Notice and for which the individual has provided Consent.

• Transferring data to other countries in a legal, secure and auditable
  manner.

• Security for privacy of Personal Information to help protect against
  unauthorized access and use.

• Quality of Personal Information to ensure that reasonable steps are
  taken to ensure Personal Information is correct and accurate.

• Accountability and Privacy by Design to ensure compliance with the
  privacy framework.

The Baseline Privacy Requirements are divided into two sections to meet the
differing ways that Ericsson processes Personal Information.

1.1 Baseline Privacy Requirements – Data Controller

1.2 Baseline Privacy Requirements – Data Processor

The Privacy Terminology [3] document has been developed to ensure
common understanding of the terminology used.

Additional information about Data Privacy at Ericsson, including guidelines
and templates on Privacy by Design, Privacy Impact Assessments, Breach
Reporting, etc. can be found on the Ericsson Privacy Forum [4].

1.1 Baseline Privacy Requirements - Data Controller

These requirements shall be implemented where Ericsson is acting as a Data
Controller within the context of applicable legal and contractual requirements
and where appropriate.

Ericsson acts as a Data Controller when the company alone or jointly with
others determines the purposes and means of the processing of Personal
Information. The typical situation when Ericsson acts as Data Controller is
when Ericsson processes Personal Information relating to its employees, job
applicants, visitors on premises or on the web and representatives of the
suppliers and customers.

1.1.1 Notice
1 A Privacy Notice shall be provided to the Data Subject describing the
purposes for which Personal Information is collected, used, retained and
disclosed and the choices, if any, available to limit the use and disclosure
of Personal Information.

1.1.2 Choice and consent


1 Consent with respect to the collection, use, retention and disclosure of
Personal Information shall be obtained as required by applicable law, or
otherwise deemed appropriate¹.
2 Where the Data Subject has the choice to accept or reject consent, the
choice shall be described in the Privacy Notice.
3 Should a Data Subject refuse to provide consent or place any limits on the
collection, processing, or disclosure of their Personal Information, this
may result in limitation or unavailability of certain benefits of service
functionality. The Data Subject shall be notified of such limitations or
unavailability².

¹ In some cases, other interests may override the data subject’s right of choice and consent. One example is
investigations on criminal activities which may lead to data processing and disclosure without the knowledge of the
individual. In several countries consent shall not be obtained from employees, as a consent can be seen as not
freely given and therefore not valid. Instead the processing shall for such cases be based on another appropriate
legal condition such as fulfillment of law or the employment contract.

1.1.3 Collection
1 Personal Information shall only be collected for fulfillment of legal or
contractual obligations, securing legal claims, protecting individuals and
assets and for other legitimate commercial and operational purposes
accepted by applicable law.

1.1.4 Use, retention and disposal


1 The use, or Processing, of Personal Information shall be limited to the
purposes identified in the Privacy Notice and for which the Data Subject
has provided implicit or explicit consent, where applicable.
2 Personal Information shall be retained for only as long as necessary to
fulfill the stated purposes, or as required by law or regulations, and shall
thereafter be appropriately disposed of.
3 The disposal of Personal Information shall be done in a secure manner.
4 Where the use or retention of Personal Information is required for
legitimate business interests beyond the original purpose or retention
period, the data shall be made Anonymous or new consent obtained in
accordance with applicable law.
5 Personal Information shall not be excessively stored, printed, copied,
disclosed or subject to other means of Processing outside the purpose for
use.

1.1.5 Review of Personal Information


1 The Data Subject shall be provided with access to their Personal
Information for review.
2 The Data Subject shall have the right to request correction of inaccurate
Personal Information.

² Where the data subject is an Ericsson employee, a refusal to provide Personal Information, or placing limits on
the use of Personal Information, shall not result in any disciplinary action against the employee.

1.1.6 Disclosure to third parties


1 Personal Information shall be disclosed to third parties only for the
purposes identified in the Privacy Notice and with the implicit or explicit
consent of the Data Subject, except where such consent is not required
for legal reasons, or except under the following circumstances:
1.1 Legal requests and investigations:
Ericsson may disclose Personal Information when, in Ericsson’s
opinion, such disclosure is necessary to prevent fraud or to comply
with any statute, law, rule or regulation of any governmental
authority or any order of any court of competent jurisdiction.
1.2 Third Party Processors:
Ericsson employs other companies and individuals, sub-processors,
to perform functions on Ericsson’s behalf, where Ericsson is the
Data Controller and the Third Party Processor is the Data
Processor. Sub-processing examples include processing
compensation, providing employee benefits, and performing legal
and other professional services. These Third Party Processors have
access to Personal Information needed to perform their functions,
but may not use it for other purposes.
1.3 Business transfers:
As Ericsson continues to develop its business, it might sell or buy
companies, subsidiaries or business units. In such transactions,
Personal Information is generally one of the transferred business
assets but is subject to any privacy agreements made with the
acquiring companies.
1.4 Protection of Company and others:
Ericsson releases Personal Information when appropriate to comply
with the law; enforce or apply policies and other agreements; or
protect the rights, property or safety of the Company, Ericsson
employees or others. This does not include selling, renting, sharing
or otherwise disclosing Personal Information for commercial
purposes in violation of the commitments made in this Group
Instruction.
2 Prior to transferring Personal Information to a Third Party Processor, the
Ericsson unit shall ensure responsibilities of Ericsson and of the Third
Party Processor are clearly described and implemented as part of the
commercial contract, utilizing the Baseline Information Security and
Privacy Requirements for Suppliers.
3 Third Party Processors shall be restricted to only the necessary access,
use, retention and disclosure of Personal Information needed to fulfill
contractual obligations.

1.1.7 Transferring data to other countries


1 Before Personal Information may be transferred to a country other than
the country of the Data Subject’s residency, the legal requirements of
such a transfer shall be investigated and appropriate actions taken.
2 Records shall be kept in an auditable manner showing which Personal
Information has been transferred to which countries.

1.1.8 Security for privacy


1 Personal Information shall be classified as Ericsson Confidential and
handled as such. Business contact information is not Ericsson
Confidential information by itself and is not subject to points 2-4 below.
2 Access to Personal Information shall be limited to authorized individuals
on a “need to know” basis.
3 Personal Information shall be protected against unauthorized access, use,
retention, disposal, modification and disclosure through physical and
logical controls.
4 Personal Information shall be encrypted in transit, and when required by
applicable laws at rest³ when stored on removable media.
5 Individuals with regular access to Personal Information or in the
development of tools, products or services used to process Personal
Information shall take appropriate Security and Privacy Training on a
regular basis.

1.1.9 Quality
1 Reasonable steps shall be taken to ensure Personal Information is correct
and accurate.
2 Records shall be kept in an auditable manner showing which Personal
Information has been accessed, modified, disclosed or
disposed.

1.1.10 Accountability and Privacy by Design


1 Privacy shall be designed, engineered and automated to the extent
feasible into products, services, tools and delivery processes to conform
to Privacy by Design methodology in order to ensure the Baseline Privacy
Requirements, and/or other applicable privacy requirements, are
implemented.
2 Privacy Impact Assessments (PIA) or other privacy related assessments
shall be performed, where feasible or legally required, to assess risks to
Data Subjects and identify corrective measures to mitigate such risks.
3 For processing of business contact details only, the pre-PIA is often
sufficient for assessing the risk to data subjects. The Privacy Advisor
decides if the pre-PIA is sufficient and, if in doubt, refers the decision to the
Privacy Core Team.
4 There shall be a process in place to report and handle Privacy Incidents
or Breaches as well as address inquiries, complaints and disputes.

³ Normally the law in the exporting country, if such exists, and the country where the data resides.

1.2 Baseline Privacy Requirements - Data Processor

These requirements shall be implemented where Ericsson is acting as a Data
Processor within the context of applicable legal and contractual requirements
and where appropriate.

Ericsson acts as a Data Processor when it acts on behalf of and on
instructions from another party. The typical situation when Ericsson acts as
Data Processor is when Ericsson processes subscriber data of its customers
in connection with providing services for the customers.

1.2.1 Notice
1 Ericsson does not provide Notice to the Data Subject unless Ericsson has
agreed to do so on behalf of the Data Controller per contractual obligation.
2 The Ericsson unit shall ensure that the responsibilities of Ericsson and of
the Data Controller (i.e. the customer) are clearly described and (i)
implemented as part of the commercial contract, and (ii) addressed and
appropriately implemented. The terms and conditions set out below shall
be analyzed and implemented on a case by case basis:
2.1 The clear agreement that Ericsson is the Data Processor and that
the Customer is the Data Controller.
2.2 The clear definition of what constitutes Personal Information.
2.3 The clear definition of applicable law(s) for processing Personal
Information and for transferring such information cross border.
2.4 The clear description of the purpose for processing the Personal
Information.
2.5 Clear instructions on the handling of privacy breaches, including,
e.g., responsibilities of the parties, notifications and timing, points of
contact.
2.6 Clear requirements for security for protecting the privacy of Personal
Information including the applicable requirements set forth in these
Baseline Privacy Requirements.

1.2.2 Choice and consent


1 Ericsson does not provide choice and consent options to the Data Subject
unless Ericsson has agreed to do so on behalf of the Data Controller per
contractual obligation.

1.2.3 Collection
1 Personal Information shall only be collected for the purposes specified in
the contract with the Data Controller.

1.2.4 Use, retention and disposal


1 The use, or Processing, of Personal Information shall be limited to the
purposes specified in the contract with the Data Controller.
2 Personal Information shall be retained for only as long as necessary to
fulfill contractual obligations, or as required by law or regulations, and
shall thereafter be appropriately returned or disposed of at the choice of the
Data Controller.
3 The disposal of Personal Information shall be done in a secure manner
and shall be recorded in order to certify to the Data Controller that such
disposal has taken place.
4 Where the return or disposal of some or all of the Personal Information is
prevented by law or regulation, the Personal Information shall be kept
confidential and shall no longer be processed.
5 Personal Information shall not be excessively stored, printed, copied,
disclosed or subject to other means of Processing outside the scope of
the contract with the Data Controller.

1.2.5 Review of Personal Information


1 Personal Information shall be transferred to the Data Controller in order to
support any Data Subject request, without answering the request unless
authorized to do so.

1.2.6 Disclosure to third parties


1 Sub-processing to Third Party Service Providers shall only be allowed
with prior written consent from the Data Controller and only for the
purposes identified in the contract with the Data Controller.
2 Prior to transferring Personal Information to a Third Party Service
Provider, the Ericsson unit shall ensure responsibilities of Ericsson and of
the Third Party Service Provider are clearly described and implemented
as part of the commercial contract. The contract shall clearly reflect any
requirements from the Data Controller and the Baseline Information
Security and Privacy Requirements for Suppliers [5].
3 Third Party Service Providers shall be restricted to only the necessary
access, use, retention and disclosure of Personal Information needed to
fulfill contractual obligations.

1.2.7 Transferring data to other countries


1 Before Personal Information may be transferred to a country other than
the country of the Data Controller, the legal requirements of such a
transfer shall be investigated and appropriate actions taken.
2 Personal Information shall be transferred to a country other than the
country of the Data Controller only with prior written consent from the Data
Controller.
3 Records shall be kept in an auditable manner showing which Personal
Information has been transferred to which countries.

1.2.8 Security for privacy


1 Security practices with respect to the Processing of Personal Information
shall comply with any security measures specified in the contract with the
Data Controller.
2 Personal Information shall be classified as Ericsson Confidential, or as
otherwise agreed upon with the Data Controller, and handled as such.
3 Access to Personal Information shall be limited to authorized individuals
on a “need to know” basis.
4 Personal Information shall be protected against unauthorized access, use,
retention, disposal, modification and disclosure through physical and
logical controls.
5 Personal Information shall be encrypted, as required by applicable law
and where feasible, when on removable media or when in transit.
6 Individuals with regular access to Personal Information or in the
development of tools, products or services used to process Personal
Information shall take appropriate Security and Privacy Training on a
regular basis.

1.2.9 Quality
1 Reasonable steps shall be taken to have the Personal Information
updated, corrected, deleted or anonymized at the request of the Data
Controller.
2 Records shall be kept in an auditable manner showing which Personal
Information has been accessed, modified, disclosed or disposed.

1.2.10 Accountability and Privacy by Design


1 Privacy shall be designed, engineered and automated to the extent
feasible into products, services, tools and delivery processes to conform
to Privacy by Design methodology in order to ensure the Baseline Privacy
Requirements, and/or other applicable privacy requirements, are
implemented.
2 Privacy Impact Assessments or other privacy related assessments shall
be performed, where feasible or legally required, to assess risks to Data
Subjects and identify corrective measures to mitigate such risks.
3 There shall be a process in place to report and handle Privacy Incidents
or Breaches as well as address inquiries, complaints and disputes.

2 Responsibility
Ericsson units and companies are responsible for compliance to the Baseline
Privacy Requirements.

Appointed privacy personnel such as Data Protection Officers and Privacy
Advisors can provide assistance as described in Group Directive, Data
Privacy Management [2].

3 Contacts for this Instruction


CPO, Group Security, LME/DEA

4 References
[1] Group Policy, 011 03-2815 Uen, Privacy
[2] Group Directive, 034 02-3150 Uen, Data Privacy Management
[3] Information, LME-14:003111 Uen, Privacy Terminology
[4] Ericsson Privacy Forum
[5] Instruction, 1/00021-2849 Uen, Baseline Information Security and
Privacy Requirements for Suppliers

5 Change information
Change since Rev H:
1 Minor change to update reference link.
Changes since Rev G:
2 Major revision including
2.1 expanding the Privacy Principles into the Baseline Privacy
Requirements,
2.2 consolidating Privacy Requirements for Customer Data and Privacy
Requirements for ICT Systems into this one document,
2.3 adding Privacy by Design, Privacy Impact Assessments and Privacy
Training requirements.

Changes since rev J:


1 Clarification that Personal information such as Business contact
information is not classified as Confidential information.
2 Privacy impact assessments are conducted to assess risks to data
subjects.
3 Clarification on the limitations for Ericsson for the use of Consent as
justification for processing personal information added.
4 Responsibility for Data Privacy Officers added.
5 Requirements regarding Disclosure to third Party replaced by reference to
BISPRS.
6 Definitions on when Ericsson acts as Controller or Processor added.

Changes rev L
Links updated.
Changes rev K
Links Updated.
