Kyndryl Data Privacy Framework Policy


A. Compliance with the Data Privacy Framework

Kyndryl complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.

Kyndryl has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from:

  • The European Union in reliance on the EU-U.S. DPF; and
  • The United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.

Kyndryl has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.


B. Description of Processing Activities

1. Controller-Based Activities

Kyndryl processes personal data on its own behalf for the following purposes:

  • Business operations and work-related processes;
  • Communication and collaboration tools;
  • Marketing (including newsletters, cookies, and similar technologies);
  • Employment administration (including recruitment, compensation, evaluations, benefits, on-boarding, and off-boarding);
  • Use of Kyndryl infrastructure, networks, and assets; and
  • Audit functions.

The main types of personal data processed pursuant to the above activities are:

  • Kyndryl employees, agents, contractors, applicants, or other affiliates;
  • Customers’ employees, agents, or other affiliates; and
  • Suppliers’ employees, agents, or other affiliates.


2. Processor-Based Activities

Subject to applicable offerings and individual customer agreements, Kyndryl may process customer-controlled personal data for the following purposes:

  • Applications, networks, systems, or infrastructure logging or monitoring;
  • Help desk or other technical support;
  • Provision, maintenance, or management (including security management) of applications, networks, systems, or infrastructure;
  • Hosting, caching, backup, archiving, and disaster recovery;
  • Design, development, build, or test; and
  • Advisory, analytics, or other services.

The main types of personal data processed pursuant to the above activities are:

  • Customers’ employees, agents, contractors, applicants, or other affiliates;
  • Customers’ end users, visitors, or business partners; and
  • Customers’ suppliers or subcontractors.

For general information about:

  • The type or identity of third parties to which it discloses personal information, and the purposes for which it does so;
  • The right of individuals to access their personal data; and
  • The choices and means the organization offers individuals for limiting the use and disclosure of their personal data,

please refer to the Kyndryl Privacy Statement.

If Kyndryl subcontracts the performance of any of the processing activities pursuant to the Kyndryl Privacy Notice and/or its customer agreements, Kyndryl will be liable to data subjects for the acts and omissions of Kyndryl subcontractors as if they were the acts or omissions of Kyndryl (subject to limits, exclusions, and assignments of liability).


C. Regulatory Authority and Dispute Resolution

The Federal Trade Commission (FTC) has jurisdiction over Kyndryl’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

In certain circumstances, personal information may be subject to disclosure to government agencies in accordance with judicial proceedings, court orders, or legal processes. We may also share personal information to protect the rights of Kyndryl or others when Kyndryl believes that such rights may be affected, for example to prevent fraud.

An individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms. Please refer to this link for additional information: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Kyndryl commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.


D. Contact

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Kyndryl commits to resolve DPF Principles-related complaints about our collection and use of your personal information.

If EU and UK and Swiss individuals have any questions or complaints concerning Kyndryl’s processing of personal information on behalf of a Kyndryl customer, they can contact the customer directly. Individuals who want to access the personal information that Kyndryl hosts on behalf of a customer, or to make choices concerning their information, must contact the customer directly.

EU and UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF may contact Kyndryl at: https://www.kyndryl.com/privacy/portal/contact/us-en