Privacy@Siemens

Siemens has established a global Data Privacy Organization with dedicated officers for regions and businesses. The Data Privacy Organization covers all of Siemens, from business product development to administrative activities.

To ensure trust of customers, business partners and employees, Siemens has developed comprehensive data privacy policies for all relevant instances, tools, and guidelines to go beyond what is required by law incl. the GDPR.

Transfers of personal data within Siemens are covered by binding internal data protection regulations: the Siemens Binding Corporate Rules on Data Protection (BCR). In 2014, Siemens was one of the first companies to introduce Binding Corporate Rules to ensure this high level of data protection for intra-group exchange of personal data across international borders and form an essential part of the international business activities.

You find a summary of the Siemens EU BCR and the UK BCR Addendum below:

- Siemens EU BCR

- UK BCR Addendum

All Siemens employees are bound to comply with the Siemens Business Conduct Guidelines, which are a binding code of conduct. The Binding Code of Conduct states: “All of us who handle the personal data of employees, customers, or third-parties bear a high level of responsibility”. This includes that employees commit themselves to observe confidentiality when processing personal data.

Please visit our Business Conduct Guidelines for more information.

We believe transparency about processing is a key component of effective data protection. In order to enable Data Subjects to easily assert these rights, Siemens has introduced a centralized hub through which Data Subjects' rights are asserted and answered.

For more information visit the Siemens Data Privacy Notice.

The sustainable implementation of data protection requirements is not just an IT and procedural issue but must also involve our employees from all departments. For this reason, internal regulations, such as our Business Conduct Guidelines, require every employee to comply with our data protection requirements. Siemens employees also receive regular trainings on how to handle personal data that are tailored to specific functions and target groups. In addition, employees have access to multiple resources such as GDPR guidelines, awareness campaigns and tools to assist with their data protection requirements.

Requests or complaints from data subjects can be channeled through the Siemens Data Privacy Organization by contacting dataprotection@siemens.com .

A holistic approach to data protection only works if data protection requirements are consistently observed and implemented not only within the Group but also by our external suppliers and partners. For this reason, our suppliers and partners are subjected to a preliminary data protection audit and contractually committed to data protection standards. In addition, our suppliers need to follow our data protection requirements in our Code of Conduct for Suppliers.

Siemens is continually auditing our data processing activities, applications, and products to ensure the compliance with technical and organizational requirements and Privacy by Design principles.

A fast response is essential in the event of a data protection violation. This is the only way to ensure that these violations are terminated swiftly and that all involved parties both in-house and external (such as the data subjects and the regulatory authorities) are informed immediately. To facilitate this, Siemens has established a global Data Privacy Incident Process that uses central reporting channels and includes the relevant stakeholder.

Comprehensive security mechanisms and a security-oriented mindset throughout the entire organization are essential to avert and control data security risks.

Visit Siemens Cybersecurity website for further information.

Siemens continuously maintains a comprehensive register of data processing activities, such as local and global applications, which collect, store, process and use personal data. The content is especially tailored to meet the record and accountability requirements of the General Data Protection Regulation, and we are prepared to make these records available to the competent supervisory authority on request.

Siemens systematically manages data retention and deletion as a mandatory part of our comprehensive register of processing activities. We recognize that appropriate retention periods for personal data are not generic but depend on the specific use-case and purpose of the data processing. In Siemens each activity includes a tailored deletion concept, that is reviewed by our Data Privacy Organization as part of the data privacy assessment and data privacy law comment.

For enabling the business activities of a worldwide operating group of companies like Siemens, the international data transfers are safeguarded by different instruments such as EU Standard Contractual Clauses and Binding Corporate Rules, including our Siemens Binding Corporate Rules on Data Protection.

To learn more about Siemens’ approach on international data transfers related to our customer solutions, click here.

When outsourcing data processing activities, the parties involved (i.e. controller and processor) must enter into a data processing agreement. Siemens Data Processing Agreements are utilized both when Siemens is acting as a customer (controller) and when acting as a provider (processor).

In case Siemens acts as processor for its customer, our Siemens Data Privacy Terms apply.

Siemens wants to ensure that its products and solutions can be used in compliance with all relevant data protection rules. So for Siemens, privacy by design means that compliance with the law, transparency, informational self-determination, data minimization, and data security are already applied when functions and services are developed, and that they’re incorporated into the design. This approach means that privacy by design is securely integrated into our product development processes. Siemens is well aware that using its products and services may lead customers to entrust Siemens with processing one of their most precious assets: their data. If Siemens processes personal data for a customer, it does so under contractual terms that govern how the data is handled, including transfers to third parties.