Global Privacy Policy

1. Purpose

Cisco is committed to protecting the privacy of Personal Data of its Workers, Customers, business partners, and other individuals. Cisco has, therefore, implemented a global privacy program to establish and maintain high standards for creating, collecting, using, disclosing, storing, securing, accessing, transferring, or otherwise processing Personal Data. This Global Privacy Policy is the foundation of that program and describes the approach taken by Cisco when processing Personal Data worldwide.

2. Scope

All Cisco employees, contractors, vendors, consultants, temporary agency workers, and other agents of any Cisco Group Company (“Cisco Workers”) must comply with this Policy, including all personnel affiliated with third parties who may have access to any Cisco network or resource, including cloud-based services, hosted inside or outside of Cisco.

This Global Privacy Policy applies globally to Personal Data that Cisco processes, whether by electronic or non-electronic means (i.e., in hard copy, paper, or analog form). This Policy applies to any Personal Data Processing that is done for or by Cisco.

With respect to People Data and Business Personal Data specifically, this Global Privacy Policy is supplemented by the Cisco Global People Data Protection Policy, European People Data Protection Policy, and the Cisco Business Personal Data Privacy Policy. These internal policy documents describe in more detail how this Global Privacy Policy applies to People Data and Business Personal Data, respectively, and provide guidance to Cisco Workers on the proper handling of Personal Data.

3. Policy Statements

3.1 Adequate Safeguards for Processing of Personal Data

In conjunction with the Global People Data Protection Policy, the European People Data Protection Policy, and the Business Personal Data Privacy Policy, this Global Privacy Policy is also intended to provide adequate safeguards for the processing of Personal Data entrusted to Cisco and transferred from countries requiring such protections. This is to help enable Cisco to transfer Personal Data wherever it is needed globally to support its internal business processes or promote services and product functionality and improvement. To do this, the Global People Data Protection Policy, European People Data Protection Policy, and the Business Personal Data Privacy Policy each describe certain additional obligations and legal rights in circumstances where European Data Protection Law, American, Asia-Pacific Economic Cooperation (APEC), and other countries or regions’ Personal Data Protection and Privacy Laws or requirements differ and are applicable.

3.2 Compliance with Applicable Law

Cisco shall comply with applicable Personal Data Protection and Privacy Laws and requirements worldwide.

Where applicable Personal Data Protection and Privacy Laws require a higher standard of protection for Personal Data than presented in this Global Privacy Policy, the requirements of applicable personal data protection law shall prevail. Where applicable Personal Data Protection and Privacy Laws establish a lower standard of protection for Personal Data than presented in this Global Privacy Policy, the requirements of this Global Privacy Policy shall prevail.

Where Cisco Workers have reason to believe that applicable law prevents Cisco from fulfilling its obligations under this Global Privacy Policy, they shall promptly inform the Privacy Center of Excellence and Cisco Legal via the Privacy Request Form. Where there is a conflict between applicable law and this Global Privacy Policy, the Chief Privacy Officer and Cisco Legal shall make a responsible decision regarding what action to take to resolve such a conflict and shall consult with the relevant regulatory authority in cases of doubt. This includes resolving conflicts that may arise in the course of business taking place in a third country which are likely to have a substantial adverse effect on the guarantees provided by this policy. 

3.3 Privacy Principles

The following high-level principles establish Cisco practices for collecting, using, disclosing, storing, securing, accessing, transferring, or otherwise processing Personal Data.

  • Fairness

  • Cisco shall process Personal Data in a fair, lawful, legitimate, and transparent manner.

  • Purpose Limitation

  • Cisco shall only create or collect Personal Data for a specific, explicit, and legitimate purpose(s). Any subsequent processing shall be compatible with such purpose(s), unless Cisco has obtained the individual’s consent, or the processing is otherwise permitted by law.

  • Proportionality

  • Cisco shall only process Personal Data that is adequate, relevant, and not excessive for the purpose(s) for which it is processed.

  • Data Integrity

  • Cisco shall keep Personal Data accurate, complete, and up to date as is reasonably necessary for the purpose(s) for which it is processed.

  • Data Retention and Disposal

  • Cisco shall keep Personal Data in a form that is personally identifiable for no longer than necessary to accomplish the purpose(s), or other permitted purpose(s), for which the Personal Data was obtained. Thereafter, it shall either be destroyed, deleted, anonymized, or removed from our systems.

  • Data Security

  • Cisco shall implement appropriate and reasonable physical, technical, and organizational measures to safeguard Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, use, or access. Cisco shall instruct and contractually require third parties processing Personal Data on behalf of Cisco, if any, to: (a) process it only for purposes consistent with Cisco’s purpose(s) for processing; and (b) implement appropriate physical, technical, and organizational measures to safeguard the Personal Data.

  • Individual Rights

  • Cisco shall process Personal Data in a manner that respects individuals’ rights under applicable Personal Data Protection and Privacy Laws.

  • Accountability

  • Cisco shall implement appropriate governance, policies, processes, controls, and other measures necessary to enable it to demonstrate that its processing of Personal Data is in accordance with this Global Privacy Policy and applicable Personal Data Protection and Privacy Laws.

  • Cisco as a Processor

  • In circumstances where Cisco processes Personal Data as a Processor on behalf of a Customer as an integral part of Cisco’s provision of its products and services to Customers under the terms of a contractual agreement, Cisco will comply with the Data Security and Accountability Principles set out above. Cisco will also provide reasonable cooperation and, to the extent reasonably possible, assistance to the relevant Customer to facilitate the Customer's compliance with the other Privacy Principles as well as privacy by design and privacy by default.

3.4 Availability of this Policy

Cisco will make this Policy available to data subjects by publishing it on a public-facing Cisco website that is accessible to the data subjects, and in the case of the data subjects being Cisco employees, on a Cisco intranet site that is accessible to the employees.

3.5 Updates to this Policy

Cisco may periodically review and revise its personal data protection and privacy practices, policies, and procedures including this Global Privacy Policy. If any significant changes are made, Cisco shall:

  • Take reasonable steps to inform all Cisco Group Companies, Cisco Workers, Customers, business partners, and other data subjects affected by the revisions; and
  • Post appropriate notices referring to the changes on the relevant websites—both internal and external, as appropriate; and
  • Inform the relevant regulatory authority in accordance with applicable law.

3.6 Cooperating with Supervisory Authorities

Cisco will respond promptly and appropriately to requests from supervisory authorities about this Global Privacy Policy and any other matters or concerns regarding privacy laws and regulations.

4. Policy Compliance

Cisco is committed to ensuring that this Global Privacy Policy is observed by all Cisco Workers. Cisco Workers must comply with this Global Policy.

4.1 Compliance Effective Date

This policy is effective upon approval.

4.2 Compliance Management

Cisco shall appoint a Data Protection Officer (DPO) and establish and maintain a Data Privacy Program, with executive sponsorship, which is responsible for monitoring and ensuring compliance with applicable privacy and data protection laws and this Policy.

4.3 Compliance Measurement

Compliance with this Global Privacy Policy is verified by various means, including reports from available business tools, internal and external audits, self-assessment, and/or feedback to the policy owner(s). Cisco will monitor its compliance with this Policy on an ongoing basis. Cisco will periodically verify that this Global Privacy Policy continues to conform to the applicable Personal Data Protection and Privacy Laws and is being complied with. Cisco will make the final results of reports of its internal or external Audits to relevant regulatory authorities upon request and with appropriate confidentiality protections.

4.4 Compliance Exceptions

Any exception to this Global Privacy Policy requires the written approval of the Chief Privacy Officer and Cisco Legal.

Any records of exceptions should be archived according to the Cisco Records Management Process.

4.5 Non-Compliance

Compliance with Cisco policies is required. Deviations or non-compliance with this Policy, including attempts to circumvent the stated policy/process by bypassing or knowingly manipulating the process, system, or data may result in disciplinary actions, including termination, civil action and lawsuits, and referral for criminal prosecution as allowed by local laws.

In some countries, violations of regulations designed to protect Personal Data may result in administrative sanctions, penalties, claims for compensation or injunctive relief, and/or other civil or criminal prosecution and remedies against Cisco and culpable persons in their individual capacity.

5. Related Policies and Supporting Documents

6. Supporting Documents

7. Definitions

The following terms appear in this document.

Term

Definition

APEC The Asia-Pacific Economic Cooperation (APEC) is a regional economic forum established to leverage the growing interdependence of the Asia-Pacific.
Business Personal Data Personal Data processed by Cisco in a business context that is not People Data.
Cisco Candidate

A person who is of interest for a job opportunity at Cisco but may not have applied for a specific job.

Cisco Cisco Systems, Inc. and its subsidiaries, worldwide.
Cisco Worker

This includes employees and contingent workers.

Note: Any reference to 'Cisco Worker or Candidate' in this Policy is only for the purpose of the operation of this Policy and is not intended to and does not in any way indicate or give rise to an employment relationship between the 'Cisco Worker or Candidate' as referenced, and Cisco.

Customers Individuals who are current, former, or prospective customers of Cisco or who represent organizations that are customers.
Data Controller An entity which alone or jointly determines the purpose for which, and the manner in which, Personal Data is processed.
Data Processor An entity which processes Personal Data on behalf of a Data Controller, under the Data Controller’s instructions.
European Data Protection Law EU General Data Protection Regulation (EU) 2016/679, the Electronic Communications Directive 2002/58/EC, and all laws and regulations giving binding legal effect to them in an EEA country, together with any successor or replacement legislation and regulation.
People Data Information relating to an identified or identifiable Cisco Worker or Candidate insofar as that information has been obtained by Cisco in the context of the Cisco Worker's or Candidate’s actual or potential working relationship with Cisco. A Cisco Worker or Candidate is ‘identifiable’ if he/she can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity. Cisco People data includes each of the following:
  • Cisco Worker or Candidate Company Identification Data—Data generated and/or collected solely for the purpose of identifying a Cisco Worker in the performance of his/her duties for Cisco.
  • Cisco Worker or Candidate Contextual Data— Data generated and/or collected which identifies or describes the performance, compensation or other similar information which provides additional information about the worker, their background and family.
  • Cisco Worker or Candidate Personal Identification Data - Data generated and/or collected which identifies or describes non-Cisco identifiers related to the workers’ or candidates’ bank, governmental or other accounts.
Personal Data Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Personal Data Processing Any operation or set of operations performed on Personal Data, at any time in its lifecycle, including creating, collecting, recording, organizing, storing, adapting, altering, retrieving, accessing, reviewing, consulting, using, disclosing in any way (for example, by transmission, dissemination, or otherwise making the data available), analyzing, aligning or combining data, or blocking, erasing or destroying data. Processing is not limited to automatic means or type of media. In short, Cisco “processes” Personal Data any time we or our Third-Party Processors use, touch, or handle Personal Data in any way.
Personal Data Protection and Privacy Laws All applicable legislation and regulatory requirements relating to personal data protection and privacy including without limitation all regional, national, and local personal data protection privacy laws and related regulations, as amended, repealed, consolidated, or replaced from time to time.

Sorry, no results matched your search criteria(s). Please try again.

This Global Privacy Policy is Cisco’s Binding Corporate Rules -- Controller (BCR-C) for applicable Cisco entities.

The Global Privacy Policy was revised and effective as of June 12, 2023.