Awdurdod annibynnol y Deyrnas Unedig a sefydlwyd i gynnal hawliau gwybodaeth er budd y cyhoedd, annog cyrff cyhoeddus i fod yn agored a hybu preifatrwydd data i unigolion.

The concept of using Binding Corporate Rules (BCRs) to provide adequate safeguards for making restricted transfers was developed under EU law and continues to be part of UK law under the UK GDPR, specifically, Article 47.

You can make a restricted transfer within an international organisation if both you and the receiver have signed up to approved BCRs. UK BCRs are approved by the Commissioner under Article 58.3(j).

BCRs are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships.

Latest BCR update - 20 September 2021

Binding Corporate Rules previously authorised under Article 26(2) of Directive 95/46/EC where Information Commissioner issued an authorisation (whether ICO was the lead supervisory authority or not).

Holders of EU BCRs for which Information Commissioner issued an authorisation under Directive 95/46/EC were automatically eligible for a UK BCR under paragraph 9, Part 3, Schedule 21 to the DPA 2018 (as amended from 1 January 2021).

These organisations have been permitted to rely on a UK BCR as a valid transfer tool since 1 January 2021 subject to:

  • Producing a UK version of their BCRs by 1 January 2021 incorporating the changes described in that paragraph and
  • Providing a UK version of their BCRs together with other amended documentation (as specified in the November Information Note) to the ICO on or before the next annual update return date.

We have published a list of those organisations that were automatically entitled to a UK BCR pursuant to paragraph 9, Part 3, Schedule 21 to the DPA 2018 and have affirmed that they seek a UK BCR.

Any organisations who fit into the above category who do not appear on the list and want UK BCRs should contact the ICO via BCR@ico.org.uk without delay.

Where organisations have submitted the required documentation already, ICO is currently in the process of reviewing and will be in touch in due course in respect of the amendments made.

Where documentation has not yet been provided, we would encourage organisations to submit this as soon as possible.

If the amended documentation is not provided to ICO’s satisfaction or at all, the Information Commissioner may revoke the authorisation both under the Directive 95/46/EC and, consequently, the 2019 Regulations as specified above.

List of BCR Holders (approved pursuant to paragraph 9, Part 3, Schedule 21 to the DPA 2018)

Group entity UK entity with delegated responsibility for UK BCRs Type Categories of data
Accenture Accenture (UK) Limited Controller
  • Employees (and dependants inc. children) - includes permanent and contracting staff and applicants
  • Non-employee workers
  • Business & Marketing contacts
  • Vendor, supplier contacts.
  • Website users and complainants, correspondents and enquirers.
  • Other third parties
American Express Company American Express Services Europe Limited Controller
  • Customer Data
Astra Zeneca PLC AstraZeneca PLC Controller
  • HR
  • Healthcare professionals
  • Suppliers
  • Patients
Box, Inc Box.com (UK) Ltd Controller
  • Personnel personal data
  • Vendor Personnel data
  • Customer data
  • Content personal data
Box, Inc Box.com (UK) Ltd Processor
  • Customer data
  • Content personal data
British Telecommunications plc (BT Plc) BT Plc Controller
  • HR data
  • Customer data
  • Shareholder data

 

British Telecommunications plc (BT Plc) BT Plc Processor
  • Customer data in connection with the services it provides to third party Data Controllers
Cargill, Inc Cargill PLC Controller
  • Business Information
  • Business
  • HR
Citigroup Inc. Citigroup Global Markets Limited Controller
  • Workforce data
Ernst & Young Global Limited Ernst & Young Global Limited Controller
  • Current, past and prospective EY Personnel, clients, suppliers, subcontractors and any other third parties ("EY Data").
Ernst & Young Global Limited Ernst & Young Global Limited Processor
  • EY Personnel
  • EY Data
  • Third Party Client (Controller) data
First Data Corporation FDR LIMITED, LLC(UK branch) Controller
  • Customer Information
  • Employee Data
  • Vendors, Suppliers, Merchants
First Data Corporation FDR LIMITED, LLC(UK branch) Processor
  • Customer Data
Flex Ltd. Flextronics Global Services (Manchester) Limited Controller
  • Employee Data
  • Business Contact Information
  • Shareholder Information
Fluor Corporation Fluor Limited Controller
  • HR
  • Client contact information Third party clients
General Electric Company UK branch of GE International, GE International, Incorporated (GEII) Controller
  • Employee Data
  • Customer Data
  • Supplier Data
General Electric Company UK branch of GE International, GE International, Incorporated (GEII) Processor
  • Customer Personal Information
GlaxoSmithKline plc. GlaxoSmithKline plc. Controller
  • HR and R&D activities
Global Hyatt Corporation (GHC) Hyatt Holdings (UK) Limited Controller
  • Employee
  • Guest data
International Business Machines Corporation (IBM) IBM United Kingdom Limited Controller
  • Employee Information
  • Business Personal Information
Intel Corporation Intel Corporation (UK) Ltd Controller
  • Human resources data
  • Customer relationship management data
  • Supply chain management data
JP Morgan Chase & Co (JPMC) JP Morgan (JPMC) Controller
  • Customers
  • Suppliers
  • Business Partners
  • Other individuals in the context of its business activities and
  • Employees and their Dependents in the context of Employees’ working relationship with JPMC
Latham & Watkins LLP Latham & Watkins (London) LLP Controller
  • Employee Data (inc. former)
  • Personal information gathered for marketing purposes
Linklaters LLP Linklaters LLP Controller
  • HR related data
  • Client and other business related data
Marsh and McLennan Companies Inc. MMC UK GROUP LIMITED Controller
  • HR
  • Business contacts and clients including suppliers and vendors
  • Other third parties
Marsh and McLennan Companies Inc. MMC UK GROUP LIMITED Processor
  • Group member clients
Motorola Solutions Inc. Motorola Solutions UK Limited Controller
  • Employees, customers, suppliers and other individuals
Schlumberger Ltd. Schlumberger Oilfield UK PLC Controller
  • Employee
  • Customer Data
Verizon Business Group (VBG) Verizon UK Limited Controller
  • Employee
  • Customer
  • Contractor data
Verizon Business Group (VBG) Verizon UK Limited Processor
  • Customer

Binding Corporate Rules from 1 January 2021

From 1 January 2021 the ICO will accept UK BCRs Controller and UK BCRs Processor applications.

New applications for UK BCRs must be submitted to the ICO using the UK BCR application forms and referential tables referenced below. The ICO will work with you, your legal team or external lawyers in the review of your UK BCR application. When the ICO is satisfied that the requirements have been met the Information Commissioner will approve the UK BCR.

Organisations with existing authorised EU BCRs do not need to complete a UK BCR application form or referential table. However they must still provide ICO with a UK version of their BCRs.

The Information Commissioner has created the following guidelines for UK BCRs applications whilst complying with the requirements of UK GDPR:

Previous updates