Skip to main content

EU Binding Corporate Rules authorised under Article 26(2) of Directive 95/46/EC

Contents

List of BCR Holders (approved pursuant to paragraph 9, Part 3, Schedule 21 to the DPA 2018)

Group entity UK entity with delegated responsibility for UK BCRs Type Categories of data
Accenture Accenture (UK) Limited Controller
  • Employees (and dependants inc. children) - includes permanent and contracting staff and applicants
  • Non-employee workers
  • Business & Marketing contacts
  • Vendor, supplier contacts.
  • Website users and complainants, correspondents and enquirers.
  • Other third parties
American Express Company American Express Services Europe Limited Controller
  • Customer Data
Astra Zeneca PLC AstraZeneca PLC Controller
  • HR
  • Healthcare professionals
  • Suppliers
  • Patients
Box, Inc Box.com (UK) Ltd Controller
  • Personnel personal data
  • Vendor Personnel data
  • Customer data
  • Content personal data
Box, Inc Box.com (UK) Ltd Processor
  • Customer data
  • Content personal data
British Telecommunications plc (BT Plc) BT Plc Controller
  • HR data
  • Customer data
  • Shareholder data

British Telecommunications plc (BT Plc) BT Plc Processor
  • Customer data in connection with the services it provides to third party Data Controllers
Cargill, Inc Cargill PLC Controller
  • Business Information
  • Business
  • HR
Citigroup Inc. Citigroup Global Markets Limited Controller
  • Workforce data
Ernst & Young Global Limited Ernst & Young Global Limited Controller
  • Current, past and prospective EY Personnel, clients, suppliers, subcontractors and any other third parties ("EY Data").
Ernst & Young Global Limited Ernst & Young Global Limited Processor
  • EY Personnel
  • EY Data
  • Third Party Client (Controller) data
First Data Corporation FDR LIMITED, LLC(UK branch) Controller
  • Customer Information
  • Employee Data
  • Vendors, Suppliers, Merchants
First Data Corporation FDR LIMITED, LLC(UK branch) Processor
  • Customer Data
Flex Ltd. Flextronics Global Services (Manchester) Limited Controller
  • Employee Data
  • Business Contact Information
  • Shareholder Information
Fluor Corporation Fluor Limited Controller
  • HR
  • Client contact information Third party clients
GlaxoSmithKline plc. GlaxoSmithKline plc. Controller
  • HR and R&D activities
Global Hyatt Corporation (GHC) Hyatt Holdings (UK) Limited Controller
  • Employee
  • Guest data
International Business Machines Corporation (IBM) IBM United Kingdom Limited Controller
  • Employee Information
  • Business Personal Information
Intel Corporation Intel Corporation (UK) Ltd Controller
  • Human resources data
  • Customer relationship management data
  • Supply chain management data
JP Morgan Chase & Co (JPMC) JP Morgan (JPMC) Controller
  • Customers
  • Suppliers
  • Business Partners
  • Other individuals in the context of its business activities and
  • Employees and their Dependents in the context of Employees’ working relationship with JPMC
Latham & Watkins LLP Latham & Watkins (London) LLP Controller
  • Employee Data (inc. former)
  • Personal information gathered for marketing purposes
Linklaters LLP Linklaters LLP Controller
  • HR related data
  • Client and other business related data
Marsh and McLennan Companies Inc. MMC UK GROUP LIMITED Controller
  • HR
  • Business contacts and clients including suppliers and vendors
  • Other third parties
Marsh and McLennan Companies Inc. MMC UK GROUP LIMITED Processor
  • Group member clients
Motorola Solutions Inc. Motorola Solutions UK Limited Controller
  • Employees, customers, suppliers and other individuals
Schlumberger Ltd. Schlumberger Oilfield UK PLC Controller
  • Employee
  • Customer Data
Verizon Business Group (VBG) Verizon UK Limited Controller
  • Employee
  • Customer
  • Contractor data
Verizon Business Group (VBG) Verizon UK Limited Processor
  • Customer

Binding Corporate Rules previously authorised under Article 26(2) of Directive 95/46/EC where Information Commissioner issued an authorisation (whether ICO was the lead supervisory authority or not).

Holders of EU BCRs for which Information Commissioner issued an authorisation under Directive 95/46/EC were automatically eligible for a UK BCR under paragraph 9, Part 3, Schedule 21 to the DPA 2018 (as amended from 1 January 2021).

These organisations have been permitted to rely on a UK BCR as a valid transfer tool since 1 January 2021 subject to:

  • Producing a UK version of their BCRs by 1 January 2021 incorporating the changes described in that paragraph and
  • Providing a UK version of their BCRs together with other amended documentation (as specified in the November Information Note) to the ICO on or before the next annual update return date.

We have published a list of those organisations that were automatically entitled to a UK BCR pursuant to paragraph 9, Part 3, Schedule 21 to the DPA 2018 and have affirmed that they seek a UK BCR.

Any organisations who fit into the above category who do not appear on the list and want UK BCRs should contact the ICO via [email protected] without delay.

Where organisations have submitted the required documentation already, ICO is currently in the process of reviewing and will be in touch in due course in respect of the amendments made.

Where documentation has not yet been provided, we would encourage organisations to submit this as soon as possible.

If the amended documentation is not provided to ICO’s satisfaction or at all, the Information Commissioner may revoke the authorisation both under the Directive 95/46/EC and, consequently, the 2019 Regulations as specified above.