List of BCR Holders (approved pursuant to paragraph 9, Part 3, Schedule 21 to the DPA 2018)
| Group entity | UK entity with delegated responsibility for UK BCRs | Type | Categories of data |
|---|---|---|---|
| Accenture | Accenture (UK) Limited | Controller |
|
| American Express Company | American Express Services Europe Limited | Controller |
|
| Astra Zeneca PLC | AstraZeneca PLC | Controller |
|
| Box, Inc | Box.com (UK) Ltd | Controller |
|
| Box, Inc | Box.com (UK) Ltd | Processor |
|
| British Telecommunications plc (BT Plc) | BT Plc | Controller |
|
| British Telecommunications plc (BT Plc) | BT Plc | Processor |
|
| Cargill, Inc | Cargill PLC | Controller |
|
| Citigroup Inc. | Citigroup Global Markets Limited | Controller |
|
| Ernst & Young Global Limited | Ernst & Young Global Limited | Controller |
|
| Ernst & Young Global Limited | Ernst & Young Global Limited | Processor |
|
| First Data Corporation | FDR LIMITED, LLC(UK branch) | Controller |
|
| First Data Corporation | FDR LIMITED, LLC(UK branch) | Processor |
|
| Flex Ltd. | Flextronics Global Services (Manchester) Limited | Controller |
|
| Fluor Corporation | Fluor Limited | Controller |
|
| GlaxoSmithKline plc. | GlaxoSmithKline plc. | Controller |
|
| Global Hyatt Corporation (GHC) | Hyatt Holdings (UK) Limited | Controller |
|
| International Business Machines Corporation (IBM) | IBM United Kingdom Limited | Controller |
|
| Intel Corporation | Intel Corporation (UK) Ltd | Controller |
|
| JP Morgan Chase & Co (JPMC) | JP Morgan (JPMC) | Controller |
|
| Latham & Watkins LLP | Latham & Watkins (London) LLP | Controller |
|
| Linklaters LLP | Linklaters LLP | Controller |
|
| Marsh and McLennan Companies Inc. | MMC UK GROUP LIMITED | Controller |
|
| Marsh and McLennan Companies Inc. | MMC UK GROUP LIMITED | Processor |
|
| Motorola Solutions Inc. | Motorola Solutions UK Limited | Controller |
|
| Schlumberger Ltd. | Schlumberger Oilfield UK PLC | Controller |
|
| Verizon Business Group (VBG) | Verizon UK Limited | Controller |
|
| Verizon Business Group (VBG) | Verizon UK Limited | Processor |
|
Binding Corporate Rules previously authorised under Article 26(2) of Directive 95/46/EC where Information Commissioner issued an authorisation (whether ICO was the lead supervisory authority or not).
Holders of EU BCRs for which Information Commissioner issued an authorisation under Directive 95/46/EC were automatically eligible for a UK BCR under paragraph 9, Part 3, Schedule 21 to the DPA 2018 (as amended from 1 January 2021).
These organisations have been permitted to rely on a UK BCR as a valid transfer tool since 1 January 2021 subject to:
- Producing a UK version of their BCRs by 1 January 2021 incorporating the changes described in that paragraph and
- Providing a UK version of their BCRs together with other amended documentation (as specified in the November Information Note) to the ICO on or before the next annual update return date.
We have published a list of those organisations that were automatically entitled to a UK BCR pursuant to paragraph 9, Part 3, Schedule 21 to the DPA 2018 and have affirmed that they seek a UK BCR.
Any organisations who fit into the above category who do not appear on the list and want UK BCRs should contact the ICO via [email protected] without delay.
Where organisations have submitted the required documentation already, ICO is currently in the process of reviewing and will be in touch in due course in respect of the amendments made.
Where documentation has not yet been provided, we would encourage organisations to submit this as soon as possible.
If the amended documentation is not provided to ICO’s satisfaction or at all, the Information Commissioner may revoke the authorisation both under the Directive 95/46/EC and, consequently, the 2019 Regulations as specified above.