Binding Corporate Rules (BCRs) express our commitment to data protection at First Data.  BCRs are a legally binding agreement with the Data Protection Authorities of the EU member states to uphold standards of data protection in connection with providing services to our data subjects (individuals) and clients.  BCRs facilitate First Data’s transfer of Personal Data internationally to our global affiliates in compliance with EU data protection law.

The EU currently recognizes two kinds of BCRs: Controller BCRs and Processor BCRs. Our Controller BCRs enable us to transfer Personal Data that we control (for example, employee information) within First Data globally. Processor BCRs enable us to make global transfers of personal data that we process on behalf of our clients from the EU to other First Data locations. First Data is one of very few groups of companies to have obtained approval for both Controller BCRs and Processor BCRs.

BCRs provide confidence to First Data employees, clients, data subjects (individuals), and end-consumers that their Personal Data is being processed using legally binding standards. BCRs offer a competitive advantage over other processors without this approval.

BCRs do not override client contracts or local laws and regulations, so any restrictions contained in those documents and laws still apply.

Additional information can be found within the following documents which are posted below:

  • A copy of both our processor and controller BCRs
  • A listing of the First Data entities that have executed intra-group agreements (IGAs)
First Data Corporate Security / Data Privacy Hotline

+1 800-368-1000