At a high level, Binding Corporate Rules (BCRs) are First Data’s global privacy policy. They set our global standard for privacy protection. The BCRs include a set of privacy principles that are broad statements of our commitment to data protection. The principles provide the foundation for our BCRs.

The EU currently recognizes two kinds of BCRs: Controller BCRs and Processor BCRs. First Data obtained approval for Controller BCRs in 2011 and just received approval for Processor BCRs in late 2014. Our Controller BCRs enable us to transfer Personal Data that we control (for example, employee information) within First Data globally. Processor BCRs enable us to make global transfers of personal data that we process on behalf of our clients from the EU to other First Data locations.

BCRs are a tool designed to help a multinational company facilitate international transfers of Personal Data to its global affiliates. The BCRs will help provide confidence to First Data employees, clients, and end-consumers that their Personal Data is being processed using legally binding standards. BCRs offer a competitive advantage over other processors without this approval. They highlight First Data’s solid commitment to the protection of data. In addition, the BCRs will make complying with our legal and regulatory compliance obligations less time-consuming and expensive.

It must be noted that BCRs do not override client contracts or local laws and regulations, so any restrictions contained in those documents and laws still apply.

Additional information can be found within the following documents which are posted below.

  • A copy of both our processor and controller BCRs
  • A summary document of the BCRs
  • A listing of the entities which have executed intra-group agreements (IGAs)
First Data Corporate Security / Data Privacy Hotline

+1 800-368-1000