Binding Corporate Rules (“BCRs”) express Fiserv’s commitment to privacy. BCRs are legally binding data protection policies and a detailed code of conduct, approved by EU and UK data protection authorities following significant consultation. BCRs are Fiserv’s commitment to uphold standards of data protection in our processing of EU and UK Personal Data based on strict principles established by EU and UK data protection authorities. The approval of our BCRs demonstrates that Fiserv has implemented a consistent set of robust privacy practices worldwide for the processing of EU and UK Personal Data.
BCRs facilitate the transfer of EU and UK Personal Data internationally to our affiliates around the world in compliance with EU and UK data protection law. BCRs provide confidence to employees, clients and data subjects that their EU and UK Personal Data is being processed using legally binding standards which provide for strong privacy and security protections.
The EU and the UK recognize two kinds of BCRs: Controller BCRs and Processor BCRs.
Chronology of Fiserv BCRs
- 2011; First Data obtained approval from Information Commissioners Office (“ICO”) for EU Processor BCRs
- 2014; First Data obtained approval from ICO for EU Controller BCRs
- 2019; First Data was acquired by Fiserv. The change in corporate ownership did not impact the BCRs for the activities of those companies who were signatories.
- 2021; As a result of Brexit, it was necessary to split our BCRs into distinct EU and UK BCRs. Irish Data Protection Commission (“DPC”) became our Lead Supervisory Authority for our EU BCRs. ICO remains our Supervisory Authority for UK BCRs.
- 2023; DPC approved the extension of the original First Data EU BCRs to the wider Fiserv group and original Fiserv companies.
Additional information on our BCRs can be found within the following documents, found on the links posted below:
- A copy of both our Processor and Controller BCRs for each of the EU and the UK
- A listing of the entities that have signed an Intragroup Agreement which binds those entities to comply with the respective set of BCRs.
The contents of this page, and the BCRs themselves, will be updated when appropriate. Should you have any queries or concerns about the BCRs please contact dpo@fiserv.com.