Binding Corporate Rules

PLEASE NOTE: First Data was acquired in 2019 by Fiserv. The change in corporate ownership does not impact the applicability of the Binding Corporate Rules (BCRs), which remain in force relating to the activities of companies listed in the membership documents posted below. The contents of this page, and of the BCRs themselves, will be updated when appropriate. Should you have any queries or concerns about the BCRs, as to their continued effectiveness or otherwise, please contact dpo@fiserv.com.​

​Binding Corporate Rules express our commitment to privacy. BCRs are a legally binding agreement with the Data Protection Authorities of the EU member states and the UK to uphold standards of data protection in connection with providing services to our data subjects (individuals) and clients. BCRs facilitate the transfer of Personal Data internationally to our affiliates in compliance with EU and UK data protection law.​

​Both the EU and the UK currently recognize two kinds of BCRs: Controller BCRs and Processor BCRs. Our Controller BCRs enable us to transfer Personal Data that we control (for example, employee information) between BCR members. Processor BCRs enable us to make global transfers of personal data that we process on behalf of our clients from the EU and the UK to other locations. ​

BCRs provide confidence to employees, clients and data subjects that their Personal Data is being processed using legally binding standards. BCRs offer a competitive advantage over other processors without this approval.​

​BCRs do not override client contracts or local laws and regulations, so any restrictions contained in those documents and laws still apply.​

​Additional information can be found within the following documents, which are posted below:​

• ​A copy of both our processor and controller BCRs ​for each of the EU and the UK
• A listing of the entities that are members of each set of BCRs for the EU and the UK