EY - Data Protection Binding Corporate Rules Program

EY Data Protection Binding Corporate Rules Program

  • Share

EY has established a Binding Corporate Rules (BCR) Program to comply with European data protection law, specifically regarding transfers of personal data between the Member Firms.

What is data protection law?

Data protection law in Europe gives people the right to control how their personal data1 is used. When Ernst & Young collects and uses the personal data of its current, past and prospective partners and employees, clients, suppliers, sub-contractors and any other third parties, this activity is covered and regulated by data protection law.

How does data protection law affect Ernst & Young internationally?
Data protection law does not allow personal data to be transferred to countries outside Europe 2 without ensuring an adequate level of data protection. Some of the countries in which Ernst & Young operates are not regarded by European data protection authorities as providing an adequate level of protection for individuals’ data privacy rights.

What is Ernst & Young doing about it?
To avoid breaking the law, Ernst & Young must take proper steps to ensure that its use of personal data on an international basis is safe and, hence, lawful. The purpose of this BCR, therefore, is to develop the framework set out in the global privacy program to satisfy the standards contained in European data protection law and, as a result, provide an adequate level of protection for all personal data used and collected in Europe and transferred from the Member Firms within Europe to Member Firms outside Europe.

Although the legal obligations under European law apply only to personal data used and collected in Europe, Ernst & Young will apply this BCR globally, and in all cases where Ernst & Young processes personal data both manually and by automatic means, whether the personal data relates to Ernst & Young’s current, past and prospective partners and employees, clients, suppliers, sub-contractors and any other third parties 3.

Central to this BCR are 15 rules based on, and interpreted in accordance with, relevant European data protection standards. These rules must be followed by each partner, employee or contractor when handling personal data. All Member Firms are bound to comply with this BCR as a result of becoming a member of Ernst & Young Global Ltd (“EYG”) by way of signing the joining agreement.

By signing the joining agreement Member Firms are subject to comply with all common standards, methodologies and policies of Ernst & Young which are set out in the EYG Regulations. The BCR is part of one of the common standards specifically mentioned in the EYG Regulations.

Compliance with the BCR must be confirmed annually by Member Firms to their respective Area Privacy leader. Area Privacy leaders must communicate the results of the Member Firm annual compliance confirmation to the Global Privacy Director.

Further information

For the full text of our Binding Corporate Rules, click here.

If you have any questions regarding the provisions of this BCR, your rights under this BCR or any other data privacy issues, you may contact Ernst & Young’s Global Privacy Director, who will either deal with the matter or forward it to the appropriate person or department within Ernst & Young. The Global Privacy Director can be reached at the following address:


Geraldine Henbest
Global Privacy Director
Ernst & Young Global Limited


1 Personal data means any information relating to an identified or identifiable natural person in line with the definition in Directive 95/46/EC.

2 For the purpose of this BCR, reference to Europe means the EEA and Switzerland.

3 Processing in European data protection law means any set of operations performed upon personal data whether or not by automatic means. This is interpreted widely to include collecting, storing, organizing, destroying, amending, consulting, destroying and disclosure of the personal data.