EY - Binding corporate rules on data protection (BCR)

Binding corporate rules on data protection (BCR)

  • Share

EY has introduced a program for binding corporate rules (BCR). This program governs compliance with the European Data Protection Directive1, particularly in view of the transmission of personal data among EY member companies.

What is the purpose of the European Data Protection Directive?
The European Data Protection Directive grants citizens the right to control the use of their personal data2. If EY collects and uses the personal data of its current, former and potential partners, employees, clients, suppliers and contractors as well as other third parties, such collection and use is subject to European data protection provisions.

To what extent is EY affected by the European Data Protection Directive at the international level?
According to the European Data Protection Directive, personal data may not be transmitted to countries outside of Europe3 if data protection is not adequately guaranteed. In some countries in which EY is active, the data protection rights of private individuals are not adequately observed under the viewpoint of the European data protection authorities.

What does EY do to counter this?
In order to avoid violations of applicable law, EY must take appropriate measures to ensure that personal data is used with the necessary security and thus lawfully by our companies around the world.

The purpose of binding corporate rules therefore is to further develop the parameters of our global data protection program to ensure that they meet the standards of the European Data Protection Directive. In this way, we ensure an adequate level of protection for all personal data that is collected and used in Europe as well as data that is transmitted from European to non-European member companies.

Pursuant to the European Data Protection Directive, the legal obligations only apply to personal data that is collected and used in Europe. However, EY will apply the binding corporate rules globally and in all cases in which EY processes personal data manually or automatically4 – irrespective of whether this personal data relates to current, former or potential partners, employees, clients, suppliers and contractors of EY or other third parties.

The central component of the binding corporate rules are 15 rules that are based on the relevant European data protection standards and are to be interpreted in accordance with these standards. These rules must be followed by all partners, employees and contractors which handle personal data. All member companies that belong to Ernst & Young Global Ltd. ("EYG") and that have signed the corresponding association agreement are required to comply with the binding corporate rules.

By signing the association agreement, the member companies are bound by all uniform standards, methods and directives of EY as set out in the EYG rules and regulations ("EYG Regulations"). The binding corporate rules are part of one of the uniform standards that is particularly emphasized in the EYG Regulations.

The member companies must confirm their compliance with the binding corporate rules to the data protection officer for their area (Area Privacy Leader) once annually. The Area Privacy Leader in turn must prepare a report on the annual confirmation notices from the member companies for the global data protection officer (Global Privacy Director).

Further information

For the complete text of our binding corporate rules, click here.

For questions about individual provisions of the binding corporate rules, about your rights according to these corporate rules or for other questions about data protection, please contact the Global Privacy Officer at EY. This person will either take care of the matter personally or refer you to the responsible employee or corresponding department within EY. The Global Privacy Officer can be reached via the following link:

Andrew Heaton
Global Privacy Officer
Ernst & Young Global Limited


1 The BCR have been registered with the Federal Data Protection and Information Commissioner (FDPIC).
2 Personal data includes information that relates to an identified or identifiable natural person pursuant to the definition in Directive 95/46/EC.
3 For the purpose of these binding corporate rules, Europe includes the European Economic Area and Switzerland.
4 Pursuant to the European Data Protection Directive, processing includes any activities, whether manual or automatic, that are carried out in connection with personal data. According to the current interpretation, this includes collecting, saving, organizing, destroying, altering, accessing and publishing personal data.