Binding Corporate Rules

As one of the world’s foremost providers of consulting, technology and outsourcing services to a wide array of clients around the world, Capgemini is committed to protecting privacy and the Personal Data entrusted to it. As an international Group with companies in more than 40 countries, Capgemini needs to ensure that Personal Data flows freely and securely between all companies in the Capgemini Group with an appropriate and uniformed level of protection.

Capgemini’s Binding Corporate Rules (BCRs) consist of its Controller and Processor EU BCRs and Controller UK BCRs, and Processor UK BCRs (Capgemini BCRs).

Capgemini EU BCRs – Capgemini’s Controller and Processor EU BCRs were approved by its lead Supervisory authority the CNIL in 2016, and further updated to comply with the General Data Protection Regulation (GDPR) in 2019 as acknowledged by the CNIL.

Capgemini UK BCRs – Following Brexit and the introduction of the UK GDPR, Capgemini sought the approval of both its Controller and Processor UK BCRs. The Capgemini UK BCRs were approved by the Information Commissioner’s office in February 2022.

Capgemini BCRs may be amended from time to time including updating the members of the Capgemini Group that are subject to our BCRs and to comply with new requirements issued by the data protection authorities.

Following the so-called ‘Schrems II ’ decision from the European Court of Justice (ECJ), Binding Corporate Rules remain a valid and lawful transfer mechanism and in light of such decision Capgemini has not currently modified its BCRs. If further guidance is provided requiring changes to the Binding Corporate Rules, then Capgemini shall seek to implement the relevant amendments to its BCRs to ensure continued compliance.

Capgemini is committed to protecting all personal data entrusted to it as part of its activities as a Data Controller and as a Data Processor. As an international group, it is important to Capgemini that information flows freely and securely. Providing an appropriate level of protection to the personal data being transferred within the group, is one of the reasons why Capgemini has chosen to implement these Binding Corporate Rules (BCR) which were first approved by the French data protection authority, the CNIL, in March 2016. This is all the more important as legal data protection and legal data security are crucial for each affiliate of Capgemini. The financial and reputational risks are high.