Skip to Content

Data Protection Policy

Capgemini is committed to protecting the privacy of its clients, employees and partners. In order to do so, Capgemini has adopted Binding Corporate Rules (BCR) as its global data protection policy.

Capgemini BCR apply to all Capgemini entities and their employees, ensuring a strong standard of protection for all personal data processed by Capgemini, whether on its own behalf and on behalf of its clients.

Capgemini EU & UK Processor BCR (BCR-P) apply to and cover the processing and transfers of personal data carried out by Capgemini as a data processor i.e. where Capgemini is processing and transferring personal data to deliver services to its Clients. More specifically and as provided under the draft EDPB Recommendation 1/2022 (adopted on Nov. 2022) “BCR-P apply to data received from a controller that is not a member of the Group, and which are then processed by the concerned Group members as processors and/or sub-processors.”

The EU Binding Corporate Rules (EU BCR) for Controller & Processor activities – initially approved by the European Data Protection Authorities in March 2016 and subsequently updated in January 2019 to comply with the General Data Protection Regulation (GDPR).

Capgemini EU BCR were most recently updated in April 2023 in light of the so-called Schrems II decision. Indeed, in order to align with the additional obligations stemming from this decision, the European Data Protection Board (EDPB) – which is composed of representatives from EU national data protection authorities – is in the process of updating the BCR requirements. In the meanwhile, Capgemini has been working with its Lead data protection authority, the CNIL, to start the process of updating its BCRs to comply with the upcoming requirements. The public version of Capgemini’s EU BCRs reflects this work.

The UK Binding Corporate Rules (UK BCR) for Controller & Processor activities – Following Brexit, and to comply with UK data protection legislation, Capgemini submitted an application for UK BCR to the Information Commissioner Office (ICO) – the UK Data Protection Authority – which was approved in March 2022.

In addition to being Capgemini’s global data protection policy, BCR allow Capgemini to safely transfer personal data among entities of the Group, in compliance with the EU General Data Protection Regulation (GDPR) and UK  General Data Protection Regulation (UK GDPR).  

Capgemini EU & UK Controller BCR (BCR-C) apply to and cover the processing and transfers of personal data carried out by Capgemini entities acting as data controller  i.e. where Capgemini is processing and transferring data between entities of the Group as part of its own operations.