Data Protection Policy

The EU Binding Corporate Rules (EU BCR) for Controller & Processor activities – initially approved by the European Data Protection Authorities in March 2016 and subsequently updated in January 2019 to comply with the General Data Protection Regulation (GDPR).

Capgemini EU BCR were most recently updated in April 2023 in light of the so-called Schrems II decision. Indeed, in order to align with the additional obligations stemming from this decision, the European Data Protection Board (EDPB) – which is composed of representatives from EU national data protection authorities – is in the process of updating the BCR requirements. In the meanwhile, Capgemini has been working with its Lead data protection authority, the CNIL, to start the process of updating its BCRs to comply with the upcoming requirements. The public version of Capgemini’s EU BCRs reflects this work.

The UK Binding Corporate Rules (UK BCR) for Controller & Processor activities – Following Brexit, and to comply with UK data protection legislation, Capgemini submitted an application for UK BCR to the Information Commissioner Office (ICO) – the UK Data Protection Authority – which was approved in March 2022.

In addition to being Capgemini’s global data protection policy, BCR allow Capgemini to safely transfer personal data among entities of the Group, in compliance with the EU General Data Protection Regulation (GDPR) and UK  General Data Protection Regulation (UK GDPR).  

Capgemini EU & UK Controller BCR (BCR-C) apply to and cover the processing and transfers of personal data carried out by Capgemini entities acting as data controller  i.e. where Capgemini is processing and transferring data between entities of the Group as part of its own operations.