Binding Corporate Rules


Binding Corporate Rules (“BCRs”) express Fiserv’s commitment to privacy. BCRs are legally binding data protection policies and a detailed code of conduct, approved by EU and UK data protection authorities following significant consultation. BCRs are Fiserv’s commitment to uphold standards of data protection in our processing of EU and UK Personal Data based on strict principles established by EU and UK data protection authorities. The approval of our BCRs demonstrates that Fiserv has implemented a consistent set of robust privacy practices worldwide for the processing of EU and UK Personal Data.  

BCRs facilitate the transfer of EU and UK Personal Data internationally to our affiliates around the world in compliance with EU and UK data protection law.​ ​BCRs provide confidence to employees, clients and data subjects that their EU and UK Personal Data is being processed using legally binding standards which provide for strong privacy and security protections.

The EU and the UK recognize two kinds of BCRs: Controller BCRs and Processor BCRs.

Chronology of Fiserv BCRs 

  • 2011; First Data obtained approval from Information Commissioners Office (“ICO”) for EU Controller BCRs (“EU BCR-C”)
  • 2014; First Data obtained approval from ICO for EU Processor BCRs (“EU BCR-P”)
  • 2019; First Data was acquired by Fiserv. The change in corporate ownership did not impact the BCRs for the activities of those companies who were signatories.
  • 2021; As a result of Brexit, it was necessary to split our BCRs into distinct EU and UK BCRs. Irish Data Protection Commission (“DPC”) became our Lead Supervisory Authority for our EU BCRs. ICO remains our Supervisory Authority for UK BCRs.
  • 2023; DPC approved the extension of the original First Data EU BCRs to the wider Fiserv group and original Fiserv companies.
  • 2025; ICO has confirmed that Fiserv’s UK Controller BCR (“UK BCR-C”) (consisting of the UK BCR-C Addendum, UK BCR-C Summary and Fiserv’s EU BCR-Cs) are compliant with and contains all the required elements of Article 47 UK GDPR. Fiserv’s UK BCR-C approval remains the same, pursuant to paragraph 9, Schedule 21 of the DPA 2018.
  • 2026; ICO has confirmed that Fiserv’s UK Processor BCR (“UK BCR-P”) (consisting of the UK BCR-P Addendum, UK BCR-P Summary and Fiserv’s EU BCR-Ps) are compliant with and contains all the required elements of Article 47 UK GDPR. Fiserv’s UK BCR-P approval remains the same, pursuant to paragraph 9, Schedule 21 of the DPA 2018.

​Additional information on our BCRs can be found within the following documents, found on the links posted below:​

  • ​A copy of our EU BCR-C & EU BCR-P.  ​
  • A copy of our UK BCR-P and UK BCR-C Summary
  • A listing of the Fiserv entities that have signed the EU BCR-C and BCR-P and the UK BCR-C and UK BCR-P Addenda which binds those entities to comply with the respective set of BCRs.

The contents of this page, and the BCRs themselves, will be updated when appropriate. Should you have any queries or concerns about the BCRs please contact dpo@fiserv.com.

EU Binding Corporate Rules

 

Full EU Controller Binding Corporate Rules
List of entities that have signed an IGA for​ EU Controller BCRs
Full EU Processor Binding Corporate Rules
List of entities that have signed an IGA for​ EU Processor BCRs

UK Binding Corporate Rules

 

UK BCR-C Summary
List of entities that have signed a BCR-C Addendum
UK BCR-P Summary
List of entities that have signed a BCR-P Addendum