EY has established a Binding Corporate Rules (BCR) Program to comply with European data protection law, specifically regarding transfers of personal data between EY Network entities. The BCR Program comprises both a BCR Controller Policy as well as a BCR Processor Policy.
In the BCR Program “EY” refers to the global organization of independent member firms (“EY Member Firm”) and other entities in the EY organization (“EY Network entity”) that are bound to comply with the requirements of Ernst & Young Global Limited (“EYG”). EYG is the central governance entity of the EY organization and coordinates EY Network entities and the cooperation among them.
Data protection law in Europe gives people the right to control how their personal data1 is used. When EY collects and uses the personal data of its current, past and prospective partners and employees, clients, suppliers, sub-contractors and any other third parties, this activity is covered and regulated by data protection law.
Data protection law does not allow personal data to be transferred to countries outside Europe 2 without ensuring an adequate level of data protection. Some of the countries in which EY operates are not regarded by European data protection authorities as providing an adequate level of protection for individuals’ data privacy rights.
EY must take proper steps to make sure its use of personal data on an international basis is safe and, hence, lawful. The purpose of the BCR Program, therefore, is to develop a framework to satisfy the standards contained in European data protection law and, as a result, provide an adequate level of protection for all personal data transferred from the EY Network entities within Europe to EY Network entities outside Europe.
EY applies the BCR Program globally, and in all cases where EY processes personal data both manually and by automatic means, whether the personal data relates to EY’s current, past and prospective partners and employees, clients, suppliers, sub-contractors and any other third parties 3.
Central to the BCR Program are various main rules based on, and interpreted in accordance with, relevant European data protection standards. These rules must be followed by each partner, employee or contractor when handling personal data.
All EY Member Firms are bound to comply with the BCR Program as a result of becoming a member of EYG by way of signing a joining agreement. By signing the joining agreement EY Member Firms are subject to comply with all common standards, methodologies and policies of EY which are set out in the EYG Regulations. The BCR Program is part of one of the common standards specifically mentioned in the EYG Regulations. EY Member Firms are responsible for making sure that their controlled entities also comply with the provisions of the EYG Regulations.
If you want to access your personal data being processed by EY or if you want to request rectification, erasure, restriction of processing or a readily portable copy of your personal data please contact us.
Further information
For the full text of our Binding Corporate Rules Controller Policy, click here (pdf).
For the full text of our Binding Corporate Rules Processor Policy, click here (pdf).
As a result of the departure of the United Kingdom from the European Union, EY has now produced a UK version of its BCR in order to comply with UK data protection law.
For the full text of our UK Binding Corporate Rules Controller Policy, click here (pdf).
For the full text of our UK Binding Corporate Rules Processor Policy, click here (pdf).
For additional information about our BCR Program, read our “BCR: a global data-sharing solution (pdf)” brochure.
If you have any questions regarding the provisions of the BCR Program, your rights under this BCR Program or any other data privacy issues, you may contact the EY Global Privacy Leader, who will either deal with the matter or forward it to the appropriate person or department within EY. The EY Global Privacy Leader can be reached at:
Felipe Paez
Global Privacy Leader
1 Personal data means any information relating to an identified or identifiable natural person in line with the definition in the EU General Data Protection Regulation (GDPR).
2 For the purpose of the BCR, reference to Europe means the EEA and Switzerland.
3 Processing in European data protection law means any set of operations performed upon personal data whether or not by automatic means. This is interpreted widely to include collecting, storing, organizing, destroying, amending, consulting, and disclosure of the personal data.