
Data Protection Policy

Capgemini is committed to protecting the privacy of its clients, employees and partners. In order to do so, Capgemini has adopted Binding Corporate Rules (BCR) as its global data protection policy.

Capgemini BCR apply to all Capgemini entities and their employees, ensuring a strong standard of protection for all personal data processed by Capgemini, whether on its own behalf or on behalf of its clients.

The EU Binding Corporate Rules (EU BCR) for Controller & Processor activities were initially approved by the European Data Protection Authorities in March 2016 and subsequently updated in January 2019 to comply with the General Data Protection Regulation (GDPR).

Capgemini EU BCR were most recently updated in April 2023 in light of the so-called Schrems II decision. To align with the additional obligations stemming from this decision, the European Data Protection Board (EDPB), which is composed of representatives from EU national data protection authorities, is in the process of updating the BCR requirements. In the meantime, Capgemini has been working with its lead data protection authority, the CNIL, to start the process of updating its BCRs to comply with the upcoming requirements. The public version of Capgemini’s EU BCRs reflects this work.

In order to comply with UK data protection legislation following Brexit, Capgemini Group also has the UK Binding Corporate Rules (UK BCR) for Controller & Processor activities, which were approved in March 2022 by the Information Commissioner's Office (ICO), the UK Data Protection Authority.

In addition to being Capgemini’s global data protection policy, BCR allow Capgemini to safely transfer personal data among entities of the Group, in compliance with the EU General Data Protection Regulation (GDPR) and UK General Data Protection Regulation (UK GDPR).  

Capgemini EU & UK Controller BCR (BCR-C) apply to and cover the processing and transfers of personal data carried out by Capgemini entities acting as data controller, i.e. where Capgemini is processing and transferring data between entities of the Group as part of its own operations.

Capgemini EU & UK Processor BCR (BCR-P) apply to and cover the processing and transfers of personal data carried out by Capgemini as a data processor, i.e. where Capgemini is processing and transferring personal data to deliver services to its Clients. More specifically, and as provided under the draft EDPB Recommendation 1/2022 (adopted in Nov. 2022), “BCR-P apply to data received from a controller that is not a member of the Group, and which are then processed by the concerned Group members as processors and/or sub-processors.”