Worldline BCR-C
Binding Corporate Rules
Worldline received in May 2025 the approval for its Binding Corporate Rules for Controller (BCR-C) and for Processor (BCR-P) from the French Data Protection Authority (CNIL), following concurrence from the European Data Protection Board (EDPB).
In this page you will find the most common questions and answers about Worldline’s BCRs as well as the BCRs text and appendices.
Q&A
-
Binding Corporate Rules, or BCRs, are data protection policies adhered to by companies for international transfers of personal data within a group of undertakings or enterprises. The BCRs include general data protection principles and enforceable rights and obligations to ensure appropriate international personal data transfer mechanisms when processing personal data between Worldline group entities which are members to Worldline’s BCRs. A Worldline entity becomes a member to the BCRs by signing an intra-group agreement.
-
Worldline adopted BCRs to demonstrate its commitment to safeguarding personal data, facilitate smooth personal data transfers within the Worldline group, and ensure compliance with strict data protection laws across all jurisdictions.
-
BCRs guarantee that personal data is managed consistently with high privacy standards, providing reassurance to customers and employees that their personal data is protected and handled responsibly by all Worldline group entities around the world who are member of Worldline’s BCRs.
-
Worldline has two sets of BCR – one for when we process personal data for our own purposes (BCR-C), deciding on the purposes and the means, and one for when we process personal data on behalf of our customers (BCR-P). These two roles are different from one another in EU data protection regulations, which is reflected in our different sets of rules.
We handle personal data for various reasons as a data controller. For example, we collect, store, and access Personal Data of our employees in order to pay their salaries. When it comes to BCRs-C, we control the manner and purposes for which the personal data is being processed, and, therefore, we are referred to as the "Data Controller". These types of processing activities are therefore covered by our BCR-C.
When we provide services to our customers, however, it is our customers that control why and how personal data is to be processed. We process it on their behalf according to their instructions. In legal terms, this makes our customer the "Data Controller" and Ericsson the "Data Processor". To ensure that we act as a responsible partner for our customers when acting as their Data Processor, we have adopted our BCR-P.