Complying with data privacy laws is part of Accenture’s Code of Business Ethics (COBE). In line with our COBE, we implement recognized standards or legal arrangements, such as Binding Corporate Rules (BCR) within our business practices.
Accenture’s BCR has been in place since 2009, following an approval process conducted by the European Union data privacy regulators. The BCR was updated in 2018 to reflect new requirements under the EU General Data Protection Regulation.
This document defines obligations Accenture has in regards of data processing in scope of the BCR, and explains how we comply with those responsibilities across participating entities through our global data privacy program by addressing ethical aspects and legal compliance, accountability, opportunities and risk.
Our BCR apply to all personal data processed by Accenture as a data controller for our own purposes. It does not apply to Accenture as a data processor for services we provide to clients.
The BCR does not override any applicable national data privacy laws and regulations in countries where we operate.
Accenture’s data privacy obligations under the BCR are defined as a set of Commitments which establish our data privacy responsibilities and safeguards in relation to key requirements such as fair and lawful processing, data minimization, security and retention. The associated Annexes provide information on how we uphold these Commitments. In particular, Annex 1 explains our compliance measures including privacy by design and data protection impact assessments and how we cooperate with the supervisory authorities.
The table in Annex 2 sets out (i) information about the categories of individuals, (ii) the categories of personal data we may process about them; and (iii) a description of the purposes for which we process personal information.
A key component of the BCR is the data privacy rights given to individuals in relation to their personal information. These rights are explained in section Four of the Commitments. Annex 3 of the BCR sets out the process for individuals to exercise their rights, the procedure Accenture follows to facilitate these rights and the process for individuals to make data privacy complaints as well as how they can contact Accenture.
Accenture’s BCR is made binding on all participating entities using an Intercompany Agreement (ICA). All participating Accenture entities and their employees are bound by the BCR, irrespective of geographic location, and abide by the same internal rules for processing personal data. It also means that individuals’ rights stay the same no matter where individuals’ personal data is processed by Accenture.
Annex 1 provides an overview of how Accenture manages its BCR. Day to day responsibility for managing the BCR lies with the Global Data Privacy Team. Other Accenture functions have responsibility for matters such as auditing and security.
If you have any queries about the BCR, please direct them to Accenture’s Data Privacy Officer: DataPrivacyOfficer@accenture.com