ICO authorises Citi's Binding Corporate Rules

10 July 2012

The Information Commissioner's Office has authorised Citi's 'Binding Corporate Rules' – these are policies and procedures used to protect personal data across Citi's operations globally. Bird & Bird has worked with Citi on the development, authorisation and implementation of its BCRs.


Citi's BCRs were reviewed and authorised under a mutual recognition procedure set up by EU data protection authorities. Citi now joins a select group of companies which have completed this rigorous review process.


Ruth Boardman, the lead partner for our team and Joint Head of our International Privacy and Data Protection Group, comments: "This authorisation demonstrates Citi's commitment to achieving data privacy compliance not just in the UK but across its global network of offices: it is the culmination of great team effort across Citi."

Vivienne Artz, Managing Director and Head of Citi's International IP & Technology Group in London, comments: "Citi is delighted with the approval of its BCR, as it reflects the importance Citi attributes to protecting the personal data we process. This could not have happened without a concerted global effort and close teamwork between Citi and Bird & Bird."


David Smith, Deputy Information Commissioner, said: "Citi should be commended for its commitment to the concept of binding corporate rules and for the respect for the privacy of individuals that this demonstrates. The ICO welcomes approaches from multi-national organizations that need to share personal information within their own group, but outside Europe and who want to use binding corporate rules to enable that."


BCRs are a means by which organisations can legitimise international transfers of personal data under the Data Protection Directive (95/46/EC). The Directive states that personal data cannot be transferred to third countries unless adequate safeguards are in place to protect that data. BCRs offer multinational companies, like Citi, a flexible means for ensuring that their intra-group transfers are carried out in accordance with European data protection law. They require that a group draft an internal set of data protection rules and have these approved by data protection authorities.