- Purpose and lawful basis for processing
- What we need
- Why we need it
- What we do with it
- How long we keep it
- What are your rights?
- Do we use any data processors?
Our purpose for processing this information is to have a contact point at your organisation and to respond to you with the outcome of the Binding Corporate Rules (BCR) assessment.
The lawful basis we rely on to process your personal data is article 6(1)(e) of the UK GDPR, which allows us to process personal data when this is necessary to perform our public tasks as a regulator.
When we assess and authorise BCR applications, we’ll take the name and contact details of your organisation’s main point of contact and your external legal representatives if applicable.
We use the data collected to assess the BCR application, issue the national authorisation and evidence the information provided.
We’ll publish the fact that we have issued an approval for transfers of personal data under BCRs for your organisation, but this will not contain any personal data.
For information about how long we hold personal data, see our retention schedule.
We process personal data in the BCR assessment and authorisation in our capacity as regulator, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.
For more information on your rights, please see ‘Your rights as an individual’.
Yes – we may sometimes share this information with our external legal representatives.