Skip to content
    1. Overview
    2. Alternative Managers
    3. Consultants
    4. Family Offices
    5. Financial Advisors
    6. Financial Institutions
    7. Individuals & Families
    8. Insurance Companies
    9. Investment Managers
    10. Nonprofits
    11. Pension Funds
    12. Sovereign Entities
  1. Contact Us
  2. Search
  3. Client Login

Binding Corporate Rules

Introduction

Data protection law in Europe gives individuals the right to control how their personal data is used. It also requires that safeguards are in place when personal data may need to be transferred to countries whose national laws do not provide the same level of protection as the EU/EEA.

Northern Trust maintains a global operating model which enables delivery of our services and products to our international client base. Data protection laws, in some countries to which Northern Trust transfers personal data, may be considered less protective than those in the EU/EEA. 

As part of our commitment and dedication to protecting your privacy and safeguarding your confidential personal and financial information, Northern Trust has adopted Binding Corporate Rules (“BCRs”) to comply with European data protection law, specifically regarding transfers of personal data outside of the EU/EEA.

The BCRs are regarded as the gold standard for ensuring compliance with personal data transfer requirements, as they contain and mandate strict requirements as to GDPR compliance. In addition, BCRs are the only international data transfer mechanism under the GDPR that  requires official review and receipt of formal approval from the EU data protection authorities.

Whether Northern Trust is acting as a controller or a processor of personal data, the standards and requirements of our BCRs will apply to personal data that we may transfer to our group entities globally. 

What are the Binding Corporate Rules (“BCRs”)

BCRs are explicitly recognized in the GDPR as a mechanism for providing safeguards to transfers of personal data from the EU/EEA to other countries whose data protection laws may be less protective than the EU/EEA.

The BCRs are a set of legally-binding internal rules and standards that apply to the transfer of personal data from Northern Trust group entities in the EU/EEA to other group entities outside the EU/EEA.

The BCRs are underpinned by Policies and Standards that reflect the strict data protection requirements applicable under the GDPR, including transparency, data protection, individual rights, and accountability. 

Difference between Controller and Processor Binding Corporate Rules 

Controller Binding Corporate Rules (BCR-C) apply to transfers of personal data that Northern Trust may hold for its own purposes. For example, this includes personal data that Northern Trust may need to comply with applicable law; manage client relationships or human resources. 

Processor Binding Corporate Rules (BCR-P) apply to transfers of personal data that Northern Trust may hold on behalf of its institutional clients. For example, this includes administering investor and beneficiary accounts on behalf of clients.  

 EU Binding Corporate Rules

Links

Binding Corporate Rules for Controllers

Learn More

Binding Corporate Rules for Processors

Learn More

Switzerland Binding Corporate Rules

Swiss Addendum to the EU BCRs: The EU BCRs create a binding corporate rules (BCR) framework which has been approved by the relevant European Supervisory Authorities as providing an adequate level of protection for Personal Data transferred to members of the Northern Trust Group outside the EEA and located in a Third Country.

According to Article 16 paragraph 2 letter e of the Swiss Federal Act on Data Protection, this approval by the relevant European Supervisory Authorities also constitutes a guarantee of adequate data protection for transfers of Personal Data from Switzerland to countries without an adequate level of data protection according to Swiss data protection legislation.

In view of and within the scope of applicability of Swiss data protection laws, the BCRs are supplemented as follows:

Links

Binding Corporate Rules Swiss Addendum (BCR-C)

Learn More

Binding Corporate Rules Swiss Addendum (BCR-P)

Learn More

Guernsey Binding Corporate Rules

Guernsey Addendum to the EU BCRs: The EU BCRs create a binding corporate rules (BCR) framework which has been approved by the relevant European Supervisory Authorities as providing an adequate level of protection for Personal Data transferred to members of the Northern Trust Group outside the EEA and located in a Third Country.

According to Section 56(1)(a) and (2)(b)(ii) of the Data Protection (Bailiwick of Guernsey) Law, 2017, this approval by the relevant European Supervisory Authorities also constitutes a guarantee of adequate data protection for transfers of Personal Data from Guernsey to countries without an adequate level of data protection according to Guernsey data protection legislation.

In view of and within the scope of applicability of Guernsey data protection laws, the BCRs are supplemented as follows:

Links

Binding Corporate Rules Guernsey Addendum (BCR-C)

Learn More

Binding Corporate Rules Guernsey Addendum (BCR-P)

Learn More

EMEA - Additional Information

Links

EMEA Privacy Notice

Learn More

EMEA Sub-Processor List

Accessible to EMEA Controller clients

Learn More

Contact the Global Privacy Team

Get in touch by Emailing: Privacy_Compliance@ntrs.com

Contact Us