Binding Corporate Rules

As a world leader in high technology with affiliated companies processing personal data in more than 60 countries, Thales ensures that this data can be transferred securely between Thales Group companies, with an adequate level of protection.

Guaranteeing such a level of protection is one of the reasons why Thales has adopted Binding Corporate Rules (the “BCR”), which were approved by the French Data Protection Authority (“Commission Nationale de l'Informatique et des Libertés”) in December 2023.
 

The Thales BCR constitute the Thales Group's global policy on the protection of personal data, defining the principles and procedures applicable to all Thales Group companies.

Two series of BCR have been adopted by Thales: the BCR-C ("Controller") and the BCR-P ("Processor").
The BCR-C are applicable to Thales when:

  • a Thales company acts as data controller, or
  • a Thales company acts as an internal data processor, following the instructions of another Thales company acting as data controller.

The BCR-P are applicable to Thales when:

  • a Thales company acts as data processor, following the instructions of a customer or any other third party acting as data controller.

The BCR-C and the BCR-P are intended to govern transfers of personal data from a Thales company established in the European Economic Area (EEA) or in the United Kingdom (UK) to a Thales company established outside the EEA or the UK, in a third country which has not been recognized as offering an adequate level of protection by an adequacy decision of the European Commission or the UK.

All Thales Group companies and their employees undertake to comply with the BCR and to protect the personal data entrusted to them in the course of their activities. 

This is all the more important as the protection and security of personal data is crucial for Thales.