What is HPE BCR (Binding Corporate Rules)

Binding Corporate Rules

HPE's BCR is a corporate privacy compliance framework made up of a binding agreement, business processes and policies, training and guidelines which has been approved by the Data Protection Authorities of most EU Member States. By such approval HPE is able to transfer the personal data of its European employees and customers to other members ("HPE Personal Data") of the worldwide group of HPE companies in compliance with EU data protection law.

1. Data Protection Safeguards

HPE Companies processing HPE Personal Data must comply with the BCR to ensure that your data is processed fairly and in compliance with applicable law. In particular, HPE Companies will;

  • Only process your personal data where they have a legal basis for doing so, which may be based on your consent, the performance of a contract you have entered into with HPE or is required in connection with the legitimate interests of HPE;
  • Notify you of the specific purposes for which your data is collected and will not process your data in a way which is incompatible with those purposes; only collect the type and amount of your personal data which is necessary in connection with the purpose for which it is collected;
  • Keep your personal data accurate and up to date where necessary and destroy the data once it is no longer needed in line with HPE's Record Retention Policy and applicable law; and
  • Put in place security and confidentiality measures to ensure your personal data is protected against unauthorized use or disclosure.


HPE Companies may disclose your personal data to third parties, for example, to service providers and suppliers who support the provision of our retail services in the field of customer support and marketing and companies managing employee benefit schemes. HPE Companies will not disclose your personal data to third parties unless they have agreed to safeguard your data and conduct the processing of your data in compliance with applicable law. Where the third parties are located in certain countries outside the EU, HPE Companies will ensure your personal data is transferred to those countries in compliance with applicable law and protected by BCR, model contracts or any other measure relevant to the specific case.

In limited circumstances you may provide HPE Companies with what is defined as sensitive personal data under certain laws. This is data which relates to your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life. HPE Companies will only process sensitive personal data in compliance with applicable law, which may require HPE Companies to obtain your consent to the processing.

2. Data Subject Rights

If you are a European employee or customer of HPE, you have the following rights under EU data protection law:

  • The right of access to your personal data processed by HPE. HPE reserves the right to charge a fee for such access where permitted under applicable law. HPE may not be able to disclose certain data to you if it is not permitted to do so by applicable law, for example data which relates to another person.
  • The right to have incomplete or inaccurate personal data about you corrected, erased or blocked.
  • The right to object to HPE processing your personal data and to require HPE to stop processing your data where there are legitimate grounds for doing so.
  • The right to request that significant decisions about you are not made through the automatic processing of your personal data.

3. Additional Data Subject Rights under HPE's BCR

In addition, if you are a European employee or customer of HPE, the BCR give you the following rights, as a third party beneficiary, where you believe your personal data has been transferred to an HPE Company located in certain countries outside the EU and processed by that company in breach of the BCR;

  • To lodge a complaint with the EU HPE Company which transferred your data outside the EU. This can be done by contacting the Privacy Office at "Privacy feedback form" link at end of this text. Any complaint shall be fully investigated by the company with a view to resolving the complaint; and /or
  • To lodge a complaint with the Data Protection Authority located in the same country as the European HPE Company which transferred your data outside the EU; and/or
  • To bring a court action against the EU HPE Company which transferred your data outside the EU. In which case the European HPE Company shall defend any claim, have the burden of proving that breach of the rules did not take place, and the responsibility to pay any damages awarded to you by the court.


HPE's BCR is part of HPE's continued commitment to the protection of personal data and to be accountable for any mistakes or mishandling of personal data. If you would like any further information on HPE's BCR or wish to exercise any of your rights, please contact the HPE Privacy Office at Privacy feedback link below.