Binding Corporate Rules (BCRs) are a set of rules implemented at corporate level by Multinational Groups of Organisations carrying out international data transfers within the Group. The scope of BCRs is to allow the carrying out of intra-group data transfers, providing at the same time an adequate level of data protection across the Group. BCRs are considered a useful tool for Multinational Organisations which, by the nature of their business operations, are likely to carry out similar data transfers on a regular basis. An approval of a BCR implies that personal data may be transferred within the Group without necessarily having to sign an agreement with every intra-group entity in each and every processing operation involving an international data transfer.
The idea behind BCRs is to have corporate rules which are both internally and externally binding. Internal commitment is ensured by means of appropriate intra-group agreements, undertakings, other regulatory measures and internal policies applicable between group entities and other rules directly binding upon employees. BCRs should also be enforceable externally and therefore data subjects should be in a position to exercise third-party beneficiary rights and seek compensation for damages even where information is transferred to non-EU jurisdictions.
In principle a BCR is only enforceable for transfers of personal data within the group. Therefore, in the case of data controllers or processors who are not group entities, and who are established in third countries not ensuring an adequate level of data protection, these should still be regulated by the appropriate model contractual clauses issued by the EU Commission. In the case of data controllers or processors operating in EU jurisdictions, the general provisions within community law would apply and therefore in the case of a data processor, a contractual agreement within the meaning of article 25 of the Data Protection Act would be sufficient.
In order to initiate the coordinated procedure for implementing Binding Corporate Rules, the corporate group should:
- Approach a Data Protection Authority to act as lead DPA (the criteria for choosing the lead DPA are normally the location of the EU Headquarters of the Group or the EU Group Entity with delegated data protection responsibilities);
- Submit a standard application form for BCRs adopted by way of Recommendation 1/2007 of the Article 29 Working Party, which is a European Independent Advisory Body on Data Protection and Privacy.
So far the following procedure has been used to approve BCRs:
- There is first contact with the DPA chosen to act as lead authority, and part I of the application form (WP 133) is submitted;
- The selected DPA informs the other DPAs of the application, and acceptance of the lead authority is given within 1 month;
- The applicant submits part II of the application (WP 133) together with supporting documents to the lead DPA for review and discussion in order to agree on a consolidated draft and application;
- The lead DPA circulates the consolidated draft and DPAs are requested to comment and suggest changes to the text within one month (the time frame may be prolonged if there are comments/amendments and a new version is circulated);
- The final draft is circulated to DPAs for approval, after which the lead authority formally informs the Article 29 Working Party that the procedure has been concluded.