Binding Corporate Rules (“BCR”) are internal rules (such as a Code of Conduct) adopted by a multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection.
What is the purpose of BCR?
BCR are used by multinational companies in order to adduce adequate safeguards for the protection of the privacy and fundamental rights and freedoms of individuals for all transfers of personal data protected under a European law.
BCR ensure that all transfers made within a group benefit from an adequate level of protection. This is an alternative to the company having to sign standard contractual clauses each time it needs to transfer data to a member of its group and may be preferable where it becomes too burdensome to sign contractual clauses for each transfer made within a group.
Once approved under the EU cooperation procedure, BCR provide a sufficient level of protection to companies to get authorisation of transfers by national data protection authorities (DPA). It should be noted that the BCR do not provide a basis for transfers made outside the group.
What are the advantages of BCR?
BCR make it possible to:
- be in compliance with the principles set out by the GDPR for all flows of data within the group which are covered by the scope of the BCR
- harmonise practices relating to the protection of personal data within a group
- prevent the risks resulting from data transfers to third countries
- avoid the need for a contract for each single transfer
- communicate externally on the company’s data protection policy
- have an internal guide for employees with regard to personal data management
- make data protection integral to the way the company carries out its business
Which companies can be interested in BCR?
BCR must contain in particular:
- privacy principles (transparency, data quality, security, etc.)
- tools of effectiveness (audit, training, complaint handling system, etc.)
- and an element proving that BCR are binding
What procedure should be followed?
The procedure for applying for authorisation of BCR involves the national DPA reviewing the various elements of the BCR to ensure that they meet the criteria set out by the Article 29 Working Party.
The elements are set out in the different documents adopted by the Working Party. The review procedure has been designed to have one lead authority which means that the applicant company does not need to approach each individual DPA separately.
The DPA follow the co-operation procedure but some DPA are members of the mutual recognition group. Both the documents and the mutual recognition procedure contribute to making the procedure smoother.
The approval of the BCR can be summarised in 5 main steps:
- The company shall designate the lead authority, i.e. the authority which will be handling the EU co-operation procedure amongst the other European DPAs.
- The company drafts the BCR which meet the requirements set out in the working papers adopted by the Article 29 Working Party. This draft is submitted to the lead authority which reviews it and provides comments to the company to ensure that the document matches the requirements set out in paper WP 153.
- The lead authority starts the EU cooperation procedure by circulating the BCR to the relevant DPA, i.e. those of the countries from where entities of the group transfer personal data to entities located in countries which do not ensure an adequate level of protection.
- The EU co-operation procedure is closed after the countries under mutual recognition have acknowledged receipt of the BCR and those which are not under mutual recognition have considered that the BCR comply with the requirements set out in WP29 (within one month).
- Once the BCR have been considered as final by all DPA, the company shall request authorisation of transfers on the basis of the adopted BCR by each national DPA.