What Is a Corporate Binding Agreement

Binding Corporate Rules (BCRs) are data protection directives to which companies established in the EU adhere for the transfer of personal data outside the EU within a group of companies or a company. These rules include all general data protection principles and enforceable rights to ensure adequate safeguards for data transfers. They must be legally binding and enforced by any member of the group concerned. BCRs may apply to both the organization's controller and subcontracting agreements and personal data activities. One issue mentioned in WP 74 that turned out to be a problem in practice is that the national law of some Member States does not allow the notion of unilateral declarations. It is on this basis that some applications are structured to take into account how BCRs are mandatory throughout the group. In such cases, the applicant may have to find another enforceable solution under the law of the Member State concerned in order to satisfy that requirement. This is the kind of issue that was discussed with the data protection authority before a request was issued as part of the cooperation procedure. The Article 29 Working Party adopted the following documents, which were approved by the European Data Protection Board. These documents describe the approval process and provide guidance on the structure and requirements of binding corporate rules.

Another solution available to multinational enterprises to put in place adequate safeguards is to use the standard contractual clauses approved by the European Commission. However, the use of contracts has drawbacks, especially in multinational companies with complex structures, as sometimes hundreds of contracts are needed to cover transfers between all affiliated companies. The task of ensuring that contracts are kept up to date to keep up with the changing structure of the business can also be challenging and time-consuming. BCRs typically form strict and internal global privacy policies, a set of practices, processes and policies that comply with EU standards and are available as an alternative way to allow the transfer of personal data (e.g., customer databases, HR information, etc.) outside of Europe. The Article 29 Working Party has created a BCR framework (WP 154) that illustrates what all the requirements of WP 74 and WP 108 could look like in a single document. You are free to base your BCR on this framework, but this is not a requirement. The sample checklist (WP 108) sets out the requirements for submitting a set of BCRs. These requirements have now been included in WP 133. If you look at them, you will notice that on this list there are some organizations from the technology industry in the broadest sense (IT, building management, online tools), the financial industry (including some that are also online players like PayPal), the life sciences industry (pharmaceuticals), global consultants and accounting firms, and what we would call the big players in Industry 4.0, both high-tech manufacturers (BMW, Airbus,…) and data-intensive solution providers.

Of course, this is no coincidence. Keep in mind that only the business terms of the CLCs can be changed, so if you want to change other aspects of the agreement, you will need to create a new contract. In addition, as the infographic below and the related article indicate, this could also mean that not only a group of companies can fall under a BCR, but also, for example, business partners. A group of companies that carry out a joint economic activity is not strictly defined in the GDPR. However, the fact that it is mentioned in this scope of binding corporate rules is one of the reasons why BCRs are interesting as they cross the group of companies and, as mentioned, may apply to certain sectors. BCRs are also defined in Article 1 of the GDPR: “Binding corporate rules are personal data protection strategies that are respected by a controller or processor established in the territory of a Member State in the event of transfers or a series of transfers of personal data to a controller or processor in one or more third countries within a group of companies; or a group of undertakings carrying out a common economic activity”.