Binding Corporate Rules (BCRs) are data protection directives to which companies established in the EU adhere for the transfer of personal data outside the EU within a group of companies or a company. These rules include all general data protection principles and enforceable rights to ensure adequate safeguards for data transfers. They must be legally binding and enforced by any member of the group concerned. (on behalf of Verizon Enterprise Solutions) BCRs may apply to both the organization`s controller and subcontracting agreements and personal data activities. One problem mentioned in WP 74 that turned out to be a problem in practice is that the national law of some Member States does not allow the notion of unilateral declarations. It is on this basis that some applications are structured to take into account how BCRs are mandatory throughout the group. In such cases, the applicant may have to find another enforceable solution under the law of the Member State concerned in order to satisfy that requirement. This is the kind of issue that was discussed with the data protection authority before a request was issued as part of the cooperation procedure. The Article 29 Working Party adopted the following documents, which were approved by the European Data Protection Board. These documents describe the approval process and provide guidance on the structure and requirements of binding corporate regulations.
both high-tech manufacturers (BMW, Airbus,…) and data-intensive solution providers. Of course, this is no coincidence. Keep in mind that only the business terms of the CLCs can be changed, so if you want to change other aspects of the agreement, you will need to create a new contract. In addition, as the infographic below and the related article indicates, this could also mean that not only a group of companies can fall under a BCR, but also, for example, business partners. A group of companies that carry out a joint economic activity is not strictly defined in the GDPR. However, the fact that it is mentioned in this scope of binding corporate rules is one of the reasons why BCRs are interesting as they cross the group of companies and, as mentioned, may apply to certain sectors. BCRs are also defined in Article 1 of the GDPR: “Binding corporate rules are personal data protection strategies that are respected by a controller or processor established in the territory of a Member State in the event of transfers or a series of transfers of personal data to a controller or processor in one or more third countries within a group of companies; or a group of undertakings carrying out a common economic activity`. .