Binding Corporate Rules (BCRs) are data protection directives to which companies established in the EU adhere for the transfer of personal data outside the EU within a group of companies or a single company. These rules include all general data protection principles and enforceable rights to ensure adequate safeguards for data transfers. They must be legally binding and enforced by every member of the group concerned. BCRs are a way to streamline this process: instead of creating hundreds, if not thousands, of documents covering their data transfer methods, organizations can use BCRs to cover the data exchange activities of their entire group. BCRs help companies demonstrate that they have adequate safeguards for international intra-group data transfers. The Article 29 Working Party adopted the following documents, which were approved by the European Data Protection Board. These documents describe the approval process and provide guidance on the structure and requirements of binding corporate rules. As mentioned earlier, BCRs must be approved both by the bodies subject to them and by the appropriate regulatory authority. BCRs should be seen as a framework of various elements (internal legal agreements, policies, training, audits, etc.) that ensure compliance with EU data protection rules and effective privacy and data protection.
BCRs are intended for multinational companies, groups of companies, or groups of enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships. The rules are legally binding and must be approved by the competent data protection authority. BCRs contain a set of internal rules (similar to a code of conduct) that all organizations involved in the exchange of information must accept. Companies must submit their binding corporate rules to the competent data protection authority in the EU for approval. The authority approves the BCRs in accordance with the consistency mechanism provided for in Article 63 of the GDPR. Several supervisory authorities may be involved in this procedure, as the group applying for authorisation of its BCRs may have companies in more than one Member State. The competent authority submits its draft decision to the European Data Protection Board, which delivers its opinion on the binding corporate rules. Where the BCRs have been finalised in accordance with the opinion of the European Data Protection Board, the competent authority approves them. BCRs cover an entire organization with offices in different countries, providing clarity, consistency and legal certainty for data transfers within the group. The rules were discussed in detail in the context of the GDPR (General Data Protection Regulation) and Brexit.
In fact, these two milestones have changed the way businesses can make cross-border data transfers, making BCRs more widely applicable. Corporate rules for data transfer within multinational companies. The lead supervisory authority will disclose the BCRs to all relevant regulatory authorities to ensure that they comply with the requirements. Once agreement is reached, the BCRs will be approved. BCRs typically form strict internal global privacy policies: a set of practices, processes and policies that comply with EU standards and are available as an alternative way to allow the transfer of personal data (e.g. customer databases, HR information, etc.) outside Europe. Binding corporate rules or "BCRs" were developed by the European Union's Article 29 Working Party to allow multinational companies, international organisations and enterprise groups to carry out intra-company transfers of personal data across borders in accordance with EU data protection legislation. BCRs were developed as an alternative to the EU Standard Contractual Clauses and the US Department of Commerce's now-defunct Safe Harbor Agreement (which applied only to US organisations, was declared invalid, and was replaced by the EU-US and Swiss-US Privacy Shield Frameworks, which were in turn declared invalid by CJEU judgment C-311/18 of 16 July 2020).
A BCR must contain information on the structure of the group involved in the data exchange activities, as well as the contact details of the group concerned and its members. Binding Corporate Rules (BCRs) are data protection policies that companies use when transferring personal data to and from the EU. It should be noted that while BCRs were originally designed to provide a legal basis for international transfers, they have de facto become a means for a company to demonstrate its ability to "generally" meet the requirements of personal data processing. A company with BCRs applies this framework independently of international transfers, and it should be considered part of "corporate governance" or "data governance". In this blog, we'll help you understand when to use BCRs, what benefits they offer, and how to create them. In the EU, it's the European Commission, and in the UK, it's the ICO (Information Commissioner's Office). Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their subsidiaries outside the EEA in accordance with the requirements of European data protection law. BCRs must be approved by the data protection authority of each EU Member State (e.g. the Information Commissioner's Office in the UK, the CNIL in France, the AEPD in Spain, etc.) in which the group relies on BCRs. The EU has developed a mutual recognition mechanism under which BCRs approved by a Member State's data protection authority (known as the "lead" authority) and two other "co-managing" authorities can be approved by the other Member States concerned, which can comment and request amendments. Other Member States not participating in the mutual recognition procedure will also be involved by the lead authority and will apply their own independent review process within a limited period of time. The overall process of accepting BCRs usually takes between 6 and 9 months.
This period does not include the required data protection facility, which should already be implemented in the company to comply with the current policy and its local implementation. BCRs should also explain the responsibility of controllers or processors if they violate those principles or rights or if there is a personal data breach. Before an organisation can submit its BCRs for review, it must first designate a lead supervisory authority. This is usually the national data protection authority of the country in which the organisation has its registered office or carries out most of its business activities. Authorisations granted by supervisory authorities on the basis of Directive 95/46/EC remain valid until, where appropriate, they are amended, replaced or revoked by those supervisory authorities. 25 July 2022: publication of new guidelines, application forms and tables for data controllers and subcontractors. BCRs should also document information about the privacy principles of the GDPR. Organizations that need help completing their BCRs should consider GRCI Law's contract and GDPR legal services. To obtain the approval of our BCRs, AstraZeneca (We, Us, Our) had to demonstrate to a number of European data protection authorities that we have put in place adequate safeguards to protect personal data throughout our organisation, in accordance with the requirements set out in the BCR guides published by the European data protection authorities. Although our BCRs were approved in 2014, we updated them after the EU's General Data Protection Regulation (GDPR) came into force on 25 May 2018 to provide even better protection for personal data exchanged between AstraZeneca subsidiaries.
You can make a restricted transfer within an international organization if you and the recipient have signed approved BCRs. UK BCRs are approved by the Commissioner in accordance with Article 58.3(j). BCRs are explicitly designed for multinational companies; their size and complexity are not appropriate for small organizations, which would be better off using SCCs (standard contractual clauses). In the UK, the approving authority will always be the ICO (Information Commissioner's Office). The BCRs themselves do not automatically allow all transfers in all EU Member States. Most Member States still require a formal "transfer notification", which is usually given once the BCRs have been accepted by the country concerned. The concept of using Binding Corporate Rules (BCRs) to provide adequate safeguards for restricted transfers was developed in EU law and continues to be part of UK law under the UK GDPR, in particular Article 47.