Binding corporate rules (BCR) were introduced as a data transfer instrument in Article 47 of the General Data Protection Regulation. BCR are policies based on European data protection standards that multinational corporations formulate to ensure appropriate safeguards for data transfers between the companies within the corporation. They must include all general data protection principles and enforceable rights, be legally binding, and be enforced by every member concerned of the group.
BCR must specify at least:
– the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;
– the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;
– their legally binding nature, both internally and externally;
– the application of the general data protection principles;
– the rights of data subjects in regard to the processing of their personal data and the means to exercise those rights;
– the acceptance by the controller or processor located in a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union;
– how the information on the binding corporate rules is provided to the data subjects in addition to Articles 13 and 14 of the GDPR;
– the tasks of any data protection officer or any other person or entity in charge of monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling;
– the complaint procedures;
– the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding corporate rules;
– the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority;
– the cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity;
– the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules;
– the appropriate data protection training to personnel having permanent or regular access to personal data.
Companies must submit binding corporate rules for approval to the national data protection authorities of the countries of destination of the transfer. The process is facilitated by applying the consistency mechanism set out in Article 63 of the GDPR. The idea is to enable companies to apply for authorisation through one of the data protection authorities of the Member States (the lead authority in charge of coordinating approval), which clears the documents submitted with the data protection authorities concerned and coordinates the whole process. When all authorities concerned have assessed the documents and submitted their comments, the lead authority communicates its draft decision to the European Data Protection Board, which will issue its opinion based on the documents presented. When the procedure has been finalised (following the EDPB opinion and the ensuing BCR actions), the competent authority will approve the rules.
Previous BCR approvals based on Directive 95/46/EC remain valid until amended, replaced or repealed, if necessary, by the competent supervisory authorities.
The EDPB has approved the following working documents which describe the procedure of approval and provide guidance on the structure and requirements of binding corporate rules:
– Recommendation on the approval of the Controller Binding Corporate Rules form (wp264)
– Working Document on Binding Corporate Rules for Controllers (wp256rev.01)
– Working Document on Binding Corporate Rules for Processors (wp257rev.01)
17.05.2021