GDPR - What are Binding Corporate Rules designed to achieve?
Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of the EEA in compliance with the 8th data protection principle and Article 25 of Directive 95/46/EC.
Applicants must demonstrate that their BCRs put in place adequate safeguards for protecting personal data throughout the organisation in line with the requirements of the Article 29 Working Party papers on Binding Corporate Rules (see below).
How do I get authorisation for my BCRs?
The procedure is designed to avoid you having to approach each individual data protection authority separately.
You need to choose a data protection authority (DPAs) to be a lead authority. Your choice of lead authority depends on the location of the EU headquarters of your company or the location within Europe of that part of your company best placed to take responsibility for global data protection compliance. Detailed criteria as to choice of lead authority are set out in Working Party papers (see below).
If the lead authority is satisfied as to the adequacy of the safeguards put in place in your BCRs, that authority circulates the draft BCRs to the other DPAs in Europe from which you need an authorisation. The lead DPA communicates any comments received to you. The role of the lead data protection authority is to facilitate the authorisation process.
When submitting an application, you should use Working Party paper 133, which is an application form based on WP 108, or you can put together your own application. We and other DPAs strongly recommend that you use WP133 – see below.
It is important to note that BCRs do not provide a basis for transfers made outside the group.
What are the benefits of BCRs compared with other ways of satisfying the 8th Data Protection Principle?
The main advantage of BCRs over other means of providing adequate safeguards is that, once developed and operational, BCRs can provide a framework for a variety of intra-group transfers to meet your organisation’s requirements. You will have an ongoing obligation to monitor your compliance with your BCRs. This will include regular audits and a requirement to maintain a training programme for staff handling personal data.
The BCRs should also help you to address privacy concerns and raise awareness of data protection within your organisation. This is because you will need to consider the type of personal data you are transferring, and how you will make staff aware of and respect the rules when you are preparing your application. An essential part of the authorisation process is the requirement for the applicant to demonstrate how staff in affiliates in third countries are made aware of the implications of processing personal data transferred from the EEA for example, through its staff training programmes.
Provided your BCRs are drafted widely enough, they should be able to accommodate changes in your company structure and some variation in the types of data flow. You do not need to tell the DPAs which have given authorisations if company changes don’t affect the authorisation. BCRs therefore allow for significant flexibility.
However, if you make changes to your company or the data flows that go beyond the scope of the authorisations, you will have to reapply for authorisation for all or part of your processing.
Another solution available to multinationals as a means of putting in place adequate safeguards is the use of the model contract clauses authorised by the European Commission. However, there are drawbacks with the use of contracts, particularly in multinational companies with complex structures, because sometimes hundreds of contracts are required to cover transfers between all affiliates. The task of making sure that contracts are kept up to date to keep pace with the changing corporate structure can also be difficult and time consuming.
The extent to which individual DPAs will permit the adaptation of the model contracts to allow for multi-party as opposed to bilateral arrangements also varies from one DPA to another limiting the scope for companies to reduce the number of contracts required. There are also situations in which model contracts cannot be used, for example, where the organisation is only one legal entity.
Despite the fact that the model clauses have been approved for use by the European Commission, in some countries there is still a requirement for exporting data controllers to go through a form of authorisation process which can also be time consuming.
Another option open to data controllers is the Safe Harbor scheme, but this is limited to transfers to the US and also does not include certain sectors, such as financial services.
In the UK, the 8th data protection principle allows you to make your own assessment of adequacy but this, of course, is of limited use if you are a multinational company that also transfers personal data from other parts of the EEA.