Overview on Binding Corporate rules
What is it?
Binding Corporate Rules ("BCR") are internal rules (such as a Code of Conduct) adopted by multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection.
What is the purpose of BCR?
BCR are used by multinational companies in order to adduce adequate safeguards for the protection of the privacy and fundamental rights and freedoms of individuals within the meaning of article 26 (2) of the Directive 95/46/CE for all transfers of personal data protected under a European law.
To that extent, BCR ensure that all transfers are made within a group benefit from an adequate level of protection. This is an alternative to the company having to sign standard contractual clauses each time it needs to transfer data to a member of its group and may be preferable where it becomes to burdensome to sign contractual clauses for each transfer made within a group.
Once approved under the EU cooperation procedure, BCR provide a sufficient level of protection to companies to get authorisation of transfers by national data protection authorities ("DPA"). It should be noted that the BCR do not provide a basis for transfers made outside the group.
What are the advantages of BCR?
BCR make it possible to...
- be in compliance with the principles set out by with article 25 and 26 of the European Directive 95/46 for all flows of data within the group which are covered by the scope of the BCR,
- harmonise practices relating to the protection of personal data within a group,
- prevent the risks resulting from data transfers to third countries,
- avoid the need for a contract for each single transfer,
- communicate externally on the company's data protection policy,
- have an internal guide for employees with regard to the personal data management,
- make data protection integral to the way the company carries out its business.
Which companies can be interested in BCR?
BCR are a solution for multinational companies which export personal data from the European Economic Area to other group entities located in third countries which do not ensure an adequate level of protection.
Interested in BCR? You want to know more about BCR and would like to implement BCR in your company? Contact the authority (National Data Protection Commissioners: European Union - EEA countries) you think could be designated as the lead authority.
What are BCR in practice?
BCR must contain in particular:
- Privacy principles (transparency, data quality, security, etc.),
- Tools of effectiveness (audit, training, complaint handling system, etc.),
- And an element proving that BCR are binding.