What are binding corporate rules?

Binding corporate rules are internal rules for data transfers within multinational companies.

Binding corporate rules are like a code of conduct. They allow multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection.

Binding corporate rules ensure that all data transfers within a corporate group are adequately protected. They must contain:

  • privacy principles, such as transparency, data quality, security
  • tools of effectiveness (such as audit, training, or complaint handling systems)
  • an element proving that the rules are binding

Approval of binding corporate rules

First step

The company designates the lead authority. This is the authority which handles the EU cooperation procedure with the other European data protection authorities (DPAs).

Second step

The company drafts the binding corporate rules. These rules have to meet the requirements set out in the working papers adopted by the Article 29 Working Party (WP29). The draft is submitted to the lead authority, which reviews it and provides comments to the company to ensure that the document matches the requirements set out in working paper WP 153.

Third step

The lead authority starts the EU cooperation procedure by circulating the binding corporate rules to the relevant DPAs. These are the authorities of the countries from which group members transfer personal data to entities located in countries that do not ensure an adequate level of protection.

Fourth step

The EU cooperation procedure is closed once the DPAs participating in the mutual recognition procedure have acknowledged receipt of the binding corporate rules, and the DPAs which do not participate have confirmed, within one month, that the rules comply with the requirements set out by the WP29.

In order to speed up the EU cooperation procedure for the review of binding corporate rules by data protection authorities, a mutual recognition procedure has been agreed. Under this procedure, once the lead authority considers that the binding corporate rules meet the requirements set out in the working papers, the DPAs under mutual recognition accept this opinion as a sufficient basis for granting their own national permit or authorisation for the binding corporate rules, or for giving positive advice to the body that grants that authorisation.

At the moment, 21 countries are part of the mutual recognition procedure: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Estonia, France, Germany, Iceland, Ireland, Italy, Latvia, Liechtenstein, Luxembourg, Malta, the Netherlands, Norway, Slovakia, Slovenia, Spain, and the United Kingdom.

Fifth step

Once the binding corporate rules have been considered final by all DPAs, the company must request authorisation of the transfers on the basis of the adopted rules from each national DPA.

How is the lead authority chosen?

Companies which intend to adopt binding corporate rules must designate a lead authority, which will be the contact point and will handle the procedure for the review of the rules by all DPAs.

The decision as to which DPA should act as the lead authority is based upon relevant criteria such as:

  • the location of the group’s European headquarters
  • the location of the company within the group with delegated data protection responsibilities
  • the location of the company which is best placed, in terms of management function, administrative burden, etc., to deal with the application and to enforce the binding corporate rules in the group
  • the place where most decisions in terms of the purposes and means of processing are taken
  • the EU country from which most transfers outside the EEA will take place.

In order to officially designate an authority as the lead authority, the company needs to fill in Part I of the standard application form (WP133) and send it to the authority it intends to designate. The lead authority circulates this document to the other authorities, which have 15 days (extendable to one month) to approve or refuse the designation of this authority as the lead.

Documents to be provided to the lead authority

  • the standard application form (WP133)
  • binding corporate rules
  • list of entities bound by the rules
  • element showing that the rules are binding

Any documentation that shows that the commitments in the rules are being respected, such as:

  • privacy policies in relation to the procedure (in order to inform people such as customers and employees about the way the company protects their personal data)
  • guidelines for employees
  • data protection audit plan and programme
  • examples and/or explanation of the training programme
  • description of the internal complaint system
  • security policy for IT systems processing personal data
  • certification process to make sure that all new IT applications processing data are compliant with binding corporate rules
  • job description of data protection officers or other persons in charge of data protection in the company

Founding binding corporate rules documents

The WP29 adopted the first founding binding corporate rules documents in 2003 and 2005:

  • working paper 74 was the first document adopted which presented binding corporate rules
  • working paper 107 describes the EU cooperation procedure
  • working paper 108 is designed to assist a group of companies when it applies for approval of its binding corporate rules

Documents useful when drafting binding corporate rules

In 2008 the working party adopted several documents which clarify the commitments companies must implement when adopting binding corporate rules. These documents should be used when companies draft their rules.

  • working paper 154 provides guidance to what the binding corporate rules should look like by providing a structure
  • working paper 153 provides a full checklist of the requirements which need to be set out in the rules
  • working paper 155 provides frequently asked questions (FAQs) and provides interpretation guidance of key issues

Documents useful for the application procedure

Working paper 133 is the standard application form for binding corporate rules approval. You will need to fill in this form in order to designate the lead authority (Part I) and to present to the DPAs the commitments you are making in the rules (Part II).

Documents useful for the national authorisations of transfers based on binding corporate rules


Companies for which the EU binding corporate rules cooperation procedure is closed

Company name | Lead authority
ABN AMRO Bank N.V. | Dutch DPA
Astra Zeneca plc | ICO (UK)
Accenture | ICO (UK)
Airbus (Controller) | CNIL (FR)
Akastor ASA (Controller) | Norwegian DPA
Aker Solutions ASA (Controller) | Norwegian DPA
Akzo Nobel N.V. (Controller) | Dutch DPA
Align Technologies B.V. (Controller and Processor) | Dutch DPA
American Express | ICO (UK)
ArcelorMittal Group | Luxembourg
Atmel | ICO (UK)
Atos (Controller and Processor) | CNIL (FR)
AXA | CNIL (FR)
Axa Private Equity | CNIL (FR)
BakerCorp International Holdings Inc. (Controller) | Dutch DPA
BMC Software (Controller and Processor) | CNIL (FR)
BMW | DPA of Bavaria (Germany)
BP | ICO (UK)
Bristol Myers Squibb | CNIL (FR)
CA plc | ICO (UK)
Capgemini (Controller and Processor) | CNIL (FR)
Cardinal Health, Inc. | IDPC (MT)
Care Fusion | ICO (UK)
Cargill, Inc. | ICO (UK)
Citigroup | ICO (UK)
CMA-CGM | CNIL (FR)
Continental Group | DPA of Lower Saxony (Germany)
Corning (Controller) | CNIL (FR)
D.E. Master Blenders 1753 ("DEMB"), ex Sara Lee International B.V. (indirect subsidiary of Sara Lee Corporation) | Dutch DPA
Deutsche Post DHL | BfDI (Germany)
Deutsche Telekom | BfDI (Germany)
DSM | Dutch DPA
e-Bay | Luxembourg
ENGIE (ex GDF SUEZ; Controller) | CNIL (FR)
Ernst & Young | ICO (UK)
First Data Corporation (Controller and Processor) | ICO (UK)
Fluor Corporation Inc. | ICO (UK)
Flextronics International Ltd | ICO (UK)
General Electric (GE) | CNIL (FR)
Giesecke & Devrient | DPA of Bavaria (Germany)
GlaxoSmithKline plc | ICO (UK)
Hermès | CNIL (FR)
HP Enterprise (Controller) | CNIL (FR)
HP Inc. (ex Hewlett Packard; Controller) | CNIL (FR)
Hyatt | ICO (UK)
IMS Health Incorporated | ICO (UK)
ING Bank N.V. | Dutch DPA
Intel Corporation | Ireland
International SOS | CNIL (FR)
Johnson Controls | Belgian DPA
JPMC | ICO (UK)
Koninklijke DSM N.V. and affiliated companies | Dutch DPA
Kvaerner ASA | Norwegian DPA
LeasePlan Corporation N.V. (Controller) | Dutch DPA
Legrand (Controller) | CNIL (FR)
Linkbynet (Controller and Processor) | CNIL (FR)
Linklaters | ICO (UK)
LVMH | CNIL (FR)
Maersk Group | Danish DPA
Mastercard (Controller and Processor) | Belgian DPA
Merck Sharp & Dohme (MSD) | Belgian DPA
Michelin | CNIL (FR)
Motorola Mobility LLC | ICO (UK)
Motorola Solutions, Inc. | ICO (UK)
NetApp Inc. (Controller) | Dutch DPA
NOVARTIS | CNIL (FR)
Novo Nordisk A/S | Danish DPA
Nutreco N.V. (Controller) | Dutch DPA
Osram | DPA of Bavaria (Germany)
OVH | CNIL (FR)
Rabobank Nederland | Dutch DPA
Rockwool | Danish DPA
Royal Philips Electronics | Dutch DPA
Safran | CNIL (FR)
Salesforce (Processor) | CNIL (FR)
Sanofi Aventis | CNIL (FR)
Schlumberger Ltd. | Dutch DPA
Schneider Electric | CNIL (FR)
Shell International B.V. | Dutch DPA
Siemens Group | DPA of Bavaria (Germany)
Simon-Kucher & Partners | DPA of North Rhine-Westphalia (Germany)
Société Générale | CNIL (FR)
Sopra HR Software (ex HR Access; Controller and Processor) | CNIL (FR)
Spencer Stuart | ICO (UK)
Starwood Hotels and Resorts (Controller) | Belgian DPA
TMF Group B.V. (Controller and Processor) | Dutch DPA
Total | CNIL (FR)
UCB (Controller) | Belgian DPA