What are binding corporate rules?
Binding corporate rules are internal rules for data transfers within multinational companies.
Binding corporate rules are like a code of conduct. They allow multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection.
Binding corporate rules ensure that all data transfers within a corporate group are safe. They must contain
- privacy principles, such as transparency, data quality, security
- tools of effectiveness (such as audit, training, or complaint handling systems)
- an element proving that the rules are binding
Approval of binding corporate rules
The company designates the lead authority. This is the authority which handles the EU cooperation procedure with the other European data protection authorities (DPAs).
The company drafts the binding corporate rules. These rules have to meet the requirements set out in the working papers adopted by the Article 29 Working Party. This draft is submitted to the lead authority, which reviews it and provides comments to the company to ensure that the document matches the requirements set out in working paper WP 153.
The lead authority starts the EU cooperation procedure by circulating the binding corporate rules to the relevant DPAs. These are the authorities located where group members transfer personal data to entities located in countries that do not ensure an adequate level of protection.
The EU cooperation procedure is closed after the countries under mutual recognition have acknowledged receipt of the binding corporate rules, and those which are not under mutual recognition consider that the rules comply with the requirements set out by the WP29 (within one month).
In order to speed up the EU cooperation procedure for the review of binding corporate rules by data protection authorities, a mutual recognition procedure has been agreed. Under this procedure, once the lead authority considers that the binding corporate rules meet the requirements set out in the working papers, the DPAs under mutual recognition accept this opinion as a sufficient basis for providing their own national permit or authorisation for the binding corporate rules, or for giving positive advice to the body that provides that authorisation.
At the moment, 21 countries are part of the mutual recognition procedure: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Estonia, France, Germany, Iceland, Ireland, Italy, Latvia, Liechtenstein, Luxembourg, Malta, the Netherlands, Norway, Slovakia, Slovenia, Spain, and the United Kingdom.
Once the binding corporate rules have been considered final by all DPAs, the company shall request authorisation of transfers from each national DPA on the basis of the adopted rules.
How is the lead authority chosen?
Companies which intend to adopt binding corporate rules shall designate a lead authority which will be the contact point and which will handle the procedure for the review of the rules by all DPAs.
The decision as to which DPA should act as the lead authority is based upon relevant criteria such as:
- the location of the group’s European headquarters
- the location of the company within the group with delegated data protection responsibilities
- the location of the company which is best placed, in terms of management function, administrative burden, etc., to deal with the application and to enforce the binding corporate rules in the group
- the place where most decisions in terms of the purposes and means of processing are taken
- the EU country from which most transfers outside the EEA will take place.
In order to officially designate an authority as the lead authority, the company needs to complete the designation form and communicate it to the authority it intends to designate. The lead authority circulates this document to the other authorities, which have 15 days (extendable to 1 month) to give their approval and/or refusal of the designation of this authority as the lead.
Documents to be provided to the lead authority
- binding corporate rules
- list of entities bound by the rules
- element showing that the rules are binding
Any documentation that shows that the commitments in the rules are being respected, such as:
- privacy policies in relation to the rules (in order to inform people such as customers and employees about the way the company protects their personal data)
- guidelines for employees
- data protection audit plan and programme
- examples and/or explanation of the training programme
- description of the internal complaint system
- security policy for IT systems processing personal data
- certification process to make sure that all new IT applications processing data are compliant with binding corporate rules
- job description of data protection officers or other persons in charge of data protection in the company
Founding binding corporate rules documents
The WP29 adopted the first founding binding corporate rules documents in 2003 and 2005:
- working paper 74 was the first document adopted which presented binding corporate rules
- working paper 107 describes the EU cooperation procedure
- working paper 108 is designed to assist a group of companies when it applies for approval of its binding corporate rules
Documents useful when drafting binding corporate rules
The working party adopted in 2008 several documents which aim at clarifying the commitments companies shall implement when adopting binding corporate rules. These documents should be used when companies draft their rules.
- working paper 154 provides guidance on what the binding corporate rules should look like by providing a structure
- working paper 153 provides a full checklist of the requirements which need to be set out in the rules
- working paper 155 provides frequently asked questions (FAQs) and provides interpretation guidance of key issues
Documents useful for the application procedure
Working paper 133 is the standard application for binding corporate rules approval. You will need to fill in this form in order to designate the lead authority (Part I) and to present to DPAs the commitments you are making in the rules (Part II).
Documents useful for the national authorisations of transfers based on binding corporate rules
Companies for which the EU binding corporate rules cooperation procedure is closed
| Company | Lead authority |
|---|---|
| ABN AMRO Bank N.V. | Dutch DPA |
| Astra Zeneca plc | ICO (UK) |
| Airbus (Controller) | CNIL (FR) |
| Akastor ASA (Controller) | Norwegian DPA |
| Aker Solutions ASA (Controller) | Norwegian DPA |
| Akzo Nobel N.V. | |
| Align Technologies B.V. (Controller and Processor) | |
| American Express | ICO (UK) |
| Atos (Controller and Processor) | CNIL (FR) |
| Axa Private Equity | CNIL (FR) |
| BakerCorp International Holdings Inc. (Controller) | Dutch DPA |
| BMC Software (Controller and Processor) | |
| BMW | DPA of Bavaria (Germany) |
| Bristol Myers Squibb | CNIL (FR) |
| CA plc | ICO (UK) |
| Capgemini (Controller and Processor) | CNIL (FR) |
| Cardinal Health, Inc. | IDPC (MT) |
| Care Fusion | ICO (UK) |
| Cargill, Inc. | ICO (UK) |
| Continental Group | DPA of Lower Saxony (Germany) |
| Corning (Controller) | CNIL (FR) |
| D.E. Master Blenders 1753 ("DEMB"), ex Sara Lee International B.V. (indirect subsidiary of Sara Lee Corporation) | |
| Deutsche Post DHL | BfDI (Germany) |
| Deutsche Telekom | BfDI (Germany) |
| ENGIE (ex GDF SUEZ; Controller) | CNIL (FR) |
| Ernst & Young | ICO (UK) |
| First Data Corporation (Controller and Processor) | ICO (UK) |
| Fluor Corporation Inc. | ICO (UK) |
| Flextronics International Ltd | ICO (UK) |
| General Electric (GE) | CNIL (FR) |
| Giesecke & Devrient | DPA of Bavaria (Germany) |
| GlaxoSmithKline plc | ICO (UK) |
| HP Enterprise (Controller) | CNIL (FR) |
| HP Inc. (ex Hewlett Packard; Controller) | CNIL (FR) |
| IMS Health Incorporated | ICO (UK) |
| ING Bank N.V. | Dutch DPA |
| International SOS | CNIL (FR) |
| Johnson Controls | Belgian DPA |
| Koninklijke DSM N.V. and affiliated companies | Dutch DPA |
| Kvaerner ASA | Norwegian DPA |
| LeasePlan Corporation N.V. (Controller) | Dutch DPA |
| Legrand (Controller) | CNIL (FR) |
| Linkbynet (Controller and Processor) | CNIL (FR) |
| Maersk Group | Danish DPA |
| Mastercard (Controller and Processor) | Belgian DPA |
| Merck Sharp & Dohme (MSD) | Belgian DPA |
| Motorola Mobility LLC | ICO (UK) |
| Motorola Solutions, Inc. | ICO (UK) |
| NetApp Inc. (Controller) | Dutch DPA |
| Novo Nordisk A/S | Danish DPA |
| Nutreco N.V. (Controller) | Dutch DPA |
| Osram | DPA of Bavaria (Germany) |
| Rabobank Nederland | Dutch DPA |
| Royal Philips Electronics | Dutch DPA |
| Salesforce (Processor) | CNIL (FR) |
| Sanofi Aventis | CNIL (FR) |
| Schlumberger Ltd. | Dutch DPA |
| Schneider Electric | CNIL (FR) |
| Shell International B.V. | Dutch DPA |
| Siemens Group | DPA of Bavaria (Germany) |
| Simon-Kucher & Partners | DPA of North Rhine-Westphalia (Germany) |
| Société Générale | CNIL (FR) |
| Sopra HR Software (ex HR Access; Controller and Processor) | CNIL (FR) |
| Spencer Stuart | ICO (UK) |
| Starwood Hotels and Resorts (Controller) | Belgian DPA |
| TMF Group B.V. (Controller and Processor) | Dutch DPA |
| UCB (Controller) | Belgian DPA |