Binding Corporate Rules (BCR’s) are internal rules for international data transfers within multinational companies. They allow to transfer personal data internationally within the (same corporate) group to countries that do not provide an adequate level of protection as the GDPR. Binding corporate rules must contain privacy principles, tools of effectiveness and an element proving that the rules are binding.
We see that in the past, Model Contractual Clauses have been a more popular option for data transfers than Binding Corporate Rules, but the reality is that these Model Contractual Clauses are very difficult to do right in practice.
For one, a separate contract is required for each export of data, which can mean “hundreds of contracts”.
Next to that, they are subject to a challenge of validity since they do not meet all GDPR requirements, meaning there is a high risk that they will disappear in the near future.
In case your organization is dynamic and seeks for a long-term solution, it is thus recommended to consider alternative tools. Binding Corporate Rules are the best alternative to the model contractual clauses, for the following reasons:
- Allow information on European data subjects to be transferred worldwide within your organization;
- Any company exporting data within the group to a third country can apply for BCR’s;
- Long term less administrative hassle and work to do regarding cross-border transfers. Only one agreement needs to be signed instead of all different agreements with all your subsidiaries;
- A competitive edge as you have the BCR’s as a sort of seal on top of the benefits.
- A proof that you have your data protection framework in order and have harmonized data practices;
- A demonstration of GDPR compliance and attention to data protection;
- Having an internal guide for employees with regard to the personal data management;
Applying for BCR’s.
The approval of the BCR’s can be summarized in 6 main steps.
Updating existing BCR’s
In November 2017, the WP 29 issued a working document setting up a table with the elements and principles to be found in Binding Corporate Rules (BCRs) in order to reflect the requirements as set out by the GDPR. (Article 29 Data protection working party, WP 256 and WP 257, Working document setting up a table with the elements and principles to be found in (Processor) Binding Corporate Rules, Adopted on 29 November 2017).
Approved BCRs will remain valid until amended, replaced or repealed, if necessary. However, groups with approved BCRs should bring their BCRs in line with GDPR requirements.
Main elements to consider when updating BCR’s:
- Right to lodge a complaint
- Scope of application
- Personal data protection principles:
- Third country legislation