Binding Corporate Rules or BCRs are internal rules which define the international policy in a multinational group of companies and international organizations regarding intra-organizational personal data cross-border transfers. Under the GDPR they become far more important.
Binding Corporate Rules are strict and approved codes of conduct but not in the broadest sense of approved codes of conduct under the GDPR: they are internal codes of conduct which concern transfers of personal data to third countries in the context of cross-border data transfers to entities of the international organization or multinationals (a group of undertakings, or group of enterprises engaged in a joint economic activity, including members) which are outside the EU.
Binding Corporate Rules or BCRs aren’t new. However, with the GDPR the attractiveness of having Binding Corporate Rules in place is far higher as for international organizations it makes cross-border data transfers much easier. On top of that, BCRs offer ample benefits and aren’t limited to a group of undertakings. They do require a lot of effort and mean that GDPR compliance is attained, personal data processing principles are respected, data subject rights are ensured, legal grounds for lawful processing are in place, data practices are streamlined and far more. Yet, they also offer, among others, important competitive benefits.
Binding Corporate Rules in the context of personal data transfer mechanisms to third countries or international organizations
Binding Corporate Rules are one of several international data transfer tools under the GDPR and of course need to be approved. By way of a reminder of cross-border personal data mechanisms under the GDPR check out the infographic below, which includes BCRs.
In the GDPR Articles, Binding Corporate Rules are covered in Article 47, where they are part of Chapter 5 on the transfer of personal data to third countries or international organizations.
BCRs as guarantees for proper safeguards when an adequacy decision is lacking
The general principle for international cross-border personal data transfers is that the transfer of personal data where the personal data processing happens or is intended is allowed and controllers or processors meet the conditions of the GDPR.
This obviously also goes in case there are further international transfers, for example from one country to another, one internal organization to another or to another country and all other combinations.
A key international data transfer mechanism in general is the adequacy decision: after a so-called adequacy assessment, whereby the European Commission essentially looks if a third country, a territory, a particular sector within a third country or an international organization offer sufficient guarantees on the level of the protection of personal data, the EC takes such adequacy decisions. Where they exist, then in principle no additional approvals are needed.
In case there isn’t such an adequacy decision, controllers or processors can transfer personal data to international organizations (or third countries) only if the proper safeguards are in place, if there are possibilities for data subjects to exercise their data subject rights AND if there are effective legal possibilities for data subjects in case these legal remedies would be needed.
It’s here that Binding Corporate Rules or BCRs are mentioned a first time in the GDPR text: BCRs are namely one of the ways which essentially guarantee that these safeguards are in place and thus need no further approval by a supervisory authority. They can also be used for specific sectors (e.g. the travel industry).
SCCs, BCRs and conditions for Binding Corporate Rules to get approved
Other such “guarantees” include approved codes of conduct in the general sense of GDPR Article 40 and approved certification mechanisms as, they are also recognized by the GDPR in general.
However, in the scope of cross-border data transfers these aren’t of course enough as such of course and ‘general’ means that they still need additional commitments from the controller or processor in the third country.
That’s why Standard Contractual Clauses (SCCs), whereby using the proper and approved model transfer terms of the EC which are also appropriate guarantees regarding safeguards (and which can also relate to specific industries such as health) are preferred, along with BCRs. With the scope of BCRs in the GDPR that degree of preference might shift even more towards BCRs, given the explicit mention and clear rules regarding BCRs and their benefits.
In order to get Binding Corporate Rules approved, in accordance with the consistency mechanism of the GDPR, Binding Corporate Rules must:
- Be legally binding.
- Apply to every concerned member of the multinational or international organization.
- Be enforced by each of these concerned members.
- Have clear ways for data subjects to exercise their data subject rights.
- Mention specific information with regards to the organization, the processing and more.
In the context of the above mentioned members and multinationals, the GDPR, in Article 47 on BCRs, speaks about that group of undertakings or group of enterprises engaged in a joint economic activity, including their employees.
As a reminder: GDPR Article 1 (the definitions) define a group of undertakings as follows: a group of undertakings means a controlling undertaking and its controlled undertakings.
The definition of BCRs under the GDPR and the consequences of joint economic activity
Also BCRs are defined in GDPR Article 1: “binding corporate rules means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity”.
A group of enterprises engaged in a joint economic activity is not strictly defined in the GDPR. The fact that it is, however, mentioned in this scope of Binding Corporate Rules is one of the reasons why BCRs are interesting since they can transgress the corporate group and apply to specific sectors as mentioned.
Moreover, as the infographic below and the related article states it could also mean that not just a corporate group can fall under a BCR but also, for example, business partners.
In a communication from the European Commission to the European Parliament and Council on ‘exchanging and protecting personal data in a globalized world’ the text indeed states that “this reform formalises and expands the possibilities to use existing instrument as the BCRs, which until now has been limited to arrangements among entities of the same corporate group, and now can be used by a group of enterprises engaged in a joint economic activity, but not necessarily forming part of the same group.”
Does that mean business partners? It most certainly includes BCRs for specific sectors which seems to be the main scope of what the mentioned communication addresses.
End 2017 the Article 29 Data Protection Working Party published a working document setting up a table with the elements and principles to be found in Binding Corporate Rules and a working document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules.
However, these mainly concern the earlier mentioned specific information that needs to be in a BCR in order to be approved and dive pretty deep into the details of that information.
With regards to the scope of application, the working document states that “The BCRs shall specify the structure and contact details of the group of undertakings or group of enterprises engaged in a joint economic activity and of each of its members. The BCRs must also specify its material scope, for instance the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the types of data subjects affected and the identification of the recipients in the third country or countries”.
Benefits of Binding Corporate Rules
No one said it was easy (and surely not cheap or fast) but that has to do with the impact and benefits too. Perhaps the best way to get started is to contact the appropriate leading supervisory authority or one of several companies for which the EU BCR cooperation procedure is closed (meaning: they have a BCR) and even consult those BCRs.
What is for sure is that the fact that BCRs are mentioned as appropriate safeguards in the GDPR and that the GDPR also pays attention to details with regards to BCRs as cross-border data transfer mechanisms is important. So is the fact that as of end September 2017, 100 entities (large companies) are on that list of organizations for which the EU BCR cooperation procedure is closed, either as controller, processor or both.
When checking them out, you’ll notice that there are quite some organizations on that list from the technology industry in the broadest sense (IT, building management, online tools), financial industry (including some who are also online players such as PayPal), the life sciences industry (pharma), global consultants and accounting firms and what we would call big Industry 4.0 players, both manufacturers with a high tech focus (BMW, Airbus,…) and providers of data-intensive solutions. This is not a coincidence of course.
The benefits of BCRs for them?
- Far less administrative hassle and work to do regarding cross-border transfers (no separate contracts and so forth).
- A competitive edge as they have the BCR as a sort of seal on top of the benefits.
- A proof that they have their data house in order and have harmonized data practices.
- The essence to have a global data protection framework is there (with the US covered separately).
- A demonstration of GDPR compliance, attention for data protection and policies for employees.
- An adherence to data protection principles, including trained personnel.
The information BCRs should contain
Several of those benefits are also related with the information that needs to be at least present in the BCR:
- Structure of the group of undertakings or group of enterprises sharing joint economic activities and their members.
- Contact details of the concerned group (and each member).
- Details on the data transfers or sets: which personal data, what processing purpose, what types of processing, what type of concerned data subjects, which countries,…?
- Legally binding nature, both internally and towards the outside world.
- Application of the general data processing principles and the general data protection principles (purpose limitation, data minimization, storage limitation, data quality/accuracy, protection by design and by default, legal basis for lawful processing, special categories of data, measures to ensure data security and more).
- Data subject rights, ways to exercise those rights, right to lodge a complaint and so on.
- Liability of controller or processor in EU with regards to breaches of the BCRs by any member outside the EU (except if proven not responsible).
- Provision of information on the BCRs towards data subjects, in accordance with duty and right of information of the GDPR.
- The tasks of any DPO or other entity charged with compliance monitoring.
- Complaint procedures and handling.
- Data protection audits and methods of correction to protect data subject rights.
- Various obligations towards the supervisory authority.
- The proper data protection training for staff with regular or permanent access to personal data.
As mentioned previously there are working documents for a list of all information needed in a BCR. Below are the links for, respectively the general working document and the one for processor Corporate Binding Rules.
- The working document setting up a table with the elements and principles to be found in
Binding Corporate Rules (PDF opens).
- The working document setting up a table with the elements and principles for processor Corporate Binding Rules (PDF opens).
List of organizations for which the EU BCR cooperation procedure is closed
Last but not least, below is that list of BCRs and organizations with BCRs including the lead authority for each one, as of end September 2017.
List of companies for which the EU BCR cooperation procedure is closed
|Company name||Lead authority|
|ABN AMRO Bank N.V.||Dutch DPA|
|Astra Zeneca plc||ICO (UK)|
|Airbus (Controller)||CNIL (FR)|
|Akastor ASA (Controller)||Norwegian DPA|
|Aker Solutions ASA (Controller)||Norwegian DPA|
|Akzo Nobel N.V.||Dutch DPA|
|Align Technologies B.V.||Dutch DPA|
|(Controller and Processor)|
|American Express||ICO (UK)|
|Atos (Controller and Processor)||CNIL (FR)|
|Axa Private Equity||CNIL (FR)|
|BakerCorp International Holdings Inc.
|BMC Software(Controller and Processor)||CNIL (FR)|
|BMW||DPA of Bavaria (DE)|
|Box, Inc (Controller and Processor)||ICO (UK)|
|Bristol Myers Squibb||CNIL (FR)|
|BT Group plc (Controller and Processor)||ICO (UK)|
CA plc (trading as CA Technologies)
Capgemini (Controller and Processor)
Cardinal Health, Inc.
|Care Fusion||ICO (UK)|
|Cargill, Inc.||ICO (UK)|
|DPA of Lower Saxony (DE)|
D.E. Master Blenders 1753 (“DEMB”), ex-Sara Lee International B.V., (indirect subsidiary of
Deutsche Post DHL
ENGIE (ex GDF SUEZ; Controller)
|Ericsson AB||Swedish DPA|
|Ernst & Young||ICO (UK)|
|Festo Group||DPA of Baden-Württemberg|
|First Data Corporation (Controller and
Fluor Corporation Inc.
Flextronics International Ltd
General Electric (GE)
Giesecke & Devrient
|DPA of Bavaria (DE)|
|HP Enterprise (Controller)||CNIL (FR)|
|HP Inc. (ex Hewlett Packard; Controller)||CNIL (FR)|
|Hewlett Packard Enterprise (Processor)||CNIL (FR)|
|IMS Health Incorporated||ICO (UK)|
|ING Bank N.V.||Dutch DPA|
|International SOS||CNIL (FR)|
|Johnson Controls||Belgian DPA|
|Koninklijke DSM N.V. and affiliated companies||Dutch DPA|
|Kvaerner ASA||Norwegian DPA|
|Latham & Watkins LLP (Controller)||ICO (UK)|
|LeasePlan Corporation N.V. (Controller)||Dutch DPA|
|Ledvance||DPA of Bavaria (DE)|
|Lego Group||Danish DPA|
|Legrand (Controller)||CNIL (FR)|
|Linkbynet (Controller and Processor)||CNIL (FR)|
|Maersk Group||Danish DPA|
|Mastercard (Controller and Processor)||Belgian DPA|
|Merck Sharp & Dohme (MSD)||Belgian DPA|
|Motorola Mobility LLC||ICO (UK)|
|Motorola Solutions, Inc.||ICO (UK)|
|NetApp Inc. (Controller)||Dutch DPA|
|Novo Nordisk A/S||Danish DPA|
|Nutreco N.V.(Controller)||Dutch DPA|
|Osram||DPA of Bavaria (DE)|
|Rabobank Nederland||Dutch DPA|
|Royal Philips Electronics||Dutch DPA|
|Salesforce (Processor)||CNIL (FR)|
|Sanofi Aventis||CNIL (FR)|
|Schlumberger Ltd.||Dutch DPA|
|Schneider Electric||CNIL (FR)|
|Shell International B.V.||Dutch DPA|
|Siemens Group||DPA of Bavaria (DE)|
|Simon-Kucher & Partners||DPA of North Rhine-Westphalia (DE)|
|Société Générale||CNIL (FR)|
|Sopra HR Software (ex HR Access; Controller
|Spencer Stuart||ICO (UK)|
|Starwood Hotels and Resorts (Controller)||Belgian DPA|
|TMF Group B.V. (Controller and Processor)||Dutch DPA|
|UCB (Controller)||Belgian DPA|
|Zendesk International Limited||Irish DPA|
Next in regulations and compliance: EU DORA Digital Operational Resilience Act
Top image: Shutterstock – Copyright: Wolfilser. Although our GDPR content has been carefully verified, we are not liable for potential mistakes and advice you to seek assistance in preparing for GDPR.