International personal data transfers: binding corporate rules (BCRs) under the GDPR

Binding Corporate Rules or BCRs are internal rules which define the international policy in a multinational group of companies and international organizations regarding intra-organizational personal data cross-border transfers. Under the GDPR they become far more important.

Every entity acting as data controller must be responsible for and able to demonstrate compliance with the BCRs

Binding Corporate Rules are strict and approved codes of conduct but not in the broadest sense of approved codes of conduct under the GDPR: they are internal codes of conduct which concern transfers of personal data to third countries in the context of cross-border data transfers to entities of the international organization or multinationals (a group of undertakings, or group of enterprises engaged in a joint economic activity, including members) which are outside the EU.

Binding Corporate Rules or BCRs aren’t new. However, with the GDPR the attractiveness of having Binding Corporate Rules in place is far higher as for international organizations it makes cross-border data transfers much easier. On top of that, BCRs offer ample benefits and aren’t limited to a group of undertakings. They do require a lot of effort and mean that GDPR compliance is attained, personal data processing principles are respected, data subject rights are ensured, legal grounds for lawful processing are in place, data practices are streamlined and far more. Yet, they also offer, among others, important competitive benefits.

Binding corporate rules BCRs in the General Data Protection Regulation GDPR

Binding Corporate Rules in the context of personal data transfer mechanisms to third countries or international organizations

Binding Corporate Rules are one of several international data transfer tools under the GDPR and of course need to be approved. By way of a reminder of cross-border personal data mechanisms under the GDPR check out the infographic below, which includes BCRs.

In the GDPR Articles, Binding Corporate Rules are covered in Article 47, where they are part of Chapter 5 on the transfer of personal data to third countries or international organizations.

BCRs as guarantees for proper safeguards when an adequacy decision is lacking

The general principle for international cross-border personal data transfers is that the transfer of personal data where the personal data processing happens or is intended is allowed and controllers or processors meet the conditions of the GDPR.

This obviously also goes in case there are further international transfers, for example from one country to another, one internal organization to another or to another country and all other combinations.

A key international data transfer mechanism in general is the adequacy decision: after a so-called adequacy assessment, whereby the European Commission essentially looks if a third country, a territory, a particular sector within a third country or an international organization offer sufficient guarantees on the level of the protection of personal data, the EC takes such adequacy decisions. Where they exist, then in principle no additional approvals are needed.

In case there isn’t such an adequacy decision, controllers or processors can transfer personal data to international organizations (or third countries) only if the proper safeguards are in place, if there are possibilities for data subjects to exercise their data subject rights AND if there are effective legal possibilities for data subjects in case these legal remedies would be needed.

It’s here that Binding Corporate Rules or BCRs are mentioned a first time in the GDPR text: BCRs are namely one of the ways which essentially guarantee that these safeguards are in place and thus need no further approval by a supervisory authority. They can also be used for specific sectors (e.g. the travel industry).

The place of binding corporate rules or BCRs in mechanisms for personal data transfer outside the EU under the GDPR - source and courtesy GDPR Awareness Coalition
The place of binding corporate rules or BCRs in mechanisms for personal data transfer outside the EU under the GDPR – source and courtesy GDPR Awareness Coalition

SCCs, BCRs and conditions for Binding Corporate Rules to get approved

Other such “guarantees” include approved codes of conduct in the general sense of GDPR Article 40 and approved certification mechanisms as, they are also recognized by the GDPR in general.

However, in the scope of cross-border data transfers these aren’t of course enough as such of course and ‘general’ means that they still need additional commitments from the controller or processor in the third country.

That’s why Standard Contractual Clauses (SCCs), whereby using the proper and approved model transfer terms of the EC which are also appropriate guarantees regarding safeguards (and which can also relate to specific industries such as health) are preferred, along with BCRs. With the scope of BCRs in the GDPR that degree of preference might shift even more towards BCRs, given the explicit mention and clear rules regarding BCRs and their benefits.

In order to get Binding Corporate Rules approved, in accordance with the consistency mechanism of the GDPR, Binding Corporate Rules must:

  • Be legally binding.
  • Apply to every concerned member of the multinational or international organization.
  • Be enforced by each of these concerned members.
  • Have clear ways for data subjects to exercise their data subject rights.
  • Mention specific information with regards to the organization, the processing and more.

In the context of the above mentioned members and multinationals, the GDPR, in Article 47 on BCRs, speaks about that group of undertakings or group of enterprises engaged in a joint economic activity, including their employees.

As a reminder: GDPR Article 1 (the definitions) define a group of undertakings as follows: a group of undertakings means a controlling undertaking and its controlled undertakings.

The definition of BCRs under the GDPR and the consequences of joint economic activity

Also BCRs are defined in GDPR Article 1: “binding corporate rules means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity”.

A group of enterprises engaged in a joint economic activity is not strictly defined in the GDPR. The fact that it is, however, mentioned in this scope of Binding Corporate Rules is one of the reasons why BCRs are interesting since they can transgress the corporate group and apply to specific sectors as mentioned.

Moreover, as the infographic below and the related article states it could also mean that not just a corporate group can fall under a BCR but also, for example, business partners.

In a communication from the European Commission to the European Parliament and Council on ‘exchanging and protecting personal data in a globalized world’ the text indeed states that “this reform formalises and expands the possibilities to use existing instrument as the BCRs, which until now has been limited to arrangements among entities of the same corporate group, and now can be used by a group of enterprises engaged in a joint economic activity, but not necessarily forming part of the same group.

A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity (GDPR Recital 110)

Does that mean business partners? It most certainly includes BCRs for specific sectors which seems to be the main scope of what the mentioned communication addresses.

End 2017 the Article 29 Data Protection Working Party published a working document setting up a table with the elements and principles to be found in Binding Corporate Rules and a working document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules.

However, these mainly concern the earlier mentioned specific information that needs to be in a BCR in order to be approved and dive pretty deep into the details of that information.

With regards to the scope of application, the working document states that “The BCRs shall specify the structure and contact details of the group of undertakings or group of enterprises engaged in a joint economic activity and of each of its members. The BCRs must also specify its material scope, for instance the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the types of data subjects affected and the identification of the recipients in the third country or countries”.

How far can the inclusion of a group of enterprises engaged in a joint economic activity in the scope of Binding Corporate Rules be interpreted - source and full article on Law Infographic
How far can the inclusion of a group of enterprises engaged in a joint economic activity in the scope of Binding Corporate Rules be interpreted – source and full article on Law Infographic

Benefits of Binding Corporate Rules

No one said it was easy (and surely not cheap or fast) but that has to do with the impact and benefits too. Perhaps the best way to get started is to contact the appropriate leading supervisory authority or one of several companies for which the EU BCR cooperation procedure is closed (meaning: they have a BCR) and even consult those BCRs.

What is for sure is that the fact that BCRs are mentioned as appropriate safeguards in the GDPR and that the GDPR also pays attention to details with regards to BCRs as cross-border data transfer mechanisms is important. So is the fact that as of end September 2017, 100 entities (large companies) are on that list of organizations for which the EU BCR cooperation procedure is closed, either as controller, processor or both.

Research by PwC, which we mentioned in 2017 found that the attention for Binding Corporate Rules was growing and that 75 percent of US (corporate) respondents intended to pursue BCRs in cross-border data transfers with the EU under the GDPR.

When checking them out, you’ll notice that there are quite some organizations on that list from the technology industry in the broadest sense (IT, building management, online tools), financial industry (including some who are also online players such as PayPal), the life sciences industry (pharma), global consultants and accounting firms and what we would call big Industry 4.0 players, both manufacturers with a high tech focus (BMW, Airbus,…) and providers of data-intensive solutions. This is not a coincidence of course.

The benefits of BCRs for them?

  • Far less administrative hassle and work to do regarding cross-border transfers (no separate contracts and so forth).
  • A competitive edge as they have the BCR as a sort of seal on top of the benefits.
  • A proof that they have their data house in order and have harmonized data practices.
  • The essence to have a global data protection framework is there (with the US covered separately).
  • A demonstration of GDPR compliance, attention for data protection and policies for employees.
  • An adherence to data protection principles, including trained personnel.

The information BCRs should contain

Several of those benefits are also related with the information that needs to be at least present in the BCR:

  • Structure of the group of undertakings or group of enterprises sharing joint economic activities and their members.
  • Contact details of the concerned group (and each member).
  • Details on the data transfers or sets: which personal data, what processing purpose, what types of processing, what type of concerned data subjects, which countries,…?
  • Legally binding nature, both internally and towards the outside world.
  • Application of the general data processing principles and the general data protection principles (purpose limitation, data minimization, storage limitation, data quality/accuracy, protection by design and by default, legal basis for lawful processing, special categories of data, measures to ensure data security and more).
  • Data subject rights, ways to exercise those rights, right to lodge a complaint and so on.
  • Liability of controller or processor in EU with regards to breaches of the BCRs by any member outside the EU (except if proven not responsible).
  • Provision of information on the BCRs towards data subjects, in accordance with duty and right of information of the GDPR.
  • The tasks of any DPO or other entity charged with compliance monitoring.
  • Complaint procedures and handling.
  • Data protection audits and methods of correction to protect data subject rights.
  • Various obligations towards the supervisory authority.
  • The proper data protection training for staff with regular or permanent access to personal data.

As mentioned previously there are working documents for a list of all information needed in a BCR. Below are the links for, respectively the general working document and the one for processor Corporate Binding Rules.

List of organizations for which the EU BCR cooperation procedure is closed

Last but not least, below is that list of BCRs and organizations with BCRs including the lead authority for each one, as of end September 2017.

List of companies for which the EU BCR cooperation procedure is closed

Company name Lead authority
ABN AMRO Bank N.V. Dutch DPA
ADIENT Belgian DPA
AMGEN CNIL (FR)
Astra Zeneca plc ICO (UK)
Accenture ICO (UK)
Airbus (Controller) CNIL (FR)
Akastor ASA (Controller) Norwegian DPA
Aker Solutions ASA (Controller) Norwegian DPA
Akzo Nobel N.V. Dutch DPA
(Controller)
Align Technologies B.V. Dutch DPA
(Controller and Processor)
American Express ICO (UK)
ArcelorMittal Group Luxemburg
Atmel ICO (UK)
Atos (Controller and Processor) CNIL (FR)
AXA CNIL (FR)
Axa Private Equity CNIL (FR)
BakerCorp International Holdings Inc.
(Controller)
Dutch DPA
BMC Software(Controller and Processor) CNIL (FR)
BMW DPA of Bavaria (DE)
Box, Inc (Controller and Processor) ICO (UK)
BP ICO (UK)
Bristol Myers Squibb CNIL (FR)
BT Group plc (Controller and Processor) ICO (UK)

CA plc (trading as CA Technologies)

ICO (UK)

Capgemini (Controller and Processor)

CNIL (FR)

Cardinal Health, Inc.

IDPC (MT)
Care Fusion ICO (UK)
Cargill, Inc. ICO (UK)
Citigroup ICO (UK)
CMA-CGM CNIL (FR)

Continental Group

DPA of Lower Saxony (DE)

Corning (Controller)

CNIL (FR)

D.E. Master Blenders 1753 (“DEMB”), ex-Sara Lee International B.V., (indirect subsidiary of
Sara Lee Corporation)

Dutch DPA

Deutsche Post DHL

BfDI (DE)

Deutsche Telekom

BfDI (DE)
DSM Dutch DPA
e-Bay Luxemburg

ENGIE (ex GDF SUEZ; Controller)

CNIL (FR)
Ericsson AB Swedish DPA
Ernst & Young ICO (UK)
Festo Group DPA of Baden-Württemberg
First Data Corporation (Controller and
Processor)
ICO (UK)

Fluor Corporation Inc.

ICO (UK)

Flextronics International Ltd

ICO (UK)

General Electric (GE)

CNIL (FR)

Giesecke & Devrient

DPA of Bavaria (DE)

GlaxoSmithKline plc

ICO (UK)
Hermès CNIL (FR)
HP Enterprise (Controller) CNIL (FR)
HP Inc. (ex Hewlett Packard; Controller) CNIL (FR)
Hewlett Packard Enterprise (Processor) CNIL (FR)
Hyatt ICO (UK)
IMS Health Incorporated ICO (UK)
ING Bank N.V. Dutch DPA
Intel Corporation Ireland
International SOS CNIL (FR)
Johnson Controls Belgian DPA
JPMC ICO (UK)
Koninklijke DSM N.V. and affiliated companies Dutch DPA
Kvaerner ASA Norwegian DPA
Latham & Watkins LLP (Controller) ICO (UK)
LeasePlan Corporation N.V. (Controller) Dutch DPA
Ledvance DPA of Bavaria (DE)
Lego Group Danish DPA
Legrand (Controller) CNIL (FR)
Linkbynet (Controller and Processor) CNIL (FR)
Linklaters ICO (UK)
LVMH CNIL (FR)
Maersk Group Danish DPA
Mastercard (Controller and Processor) Belgian DPA
Merck Sharp & Dohme (MSD) Belgian DPA
Michelin CNIL (FR)
Motorola Mobility LLC ICO (UK)
Motorola Solutions, Inc. ICO (UK)
NetApp Inc. (Controller) Dutch DPA
NOVARTIS CNIL (FR)
Novo Nordisk A/S Danish DPA
Nutreco N.V.(Controller) Dutch DPA
Osram DPA of Bavaria (DE)
OVH CNIL (FR)
PayPal Luxemburg
Rabobank Nederland Dutch DPA
Rakuten Luxemburg
Rockwool Danish DPA
Royal Philips Electronics Dutch DPA
Safran CNIL (FR)
Salesforce (Processor) CNIL (FR)
Sanofi Aventis CNIL (FR)
Schlumberger Ltd. Dutch DPA
Schneider Electric CNIL (FR)
Shell International B.V. Dutch DPA
Siemens Group DPA of Bavaria (DE)
Simon-Kucher & Partners DPA of North Rhine-Westphalia (DE)
Société Générale CNIL (FR)
Sopra HR Software (ex HR Access; Controller
and Processor)
CNIL (FR)
Spencer Stuart ICO (UK)
Starwood Hotels and Resorts (Controller) Belgian DPA
TMF Group B.V. (Controller and Processor) Dutch DPA
Total CNIL (FR)
UCB (Controller) Belgian DPA
UTC Belgian DPA
Zendesk International Limited Irish DPA

 

 

 

Top image: Shutterstock – Copyright: Wolfilser. Although our GDPR content has been carefully verified, we are not liable for potential mistakes and advice you to seek assistance in preparing for GDPR.