Maurits van Buren


When and how to adopt Binding Corporate Rules (BCR)

22-10-2014

European data protection law provides for the option of adopting Binding Corporate Rules (BCR): an effective solution for multinational groups that regularly transfer personal data to group companies outside the EU.

Companies operating in Europe as well as in non-EU countries generally have to comply with European data protection rules on the transfer of personal data. If, for example, a European subsidiary wants to share its customer data with group companies outside the EU, or wants to store its employee data in a data center outside the EU, that subsidiary will have to comply with the European rules on transferring personal data outside the EU.

The rule is as follows. Under the European Data Protection Directive (Directive 95/46/EC, referred to here as the DPR), personal data may only be transferred to a third country (i.e. a non-Member State) if that third country ensures an “adequate level of protection”. The European Commission (EC) can find that a certain third country does not ensure an adequate level of protection, in which case the Member States must take measures to prevent any transfer of personal data to that country. Currently only a handful of third countries are considered by the EC to provide an adequate level of protection.

This, however, does not rule out the possibility of transferring personal data to countries that do not ensure an adequate level of protection. Under the DPR a transfer can nevertheless take place if the data subject has unambiguously given consent to the transfer, if the transfer is necessary for the performance of a contract between the data subject and the controller, and in a number of similar cases. In addition, Member States as well as the EC can authorize a transfer or set of transfers where the controller “adduces adequate safeguards with respect to the protection of personal data”. This has led to the well-known Model Contracts (standard contractual clauses) for the transfer of personal data to third countries: model contracts that the parties to a transfer enter into, stipulating how the personal data must be handled.

Entering into a separate contract each time a company within a group wants to share personal data with another company within that same group, however, is an administrative burden. Within this framework the Article 29 Data Protection Working Party (the body of EU data protection authorities) has therefore developed the option for controllers to adopt Binding Corporate Rules (BCR): essentially a single policy, binding on all members of the group, that describes the way the group regards and handles personal data.

So what should a company do when it wants to adopt BCR? The Working Party has published a number of tools for companies that decide to work with BCR, including an application form and a checklist of the elements the BCR must contain. The procedure is as follows. First, the company designates a lead data protection authority (DPA) within the EU that will assess the draft BCR. Under the right circumstances this will be the DPA of the Member State where the group has its European headquarters. DPAs of other Member States can object to the designation; if none does, the lead DPA reviews the company’s draft BCR. If the lead DPA finds the draft BCR adequate, it sends the draft to the other DPAs involved with a request to approve the BCR. A number of DPAs have adopted a mutual recognition procedure and automatically approve BCR once the lead DPA has found them adequate.

Once the BCR have been approved by all DPAs involved, the company still has to notify the relevant DPAs of the international data transfers and, where national law requires it, request authorization. The company has to do this in each Member State from which it transfers personal data. For example, if a company transfers employee data from the UK, the Netherlands and France to “non-adequate” third countries, it has to notify the DPAs in each of these three Member States. The DPAs will generally grant authorization when the company transfers personal data in accordance with the approved BCR. This follows from WP107, a document drafted by the Article 29 Data Protection Working Party. Note that approval of the BCR therefore does not by itself remove these national notification and authorization steps.

BCR can provide an effective solution for multinational groups that transfer personal data to group companies outside the EU on a regular basis. Not only do BCR simplify the process of transferring personal data outside the EU, they also serve as a public statement of the group’s stance on the protection of personal data. If you are interested in learning which companies have already adopted BCR: the EC maintains a list of these companies.