Binding Corporate Rules (BCR)

Binding Corporate Rules are internal rules for the protection of personal data which may be applied by private-law organizations (data controllers or processors) established on the territory of a Member State of the European Union, for a transfer or a set of transfers of personal data to other private-law bodies (controllers or processors) established in one or more countries outside the European Union, within the same group of companies or a group of companies engaged in a joint economic activity.

The possibility of using binding corporate rules is thus mainly relevant for private multinational organizations, established in several countries of the European Union and outside the European Union.

They can provide appropriate safeguards for the protection of personal data for international data transfers:

  • where the laws or practices of the country of the data importer do not compromise the adequate level of protection afforded by the company’s policies, and/or;
  • in the absence of a decision by the European Commission finding that the third country provides an adequate level of protection (adequacy decision).

They are also an alternative to the European Commission’s standard contractual clauses.

In order to provide appropriate safeguards for the transfer of data, binding corporate rules must be assessed and validated by the competent supervisory authority.

In order to be validated by the supervisory authority, binding corporate rules must specify, among other things:

  • The structure and contact information of the group of companies;
  • Data transfers, including categories of personal data;
  • The type of processing and its purposes;
  • The type of people involved;
  • The name of the third country or countries;
  • Their legally binding nature;
  • Application of general data protection principles;
  • The rights of the persons concerned;
  • The tasks of any data protection officer;
  • Claims procedures;
  • Mechanisms put in place to ensure that compliance is monitored.

In any event, even without the approval of the supervisory authority, binding corporate rules are a compliance tool that contributes to the accountability of a group of companies and sets an example for groups that have decided to implement them.

GDPR Point

“A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.”

Recital 110 of the GDPR

Point of jurisprudence

The Swedish supervisory authority points out that “the purpose of the CJEU Schrems II ruling may also affect transfers of personal data that take place with the help of binding corporate rules, as the legislation of a third country may affect the protection offered by those binding corporate rules. The Court of Justice of the European Union has ruled that it is up to the data controller to assess whether the level of protection required by European legislation is respected in the third country concerned”.

Datainspektionen, December 10, 2020, No. DI-2019-9432

The Bouchara Law firm assists you in particular in:

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter…);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.