Our new Data Protection and Privacy Support Portal "PrivacyAssist" in now available. Learn More!
Resources
Glossary
    ← Back to glossary

    Binding Corporate Rules (BCRs)

    Glossary Contents

    Binding Corporate Rules, commonly referred to as BCRs, are a set of internal rules (such as a Code of Conduct) adopted by multinational companies to ensure that all of their operations comply with the high data protection standards established by the European Union's General Data Protection Regulation (GDPR).

    BCRs are a crucial tool for multinational corporations as they provide a legal basis for transferring personal data between different company branches, including transfers outside of the European Economic Area (EEA). This article will delve into the intricacies of BCRs, their importance, how they work, and the process of obtaining approval for them.

    Understanding BCRs

    BCRs are designed to allow multinational companies to transfer personal data from the EEA to their affiliates located outside of the EEA in a manner that complies with the GDPR. They are a form of 'appropriate safeguard' that multinational companies can implement to legitimise these transfers.

    BCRs are not a one-size-fits-all solution; they must be tailored to the specific operations and structure of the company. They must also be legally binding and enforceable by every member of the corporate group.

    Key Elements of BCRs

    BCRs must contain certain key elements to be considered valid under the GDPR. These include the rights of data subjects, the duties and responsibilities of the data exporter and importer, and the mechanisms for ensuring compliance with the rules.

    BCRs must also provide for effective and enforceable data subject rights, including the right to lodge a complaint with a supervisory authority and to seek judicial redress.

    BCRs vs Standard Contractual Clauses

    BCRs are often compared to Standard Contractual Clauses (SCCs), another mechanism for transferring personal data outside the EEA. However, there are key differences between the two. Unlike SCCs, BCRs are tailored to the company's specific operations and structure and must be approved by the relevant data protection authorities.

    On the other hand, SCCs are pre-approved clauses that can be used by any company, regardless of its size or structure. They do not require approval from a data protection authority, making them a quicker and simpler solution for many companies.

    Obtaining Approval for BCRs

    Obtaining approval for BCRs is complex and time-consuming. It involves several steps, including preparing a detailed application, reviewing it by the relevant data protection authorities, and potentially consulting with the European Data Protection Board (EDPB).

    Despite the complexity of the process, many multinational companies choose to go through it because of the benefits BCRs offer, including the ability to transfer data within the corporate group without the need for additional contractual safeguards.

    Preparation of the Application

    The first step in obtaining approval for BCRs is to prepare a detailed application. This application must include a comprehensive description of the company's data processing activities, the structure and operations of the corporate group, and the proposed BCRs.

    The application must also include evidence that the BCRs are legally binding and enforceable by all members of the corporate group. This can be a complex task, particularly for multinational companies with operations in multiple jurisdictions.

    Review by Data Protection Authorities

    Once the application has been prepared, it must be submitted to the relevant data protection authorities for review. These authorities will assess whether the proposed BCRs comply with the GDPR's requirements.

    This review process can take several months and may involve back-and-forth communication between the company and the authorities. If the authorities have any concerns or questions about the proposed BCRs, they will raise these with the company and may request additional information or modifications.

    Compliance and Enforcement of BCRs

    Once BCRs have been approved, the company must ensure that they are complied with by all members of the corporate group. This involves implementing appropriate mechanisms for monitoring compliance and addressing any breaches.

    Failure to comply with BCRs can result in significant penalties, including fines of up to 20 million euros or 4% of the company's global annual turnover, whichever is higher.

    Monitoring Compliance

    Companies are required to implement appropriate mechanisms for monitoring compliance with BCRs. These may include internal audits, regular reviews of data processing activities, and employee training.

    Companies must also establish a process for handling complaints from data subjects and for reporting breaches to the relevant authorities. This process must be clearly communicated to all corporate group members.

    Addressing Breaches

    If the BCRs are breached, the company must take prompt action to address it. This may involve conducting an investigation, notifying the relevant authorities, and taking steps to prevent further breaches.

    Companies are also required to provide remedies to data subjects affected by the breach. This may include compensation for any damage suffered as a result of the breach.

    Benefits and Challenges of BCRs

    BCRs offer several benefits for multinational companies. They provide a legal basis for transferring personal data within the corporate group, eliminating the need for additional contractual safeguards. They also offer a degree of flexibility, as they can be tailored to the company's specific operations and structure.

    However, BCRs also present several challenges. The process of obtaining approval for BCRs is complex and time-consuming, and the requirements for compliance and enforcement are stringent. Furthermore, BCRs are not a solution for transfers of personal data to third parties outside of the corporate group.

    Benefits of BCRs

    One of the main benefits of BCRs is that they provide a legal basis for transferring personal data within the corporate group. This eliminates the need for additional contractual safeguards, which can be complex and time-consuming to implement.

    BCRs also offer a degree of flexibility, as they can be tailored to the company's specific operations and structure. This allows companies to implement a data transfer solution that is aligned with their business needs and objectives.

    Challenges of BCRs

    Obtaining approval for BCRs is complex and time-consuming. It involves preparing a detailed application, reviewing it by the relevant data protection authorities, and potentially consulting the EDPB. This can be a daunting task, particularly for companies new to the world of data protection.

    Once BCRs have been approved, the company must ensure that they are complied with by all members of the corporate group. This involves implementing appropriate mechanisms for monitoring compliance and addressing any breaches. Failure to comply with BCRs can result in significant penalties.

    Conclusion

    BCRs are powerful tools for multinational companies that need to transfer personal data outside the EEA. They provide a legal basis for these transfers and offer a degree of flexibility that other data transfer mechanisms do not.

    However, BCRs are not a solution for all companies or all types of data transfers. They are best suited to large multinational companies with complex data processing activities and the resources to navigate the approval process and ensure ongoing compliance.

    Try PrivacyEngine
    For Free

    Learn the platform in less than an hour
    Become a power user in less than a day

    Get Started For Free
    Schedule Demo
    PrivacyEngine Onboarding Screen