BCRs (binding corporate rules) help organisations demonstrate that they have adequate protections in place when making intra-group international data transfers.
The rules have been widely discussed in relation to the GDPR (General Data Protection Regulation) and Brexit. Indeed, those two landmarks changed the way organisations could make cross-border data transfers, making BCRs more widely applicable.
In this blog, we help you understand when you are required to use BCRs, what benefits they offer, and how you can create them.
What are binding corporate rules under the GDPR?
Binding corporate rules (BCRs) are data protection policies organisations use when transferring personal data into and out of the EU.
BCRs are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships.
BCRs contain a set of internal rules (like a code of conduct) that all organisations involved in sharing the information must agree to.
The rules are legally binding and must be approved by the relevant data protection body.
In the EU, this is the European Commission, and in the UK, it’s the ICO (Information Commissioner’s Office).
BCRs are explicitly designed for multinational companies. Their size and complexity aren’t suitable for smaller organisations, which would be better off using SCCs (standard contractual clauses).
The purpose of BCRs
Organisations are only permitted to transfer personal information into and out of the EU if they can prove that they are doing so in accordance with the GDPR’s requirements.
BCRs are a way of streamlining this process. Rather than creating hundreds, if not thousands, of documents related to their data transfer methods, organisations can use BCRs to cover the entirety of their group data sharing activities.
Benefits of BCRs
The main benefit of BCRs is that they make it much easier for multinational organisations to transfer personal data internationally.
Once an organisation has established a BCR, it will be required to do minimal administrative work in the future.
BCRs cover an entire organisation with offices in various countries, providing clarity, consistency and legal certainty for data transfers across the group.
Additionally, BCRs provide flexibility when introducing new products and reduce data protection compliance costs when processing activities change.
BCRs can also give an organisation a competitive advantage by demonstrating that it has harmonised its data protection practices.
What should a BCR contain?
A BCR must contain information related to the group structure involved in data sharing activities and contact details of the concerned group and its members.
Next, it should list details about the information that’s being shared. This should include what types of personal data are involved, why it is being shared, how it’s processed and which countries the information is being transferred between.
The BCR should also document information related to the GDPR’s data protection principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality
Likewise, it should contain information about data subject rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to be forgotten
- The right to restrict processing
- The right to data portability
- The right to object
- Rights related to automated decision-making, including profiling
Alongside this, BCRs should state how individuals can exercise those rights and the steps the organisation will take to comply with their request within the 30-day deadline.
The BCR should also explain the liability of data controllers or data processors if they violate these principles or rights or if there is a breach of personal data.
Another requirement of BCRs is that they must state the tasks of the DPO (data protection officer) or whoever within the organisation is responsible for GDPR compliance.
This includes the organisation’s obligations for communicating with its supervisory authority. The BCR should also cover information related to data protection audits and staff awareness training.
Submitting binding corporate rules for review
As we previously mentioned, BCRs must be approved by both the organisations subject to their rules and the relevant supervisory authority.
Before an organisation can submit its BCRs for review, it must first designate a lead supervisory authority. This will typically be the national data protection body for the country in which the organisation is based or does most of its business.
In the UK, this will always be the ICO (Information Commissioner’s Office).
The lead supervisory authority will circulate the BCR among all relevant regulatory bodies to ensure that it meets requirements. Once an agreement has been reached, the BCR will be approved.
Bring your data transfers in line with the GDPR
Organisations looking for help completing their BCRs should consider GRCI Law’s GDPR Contract and Legal Services.
Our team of qualified lawyers has extensive experience working in data protection law, including writing contracts, enabling GDPR compliance and dealing with supervisory authorities.
We can help you negotiate the complexities of international data transfers and ensure you have the proper safeguards in place.