GDPR: Standard contractual clauses vs binding corporate rules

The EU GDPR (EU General Data Protection Regulation) and – following Brexit – the UK GDPR (UK General Data Protection Regulation) restrict transfers of personal data outside of the EU and UK respectively.

You may have been told that, to transfer personal data, you need to draft SCCs (standard contractual clauses) or BCRs (binding corporate rules).

However, following recent developments after the UK’s departure from the EU, this only applies in certain circumstances.

In this blog, we explain when SCCs and BCRs are required and how you can create them.

How and when should I implement standard contractual clauses?

SCCs work well for organisations that are likely to participate in two-way data sharing, and in internal personal data transfers where the processing is straightforward.

SCCs only apply to the data processing activities set out in them, meaning new contracts will have to be drafted every time personal data processing activities change.

They are currently the only practical, usable mechanism for transferring personal data internationally between organisations.

For example, a business based in Spain that uses a data cleansing service based in Brazil (which does not have an adequacy decision) could use SCCs to ensure the data is protected as it is being processed.

SCCs are legal contracts, and we urge organisations to consult a data protection lawyer when creating them, because oversights in their terms could cause major problems.

Remember, only the commercial terms of SCCs can be amended, so if you want to modify other aspects of the agreement, you will need to create a new contract.

You also need different SCCs in accordance with whether you are the data controller or data processor – and depending on the countries through which your data flows you may need both UK SCCs and EU SCCs.

Say, for example, an international organisation has an ongoing or complicated set of internal personal data transfers to undertake and has offices in the UK and EU.

In that case, it could soon be tied up with hundreds of SCCs to cover each of its group companies’ various processing activities, which is where BCRs are more suitable.

Looking for help creating SCCs and BCRs?

With GRCI Law’s GDPR Contract and Legal Services, you can receive expert guidance at the click of a button.

Our team of qualified lawyers has extensive experience working in data protection law, including writing contracts, enabling GDPR compliance and dealing with the supervisory authorities.

How and when should I implement binding corporate rules?

There are certain circumstances in which implementing BCRs may be suitable. However, they apply only to a single organisation (a corporate group) and are therefore particularly useful for large businesses.

BCRs can apply to both the organisation’s controller and processor agreements and its personal data processing activities, and you might need both UK and EU BCRs depending on your organisational structure.

BCRs cover an entire organisation with offices in various countries, providing clarity, consistency and legal certainty for data transfers across the group.

They also act as a public acknowledgement of the privacy rights of individuals whose data is being processed, improving the organisation’s reputation among anyone who may be considering handing over their personal information.

BCRs can be cumbersome to implement, because they cover a much larger and more complex set of processing activities than SCCs.

For EU BCRs, an organisation would need to designate a lead supervisory authority, which advises the other affected authorities (e.g. those in all countries where the organisation has offices).

The rules are then drafted, along with the supporting documents, e.g. data privacy policies, data protection audit plans, a list of the entities included and guidelines for employees.

These are supplied to the ICO for UK BCRs, or to the lead authority for EU BCRs. EU BCRs are then circulated among all the relevant public authorities (such as the CNIL in France, the AEPD in Spain, etc.).

The role of the EU lead data protection authority is to facilitate the other applicable EU data protection authorities’ authorisation process.

EU BCRs can currently take 12 months or more to complete and, without legal assistance, can become extremely onerous and time-consuming. However, once implemented, they have many advantages.

For example, BCRs provide flexibility when introducing new products, reduce data protection compliance costs when processing changes, and make data protection an integral part of the organisation’s processes.

BCRs can also give an organisation a competitive advantage by demonstrating that it has harmonised its data protection practices.

Adequacy decision

For a data transfer to be allowed under the regulations, the level of data protection afforded by the organisation receiving the data must be equivalent to the protections offered under the GDPR.

As such, any organisation subject to the GDPR, or based in a country that has received an adequacy decision, doesn’t need to take any additional steps.

But when the UK left the EU, it created a compliance gap that was to be filled with SCCs and BCRs.

The UK quickly made an adequacy decision in regard to the EU, meaning data flows from the region are unchanged.

Meanwhile, in February 2021, the European Commission began the process of granting the UK an adequacy decision.

In a statement, the Commission noted it had reviewed the UK’s data laws and deemed them equal to or exceeding those of the EU.

As such, the UK will be added to the list of countries that can share data freely with the EU, pending a review by the EDPB (European Data Protection Board) and committee of EU member states.


How to transfer personal data outside the EU

Although transfers between the UK and EU will again be covered by an adequacy decision, this still leaves questions regarding other international data transfers.

This is where SCCs and BCRs come in. The European Commission and the UK Government have ruled that SCCs offer sufficient safeguards, meaning they are acceptable methods to transfer data out of the EU and the UK.

BCRs are a set of internal rules (like a code of conduct) that regulate international personal data transfers within multinational companies.

The European Commission and the UK’s ICO (Information Commissioner’s Office) regulate the use of EU BCRs and UK BCRs respectively.

Data importers and data exporters that wish to use EU BCRs must apply to one of the relevant supervisory authorities to have their rules approved, and those wishing to use UK BCRs would apply to the ICO.

Let GRCI Law help

GRCI Law offers Contract and Legal Services, including reviewing, drafting or updating SCCs and BCRs. We can also manage the registration of BCRs with the supervisory authorities for you.

A version of this blog was originally published on 8 September 2020.