BCR or “Binding Corporate Rules” is a mechanism under the GDPR that group companies can use for intra-group personal data flows where the recipients (group entities) are established in a country without an adequate level of protection.

Once approval is obtained for the group’s BCR, it is a “catch all”, meaning personal data can flow freely between the group companies (these flows will be considered “regular” data transfers under the GDPR, as if they were conducted between two EEA-based entities), without the need to conclude, for example, Standard Contractual Clauses between different group entities or to determine whether a legal ground under article 49 GDPR exists.

How to establish such BCR is explained step by step at a high level in this newsflash.

  • What are BCR?

BCR or “Binding Corporate Rules” is a mechanism under article 46 GDPR for international personal data transfers to recipients in countries without an adequate level of protection, in an intra-group context.

BCR are legally binding guidelines that will apply to all group companies, setting out the different aspects of the personal data processing (the “data flows”) within such group and determining enforceable rights and binding commitments to create, for the personal data transferred under the BCR, a level of protection equivalent to the one provided by the GDPR.

  • Who can use BCR?

There are two types of BCR:

BCR-C: controller to controller/processor

  • transfer of personal data from controllers covered by the GDPR’s geographical scope pursuant to article 3 to other controllers or processors within the same group established in countries without an adequate level of protection (meaning that they are, for example, not included in the ‘whitelist’ of the European Commission, or there is no separate agreement in place between such country and the European Commission).

BCR-P: processor to sub-processor

  • applies to personal data processing by group members covered by the GDPR’s geographical scope, acting as processors on behalf of a controller that is not a member of the group, whereby the group entity acting as processor transfers the personal data to another group member in a country without an adequate level of protection, acting as sub-processor.

A “group” is a group of undertakings, or a group of enterprises engaged in a joint economic activity.

  • How to establish BCR for your group?

To establish BCR, the following process could be followed:

Step 1:

Map the data flows and subsequent processing activities within the group, and identify which group entities within and outside the EEA are involved.

Step 2:

Determine what type of BCR are required (BCR-C and/or BCR-P) based on such data mapping.

Step 3:

Draft appropriate BCR, keeping in mind the list of required information as set out in article 47 GDPR.

Step 4:

Determine the lead supervisory authority for the group, i.e. the supervisory authority of the ‘main establishment’ of the controller or processor (article 56 GDPR).

The EDPB Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority, to be consulted here, and section 1 of the WP29 Working Document on the approval procedure of the Binding Corporate Rules for controllers and processors (wp263rev.01), to be consulted here, can provide further guidance in this regard.

Step 5:

File the draft BCR with the lead supervisory authority for approval.

An application form should be filled out in this regard. This form can be found in the EDPB Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR), to be consulted here, on page 10 et seq.

In case of application for both BCR-C and BCR-P, separate forms should be filled out for each BCR.

In a first stage, only Part I of the application form should be submitted to the presumed lead supervisory authority. As soon as that authority confirms that it is indeed to be considered the lead supervisory authority, it will invite you to fill out and submit Part II of the application form, including its annexes.

Once the complete application form is submitted, the approval procedure will be followed (see in this regard WP29 Working Document on the approval procedure of the Binding Corporate Rules for controllers and processors (wp263rev.01), to be consulted here).

Step 6:

If approved, check what other obligations under the GDPR and/or national data protection legislation may apply. Indeed, once the BCR are approved and deployed, non-EEA personal data transfers conducted under such BCR will be considered to provide for an adequate level of protection, hence as if they took place between two companies within the EEA.

Such transfers are still subject to the general principles and obligations laid down in the GDPR, for example article 28 GDPR, which requires controllers and processors to conclude a data processing agreement, or article 35 GDPR, which requires a data protection impact assessment in some cases.

If new processing activities are set up and/or existing processing activities are altered under the BCR, the record of processing activities (ROPA) should also be adjusted.

Data subjects should be informed regarding the existence and content of the BCR (article 47.2 (g) and articles 13-14 GDPR). Keep in mind that it may be necessary to translate the BCR into the different national languages, to guarantee the data subject’s ‘easy access’ thereto.

Where a DPO is appointed in the context of the intra-group processing activities, do not forget to notify this to the national data protection authorities (article 37 GDPR).

For any further questions related to BCR, please contact our IP, IT and data protection team by sending an e-mail to IP/IT-team@liedekerke.com.
