Binding corporate rules

Binding Corporate Rules or "BCRs" were developed by the European Union Article 29 Working Party to allow multinational corporations, international organizations, and groups of companies to make intra-organizational transfers of personal data across borders in compliance with EU Data Protection Law. The BCRs were developed as an alternative to the EU Model Contract Clauses and the now defunct U.S. Department of Commerce EU Safe Harbor (which was for US organizations only, but has been declared invalid and replaced by the EU-U.S. and Swiss-U.S Privacy Shield Frameworks, which has equally been declared invalid on 16 July 2020 by CJEU judgment C-311/18).

BCRs are required to be approved by the data protection authority in each EU Member State (such as the Information Commissioner's Office in the United Kingdom, CNIL in France, AEPD in Spain, etc.) in which the organization will rely on the BCRs. The EU has developed a mutual recognition process under which BCRs approved by one member state's data protection authority (known as the "lead" authority) and two other "co-lead" authorities, may be approved by the other relevant member states who may make comments and ask for amendments. Other members states, not part of mutual recognition process, will be also involved by the lead authority and will apply their own independent review process within a limited time-frame. The overall process for BCR acceptance takes usually between 6 and 9 months. This time frame does not include the required Data Protection setup, which should be already implemented within the company in order to comply with the current directive and its local implementation.

BCRs typically form stringent, intra-corporate global privacy policies, set of practices, processes and guidelines that satisfy EU standards and may be available as an alternative means of authorizing transfers of personal data (e.g., customer databases, HR information, etc.) outside of Europe.

BCRs should be seen as a framework for having different elements (internal legal agreement, policies, training, audit, etc.) providing compliance with EU data protection regulations and effective privacy and data protection.

It has to be noticed that, while originally designed for providing legal ground to international transfers, BCRs became de facto a corporation demonstration of its capacity to comply "at large" with personal data processing requirements. A corporation having BCRs applies this framework independently of international transfers and should be seen as part of the "Corporate Governance" or "Data Governance"

The Article 29 Working Party issued several guidance documents on BCR content, acceptance criteria and submission process.[1]

BCRs by themselves do not "authorize" all transfers automatically for all EU member states. Most of member states still require a formal "transfer notification" which is normally granted if the BCRs have been accepted by the relevant country.

The following companies have obtained authorizations for BCRs:[2]

ABN AMRO Bank N.V. with the Dutch DPA as the lead DPA
Accenture with the ICO (UK) as the lead DPA
ADP (controller and processor) with the Dutch DPA as the lead DPA
American Express with the ICO (UK) as the lead DPA
ArcelorMittal Group with the Luxemburg DPA as the lead DPA
Atmel with the ICO (UK) as the lead DPA
AXA with the CNIL (French) as the lead DPA
Axa Private Equity with the CNIL (French) as the lead DPA
BMC Software (Controller and Processor) with the CNIL (FR) as the lead DPA
BP with the ICO (UK) as the lead DPA
Bristol-Myers Squibb with the CNIL (FR) as the lead DPA
BT with the ICO (UK) as the lead DPA
Care Fusion with the ICO (UK) as the lead DPA
Cargill, Inc. with the ICO (UK) as the lead DPA
Cisco, with the Dutch DPA as the lead DPA
Citigroup with the ICO (UK) as the lead DPA
CMA-CGM with the CNIL (FR) as the lead DPA
D.E. Master Blenders 1753 ("DEMB") ex Sara Lee International B.V. (indirect subsidiary of Sara Lee Corporation) with the Dutch DPA
Deutsche Post DHL with the BfDI, Germany as the lead DPA
DocuSign (Controller and Processor) with Ireland's DPA as the lead DPA
DSM with the Dutch DPA as the lead DPA
eBay with the Luxemburg DPA as the lead DPA
Ernst & Young with the ICO (UK) as the lead DPA
First Data Corporation with the ICO (UK) as the lead DPA
General Electric (GE) with the CNIL (FR) as the lead DPA
GlaxoSmithKline plc with the ICO (UK) as the lead DPA
Hermès with the CNIL (FR) as the lead DPA
Hewlett Packard with the CNIL (FR) as the lead DPA
HR Access with the CNIL (FR) as the lead DPA
Hyatt with the ICO (UK) as the lead DPA
IMS Health Incorporated with the ICO (UK) as the lead DPA
ING Bank N.V. with the Dutch DPA as the lead DPA
Intel Corporation with Ireland's DPA as the lead DPA
International SOS with the CNIL (FR) as the lead DPA
JPMC with the ICO (UK) as the lead DPA
Koninklijke DSM N.V. and affiliated companies with the Dutch DPA as the lead DPA
Linklaters with the ICO (UK) as the lead DPA
LVMH with the CNIL (FR) as the lead DPA
Michelin with the CNIL (FR) as the lead DPA
Motorola Mobility LLC with the ICO (UK) as the lead DPA
Motorola Solutions, Inc. with the ICO (UK) as the lead DPA
Novartis with the CNIL (FR) as the lead DPA
Novo Nordisk A/S with the Danish DPA as the lead DPA
OVH with the CNIL (FR) as the lead DPA
Royal Philips Electronics with the Dutch DPA as the lead DPA
Safran with the CNIL (FR) as the lead DPA
Sanofi Aventis with the CNIL (FR) as the lead DPA
Schlumberger Ltd. with the Dutch DPA
Schneider Electric with the CNIL (FR) as the lead DPA
Shell International B.V. with the Dutch DPA as the lead DPA
Siemens Group with the DPA of Bavaria (Germany) as the lead DPA
Simon-Kucher & Partners Strategy & Marketing Consultants with DPA of North Rhine-Westphalia (DE)
Société Générale with the CNIL (FR) as the lead DPA
Spencer Stuart with the ICO (UK) as the lead DPA
Teleperformance (Controller and Processor) with the CNIL (FR) as the lead DPA
Zendesk International Limited (Controller and Processor) with Ireland's DPA as the lead DPA

In addition, the Article 29 Working Party has introduced guidance for BCRs for processors (also known as Processor BCR, as opposed to the traditional Controller BCR).[3]

References

See http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm, see in particular documents WP 133, WP 153, WP 154, WP 155 at http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2008_en.htm.
European Commission, List of companies for which the EU BCR cooperation procedure is closed,http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=613841
See Article 29 Working Party's Explanatory Document on the Processor Binding Corporate Rules (April 19, 2013): http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp204_en.pdf and Working Document 02/2012 setting up a table with the elements and principles to be found in Processor Binding Corporate Rules (June 6, 2012): http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp195_en.pdf (last visited November 30, 2012).

External links

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.

[1] See http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm, see in particular documents WP 133, WP 153, WP 154, WP 155 at http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2008_en.htm.

[2] European Commission, List of companies for which the EU BCR cooperation procedure is closed,http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=613841

[3] See Article 29 Working Party's Explanatory Document on the Processor Binding Corporate Rules (April 19, 2013): http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp204_en.pdf and Working Document 02/2012 setting up a table with the elements and principles to be found in Processor Binding Corporate Rules (June 6, 2012): http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp195_en.pdf (last visited November 30, 2012).