On December 6, 2017, the European Union’s Article 29 Working Party released two sets of guidelines on Binding Corporate Rules (“BCRs”) it had adopted a week earlier. BCRs are internal rules that define a group of companies’ global policy regarding the processing and international transfers of personal data. Based on the approval by the EU Supervisory Authorities, companies can use BCRs to transfer personal data to group entities located outside the EU. The two documents replace the earlier Working Papers 153 and 195.
How Does This Help Companies?
The Article 29 Working Party further clarifies the necessary content of BCRs as already stated in Article 47 of the GDPR to facilitate BCRs applications. The guidelines consist in tables that distinguish what must be included in the text of the BCRs themselves from what must be submitted to the competent Supervisory Authority in the context of a BCRs application (i.e. the list of entities bound by BCRs, how the rules are made binding on the group entities and its employees, and confirmation that the company has sufficient assets to pay compensation for damages resulting from a violation of the BCRs). These guidelines will therefore be the primary resource companies will use when applying for BCRs.
The Background for Two Sets of Guidelines
Companies should refer to the appropriate guidelines depending on whether they are controllers (i.e. companies that determine the means and purposes of the processing) or processors (i.e. companies that process personal data on behalf of a controller).
- Controller BCRs. These BCRs apply to transfers of personal data from controllers established in the EU to other entities of the same group established outside the EU ("Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules,” WP256).
- Processor BCRs. These BCRs apply to personal data received from a controller (established in the EU) which is not a member of the group and then processed by the group entities as Processors and/or Sub-processors (“Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules.” WP257).
Three Points to Bear in Mind Regarding BCRs
- BCRs should be effective. This is clearly not simply about paperwork.
- BCRs must be easily accessible. For instance, a company may indicate that it will publish at least the parts of the BCRs on which information to individuals is mandatory on the internet.
- BCRs involve responsibility. Every entity must be responsible for and be able to demonstrate compliance with the BCRs.
The guidelines provide a quite detailed description of the information that BCRs must include. Here is an overview of this information.
- Scope. BCRs must provide a description of the processing activities and data flows covered, including the geographical scope of the BCRs.
- Binding Nature. BCRs must include a duty of the group entities, including their employees, to respect the BCRs. BCRs must also confer rights on individuals and enable them to lodge a complaint before the competent Supervisory Authority and Courts. BCRs must provide that all group entities accept responsibility of any breach of the GDPR by any entity of the group, wherever it takes place.
- Effectiveness. BCRs must provide the existence of a training program, a complaint handling process, an audit program covering the BCRs, and the creation of a network of data protection officers or appropriate staff for monitoring the BCRs.
- Data Protection Safeguards. BCRs must provide a description of the data protection principles laid down in the GDPR, including the rules on transfers or onwards transfers out of the EU. All group entities should be able to demonstrate compliance with the BCRs. Also, all group entities must be transparent where national legislation prevents them from complying with the BCRs.
- Cooperation with Supervisory Authorities. BCRs must show that the company and all group entities will cooperate with Supervisory Authorities and comply with their advice.
- Changes. BCRs must set up a process for updating the BCRs and reporting changes to the competent Supervisory Authority.
The same principles apply to Processor BCRs, with a few adjustments.
- Processor BCRs should mention that individuals can enforce the BCRs directly against the processor where the requirements at stake are specifically directed to processors in accordance with the GDPR.
- The Processor engages its responsibility towards the controller.
- The Processor has a duty to cooperate with the controller.