
If you look at them, you will see that there are quite a few organizations on this list, from the technology industry in the broad sense (IT, facilities management, online tools), the financial industry (including some that are also online players, like PayPal), the life sciences industry (pharmaceuticals), global consultants and accounting firms, and what we would call the big players in Industry 4.0: both high-tech manufacturers (BMW, Airbus, ...) and data-intensive solution providers. Of course, this is no coincidence. An applicant organisation submits the BCR application to its chosen EU lead supervisory authority (which can no longer be the UK ICO). Once the BCRs have been reviewed and commented on by the lead supervisory authority, they are forwarded to two co-reviewing supervisory authorities for further review and comment. Subsequently, a committee composed of the lead supervisory authority, one or both co-reviewers, an independent supervisory authority and a member of the secretariat of the European Data Protection Board (EDPS) provides comments, which feed into a final version of the BCRs. This final version is submitted to the European Data Protection Board. While technically all regulators have the right to comment during this final review period, in practice further comments are unlikely. Finally, the European Data Protection Board issues an opinion on the decision approving the BCRs, on the basis of which the lead supervisory authority allows the group to subject intra-group data transfers to the authorised BCRs. BCRs are intended for multinational groups, groups of companies, or a group of companies that carry out a common economic activity, such as franchises, joint ventures or professional partnerships.

BCRs contain a set of internal rules (such as a code of conduct) that all organizations involved in the data processing must accept. BCRs are also defined in Article 1 of the GDPR: "Binding Corporate Rules means the personal data protection strategies that are followed by a controller or processor established in the territory of a Member State for transfers or a series of transfers of personal data to a controller or processor in one or more third countries within a group of Companies; or a group of enterprises engaged in a joint economic activity". The rules have been discussed extensively in the context of the GDPR (General Data Protection Regulation) and Brexit. In fact, these two milestones changed the way organizations could conduct cross-border data transfers and made BCRs more widely applicable. As noted earlier, BCRs must be approved both by the organizations subject to their rules and by the appropriate regulatory body. A group of companies engaged in a common economic activity is not strictly defined in the GDPR. However, the fact that binding corporate rules are mentioned in this scope is one of the reasons why BCRs are interesting: they transcend the group of companies and, as mentioned, may apply to certain sectors. Binding Corporate Rules (BCRs) are data protection rules that companies established in the EU comply with for the transfer of personal data outside the EU within a group of companies. These rules must include all general data protection principles and enforceable rights in order to ensure adequate safeguards for data transfers. They must be legally binding and enforced by each member of the group concerned.

In this blog, we'll help you understand when to use BCRs, what benefits they offer, and how to create them. Does "a group of enterprises engaged in a joint economic activity" mean a trading partner? The term certainly covers BCRs for certain sectors, which seems to be the main area addressed in the communication mentioned below. In addition, as the infographic below and the accompanying article indicate, it could also mean that not only a group of companies may fall under a BCR, but also, for example, trading partners. Binding Corporate Rules or BCRs are internal rules that define the international policy of a multinational group of companies and international organizations regarding the cross-border transfer of personal data within those organizations. Under the GDPR, they become much more important. To meet these European requirements, Accenture has implemented a set of data protection rules known as the Binding Corporate Rules for Data Controller (BCR). These are legally binding on all participating Accenture companies, and Accenture must integrate the requirements into its business practices. As of 1 January 2021, the UK ICO is no longer a recognised supervisory authority within the meaning of the GDPR and therefore cannot act as the lead supervisory authority for the BCR approval process. The European Data Protection Board published a briefing note in July 2020 to explain what this means for UK-based groups.

Indeed, a communication from the European Commission to the European Parliament and the Council on "The exchange and protection of personal data in a globalised world" states: "This reform formalises and extends the possibilities of using existing instruments such as BCRs, which were previously limited to agreements between companies of the same group, and can now be used by a group of enterprises which carry out a common economic activity but are not necessarily part of the same group." BCRs also offer a high degree of flexibility as a means of data transfer. While BCRs can easily absorb changes in a group's corporate structure, time-consuming intra-group data transfer agreements based on standard contractual clauses need to be reviewed and updated frequently to reflect structural or data flow changes. These rules contain general data protection principles and give a data subject a right of action against the group for non-compliance with the rules. As a package, BCRs can provide appropriate safeguards to govern all data transfers within a group in accordance with the GDPR. Corporate rules for data transfers within multinational companies: Binding Corporate Rules (BCRs) are internal data protection rules that govern the transfer of personal data within a group from EEA companies to companies located outside the EEA (third countries). The Article 29 Working Party adopted the following documents, which were endorsed by the European Data Protection Board. These documents describe the approval procedure and provide information on the structure and requirements of a company's binding corporate rules. Companies must submit binding corporate rules to the relevant data protection authority in the EU for approval.

The authority approves BCRs in accordance with the consistency mechanism provided for in Article 63 of the GDPR. Several supervisory authorities may be involved in this procedure, as the group applying for approval of its BCRs may have companies in more than one Member State. The competent authority submits its draft decision to the European Data Protection Board, which issues its opinion on the binding corporate rules. Once the BCRs have been finalised in accordance with the opinion of the European Data Protection Board, the competent authority approves them. Next, you need to list the details of the information that will be shared. This should include what types of personal data are involved, why they are shared, how they are processed, and between which countries the information is transferred.