Binding Corporate Rules ("BCR") are internal rules (such as a Code of Conduct) adopted by multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection.
BCR are used by multinational companies in order to adduce adequate safeguards for the protection of the privacy and fundamental rights and freedoms of individuals within the meaning of article 26 (2) of the Directive 95/46/CE for all transfers of personal data protected under a European law.
To that extent, BCR ensure that all transfers are made within a group benefit from an adequate level of protection. This is an alternative to the company having to sign standard contractual clauses each time it needs to transfer data to a member of its group and may be preferable where it becomes to burdensome to sign contractual clauses for each transfer made within a group.
Once approved under the EU cooperation procedure, BCR provide a sufficient level of protection to companies to get authorisation of transfers by national data protection authorities ("DPA"). It should be noted that the BCR do not provide a basis for transfers made outside the group.
BCR make it possible to...
BCR are a solution for multinational companies which export personal data from the European Economic Area to other group entities located in third countries which do not ensure an adequate level of protection.
Interested in BCR? You want to know more about BCR and would like to implement BCR in your company? Contact the authority (National Data Protection Commissioners: European Union - EEA countries) you think could be designated as the lead authority.
BCR must contain in particular: