Binding corporate rules (BCR) are internal rules for international data transfers within multinational companies. An important distinction is that BCR are put in place between linked companies, for example subsidiaries in different countries, rather than through a commercial contract, which would instead be protected by standard contractual clauses.
They are similar to a code of conduct. They allow multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection.
Binding corporate rules ensure that all data transfers within a corporate group are safe. They must be approved by a supervisory authority and they must contain:
- privacy principles, such as transparency, data quality, and security
- tools of effectiveness (such as audit, training, or complaint handling systems)
- an element proving that the rules are binding
The approval of BCR can be both complex and lengthy, so if they are not currently in place, it is unlikely that an organisation will be able to rely on them to protect a transfer to a third country.
To learn more about how to apply for the approval of binding corporate rules, please read this guidance: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en
How can ProvePrivacy help?
ProvePrivacy allows RoPA users to add all contracts as part of the Data Sharing Assessment. All of the above clauses are noted within this assessment, and if any are identified as absent, a risk will be added to the risk log.