Binding corporate rules

from Wikipedia, the free encyclopedia

Binding corporate rules (referred to in the General Data Protection Regulation as binding internal data protection rules), often abbreviated BCR, are a framework for binding guidelines on the handling of personal data that was developed by the Article 29 Working Party and is used by the European Commission. The term is often used as a synonym for the individual rules of a company that are based on this framework. They allow multinational corporations, international organizations and groups of companies, in accordance with applicable European law, to transfer personal data internally to third countries with an inadequate level of data protection. In addition to Binding Corporate Rules, there are other frameworks for handling personal data, such as the Cross-border Privacy Enforcement Arrangement (CPEA) of the Asia-Pacific Economic Cooperation (APEC). Because of their legally binding character and the freedom of design they offer, corporate rules fall within the area of corporate governance.

A company's binding corporate rules must be reviewed by the data protection authority of the European country from which data is to be transferred. In order to speed up this process, the Article 29 Data Protection Working Party has developed a coordination procedure with some European data protection authorities for the review of binding corporate rules. In the process called "Mutual Recognition", a lead data protection authority, together with two associate authorities, checks whether the company's rules adhere to the framework. After completion of this process, the data protection authorities of all 21 countries participating in the process recognize the Binding Corporate Rules as a sufficient safeguard. If data is to be transferred from other European countries, their data protection authorities review the binding corporate rules independently. If data is transferred on the basis of Binding Corporate Rules, permission must be obtained from the competent authority by means of a transfer notification prior to the transfer. The transfer is then approved on the basis of these Binding Corporate Rules.

History

The reason for the creation of the Binding Corporate Rules was the European Directive 95/46/EC on the protection of individuals with regard to the processing of personal data, which came into force in 1995. Under this directive, individual contracts had to be concluded for each data transfer to insecure third countries. This turned out to be very time-consuming, especially for large international companies. For this reason, the idea of binding company guidelines arose in industry at the end of the 1990s, in order to guarantee a sufficient level of data protection when data is transferred to parts of a group located in third countries. In the following years, academics debated whether the Data Protection Directive permitted such a construct. The debate concluded that Article 26(2) of the European Data Protection Directive was a suitable legal basis for this and that binding company rules are therefore permissible.

When implementing the European Data Protection Directive in 2001, the German legislator took up these considerations and explicitly mentioned company regulations as an example of a sufficient data protection safeguard when transferring personal data to third countries (Federal Law Gazette I, p. 904). As a result, in July 2002 DaimlerChrysler AG adopted two company guidelines. Shortly afterwards, the supervisory authority in Berlin approved two data transfers based on them. At around the same time, the German, Dutch and Austrian authorities were discussing the coordination of procedures for the mutual recognition of company guidelines, in view of the growing interest from industry. However, the authorities discontinued these efforts because the Article 29 Data Protection Working Party had signaled that it would deal with the subject of company regulations at the European level.

The expression Binding Corporate Rules appears for the first time in working paper WP 74 of the Article 29 Data Protection Working Party in June 2003. This contained fundamental considerations on binding company rules, which built on the existing experience of individual European authorities. In 2004, under the supervision of the Article 29 Working Party, the go-ahead was given for five test cases for the planned coordination of procedures for the adoption of Binding Corporate Rules. These included the corporate rules of DaimlerChrysler AG that were already in force in Germany. On April 15, 2005, the Article 29 Working Party agreed to assess company rules according to a uniform European standard. Since then, the mutual recognition procedure has been further elaborated in the form of working papers, on the basis of the results of the test runs and subsequent developments.

Binding Corporate Rules under the General Data Protection Regulation

The European General Data Protection Regulation largely incorporates the previous practice into the law. The prerequisites and requirements for Binding Corporate Rules are regulated in Article 47 GDPR. In addition, under Article 46(2)(b) they are now expressly named as an example of a suitable safeguard for an adequate level of data protection in a third country. The previous mutual recognition procedure is replaced by the consistency mechanism under Article 63 GDPR, which however follows a largely similar process. BCRs adopted through the consistency mechanism are now effective for all European data protection authorities. In addition, individual data transfers no longer need to be approved by the individual authorities. The scope of Binding Corporate Rules is extended in Article 46(1) GDPR from corporate groups to contract data processors.

Content

The content of the Binding Corporate Rules is designed individually by each company, but the framework prescribes the following points:

  • Definition of the scope. This consists of the parts of the company that are subject to the Binding Corporate Rules and the countries in which they are located
  • Development and implementation of a security concept to protect personal data
  • Data protection training for employees
  • Participation in an audit program
  • Further contracts to ensure that the binding corporate rules are legally binding internally and externally
  • Obligation to pay compensation in the event of a breach
  • Procedure for handling data protection complaints
  • Assurance of transparency. This includes easy access for data subjects both to the Binding Corporate Rules and to their own personal data

Advantages and disadvantages

The advantage of Binding Corporate Rules compared to the use of EU standard contractual clauses or the Safe Harbor Agreement is that they can be customized. This offers the company the opportunity to embed the topic of data protection in its corporate culture, which results in higher compliance. In addition, the European legislator continues to adhere to the concept of Binding Corporate Rules in the General Data Protection Regulation.

Since the Safe Harbor Agreement was declared invalid by the European Court of Justice (ECJ) in its judgment of October 6, 2015, it can no longer be used as a legal basis for data transfers, whereas Binding Corporate Rules still can.

The purpose of introducing Binding Corporate Rules has expanded since the framework was created. At the beginning, the aim was to legitimize data transfers to insecure third countries. Nowadays they serve de facto as a demonstration by large companies that they comply with the legal requirements of data protection. They are often used as part of a marketing strategy or to communicate the topic of data protection to the outside world.

The advantage of free design also turns out to be the greatest disadvantage of binding corporate rules. The associated high organizational effort and the necessary review by several data protection authorities lead to a lengthy process. The duration of the process from the creation to the introduction of the Binding Corporate Rules is around 1–2 years. This results in a cost factor that bears no comparison with the preparation of EU standard contractual clauses. Therefore, despite some advantages, the introduction of Binding Corporate Rules only pays off for international companies with a correspondingly high number of data transfers to insecure third countries.

Official documents

With regard to Binding Corporate Rules, the Article 29 Data Protection Working Party has published a number of working papers:
