In the operation of a group of companies, personal data very frequently needs to be transferred within the group, even when some of the group companies operate outside the EU.
In cases where certain members of a group of companies operate in third countries for which there is no accepted adequacy decision, binding corporate rules (BCRs) may serve as a means of transferring personal data to third countries.
According to the definition set out in the GDPR (Article 4, Point 20), binding corporate rules means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.
The definition has the following elements:
- It is a policy that protects personal data.
- There is at least one data controller or data processor established on the territory of a Member State.
- The group includes one or more data controllers or data processors operating in third countries.
- Personal data is transferred to companies operating in third countries.
Acceptance of binding corporate rules
Binding corporate rules may only be applied once the competent supervisory authority has approved the BCRs in accordance with the consistency mechanism. This may happen if the BCRs meet the following criteria:
- the BCRs are legally binding and apply to and are enforced by every member of the group of undertakings concerned, or group of enterprises engaged in a joint economic activity, including their employees;
- they expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and
- they contain the mandatory elements set out in Article 47(2) of the GDPR.
Under Directive 95/46/EC, the Article 29 Working Party (WP 29) issued a number of guidelines on the content of BCRs and on the approval process, including a review of the procedural rules of each Member State. Based on the GDPR, WP 29 has published the updated spreadsheets for both data controllers and data processors regarding expectations in connection with BCRs.
Many groups of undertakings have approved BCRs (the list is available here) and the number of accepted BCRs is expected to increase further in the future. (This legal institution arrived a little late in Hungary, as BCRs were only introduced by the amendment of the Hungarian Data Protection Act in October 2015. The list of data controllers using BCRs in Hungary can be found on the website of the Hungarian Data Protection Authority.)