The PayPal Group has adopted Binding Corporate Rules (or “BCR”), which define its global data protection policy with regard to international transfers of personal data. The purpose of these rules is to ensure that the same level of protection as in the European Union is provided to employees and clients of PayPal when their personal data are transferred to entities within the same group located outside of the EU.
BCR are considered as appropriate safeguards in terms of data protection and thus can be used as a solution for multinational companies like PayPal that need to do a lot of international transfers of personal data. PayPal (Europe) S.à r.l. et Cie, S.C.A. is a credit institution based in Luxembourg and supervised by the CSSF (Commission de Surveillance du Secteur Financier). Its mother company, PayPal Inc., is located in California, United States. Until July 2015, the company was part of the eBay Group, which also adopted BCR approved by the CNPD. Following the separation from eBay, PayPal wished to have new binding corporate rules in order to maintain a high level of protection with regards to the protection of personal data processed by PayPal entities around the world.
Since PayPal’s split-off from the eBay Group, the CNPD, as lead authority, has cooperated with its European counterparts under the co-operation and mutual recognition procedure. Following the analysis made by the CNPD, all European data protection authorities approved the results obtained by the CNPD, and agreed to provide the necessary permit or authorization at national level for transfers of personal data in the context of those BCR.