Binding Corporate Rules ("BCRs") help ensure an adequate level of protection for data exchanged within a group of companies located both inside and outside the European Economic Area, and are ideal for a multinational group of companies that carries out a large number of international data transfers.
BCRs are internal rules adopted by a group of companies, which set out its global policy for international transfers of personal data. These rules must be binding and respected by all group entities, regardless of their host countries, as well as by all their employees. Moreover, they must expressly confer enforceable rights on data subjects with regard to the processing of their personal data.
BCRs offer many advantages for a multinational group of companies by:
- aiding compliance with the General Data Protection Regulation (Article 47),
- reducing the need for appropriate safeguards for each individual transfer (for example, by adopting BCRs on a group level, data exporters would not be required to sign as many standard contractual clauses as there are transfers),
- harmonising practices relating to the protection of personal data within a group,
- providing an internal guide for employees with regard to personal data management, as part of the ‘accountability’ principle,
- communicating externally on the company's data protection policy,
- treating data protection as part of the group’s corporate social responsibility.
Approval process for BCRs
The procedure for approving binding corporate rules (BCRs) for controllers and processors is laid out in Articles 47 (1), 63, 64 and (where necessary) 65 of the GDPR, and further described in the Working Document WP263 rev.01 adopted on 11 April 2018 by the “Article 29” Data Protection Working Party (predecessor of the European Data Protection Board).
It consists of the following steps:
- identification of the BCRs lead supervisory authority,
- cooperation procedure for the approval of BCRs between the lead supervisory authority, the “co-reviewer” supervisory authorities and the other concerned supervisory authorities,
- (non-binding) opinion adopted by the EDPB in accordance with Article 64 (3) of the GDPR,
- approval (or not) of the BCRs by the lead supervisory authority, taking into account the EDPB’s opinion.
In accordance with Regulation n°7/2020 of 3 April 2020 of the National Data Protection Commission laying down the amount and payment terms of the fees within the framework of its powers of authorisation and consultation, each group of undertakings established on the territory of Luxembourg that submits binding corporate rules to the CNPD for approval pursuant to Article 47 of the GDPR must pay a fee of 1.500 € to the CNPD.