Binding corporate rules

Binding Corporate Rules (BCRs) were developed by the European Union Article 29 Working Party (today the European Data Protection Board) to allow multinational corporations, international organizations, and groups of companies to make intra-organizational transfers of personal data across borders in compliance with EU data protection law. BCRs are a framework made up of different elements (internal legal agreements, policies, trainings, audits, etc.) that together allow for compliance with EU data protection regulations and privacy protection. BCRs were developed as an alternative to the "standard contractual clauses" (SCCs) and the now defunct U.S. Department of Commerce EU Safe Harbor (which was for US organizations only, but has been declared invalid).

BCRs are required to be approved by the data protection authority in each EU member state (such as the CNIL in France and AEPD in Spain) in which the organization will rely on the BCRs. The EU has developed a mutual recognition process under which BCRs approved by one member state's data protection authority (known as the "lead" authority) and two other "co-lead" authorities may be approved by the other relevant member states, who may make comments and ask for amendments. Other member states that are not part of the mutual recognition process will also be involved by the lead authority and will apply their own independent review process within a limited time frame. The overall process for BCR acceptance usually takes between 6 and 9 months. This time frame does not include the required data protection setup, which should already be implemented within the company in order to comply with the current directive and its local implementation.

BCRs typically form stringent, intra-corporate global privacy policies, sets of practices, processes and guidelines that satisfy EU standards and may be available as an alternative means of authorizing transfers of personal data (e.g., customer databases, HR information, etc.) outside of Europe. BCRs are considered the most "robust" and accepted regime for data transfers.
It should be noted that, while originally designed to provide legal grounds for international transfers, BCRs became de facto a corporation's demonstration of its capacity to comply "at large" with personal data processing requirements. A corporation having BCRs applies this framework independently of international transfers, and BCRs should be seen as part of "Corporate Governance" or "Data Governance".




External links

* https://edpb.europa.eu/our-work-tools/accountability-tools/bcr_en