Binding Corporate Rules (BCR) are an intra-group data protection policy for transferring personal data outside the European Union. They can cover all processing activities carried out by the organization or focus specifically on data transferred outside the EU. They mainly apply to private multinational companies established in several countries, both inside and outside the European Union.
Since 2003, Binding Corporate Rules, also known as BCRs, have allowed many groups to implement internal procedures aimed at ensuring continuous data protection when transferring data outside the European Union.
BCRs are primarily a tool for large groups whose scale leads to numerous consequences regarding international data transfers. BCRs represent an “appropriate safeguard” under the GDPR to establish the legal basis for transfers (Article 46.2(b)). They are also used by groups as a data management tool, serving as proof of compliance by formalizing their data protection policies.
Actions to Implement Within a Group
The applicable BCR frameworks require a minimum content. Beyond the commitment to comply with GDPR provisions, each applicant must explain in their BCR how the group plans to implement:
- A liability regime resting on the European headquarters or a European subsidiary responsible by delegation for data protection (or another justified liability regime);
- A staff training procedure regarding the rules established by the BCR;
- An audit procedure to monitor BCR compliance;
- An internal complaint management procedure;
- A network of data protection officers or qualified staff for handling complaints, monitoring, and ensuring compliance with internal rules;
- A procedure for determining whether a Data Protection Impact Assessment (DPIA) is necessary;
- Appropriate technical and organizational measures to ensure data protection principles are met.
Data subjects must be able to exercise their rights (access, rectification, erasure, information) and file complaints when they identify, for example, a breach of purpose limitation and retention period principles or security and data confidentiality issues.
It is worth noting that the CNIL provides a self-assessment questionnaire allowing groups seeking to implement BCRs to assess the maturity level of their project against the requirements of the BCR frameworks adopted by the European Data Protection Board (EDPB). This questionnaire can be completed by the group’s Data Protection Officer (DPO) or any other person in charge of the BCR project, or even the group’s legal counsel.
Upon completing the questionnaire, a compliance score and an action plan are provided. Depending on this score, the project may be reworked on the basis of the gap analysis and action plan generated. If the project is mature, it can instead be submitted to the CNIL for review. Implementing BCRs requires prior approval through a multi-step process, both at the national level with the competent authority and at the European level with the EDPB. Only after this process is the project approved by the competent authority, with the EDPB's opinion published.
International Recognition
BCRs now benefit from international recognition and reflect the exemplary conduct of groups that have chosen to implement them. These groups often leverage BCRs to join other equivalent frameworks abroad, such as the Cross Border Privacy Rules (CBPR) system established by the Asia-Pacific Economic Cooperation (APEC) or the Binding Corporate Rules for French-speaking countries. An example is the tool developed by the Association Francophone des Autorités de Protection des Données Personnelles (AFAPDP) to govern transfers outside French-speaking countries.
Between 2007 and May 25, 2018, 151 BCRs were approved by all European data protection authorities. Since the GDPR’s adoption, the demand for BCR approval has increased significantly, both in France and abroad.
In a sidebar:
On July 10, 2023, the European Commission adopted a new adequacy decision recognizing that the United States ensures a level of protection substantially equivalent to that of the European Union (EU). This decision, effective the same day, establishes a framework similar to the previous EU-U.S. Privacy Shield, based on a self-certification mechanism for U.S. entities.
This mechanism applies to all newly certified entities and to those previously certified under the Privacy Shield that maintained their certification after the earlier adequacy decision was invalidated. These entities were automatically added to the new list maintained by the U.S. Department of Commerce. They had three months to update their privacy policies (until October 10, 2023). Whether the importing entity is on that list determines whether the exporter must implement one of the safeguards provided under Article 46 of the GDPR, including BCRs.
To go further, find out how our deepeo software solution can help you with its features.
Data Deletion
Deletes all data for any data subject you no longer have a business or legal reason to hold.
Data Anonymiser
Performs the same operations as data deletion, but anonymises a data subject's data instead of deleting it.