GDPR Learning Hub

Transfers of personal data to a third country

Binding corporate rules

It is common for international groups of companies, with group companies in third countries, to transfer personal data between themselves. 

This may be allowed if they develop binding corporate rules (BCRs) that regulate the processing of personal data. A group of undertakings engaged in a joint economic activity may also establish binding corporate rules. 

Binding corporate rules are an example of an appropriate safeguard under Article 46(2)(b) GDPR. They are governed by Article 47 of the GDPR and by Recital 110. 

The purpose of BCRs is to regulate the transfer of personal data by the group to companies within its own group located in a third country. 

Advantages of Binding Corporate Rules

Binding corporate rules serve as both proof and a visible sign of the company’s commitment to compliance with data protection rules. 

  •   The company processes personal data in accordance with the principles and rules set out in the GDPR. 
  •   Companies within the corporate group do not have to enter into separate agreements with each other regarding the transfer of personal data. 
  •   The group may have consistent data protection practices across all of its companies. 

 

Binding corporate rules must be approved

Please note that a data protection authority in the EU must approve the binding corporate rules in order for them to be valid. In addition, the data protection authority must request an opinion from the European Data Protection Board (EDPB), which includes all GDPR supervisory authorities from the EU and EEA countries. It is important that the company puts appropriate safeguards in place to protect personal data, as this is taken into account when binding corporate rules are approved. 

Here you can read more about the criteria for getting binding corporate rules approved. 

Steps to get binding corporate rules approved

1. Responsible Data Protection Authority

The company needs to propose which EU country’s supervisory authority will be the lead data protection authority for the case, and justify the proposal on the basis of certain criteria. Please note that these criteria are not formal requirements, but they are nevertheless taken into account. These are some factors to take into account in the assessment: 

Parent company

The country within the EU or EEA in which the group parent company is established.

Delegated responsibility

The country within the EU or EEA in which the company within the group that has been given responsibility for data protection is established.

Managing the application process

The country within the EU or EEA from which a company within the group can best manage the application process and apply the binding corporate rules within the group.

Decision-making for GDPR

The country within the EU or EEA from which the majority of decision-making regarding GDPR comes.

Country of transfer

The country within the EU or EEA from which personal data will be transferred to the third country.

2. Send the application

Fill in the application form and send it to the lead data protection authority. In addition, it may be useful to submit a list of the companies in the group to which the binding corporate rules are intended to apply, to make it easier for the data protection authority to handle the application. 

Please note that companies must submit two separate application forms if the binding corporate rules apply to both controllers and processors. 

3. Assessment by the responsible data protection authority

The fact that a company considers that the data protection authority in a particular country should be the lead does not mean that the data protection authority or the European Data Protection Board agrees. 

Therefore, upon application, the data protection authority will make its own assessment as to whether it is the most appropriate lead data protection authority. If not, it may send the application to another data protection authority that it deems more appropriate. 

4. Submit proposals for binding corporate rules

The company shall submit its proposal for the binding corporate rules it has drawn up. In addition, the data protection authority may request additional information if it considers that the submitted documentation and information are not complete. 

5. Examination of the application

The application is then reviewed by the designated lead data protection authority. Please note that the lead data protection authority does not carry out the review alone: at least one other data protection authority is involved in carrying out the review. In addition, all other data protection authorities in the EU/EEA area are given the opportunity to give their opinion before the application is sent to the European Data Protection Board. 

6. Opinion of the European Data Protection Board

The European Data Protection Board gives its opinion after having been given access to all documentation and information. However, the decision is not taken by the European Data Protection Board, which merely gives its opinion on the matter. 

7. Decision of the responsible data protection authority

Following the opinion of the European Data Protection Board, the company is given an opportunity to make any changes to its draft of the binding corporate rules. Thereafter, the designated lead data protection authority will take a final decision. Please note, however, that the processing time may be affected by the amount of additional information, documents and similar material that may be required. 

More about Transfers of personal data to a third country

Adequate level of protection

Companies, whether controllers or processors, are allowed to transfer personal data to a third country if the third country has an adequate level of protection. Only the European Commission can take such a decision. In other words, a company cannot itself conclude that a third country ensures an adequate level of protection and therefore transfer personal data there. Please note that the adequacy decision does not necessarily have to cover an entire country. It may also be, for example, a territory within that third country, such as a federal state or a specific sector, that is considered to provide an adequate level of protection. 
