Applying Binding Corporate Rules in transfers of data

As of 1 October 2015 Binding Corporate Rules (BCR) have to be applied. What is BCR? Internal rules adopted by a multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which don’t provide an adequate level of protection (article 26 (2) of the Directive 95/46/CE). Once approved under the EU cooperation procedure, BCR provide a sufficient level of protection. For an adequate level of protection, the rules must contain the obligation to comply with the BCR and basic principles of data protection, third party rights, damages rules for the case the BCR are infringed and tools that ensure its efficiency. Companies need to have their compliance with BCR checked with both internal and external audits. Data protection authorities have the right to revoke the BCR approval if a company doesn’t cooperate. It is the company’s task to ask for the authorities’ approval of the BCR and the company has to pay a fee for having their BCR approved. Companies’ applications for approval have to contain the data affected by data management, the BCR plan and the data verifying the binding nature of the BCR.