The following provides background concerning the approved Binding Corporate Rules ("BCR") procedure. BCRs are in-kind privacy rules and standards that allow multinational groups of companies to transfer personal data within their group of companies, including to corporate affiliates outside of the EU. In order to obtain approval of a BCR, a company's privacy policy has to demonstrate that it ensures an adequate level of data protection and respective safeguards under EU law. BCRs are an internal tool only and do not allow for any data transfers outside of a corporate group.
Companies should go through the following five steps if they choose to obtain BCR approval:
Step 1: Designate the lead EU data protection authority (“DPA”), i.e. the authority which will be handling the EU co-operation procedure among the other European DPAs.
Step 2: Draft and submit a BCR which meets the safeguards required by the Directive.
Step 3: The lead authority will start the EU co-operation procedure by circulating the draft BCR to the relevant DPAs, i.e. those of the countries from which entities of the group transfer personal data to entities located outside of the EU.
Step 4: The EU co-operation procedure is closed after the countries under mutual recognition have acknowledged receipt of the BCR and those which are not under mutual recognition have determined that the BCR provides sufficient safeguards.
Step 5: When the draft BCR has been considered final by all concerned DPAs, the company requests authorization to transfer data on the basis of the adopted BCR.