Binding Corporate Rules (BCR): the CNIL publishes a self-assessment tool
In order to support groups wishing to implement BCR, the CNIL provides them with a tool allowing them to test the level of maturity of their project for themselves.

What are Binding Corporate Rules?
Binding corporate rules (BCR) refer to an intra-group data protection policy. They allow entities bound by the BCR to transfer personal data outside the European Economic Area. They constitute one of the compliance tools under the General Data Protection Regulation (GDPR).
The companies concerned are multinationals established in several countries of the European Economic Area and abroad.
In order to support these organisations, the CNIL offers a set of resources covering all stages of the project, from its preparation to the approval procedure.
A new self-assessment tool
The self-assessment questionnaire allows groups wishing to implement BCR to assess the level of maturity of the project in relation to the requirements of the BCR referentials adopted by the European Data Protection Board (EDPB).
It may be completed by the Group Data Protection Officer or any other person in charge of the BCR project, or by the Group Board.
At the end of the questionnaire, a compliance score and an action plan are proposed.
It is therefore recommended to test the level of the project before submitting it to the CNIL.
Depending on this level, the project may be reworked on the basis of the gap analysis and the resulting action plan. Conversely, it may be submitted to the CNIL if it proves to be mature.
Implementing BCR first requires going through an approval procedure that includes several stages: first at national level, in conjunction with the competent authority, and then at European level, within the EDPB. It is only at the end of this process that the draft will be adopted by the competent authority and that the EDPB opinion will be published.
Access the self-assessment tool