Binding Corporate Rules (BCRs)
What are binding corporate rules? Why set up such mechanisms? Is the project sufficiently thought-out to be submitted to the CNIL? What actions need to be done before setting up BCRs? How the approval procedure works?
What you need to know on BCRs
Binding Corporate Rules are an intra-group data protection policy for transfers of personal data outside of the European Union. They may cover all processing carried out by the organization or more specifically data transferred outside the EU.
Why implement BCRs?
BCRs are aimed at organizations that are located in more than one EU country and regularly transfer data outside the European Union.
How to prepare a BCR file?
BCRs are not only a tool to control the transfer of personal data outside the EU, they constitute a real intra-group compliance and data protection policy, applicable to all entities of a group that adhere to its’ system.
When and how to submit your BCRs project to the data protection authorities?
The new BCRs approval procedure resulting from the GDPR now provides for the referral of the European Data Protection Board (EDPB).
BCRs: the CNIL publishes a self-assessment tool
In order to support groups wishing to implement BCR, the CNIL provides them with a tool allowing them to test the level of maturity of their project for themselves.
BCRs: the CNIL publishes a monitoring tool
In order to support groups holding BCR in verifying their implementation, the CNIL provides them with a tool and precises the steps for its deployment.