How to prepare a BCR file?

13 February 2025

Binding Corporate Rules (BCR) are not only a tool to control the transfer of personal data outside the European Union; they also constitute a real intra-group compliance and data protection policy, applicable to all entities of a group that adhere to its system.

To this end, the group must identify in advance the areas that will be covered by the BCRs and explain, in the documents submitted to the authorities, how it plans to implement these various rules and procedures in its own environment.

Actions to be implemented within a group

The working documents applicable to BCRs provide for a minimum content. In addition to the commitment to comply with the GDPR’s provisions, each applicant is required to explain in its BCRs how the group plans to implement:

  • a liability regime falling on the European headquarters or the European BCR member with delegated responsibilities on data protection (or another liability regime, upon justification);
  • a staff training program on the rules laid down by the BCRs;
  • an audit program to ensure compliance with the BCRs;
  • an internal complaint handling process;
  • a network of data protection officers or qualified employees to manage complaints, monitor and control compliance with the internal rules;
  • a procedure to determine the appropriateness of conducting a privacy impact assessment (PIA);
  • for "processor’s" BCRs, the processor’s obligations towards the controller;
  • appropriate technical and organizational measures to comply with data protection principles.

The BCRs commit the group of undertakings to respect the rights of the data subjects whose personal data is being processed.

Data subjects must be able to exercise their rights (of access, rectification, erasure, information) and lodge complaints when they observe, for example, a failure to comply with the principles of limiting the purposes and storage periods, or a problem with the security or confidentiality of the data.

The elements that must be included in the BCRs are set out in the working documents adopted by the European Data Protection Board (EDPB).

You can now test your project's level of maturity using the self-assessment tool.

Preparing a BCRs draft

Before submitting a BCRs draft to a supervisory authority, it is necessary to:

  • Determine the scope of application of the BCRs to which the group of undertakings wishes to adhere, as this may vary. For example, it is possible to frame only the processing operations carried out in the capacity of data controller or to limit the BCRs to transfers of personal data from entities located in the EU to entities located outside of the EU. BCRs may also apply to transfers of personal data between adherent entities located outside of the EU.
     
  • Put in place the various data protection governance procedures and ensure that companies adhering to the BCRs are compliant with the data protection principles. Therefore, once the BCRs are approved, following the European approval process, the adhering companies will be compliant with their provisions.
     
  • Determine the competent data protection authority, based on a set of criteria (location of the Group’s EEA headquarters or of the data protection officer, location of the Group entity agreeing to take on delegated data protection responsibility, or location of the decision-making entity in terms of personal data processing and transfers outside the European Union). This authority will be the sole point of contact of the applicant group throughout the approval process.
     
  • Ensure that the processing operations concerned by the BCRs are compliant with the GDPR (for example, HR processing).

For more information, you can refer to the elements contained in the working documents and the Standard application for approval forms: