Binding Corporate Rules (BCR): the CNIL publishes a monitoring tool

What are binding corporate rules and which groups should implement them?

Binding corporate rules (BCR) refer to an intra-group data protection policy. They allow entities bound by the BCR to transfer personal data outside the European Union. They constitute one of the compliance tools under the General Data Protection Regulation (GDPR).

BCR approval is part of the CNIL’s support approach.

BCR holders are responsible for implementing, in practice, the obligations arising from the BCR. The concerned companies are multinationals, established in several countries of the European Union and abroad (see the list of groups holding BCR approved by the CNIL).

A new monitoring tool to verify compliance with BCRs

In order to allow BCR holders to verify their level of compliance with the requirements of these rules, the CNIL publishes a monitoring tool both in French and English. 

It is to be deployed in three stages, using two questionnaires that can be adapted according to needs:

1. The data protection officer or the person in charge of compliance at the group level select the entities to be monitored. The latter may or may not be located in the EU.
2. These entities complete the first questionnaire ‘Local Entity’ and address it to the person in charge at group level. This feedback ensures a concrete and harmonized deployment of the BCR and appropriate governance.
3. The second questionnaire ‘group DPO’ is filled-in directly by the group’s data protection officer, on the basis of the feedback received via the first questionnaire. It should allow the group DPO to have a synthetic view of the governance deployment. 

On the basis of the results obtained, the DPO or the person in charge at group level may complete the group compliance documentation, propose an action plan or request the setting up of audits.