Why implement BCRs?

13 February 2025

Binding corporate rules are aimed at organizations that are located in more than one EU country and regularly transfer data outside the European Union. There are two types of BCR: BCR "controller" and BCR "processor". The group must therefore be able to identify the processing operations that will be covered by the BCR.

BCRs: a tool for accountability

The principle of accountability is essential to BCRs, which are the first tools to have introduced this general principle of accountability of actors in addition to the implementation of practical measures, both organisational and technical.

BCRs are often described by groups of undertakings as a compliance accelerator and a proof of concept for data processing compliance: they are "appropriate data protection policies" under the GDPR. Legally securing data transfers is only a direct consequence of having a comprehensive group-wide privacy program in place.

Under the GDPR, the content of BCRs is subject to fourteen requirements listed in Article 47, ranging from the definition of the structure of the group of undertakings to its internal training plan, not to mention the internal audit mechanisms and the liability of the controller or processor established on the territory of a Member State for any breaches of the BCRs by any member concerned not established in the Union.

BCRs combine well with other compliance mechanisms provided for by the GDPR, such as codes of conduct or certification mechanisms. Indeed, the GDPR has put in place a renewed and diversified toolbox that makes it possible to take into account the different needs of the organizations concerned. The choice of one or the other of these tools will essentially be made according to the organic criterion: certification targets products or services, the code of conduct is a practical tool that meets the operational needs of a sector of activity, and binding corporate rules formalise the internal governance of large groups.

BCRs allow:

  • to comply with the principles of the GDPR;
  • to avoid concluding as many contracts as there are transfers within a group;
  • to standardize practices relating to the protection of personal data within a group;
  • to communicate the group of undertakings’ policies on the protection of personal data to its clients, partners and employees and to assure them of an adequate level of protection during transfers of their personal data;
  • to place data protection at the forefront of the group's ethical concerns.

“Controller’s” BCRs and “Processor’s” BCRs

There are two types of BCRs:

BCRs for "data controllers" make it possible to control transfers of personal data from data controllers established in the European Union to other data controllers or processors, established outside the Union, within the same group.

Example: Company A, a controller, is located in an EU country. It wishes to transfer data to company B, which will also act as a controller. Both companies are part of the same group but company B is located in a country outside of the European Union. If data transfers such as this occur regularly between entities in this group, then the use of the so-called “BCR-C” is a solution to consider.

Example: Company A, the data controller, is located in an EU country and wishes to use the services of Company C for subcontracting services. These services involve the transfer of HR data of A's employees to C. Both companies are part of the same group, but company C is located in a country outside of the European Union. If data transfers such as this occur regularly between the companies in this group, then the use of so-called “BCR-C” is a solution to be considered.

In both cases, the controller, company A, is part of the group that has set up the BCRs.

The "Processor" BCRs make it possible to create a safe harbour for transfers carried out between the various entities of the group when the group acts as a processor.

Example: Company A, the controller, transfers data to a processor, Company B. This processor B, in order to carry out its task, will subcontract again to 3 other companies C, D and E which are located outside of the European Union. If companies B, C, D and E belong to the same group, processor BCRs will make it possible to control transfers between these entities.

Company A, the controller, is not part of the group that has implemented the BCRs.

A group may opt for one or the other of these BCRs, depending on the activities it wishes to control. It is also possible to adopt both types of BCRs together. In this case, groups are asked to set up two separate documents, in order to be able to easily identify the processing operations concerned by the different procedures set up by the BCRs.