A number of multinational companies operating across multiple jurisdictions and sharing personal data between different countries have adopted Binding Corporate Rules (BCRs) as a transfer mechanism under Art. 47 of the General Data Protection Regulation (GDPR).
BCRs are internal data protection compliance rules to ensure that personal data transferred between their entities, particularly from the EU to non-EU countries, complies with the GDPR. They serve as a legally binding commitment across all relevant company entities to maintain high standards of data protection.
The process of approval
In order to hold BCRs, companies must submit their application to the relevant Data Protection Authority (DPA), often the lead authority where the company has its EU headquarters, and obtain the approval of that DPA, in cooperation with the other EU DPAs. The approval process is complex and rests on several pillars, the most important of which are:
- Comprehensive Documentation: The company must provide detailed documentation outlining how its BCRs ensure compliance with GDPR requirements. This includes provisions on data security, privacy policies, individual rights, and the scope of data transfers.
- Accountability Mechanisms: The group must ensure that regular internal audits, training programs, and compliance measures are in place across all group entities.
- Data Subject Rights: BCRs must guarantee the rights of individuals (e.g., the right to access, correct, or erase their data).
- Liability: The parent company or another designated entity must take legal responsibility for ensuring compliance with the BCRs and resolving any potential violations.
Compliance Review
After the BCRs have been approved, effective oversight of BCRs compliance is crucial to maintaining their integrity, especially under the accountability principle. The compliance review of the BCRs typically falls under the responsibility of:
- Data Protection Officers (DPOs): Large companies often appoint a DPO to oversee compliance with data protection laws, including BCRs. This individual should be well-versed in GDPR requirements and act as a point of contact for both data subjects and regulators.
- Internal Compliance Teams: Multinational companies should appoint a data protection coordination team across the entities to ensure that BCRs are consistently applied across all members of the group and jurisdictions.
- External Auditors: In some cases, external auditors may be engaged to ensure an objective review of how the BCRs are implemented and whether any corrective actions are needed.
The CNIL’s BCR Monitoring Tool
To support multinational groups in monitoring compliance with their approved BCRs across the members of the group, the French DPA, the Commission Nationale de l’Informatique et des Libertés (CNIL), has developed a BCR Monitoring Tool that facilitates the supervision and verification of the implementation status of the obligations arising from the BCRs.
The tool involves two types of questionnaires for a three-step process:
- The DPO (or the responsible stakeholder for BCRs compliance) selects the entities to audit;
- The selected local entities complete the first, ‘Local Entity’ questionnaire, a checklist built on the criteria used for BCRs approval;
- Based on the local entities’ answers to the first questionnaire, the DPO completes the second questionnaire and assesses the status of governance deployment, prepares a plan to address the risks identified, requests further audits, or designs a strategy to support or improve the compliance process.
The main benefits of the CNIL monitoring tool are:
- Assess BCRs Implementation: The tool allows companies to self-assess and report on how their BCRs are being applied across their global operations.
- Track Performance: By using the tool, companies can benchmark their BCRs compliance against specific criteria, helping them identify areas for improvement and ensuring continuous adherence to the GDPR’s standards.
- Accountability Tool: The tool is a practical means for multinational groups to demonstrate compliance and to prepare plans to address the gaps identified.
Conclusion
BCRs are a robust and legally sound mechanism for managing international data transfers. They can be described as a “compliance journey” for multinational groups, which are responsible for overseeing the implementation of the rules and for providing the instruments and support their affiliate entities need to meet the standards set by the BCRs. The CNIL’s monitoring tool is a useful instrument that helps companies monitor their compliance status and design specific plans to guide the group through that compliance journey.