Cross Border Transfer Mechanisms : Binding Corporate Rules



Outside of consent and contract there are number of mechanisms that a company can use to transfer (cross border) personal data from the EU to outside of the EU. One of those mechanisms is Binding Corporate Rules (BCRs).

BCRs were developed by the Art. 29 Data Protection Working Party as a transfer mechanism that permits multinational groups to create a contractual instrument that corresponds to their specific data processing needs.

Application
(a)    Must be uniform throughout organization.
(b)    Must be enforceable by data subject.
(c)    Must indicate clear cooperation with DPA (Data Protection Authority).
(d)    Multinational companies must seek the approval of each DPA located in the country where the data is transferred from.

Pros 
BCRs allow data transfers to entities located in third countries, irrespective of whether the country can provide for an adequate level of data protection or not.

Cons
BCRs do not apply to transfers to external sub-processors (outside of the group), so that adequate protection for transfers must be achieved by other legal means.

Attached you will find the BCRs planning tool kit.

Comments

Popular posts from this blog

Sample Privacy Risk Assesment Example and Explanation

Preserving User Privacy in Digital Advertising: Navigating Consent and Privacy by Design

Cross Border Transfer Mechanism: Model Clauses