ⓘ Binding corporate rules

                                     

ⓘ Binding corporate rules

Binding Corporate Rules or "BCRs" were developed by the European Union Article 29 Working Party to allow multinational corporations, international organizations, and groups of companies to make intra-organizational transfers of personal data across borders in compliance with EU Data Protection Law. The BCRs were developed as an alternative to the U.S. Department of Commerce EU Safe Harbor and the EU Model Contract Clauses.

BCRs are required to be approved by the data protection authority in each EU Member State in which the organization will rely on the BCRs. The EU has developed a mutual recognition process under which BCRs approved by one member states data protection authority known as the "lead" authority and two other "co-lead" authorities, may be approved by the other relevant member states who may make comments and ask for amendments. Other members states, not part of mutual recognition process, will be also involved by the lead authority and will apply their own independent review process within a limited time-frame. The overall process for BCR acceptance takes usually between 6 and 9 months. This time frame does not include the required Data Protection setup, which should be already implemented within the company in order to comply with the current directive and its local implementation.

BCRs typically form stringent, intra-corporate global privacy policies, set of practices, processes and guidelines that satisfy EU standards and may be available as an alternative means of authorizing transfers of personal data outside of Europe.

BCRs should be seen as a framework for having different elements providing compliance with EU data protection regulations and effective privacy and data protection.

It has to be noticed that, while originally designed for providing legal ground to international transfers, BCRs became de facto a corporation demonstration of its capacity to comply "at large" with personal data processing requirements. A corporation having BCRs applies this framework independently of international transfers and should be seen as part of the "Corporate Governance" or "Data Governance"

The Article 29 Working Party issued several guidance documents on BCR content, acceptance criteria and submission process.

BCRs by themselves do not "authorize" all transfers automatically for all EU member states. Most of member states still require a formal "transfer notification" which is normally granted if the BCRs have been accepted by the relevant country.

The following companies have obtained authorizations for BCRs:

  • Societe Generale with the CNIL FR as the lead DPA
  • Teleperformance Controller and Processor with the CNIL FR as the lead DPA
  • eBay with the Luxemburg as the lead DPA
  • HR Access with the CNIL FR as the lead DPA
  • Hyatt with the ICO UK as the lead DPA
  • Motorola Mobility LLC with the ICO UK as the lead DPA
  • DocuSign Controller and Processor with Irelands DPA as the lead DPA
  • Safran with the CNIL FR as the lead DPA
  • Siemens Group with the DPA of Bavaria Germany as the lead DPA
  • GlaxoSmithKline plc with the ICO UK as the lead DPA
  • Zendesk International Limited Controller and Processor with Irelands DPA as the lead DPA
  • Accenture with the ICO UK as the lead DPA
  • American Express with the ICO UK as the lead DPA
  • Deutsche Post DHL with the BfDI, Germany as the lead DPA
  • Novartis with the CNIL FR as the lead DPA
  • IMS Health Incorporated with the ICO UK as the lead DPA
  • Sanofi Aventis with the CNIL FR as the lead DPA
  • Spencer Stuart with the ICO UK as the lead DPA
  • Michelin with the CNIL FR as the lead DPA
  • Motorola Solutions, Inc. with the ICO UK as the lead DPA
  • BP with the ICO UK as the lead DPA
  • D.E. Master Blenders 1753 "DEMB" ex Sara Lee International B.V. indirect subsidiary of Sara Lee Corporation with the Dutch DPA
  • Schneider Electric with the CNIL FR as the lead DPA
  • Hewlett Packard with the CNIL FR as the lead DPA
  • AXA with the CNIL FR as the lead DPA
  • ADP Controller and Processor with the Dutch DPA as the lead DPA
  • DSM with the Dutch DPA as the lead DPA
  • Shell International B.V. with the Dutch DPA as the lead DPA
  • Cisco, with the Dutch DPA as the lead DPA
  • Hermes with the CNIL FR as the lead DPA
  • Care Fusion with the ICO UK as the lead DPA
  • First Data Corporation with the ICO UK as the lead DPA
  • BMC Software Controller and Processor with the CNIL FR as the lead DPA
  • LVMH with the CNIL FR as the lead DPA
  • Intel Corporation with Irelands DPA as the lead DPA
  • ArcelorMittal Group with the Luxemburg DPA as the lead DPA
  • Bristol-Myers Squibb with the CNIL FR as the lead DPA
  • ING Bank N.V. with the Dutch DPA as the lead DPA
  • International SOS with the CNIL FR as the lead DPA
  • Atmel with the ICO UK as the lead DPA
  • Citigroup with the ICO UK as the lead DPA
  • Axa Private Equity with the CNIL FR as the lead DPA
  • BT with the ICO UK as the lead DPA
  • ABN AMRO Bank N.V. with the Dutch DPA as the lead DPA
  • Cargill, Inc. with the ICO UK as the lead DPA
  • General Electric GE with the CNIL FR as the lead DPA
  • Royal Philips Electronics with the Dutch DPA as the lead DPA
  • Schlumberger Ltd. with the Dutch DPA
  • Koninklijke DSM N.V. and affiliated companies with the Dutch DPA as the lead DPA
  • OVH with the CNIL FR as the lead DPA
  • CMA-CGM with the CNIL FR as the lead DPA
  • Novo Nordisk A/S with the Danish DPA as the lead DPA
  • Simon-Kucher & Partners Strategy & Marketing Consultants with DPA of North Rhine-Westphalia DE
  • Linklaters with the ICO UK as the lead DPA
  • JPMC with the ICO UK as the lead DPA
  • Ernst & Young with the ICO UK as the lead DPA

In addition, the Article 29 Working Party has introduced guidance for BCRs for processors also known as Processor BCR, as opposed to the traditional Controller BCR.

                                     
  • A corporate group or group of companies is a collection of parent and subsidiary corporations that function as a single economic entity through a common
  • unlimited capacity and purposes. However, not all actions by corporate agents are binding For instance, in South Sacramento Drayage Co v Campbell Soup
  • Corporate social responsibility CSR is a type of international private business self - regulation that aims to contribute to societal goals of a philanthropic
  • band of the 1970s Benefit cost ratio, in cost - benefit analysis Binding corporate rules a means of authorizing transfers of personal data Bionic Commando
  • internal company rules so long as the mandatory minimum rights of investors under its legislation are complied with. Company law, or corporate law, can be
  • however, be issued. to call a meeting with 20 of the votes, AktG 122 a non - binding say on pay, AktG 120 changes to the constitution by a three quarter majority
  • that directors pay themselves. Australia has had a non - binding say on pay since the Corporate Law Economic Reform Program Act 2004 for its shareholders
  • of rules outlining the norms, rules and responsibilities of, and or proper practices for, an individual. A company code of conduct is a set of rules which
  • rights, and animal welfare. Virtually all shareholder resolutions are non - binding or precatory, to use the legal term of art In this sense the voting
  • effect of say on pay measures can be binding or non - binding depending on regulatory requirements or internal corporate policy as determined by proxy votes
  • Corporate litigation in the United Kingdom is that part of UK company law which gives investors the right to sue the directors of a company, or vindicate