Binding corporate rules

From Wikipedia, the free encyclopedia

Binding Corporate Rules or "BCRs" were developed by the European Union Article 29 Working Party to allow multinational corporations, international organizations and groups of companies to make intra-organizational transfers of personal data across borders in compliance with EU Data Protection Law. The BCRs were developed as an alternative to the U.S. Department of Commerce EU Safe Harbor (which is for US organizations only) and the EU Model Contract Clauses.

BCRs are required to be approved by the data protection authority in each EU Member State (such as the Information Commissioner's Office in the United Kingdom) in which the organization will rely on the BCRs. The EU has developed a mutual recognition process under which BCRs approved by one member state's data protection authority (known as the "lead" authority) may be approved by the other relevant member states who may make comments and ask for amendments.

BCRs typically form a stringent, intra-corporate global privacy policy that satisfies EU standards and may be available as an alternative means of authorizing transfers of personal data (e.g., customer databases, HR information, etc.) outside of Europe.

BCRs should be seen as a framework with different elements (internal legal agreement, policies, training, audit, etc.) that together provide compliance with EU data protection regulations and effective privacy and data protection.

The Article 29 Working Party issued several guidance documents on BCR content, acceptance criteria and submission process.[1]

BCRs by themselves do not "authorize" all transfers automatically for all EU member states. Most member states still require a formal "transfer notification", which is normally granted if the BCR has been accepted by the relevant country.

The following companies have obtained authorizations for BCRs:[2]


  • ABN AMRO Bank N.V. with the Dutch DPA as the lead DPA
  • Accenture with the ICO (UK) as the lead DPA
  • American Express with the ICO (UK) as the lead DPA
  • ArcelorMittal Group with Luxembourg as the lead DPA
  • Atmel with the ICO (UK) as the lead DPA
  • AXA with the CNIL (FR) as the lead DPA
  • Axa Private Equity with the CNIL (FR) as the lead DPA
  • BP with the ICO (UK) as the lead DPA
  • Bristol Myers Squibb with the CNIL (FR) as the lead DPA
  • Care Fusion with the ICO (UK) as the lead DPA
  • Cargill, Inc. with the ICO (UK) as the lead DPA
  • Citigroup with the ICO (UK) as the lead DPA
  • CMA-CGM with the CNIL (FR) as the lead DPA
  • D.E. Master Blenders 1753 ("DEMB"), ex Sara Lee International B.V. (indirect subsidiary of Sara Lee Corporation), with the Dutch DPA as the lead DPA
  • Deutsche Post DHL with the BfDI, Germany as the lead DPA
  • DSM with the Dutch DPA as the lead DPA
  • eBay with Luxembourg as the lead DPA
  • Ernst & Young with the ICO (UK) as the lead DPA
  • First Data Corporation with the ICO (UK) as the lead DPA
  • General Electric (GE) with the CNIL (FR) as the lead DPA
  • GlaxoSmithKline plc with the ICO (UK) as the lead DPA
  • Hermès with the CNIL (FR) as the lead DPA
  • Hewlett Packard with the CNIL (FR) as the lead DPA
  • HR Access with the CNIL (FR) as the lead DPA
  • Hyatt with the ICO (UK) as the lead DPA
  • IMS Health Incorporated with the ICO (UK) as the lead DPA
  • ING Bank N.V. with the Dutch DPA as the lead DPA
  • Intel Corporation with Ireland as the lead DPA
  • International SOS with the CNIL (FR) as the lead DPA
  • JPMC with the ICO (UK) as the lead DPA
  • Koninklijke DSM N.V. and affiliated companies with the Dutch DPA as the lead DPA
  • Linklaters with the ICO (UK) as the lead DPA
  • LVMH with the CNIL (FR) as the lead DPA
  • Michelin with the CNIL (FR) as the lead DPA
  • Motorola Mobility LLC with the ICO (UK) as the lead DPA
  • Motorola Solutions, Inc. with the ICO (UK) as the lead DPA
  • NOVARTIS with the CNIL (FR) as the lead DPA
  • Novo Nordisk A/S with the Danish DPA as the lead DPA
  • OVH with the CNIL (FR) as the lead DPA
  • Royal Philips Electronics with the Dutch DPA as the lead DPA
  • Safran with the CNIL (FR) as the lead DPA
  • Sanofi Aventis with the CNIL (FR) as the lead DPA
  • Schlumberger Ltd. with the Dutch DPA
  • Schneider Electric with the CNIL (FR) as the lead DPA
  • Shell International B.V. with the Dutch DPA as the lead DPA
  • Siemens Group with the DPA of Bavaria (Germany) as the lead DPA
  • Société Générale with the CNIL (FR) as the lead DPA
  • Spencer Stuart with the ICO (UK) as the lead DPA


In addition, the Article 29 Working Party has introduced guidance for BCRs for processors (also known as Processor BCR, as opposed to the traditional Controller BCR).[3]

References

  1. ^ See http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm, see in particular documents WP 133, WP 153, WP 154, WP 155 at http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2008_en.htm.
  2. ^ European Commission, List of companies for which the EU BCR cooperation procedure is closed, http://ec.europa.eu/justice/data-protection/document/international-transfers/binding-corporate-rules/bcr_cooperation/index_en.htm (last visited February 27, 2014); Tsibouris Privacy and Technology Law Blog, Binding Corporate Rules and the Proposed EU Data Protection Regulation, http://blog.tsibouris.com/2011/12/binding-corporate-rules-and-proposed-eu.html (last visited November 30, 2012).
  3. ^ See Article 29 Working Party's Explanatory Document on the Processor Binding Corporate Rules (April 19, 2013): http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp204_en.pdf and Working Document 02/2012 setting up a table with the elements and principles to be found in Processor Binding Corporate Rules (June 6, 2012): http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp195_en.pdf (last visited November 30, 2012).