Author: Peter Schantz
(20) ‘Binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
Art. 4 no. 20 defines the term “binding corporate rules”, commonly referred to as “BCR”. BCR are appropriate safeguards for transfers to third countries in accordance with Art. 46 para. 1 lit. b and Art. 47. Art. 4 no. 20 defines the scope of BCR.
It is crucial that a controller or processor established in the EU undertakes to adhere to BCR as personal data protection policies with regard to data transferred from the EU to members of a group of undertakings in third countries. This ensures both the external liability of the BCR (→ Art. 47 mn. 17) and an easily reachable point of contact for data subjects and SAs in the EU.
BCR could previously only be used within a group of undertakings (Art. 4 no.19), i.e., a hierarchically organized group with a controlling parent company and dependent subsidiaries (cf. recital 37). Beyond its wording, there is little doubt about applying BCR to a single company with branches in the EU as well as third countries.
The GDPR extends the scope of BCR to groups of enterprises engaged in a joint economic activity, such as joint ventures, but also other forms of permanent cooperation. One example is the cooperation between a controller and processor, although the European Parliament’s proposal to include the controller-processor cooperation was not adopted (Art. 43 para. 1 lit. a European Parliament’s draft). The scope of BCR was extended beyond this proposal by generally including enterprises engaged in a joint economic activity (Art. 43 para. 1 lit. a Council’s draft). Furthermore, the enforceability of BCR is guaranteed in the relationship between a controller and a processor, as the processor is acting only on the controller’s instructions.