Once the GDPR enters into force, the Binding Corporate Rules (BCRs) will be explicitly recognized as mechanism adducing appropriate safeguards to the transfer of personal data outside the EU. This new inclusion, not only recognizes the use of BCRs for the transfer of personal data within a corporate group but also allow it to a “group of enterprises engaged in a joint economic activity”, which may be interpreted to include business partners.
Useful? Embed this infographic on your website.
In words of the European Commission –Brussels, 10.1.2017 COM (2017) 7 final– “this reform formalises and expands the possibilities to use existing instrument as the BCRs, which until now has been limited to arrangements among entities of the same corporate group, and now can be used by a group of enterprises engaged in a joint economic activity, but not necessarily forming part of the same group.”
Indeed, this addition will help international transfers to take place, but the question is to which type of international transfers? By “engaged in a joint economic activity” are BCRs only applicable for the transfer of personal data to business partners providing the same service or product; or, also to business partners providing related services in the same economic field?
Clearly, it will apply to airline alliances or franchise group in the hotel sector, since they provide the same service; but it would also apply to partnership business with related business activities? For instance, a company providing websites (in Austria) and a company providing graphic design (in Peru) or, a company providing fund platform services (in the Isle of Man) and a company providing management services (in Luxembourg), in both cases, the companies are business partners (different legal entities, share customers and have a shared loyalty program) Are they allow to use BCRs for the transfer of personal data outside the EU?
It seems that the answer is; yes, it is possible. And this opens a lot of opportunities. However, we should be careful with our perusal, BCRs are not meant to cover transfers with third party services providers and must be internally legally binding, including employees, and externally legally binding, giving data subjects the right to enforce the BCRs in the EU.
As specialist and co-founder of the BCR idea, Jeroen Terstegge, once mentioned, “BCRs are a management solution to a legal problem.” As always good management decisions and implementations would make the difference.
The infographic of this article aims to show how BCRs may be used between business partners. The aim is to provide companies with an idea of how this inclusion in the law can impact the use of BCRs; and also, to give knowledge to consumers about international transfers of personal data.
Each lawinfographic has a visual presentation and keywords that will allow comprehending at a glance the main topic. The articles contain several examples and/or references that have been taken from the EU law, regulations, guidelines and opinions on the matter. If you require more information, do not hesitate to consult the lawinfographic sources below each article o reach me on LinkedIn.
Recitals 108,110 and Art. 47 of the GDPR
European Commission Communication on Exchanging and Protecting Personal Data in a Globalised World Q&As
Comparison Approach: Standard Contractual Clauses or Binding Corporate Rules?