The Article 29 Working Party (WP29) has recently published an adopted working document setting out a co-operation procedure for the approval of binding corporate rules (BCRs) for controllers and processors under the General Data Protection Regulation (GDPR). This can be found here.
BCRs are sets of rules that enable undertakings, or a group of enterprises engaged in a joint economic activity, to jointly sign up to common data processing standards that are compatible with EU data protection law. Personal data can then be transferred from organisations within the EU to their affiliates outside of the EU. BCRs have to be approved by the Information Commissioner (Article 47, GDPR) and will ensure that the data subject's rights will not be prejudiced as a result of transfers made to countries outside the EEA that do not have an adequate level of protection. The procedure for approving binding corporate rules is primarily contained in Articles 47.1, 63, 64 and (only if necessary) 65 of the GDPR.
The guidance includes information relating to:
- Identification of a BCR Lead Supervisory Authority where a group of undertakings, or a group of enterprises engaged in a joint economic activity, is interested in submitting draft BCRs for approval.
- The cooperation procedure to be undertaken by the proposed BCR lead in order to seek approval of the draft BCRs and how the lead should communicate with the supervisory authorities.
These new Guidelines will provide useful assistance for any organisation applying for the approval of their binding corporate rules.