Through the GDPR, all EU Member States, as well as the EEA countries, are considered to provide equal protection of personal data and privacy. Consequently, personal data may be transferred freely within this area. Corresponding rules, ensuring the protection of personal integrity when processing personal data, do, however, not exist in all countries outside the EU/EEA. The GDPR thus contains rules regarding the conditions under which it is permitted to transfer personal data to third countries. Binding Corporate Rules (or BCR’s) are an instrument that can be used for this purpose.
In short, BCR’s are a set of rules, drafted by multinational companies or groups themselves, in order to regulate their processing of personal data and ensure that appropriate protection measures are in place when personal data is transferred between the group companies including companies situated outside the EU/EEA.
BCR’s must be approved by the responsible European data protection authority. In a recent decision (the first of its kind in Sweden), the Swedish Data Protection Authority (“Datainspektionen”), as the responsible data protection authority, approved the BCR’s drafted and adopted by the Tetra Pak group. The approval was preceded by an extensive review process, during which the Tetra Pak Group’s application and proposal for BCR’s was examined by Datainspektionen, working together with co-examining data protection authorities. In addition, the European Data Protection Board, EDPB, which includes all data protection authorities within the EU / EEA, has commented on the application.
At Zacco, we advise on all matters concerning the EU data protection regulation. We cover both legal and technical aspects, making sure that your handling of personal data complies with all relevant regulations. If you are considering drafting and adopting BCR’s for your organisation, we can advise and assist.