To meet these European requirements, Accenture has put in place a set of privacy rules known as the Binding Corporate Rules for Data Controllers (BCRs). These are legally binding on all companies participating in Accenture, and Accenture must incorporate the requirements into its business practices. In addition, as the infographic below and the related article indicate, this could also mean that not only a group of companies can fall under a BCR, but also, for example, business partners. Binding Corporate Rules (BCRs) are data protection directives to which companies established in the EU adhere for the transfer of personal data outside the EU within a group of companies or a company. These rules include all general data protection principles and enforceable rights to ensure adequate safeguards for data transfers. They must be legally binding and enforced by any member of the group concerned. BCRs should also help you address privacy concerns and raise awareness of privacy in your organization. Indeed, when preparing your application you must take into account the type of personal data you transfer and how to raise employees' awareness of, and compliance with, the rules. An essential part of the authorisation procedure is the obligation for the applicant to demonstrate how the staff of third-country affiliates are informed of the effects of the processing of personal data transferred from the EEA, for example through its staff training programmes. The sample checklist (WP 108) sets out the requirements for submitting a set of BCRs. These requirements have now been included in WP 133.
BCRs typically form strict and internal global privacy policies, a set of practices, processes and policies that comply with EU standards and are available as an alternative way to allow the transfer of personal data (e.g., customer databases, HR information, etc.) outside of Europe. Binding Corporate Rules (BCRs) are an appropriate safeguard allowed by the General Data Protection Regulation to facilitate the cross-border transfer of personal data between different companies in a group of companies worldwide. To that end, they shall ensure that the same high level of protection of personal data is maintained by all members of the group by means of a single set of binding and enforceable rules. BCRs require organisations to demonstrate compliance with all aspects of applicable data protection laws and are approved by a data protection authority in a Member State. To date, relatively few organizations have had BCRs approved. Corporate rules for data transfer within multinational companies. The Article 29 Working Party has created a BCR framework (WP 154) that illustrates what all the requirements of WP 74 and WP 108 could look like in a single document. You are free to base your BCR on this framework, but this is not a requirement. A group of companies that carry out a joint economic activity is not strictly defined in the GDPR.
However, the fact that it is mentioned in this scope of binding corporate rules is one of the reasons why BCRs are interesting, as they cross the group of companies and, as mentioned, may apply to certain sectors. The Article 29 Working Party adopted the following documents, which were approved by the European Data Protection Board. These documents describe the approval process and provide guidance on the structure and requirements of binding corporate rules. They should include all the elements specified in the table of BCR requirements (WP 153) in one or more documents that make up the rules, and should also refer to the FAQ of the Article 29 Working Party (WP 155), which deals with liability and other issues requiring a common interpretation. If you look at them, you will notice that on this list there are some organizations from the technology industry in the broadest sense (IT, building management, online tools), the financial industry (including some that are also online players like PayPal), the life sciences industry (pharmaceuticals), global consultants and accounting firms, and what we would call the big players in Industry 4.0: both high-tech manufacturers (BMW, Airbus, …) and data-intensive solution providers. Of course, this is no coincidence. Another solution available to multinational enterprises to put in place adequate safeguards is to use the standard contractual clauses approved by the European Commission. However, the use of contracts has drawbacks, especially in multinational companies with complex structures, as sometimes hundreds of contracts are needed to cover transfers between all affiliated companies. The task of ensuring that contracts are kept up to date to keep up with the changing structure of the business can also be challenging and time-consuming. One issue mentioned in WP 74 that turned out to be a problem in practice is that the national law of some Member States does not allow the notion of unilateral declarations.
It is on this basis that some applications are structured to take into account how BCRs are mandatory throughout the group.
In such cases, the applicant may have to find another enforceable solution under the law of the Member State concerned in order to satisfy that requirement. This is the kind of issue that was discussed with the data protection authority before a request was issued as part of the cooperation procedure. For this reason, preference is given to Standard Contractual Clauses (SCCs) that promote the use of appropriate and approved EC standard transfer conditions, which are also appropriate safeguards (and may also apply to certain industries such as healthcare), as well as BCRs. With the scope of BCRs in the GDPR, this level of preference could shift even more towards BCRs given the explicit mention and clear rules regarding BCRs and their benefits.