Search for:

Jump straight to:

An unexpected error has occurred

Please enter a search term

Please select

What sectors are you interested in?

We can use your selection to show you more of the content that you’re interested in.

Want to speak to an advisor from your closest office?

Find other offices

Search for:

An unexpected error has occurred

Please enter a search term

Out-Law / Your Daily Need-To-Know

Out-Law Guide 2 min. read

The effect of binding corporate rules on overseas transfers of personal data

26 Jun 2007, 3:06 pm

Please note:  This is one of a   series   of guides about overseas transfers of personal data. If you're new to that subject, read the   introduction to overseas transfers   first.

Following the widespread use of the model contractual clauses, Binding Corporate Rules were developed by the EU Article 29 Working Party for use by a multinational organisation or group of companies as a mechanism of transferring personal data throughout the organisation. Such rules are intended as an alternative to model contracts (see our OUT-LAW guide EU model contractual clauses) and Safe Harbor (see our OUT-LAW guide The US Safe Harbor scheme) and are aimed at providing a compliance solution to multinational organisations.

Approval process

Binding corporate rules need to be approved by every European data protection authority in whose jurisdiction a member of the group will rely on them, but the advantage is that the approval process is simplified as an application is made to one national "lead" data protection supervisory authority in Europe and that authority liaises with all other authorities to seek approval. For example, a group with entities in five European countries could submit its rules to the UK Information Commissioner for approval. The UK Commissioner would then obtain approval, on behalf of the organisation, from the four other countries. However, in practice the requirements of EU privacy authorities vary and so the approval process may be lengthy.

Content of rules

Although referred to as rules, an organisation does not have to have one document or policy to comply; a set of policies and procedures or measures taken together could be sufficient.

The UK Information Commissioner requires for approval:

  • a background paper summarising compliance;
  • the "binding corporate rules" themselves; and
  • contact details of the responsible person within the organisation to whom queries may be addressed.

The ICO then requires a set of questions to be answered including:

  • Does the organisation have its HQ in the UK and/or is the UK group company responsible for data protection? (This determines that the UK Information Commission is the appropriate authority to act as "lead" Authority and for the organisation to submit the rules to);
  • How are the measures legally binding? (The rules must be binding both within the organisation and for the benefit of data subjects);
  • How will compliance be verified? (The rules must be audited either internally or by external auditors);
  • What is the processing being done and what flows of information are there? (Details of the nature of the data, purposes for processing and extent of transfers should be provided);
  • What safeguards are in place? (There must be a description of the safeguards in place to protect the data);
  • What is the mechanism for reporting and recording changes? (There should be a system in place for dealing with changes to the rules both internally and externally).

Large multinational organisations are starting to look at binding corporate rules as an alternative to Safe Harbor and contracts, primarily because it does offer a global solution. So far only Philip, Daimler Chrysler and GE have submitted binding corporate rules in the UK. However, the concept is at a relatively early stage and organisations may wish to learn from the experience of others before committing to this solution.

Latest News

Draft legislation envisages Ireland’s first electronic health information system

DIFC sets out AI requirements in updated data protection regulations

UK regulators’ diversity plans for finance industry

FCA outlines UK retail and wholesale insurance market regulatory priorities

Coalition launched to promote diversity in UK’s construction sector

You might also like

Out-Law News

Calls for reform of corporate homicide law amid surge in workplace fatalities

New figures showing that the number of people dying as a result of workplace incidents in Scotland has reached its highest level since 2019 have prompted urgent calls for reforms to corporate homicide legislation.

Corporate Manslaughter

Out-Law News

Crypto-asset transfers to be traced in the EU under new rules

Transactions of crypto assets including bitcoin and electronic money tokens could be traced and blocked in the EU to fight financial crime and curb sanctions evasion, as new legislation creates additional compliance and regulatory obligations for service providers.

Fintech

Out-Law News

New duty for sponsors to report hybrid or remote working arrangements

Alex Wright tells HRNews about new UKVI guidance on UK immigration reporting duties for hybrid workers

Employment & Reward

Out-Law News

UK government plans to revamp holiday pay calculation for part-year workers

Show me more

Out-Law Analysis

Pensions disputes: managing member expectations paramount

Show me more

Out-Law Analysis

UK subsidy control post-Brexit: access to effective judicial remedies

Show me more

Out-Law News

'Steps of court' settlement was not negligent, court rules

Show me more

Out-Law News

'Vast majority' of companies not seeking to avoid tax

Show me more

Out-Law News

'World first' industrial decarbonisation strategy developed in the UK

Show me more

Out-Law Analysis

3D printing: UK product safety issues

Show me more

Out-Law News

5G potential for business highlighted in UK funding programme

Show me more
We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.