Search for:

Jump straight to:

An unexpected error has occurred

Please enter a search term

Please select

What sectors are you interested in?

We can use your selection to show you more of the content that you’re interested in.

Want to speak to an advisor from your closest office?

Find other offices

Search for:

An unexpected error has occurred

Please enter a search term

Out-Law / Your Daily Need-To-Know

The effect of binding corporate rules on overseas transfers of personal data

Out-Law Guide | 26 Jun 2007 | 3:06 pm | 2 min. read

Please note:  This is one of a   series   of guides about overseas transfers of personal data. If you're new to that subject, read the   introduction to overseas transfers   first.

Following the widespread use of the model contractual clauses, Binding Corporate Rules were developed by the EU Article 29 Working Party for use by a multinational organisation or group of companies as a mechanism of transferring personal data throughout the organisation. Such rules are intended as an alternative to model contracts (see our OUT-LAW guide EU model contractual clauses) and Safe Harbor (see our OUT-LAW guide The US Safe Harbor scheme) and are aimed at providing a compliance solution to multinational organisations.

Approval process

Binding corporate rules need to be approved by every European data protection authority in whose jurisdiction a member of the group will rely on them, but the advantage is that the approval process is simplified as an application is made to one national "lead" data protection supervisory authority in Europe and that authority liaises with all other authorities to seek approval. For example, a group with entities in five European countries could submit its rules to the UK Information Commissioner for approval. The UK Commissioner would then obtain approval, on behalf of the organisation, from the four other countries. However, in practice the requirements of EU privacy authorities vary and so the approval process may be lengthy.

Content of rules

Although referred to as rules, an organisation does not have to have one document or policy to comply; a set of policies and procedures or measures taken together could be sufficient.

The UK Information Commissioner requires for approval:

  • a background paper summarising compliance;
  • the "binding corporate rules" themselves; and
  • contact details of the responsible person within the organisation to whom queries may be addressed.

The ICO then requires a set of questions to be answered including:

  • Does the organisation have its HQ in the UK and/or is the UK group company responsible for data protection? (This determines that the UK Information Commission is the appropriate authority to act as "lead" Authority and for the organisation to submit the rules to);
  • How are the measures legally binding? (The rules must be binding both within the organisation and for the benefit of data subjects);
  • How will compliance be verified? (The rules must be audited either internally or by external auditors);
  • What is the processing being done and what flows of information are there? (Details of the nature of the data, purposes for processing and extent of transfers should be provided);
  • What safeguards are in place? (There must be a description of the safeguards in place to protect the data);
  • What is the mechanism for reporting and recording changes? (There should be a system in place for dealing with changes to the rules both internally and externally).

Large multinational organisations are starting to look at binding corporate rules as an alternative to Safe Harbor and contracts, primarily because it does offer a global solution. So far only Philip, Daimler Chrysler and GE have submitted binding corporate rules in the UK. However, the concept is at a relatively early stage and organisations may wish to learn from the experience of others before committing to this solution.

Latest News

Construction workers to be added to Shortage Occupation List

Does your WFA policy cover business travel risk?

FAQ/redundancy - how do procedures in GB and NI differ?

Shift from EAs to environmental outcomes reports considered in DLUHC paper

UK defers aggregates levy changes

You might also like

Out-Law Guide

Managing construction supply chain insolvency

The construction and infrastructure sector in the UK has consistently seen the highest level of insolvencies across all sectors of the UK economy since 2018.

Construction Advisory & Disputes

Out-Law News

No TUPE service provision change when activity fundamentally different due to staff availability

Gill Ross tells HRNews about the Employment Appeal Tribunal’s decision in the insourcing case Tuitt v London Borough of Richmond Upon Thames

Out-Law News

'Compelling reason' for large firms to use CEST for IR35 determinations

Penny Simmons tells HRNews why new guidance from HMRC is a green light for large businesses to use its ‘CEST’ tool

Out-Law News

UK government plans to revamp holiday pay calculation for part-year workers

Show me more

Out-Law Analysis

Pensions disputes: managing member expectations paramount

Show me more

Out-Law Analysis

UK subsidy control post-Brexit: access to effective judicial remedies

Show me more

Out-Law News

'Steps of court' settlement was not negligent, court rules

Show me more

Out-Law News

'Vast majority' of companies not seeking to avoid tax

Show me more

Out-Law News

'World first' industrial decarbonisation strategy developed in the UK

Show me more

Out-Law Analysis

3D printing: UK product safety issues

Show me more

Out-Law News

5G potential for business highlighted in UK funding programme

Show me more
We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.