Binding Corporate Rules - A Corporate Privacy Shield for Companies in Germany

A BCR is an internal, fixed framework or guidelines for the handling of personal data. BCRs are thus part of a comprehensive data protection concept. These guidelines apply to all members of a group of companies and thus guarantee the uniform handling of personal data within this group of companies.

The transfer of data from Germany to a non-EU country is only possible under strict conditions. For example, the transfer is permitted if the country to which the data is to be transferred is certified as having an adequate level of data protection by an adequacy decision of the European Commission. In such a case, one speaks of a safe non-EU country. In the absence of such a decision, data may only be transferred to that country if an adequate level of protection for personal data is guaranteed by other means.

To ensure the appropriate level of protection, a contract can be concluded which regulates the handling of personal data. In such a contract, the transmitter and the recipient of the data shall lay down binding rules for the transfer of personal data. This is possible, for example, through standard data protection clauses (also called standard contract clauses). This is a model contract of the EU Commission, the conclusion of which leads to the assumption of an adequate level of protection.

The General Data Protection Regulation (GDPR) offers a further possibility for a company to issue internal data protection regulations that are binding for all members of the group. These are known as Binding Corporate Rules.

The BCRs govern the overall handling of personal data within the company. In particular, they regulate

• the collection,
• the processing and
• the transmission

of data within the group of companies.

In addition to these points, BCRs are often used to regulate training for employees and similar issues. BCRs also regulate the rights of the data subjects, such as the right to information and the right to delete or correct the data.

Thus, a group of companies ultimately lays down internal rules that apply equally to all group companies, regardless of the country in which the actual data processing takes place.

BCRs must be approved by the competent German data protection authority. For this purpose, an application must be submitted to the authority. The BCRs are then examined in detail by the authority in a so called coherence procedure (i.e. jointly with other supervisory authorities) and approved if the legal requirements are met.

The biggest advantage of Binding Corporate Rules is that the group of companies receives a data protection program that is tailored to their specific needs. This makes it possible to integrate data protection into the corporate culture, which also leads to higher compliance.

If a company decides to use BCRs, it will also have a positive effect on the outside world, as it shows that data protection is important to the company and that the company is addressing this issue in a forceful manner.

The scope of BCRs and the length of the development process also ensure that employees are aware of the issue of data protection. A further advantage is that approval by the supervisory authority ensures that the data protection concept developed by the company does not contain any significant gaps.

Due to the rather time-consuming approval process, the time required to produce BCRs is a drawback. The preparation and approval of BCRs is rarely feasible within twelve months.

All things considered, BCRs are a good way of designing and implementing data protection in a way that is suitable for a corporate group. In contrast to standard contractual clauses, BCRs can consider individual company needs and are generally more secure, as the standard contractual clauses are consistently contested as a transfer mechanism.

Most recently, the ECJ stated in the famous Schrems II decision (ECJ, dated 16.07.2020 - C-311/18) that the agreement of standard contract clauses alone is insufficient. Instead, an additional examination must be made as to whether the provisions contained therein are actually enforceable in the country of the data importer. With regard to BCRs, a detailed examination must also be made of the level of data protection in the country of the data exporter and which supplementary security measures must be implemented to ensure effective protection.

If your company needs help in designing and implementing BCRs, we will be happy to advise you throughout the process. We offer assistance with

• the identification of the competent European supervisory authority in Europe, if there are several group companies
• the creation and formulation of the Binding Corporate Rules,
• communication with the supervisory authority, and
• cooperation with partners abroad, if data is to be transferred to different non-EU countries.