Binding Corporate Agreements

BCRs can apply to both controllers and processors, and to the processing activities related to the organisation's personal data. In particular, standard clauses are often not suitable for a situation where complex processing of personal data is required. An organisation that is a single legal entity could operate through a branch structure and find itself in a difficult situation. The larger the company, the more difficult it will be, because a given organisation would require hundreds of clauses, which is both administratively burdensome and costly. On the other hand, small businesses may find the costs of BCRs unattractive. In addition, BCRs do not cover transfers to third parties; other means are needed when the organisation transfers personal data outside its group. Many argue that the more complex the set-up, the greater the degree of vulnerability and the more exposed a company becomes to harm.

Binding corporate rules (BCRs) are data protection policies followed by EU-based companies for the transfer of personal data outside the EU within a group of undertakings or enterprises. These rules must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers. They must be legally binding and enforced by each member of the group concerned. BCRs are also defined in Article 1 of the GDPR: “Binding corporate rules are personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.” In addition, as the infographic and the article below indicate, it could also mean that not only a group of companies can be covered by BCRs, but also, for example, counterparties.

These are standard contractual clauses (SCCs), known before the GDPR as standard contractual clauses, and BCRs (binding corporate rules). Companies must submit binding corporate rules to the EU data protection authority for approval.

The Authority approves the BCRs in accordance with the consistency mechanism defined in Article 63 of the GDPR. Several supervisory authorities may be involved in this procedure, as the group seeking authorisation for its BCRs may have companies in more than one Member State.