The General Data Protection Regulation
Under the General Data Protection Regulation (‘GDPR’), transfers of personal data outside of the EU are restricted to ensure that the level of protection afforded by the GDPR is not undermined. Personal data may only be transferred to a jurisdiction outside the EU (a ‘third country’) or international organisation in compliance with certain safeguards and conditions for transfers. Binding Corporate Rules (‘BCRs’) are one way that controllers and processors can comply with the GDPR’s third country data transfer requirements. They are explicitly recognised in the GDPR as a mechanism providing appropriate safeguards for third country data transfers (Articles 46(2)(b) and 47, GDPR).
BCRs are legally binding and enforceable internal rules and policies for data transfers within multinational group companies and work in a way somewhat similar to an internal code of conduct. They allow multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection for personal data as required under the GDPR.
BCRs ensure that all data transfers within a corporate group comply with the GDPR and must contain:
There are two types of BCRs, Controller BCRs and Processor BCRs, and this article focuses on Controller BCRs.