GDPR Guidelines on Binding Corporate Rules

The Article 29 working party has produced two documents which detail General Data Protection Regulation (GDPR) requirements, in relation to Binding Corporate Rules (BCRs). One document deals with controller BCRs and the other deals with processor BCRs.

What is Included in the Documents?

Here are some of the elements which are included in the documents.

In the controller BCR document:

  • There should be complete transparency for all data subjects who benefit from third party beneficiary rights.
  • All data protection principles, such as security and quality of data, should be included in the BCR. This includes all principles referred to in Article 47(2(d)) of GDPR.
  • The controller needs to be able to demonstrate compliance with the BCR.

In the processor BCR document:

  • Data subjects can enforce a BCR directly against a processor.
  • All data protection principles should be explained in the BCR, including those relating to sub-processing and data subject rights. The processor needs to explain how they will meet the requirements.
  • The processor has to provide all of the information necessary to the controller, in  order to prove that they are compliant.
  • Any service agreement between a controller and a processor has to contain all of the required elements, as detailed in Article 28 of GDPR.

Included in both documents:

  • Data subjects have to be given the choice of whether to bring a complaint to the competent court of an EU state or to the relevant Data Protection Authority (DPA). The relevant DPA can be the one where the data subject lives, the one where they work or the one where an infringement is alleged to have happened.
  • The BCR needs to include details of who is involved in the BCR, as well as its scope.

All of these requirements apply to BCRs that are created following the introduction of GDPR, as well as those that are already in place.