menu MENU
arrow_back Tilbake til alle artikler
Endre land (Nåværende : Norway) language
Kontakt vårt medlem i Norway mail_outline
Besøk nettstedet til Bull & Co account_balance

arrow_backTidligere artikkel
Artikkel 47
Neste artikkelarrow_forward

Binding corporate rules

Offisielle tekster Retningslinjer Beslutninger Vurderinger
EU-regulering Vurderinger
nasj. regulering
Vis nøkkelord og artikler relatert til art. 47 i forordningen keyboard_arrow_down Skjul nøkkelord og artikler relatert til art. 47 keyboard_arrow_up

Nøkkelord relatert til art. 47

Vis forordningens fortaletekst relatert til art. 47 keyboard_arrow_down Skjul forordningens fortaletekst relatert til art. 47 keyboard_arrow_up

(101) Flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international cooperation. The increase in such flows has raised new challenges and concerns with regard to the protection of personal data. However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation. In any event, transfers to third countries and international organisations may only be carried out in full compliance with this Regulation. A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.

(108) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.

(110) A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

Vis direktivets fortaletekst relatert til art. 47 keyboard_arrow_down Skjul direktivets fortaletekst relatert til art. 47 keyboard_arrow_up

(56) Whereas cross-border flows of personal data are necessary to the expansion of international trade; whereas the protection of individuals guaranteed in the Community by this Directive does not stand in the way of transfers of personal data to third countries which ensure an adequate level of protection; whereas the adequacy of the level of protection afforded by a third country must be assessed in the light of all the circumstances surrounding the transfer operation or set of transfer operations;

(57) Whereas, on the other hand, the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited;

(58) Whereas provisions should be made for exemptions from this prohibition in certain circumstances where the data subject has given his consent, where the transfer is necessary in relation to a contract or a legal claim, where protection of an important public interest so requires, for example in cases of international transfers of data between tax or customs administrations or between services competent for social security matters, or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest; whereas in this case such a transfer should not involve the entirety of the data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are to be the recipients;

(59) Whereas particular measures may be taken to compensate for the lack of protection in a third country in cases where the controller offers appropriate safeguards; whereas, moreover, provision must be made for procedures for negotiations between the Community and such third countries;

(60) Whereas, in any event, transfers to third countries may be effected only in full compliance with the provisions adopted by the Member States pursuant to this Directive, and in particular Article 8 thereof;

(66) Whereas, with regard to the transfer of data to third countries, the application of this Directive calls for the conferment of powers of implementation on the Commission and the establishment of a procedure as laid down in Council Decision 87/373/EEC (1);

GDPR

Article 47 of the Regulation addresses the system of binding corporate rules that can be adopted by groups of undertakings facing intra-group transfers outside the Union.

Its understanding depends on various definitions introduced in article 4 of the Regulation.

“Binding corporate rules” are defined in Article 4 (20) as being: “personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity”.

 

The “groups of undertakings” receive a less accurate definition, “a controlling undertaking and its controlled undertakings” (Art. 4 (19)). Doubtless, we can use the rules applicable to competition in this area. According to recital 37, a group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a “group of undertakings”.

 

As to the “enterprise”, it is more classically defined as “a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity” (Art. 4 (19)).

 

The binding corporate rules must meet several conditions defined by Article 47 (1) and be approved by the competent supervisory authority according to the consistency mechanism specified in Article 63. In this regard, Article 64 (1) (f) states that the European Data Protection Committee shall issue an opinion where a competent supervisory authority intends to adopt any binding corporate rules.

The first condition addresses their legally binding nature: the binding corporate rules must bind every member of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees (a).

The second condition consists in the fact that the binding corporate rules must expressly confer enforceable rights on data subjects with regard to the processing of their personal data (b).

The third condition addresses the specific content of the binding corporate rules: they must at least specify:

- the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members; the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question; their legally binding nature, both internally and externally (a) to (c).

- the application of the general data protection principles, in particular purpose limitation, data minimization, limited storage periods, data quality, data protection by design and by default, the legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules (d);

- the rights of data subjects in regard to processing and the means to exercise those rights. The binding corporate rules must also provide for the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules (e);

- the acceptance by the controller or processor established on the territory of a Member State for  liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage (f);

- the tasks of any data protection officer or any other person or entity in charge of monitoring compliance with the binding corporate rules must also be specified by the rules, such as monitoring training and complaint-handling (h)  et seq..

Finally,  47(3) provides that the Commission may specify the format and relevant procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules.

Direktivet

As the possibility to resort to binding corporate rules was not explicitly covered by the Directive, the Article 29 Working Party has developed in a concrete way the notion of internal corporate rules (called Binding Corporate Rules) in its working document WP 74 of 3 June 2003 ((Transfers of personal data to third countries. Application of Article 26 (2) of the EU Directive on data protection to binding corporate rules for international transfers of data, adopted on 3 June 2003).

At present, this mechanism is mainly applied for  by multinationals exporting data from their entities located within the EU to third countries that do not meet the criterion of adequacy. At present, these provisions exclude any transfer between two companies not belonging to the same group (GA29, working paper on binding corporate rules applicable to the international transfers of data, 3 June 2003, WP 74, p. 8).

Utfordringer

All binding corporate rules already adopted must be reviewed for compliance with the new provision. The mandatory content imposed by the new provision is indeed extremely broad.

arrow_back Tidligere artikkelArtikkel 47Neste artikkel arrow_forward
arrow_back Tidligere artikkelArtikkel 47 Neste artikkel arrow_forward
arrow_back Tidligere artikkel Artikkel 47 Neste artikkel arrow_forward
Retour au sommaire
arrow_back Tidligere artikkel Artikkel 47 Neste artikkel arrow_forward
Forordning
1e 2e

Art. 47

1.   The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they:

a) are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;

b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and

c) fulfil the requirements laid down in paragraph 2.

2.   The binding corporate rules referred to in paragraph 1 shall specify at least:

a) the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;

b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

c) their legally binding nature, both internally and externally

d) the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules

e) the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules

f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;

g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in addition to Articles 13 and 14;

h) the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling

i) the complaint procedures;

j) the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of a group of undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the competent supervisory authority;

k) the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority;

l) the cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of verifications of the measures referred to in point (j);

m) the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and

n) the appropriate data protection training to personnel having permanent or regular access to personal data.

3.   The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).
1. forslag close

Art. 43

1.           A supervisory authority shall in accordance with the consistency mechanism set out in Article 58 approve binding corporate rules, provided that they:

(a)     are legally binding and apply to and are enforced by every member within the controller’s or processor's group of undertakings, and include their employees;

(b)     expressly confer enforceable rights on data subjects;

(c)     fulfil the requirements laid down in paragraph 2.

2.           The binding corporate rules shall at least specify:

(a)     the structure and contact details of the group of undertakings and its members;

(b)     the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

(c)     their legally binding nature, both internally and externally;

(d)     the general data protection principles, in particular purpose limitation, data quality, legal basis for the processing, processing of sensitive personal data; measures to ensure data security; and the requirements for onward transfers to organisations which are not bound by the policies;

(e)     the rights of data subjects and the means to exercise these rights, including the right not to be subject to a measure based on profiling in accordance with Article 20, the right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

(f)      the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves that that member is not responsible for the event giving rise to the damage;

(g)     how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in accordance with Article 11;

(h)     the tasks of the data protection officer designated in accordance with Article 35, including monitoring within the group of undertakings the compliance with the binding corporate rules, as well as monitoring the training and complaint handling;

(i)      the mechanisms within the group of undertakings aiming at ensuring the verification of compliance with the binding corporate rules;

(j)      the mechanisms for reporting and recording changes to the policies and reporting these changes to the supervisory authority;

(k)     the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, in particular by making available to the supervisory authority the results of the verifications of the measures referred to in point (i) of this paragraph.

3.           The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned.

4.           The Commission may specify the format and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
2. forslag close

Art. 43

1. The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 57 provided that they:

(a) are legally binding and apply to, and are enforced by, every member concerned of the group of undertakings or group of enterprises engaged in a joint economic activity ;

(b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data;

(c) fulfil the requirements laid down in paragraph 2.

2. The binding corporate rules referred to in paragraph 1 shall specify at least:

(a) the structure and contact details of the concerned group and of each of its members;

(b) the data transfers or categories of transfers, including the types of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

(c) their legally binding nature, both internally and externally;

(d) application of the general data protection principles, in particular purpose limitation, (...) data quality, lega l basis for the processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies (...) not bound by the binding corporate rules;

(e) the rights of data subjects in regard to the processing of their personal data and the means to exercise these rights, including the right not to be subject to (...)decisions based solely on automated processing, including profiling, in accordance with Article 20, the right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

(f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor may only be exempted from t his liability, in whole or in part, on proving that that member is not responsible for the event giving rise to the damage;

(g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in accordance with Articles 14 and 14a;

(h) the tasks of any data protection officer designated in accordance with Article 35 or any other person or entity in charge of monitoring (...) compliance with the binding corporate rules within the group, as well as monitoring the training and complaint handling;

(hh) the complaint procedures;

(i) the mechanisms within the group, for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred under point (h) and to the board of the controlling undertaking or of the group of enterprises, and should be available upon request to the competent supervisory authority;

(j) the mechanisms for reporting and recording changes to the rules and reporting these changes to the supervisory authority;

(k) the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group (...), in particular by making available to the supervisory authority the results of (...) verifications of the measures referred to in point (i) of this paragraph;

(l) the mechanisms for reporting to the competent supervisory authority any legal  requirements to which a member of the group is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and

(m) the appropriate data protection training to personnel having permanent or regular access to personal data (...).

2a. The European Data Protection Board shall advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules.

3. (...)

4. The Commission may specify the format and procedures for the exchange of information (...) between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2)
Direktiv close

No specific provision
Norway
compare_arrows
visibility Gamle loven

Art. 47

Bindende virksomhetsregler

1. Vedkommende tilsynsmyndighet skal godkjenne bindende virksomhetsregler i samsvar med konsistensmekanismen fastsatt i artikkel 63, forutsatt at de

a) er rettslig bindende og får anvendelse på og håndheves av hvert berørte foretak i konsernet eller gruppen av foretak som utøver en felles økonomisk virksomhet, herunder deres ansatte,

b) uttrykkelig gir de registrerte håndhevbare rettigheter med hensyn til behandling av deres personopplysninger og

c) oppfyller kravene fastsatt i nr. 2.

2. De bindende virksomhetsreglene nevnt i nr. 1 skal minst angi

a) strukturen og kontaktopplysninger til konsernet eller gruppen av foretak som utøver en felles økonomisk virksomhet, og hvert av dets/dens medlemmer,

b) overføringene eller rekken av overføringer av opplysninger, herunder kategorier av personopplysninger, behandlingstype og -formål, typen av berørte registrerte samt angivelse av den aktuelle tredjestaten eller de aktuelle tredjestatene,

c) reglenes rettslig bindende art, både internt og eksternt,

d) anvendelsen av de allmenne prinsippene for vern av personopplysninger, særlig formålsbegrensning, dataminimering, begrenset lagringstid, datakvalitet, innebygd personvern og personvern som standardinnstilling, rettslig grunnlag for behandlingen, behandling av særlige kategorier av personopplysninger, tiltak for å ivareta datasikkerheten og krav med hensyn til videreoverføring til organer som ikke er bundet av de bindende virksomhetsreglene,

e) rettighetene til registrerte i forbindelse med behandlingen samt midler for å utøve nevnte rettigheter, herunder retten til ikke å være gjenstand for avgjørelser som utelukkende er truffet på grunnlag av automatisert behandling, herunder profilering i samsvar med artikkel 22, retten til å klage til vedkommende tilsynsmyndighet og til vedkommende domstoler i medlemsstatene i samsvar med artikkel 79 samt til å motta erstatning og, dersom det er relevant, godtgjøring for brudd på de bindende virksomhetsreglene,

f) at den behandlingsansvarlige eller databehandleren som er etablert på territoriet til en medlemsstat, påtar seg ansvaret dersom et berørt foretak som ikke er etablert i Unionen, bryter de bindende virksomhetsreglene; den behandlingsansvarlige eller databehandleren skal fritas for nevnte ansvar, helt eller delvis, bare dersom vedkommende beviser at nevnte foretak ikke er ansvarlig for hendelsen som forvoldte skaden,

g) hvordan informasjonen om de bindende virksomhetsreglene, særlig om bestemmelsene nevnt i bokstav d), e) og f) i dette nummer, gis til de registrerte i tillegg til informasjonen nevnt i artikkel 13 og 14,

h) oppgavene til et personvernombud som er utpekt i samsvar med artikkel 37, eller enhver annen person eller enhet med ansvar for å kontrollere at de bindende virksomhetsreglene overholdes i konsernet eller gruppen av foretak som utøver en felles økonomisk virksomhet, samt oppfølging av opplæring og håndtering av klager,

i) framgangsmåtene for å inngi klage,

j) mekanismene i konsernet eller gruppen av foretak som utøver en felles økonomisk virksomhet, for å kontrollere at de bindende virksomhetsreglene overholdes. Nevnte mekanismer skal omfatte personvernrevisjoner og metoder for å sikre korrigerende tiltak for å verne de registrertes rettigheter. Resultatene av en slik kontroll bør meddeles personen eller enheten nevnt i bokstav h) og styret i foretaket som utøver kontroll i et konsern, eller i gruppen av foretak som utøver en felles økonomisk virksomhet, og bør på anmodning være tilgjengelig for vedkommende tilsynsmyndighet,

k) mekanismene for rapportering og registrering av endringer i reglene og for rapportering av nevnte endringer til tilsynsmyndigheten,

l) mekanismene for samarbeid med tilsynsmyndigheten for å sikre at alle foretak i konsernet eller gruppen av foretak som utøver en felles økonomisk virksomhet, overholder reglene, særlig ved å gjøre resultatene av kontrollen av tiltakene nevnt i bokstav j) tilgjengelig for tilsynsmyndigheten,

m) mekanismene for rapportering til vedkommende tilsynsmyndighet av eventuelle lovfestede krav som et foretak i konsernet eller gruppen av foretak som utøver en felles økonomisk virksomhet, er underlagt i en tredjestat, og som sannsynligvis vil ha en betydelig negativ virkning på garantiene fastsatt i de bindende virksomhetsreglene, og

n) egnet opplæring om personvern for personell som har permanent eller regelmessig tilgang til personopplysninger.

3. Kommisjonen kan fastsette formatet og framgangsmåtene for utveksling av informasjon mellom behandlingsansvarlige, databehandlere og tilsynsmyndigheter om bindende virksomhetsregler som omhandlet i denne artikkel. Disse gjennomføringsrettsaktene skal vedtas i samsvar med undersøkelsesprosedyren fastsatt i artikkel 93 nr. 2.
Gamle loven close

Ingen tilsvarende bestemmelse
arrow_back Tidligere artikkelArtikkel 47 Neste artikkel arrow_forward
close

2016 - www.itiplaw.eu.