Article 47
Binding corporate rules

Official
Texts
Guidelines
& Caselaw
Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 47 keyboard_arrow_down Hide the recitals of the Regulation related to article 47 keyboard_arrow_up

(101) Flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international cooperation. The increase in such flows has raised new challenges and concerns with regard to the protection of personal data. However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation. In any event, transfers to third countries and international organisations may only be carried out in full compliance with this Regulation. A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.

(108) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.

(110) A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

Show the recitals of the Directive related to article 47 keyboard_arrow_down Hide the recitals of the Directive related to article 47 keyboard_arrow_up

(56) Whereas cross-border flows of personal data are necessary to the expansion of international trade; whereas the protection of individuals guaranteed in the Community by this Directive does not stand in the way of transfers of personal data to third countries which ensure an adequate level of protection; whereas the adequacy of the level of protection afforded by a third country must be assessed in the light of all the circumstances surrounding the transfer operation or set of transfer operations;

(57) Whereas, on the other hand, the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited;

(58) Whereas provisions should be made for exemptions from this prohibition in certain circumstances where the data subject has given his consent, where the transfer is necessary in relation to a contract or a legal claim, where protection of an important public interest so requires, for example in cases of international transfers of data between tax or customs administrations or between services competent for social security matters, or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest; whereas in this case such a transfer should not involve the entirety of the data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are to be the recipients;

(59) Whereas particular measures may be taken to compensate for the lack of protection in a third country in cases where the controller offers appropriate safeguards; whereas, moreover, provision must be made for procedures for negotiations between the Community and such third countries;

(60) Whereas, in any event, transfers to third countries may be effected only in full compliance with the provisions adopted by the Member States pursuant to this Directive, and in particular Article 8 thereof;

(66) Whereas, with regard to the transfer of data to third countries, the application of this Directive calls for the conferment of powers of implementation on the Commission and the establishment of a procedure as laid down in Council Decision 87/373/EEC (1);

The GDPR

Article 47 of the Regulation addresses the system of binding corporate rules that can be adopted by groups of undertakings facing intra-group transfers outside the Union.

Its understanding depends on various definitions introduced in article 4 of the Regulation.

“Binding corporate rules” are defined in Article 4 (20) as being: “personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity”.

 

The “groups of undertakings” receive a less accurate definition, “a controlling undertaking and its controlled undertakings” (Art. 4 (19)). Doubtless, we can use the rules applicable to competition in this area. According to recital 37, a group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a “group of undertakings”.

 

As to the “enterprise”, it is more classically defined as “a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity” (Art. 4 (19)).

 

The binding corporate rules must meet several conditions defined by Article 47 (1) and be approved by the competent supervisory authority according to the consistency mechanism specified in Article 63. In this regard, Article 64 (1) (f) states that the European Data Protection Committee shall issue an opinion where a competent supervisory authority intends to adopt any binding corporate rules.

The first condition addresses their legally binding nature: the binding corporate rules must bind every member of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees (a).

The second condition consists in the fact that the binding corporate rules must expressly confer enforceable rights on data subjects with regard to the processing of their personal data (b).

The third condition addresses the specific content of the binding corporate rules: they must at least specify:

- the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members; the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question; their legally binding nature, both internally and externally (a) to (c).

- the application of the general data protection principles, in particular purpose limitation, data minimization, limited storage periods, data quality, data protection by design and by default, the legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules (d);

- the rights of data subjects in regard to processing and the means to exercise those rights. The binding corporate rules must also provide for the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules (e);

- the acceptance by the controller or processor established on the territory of a Member State for  liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage (f);

- the tasks of any data protection officer or any other person or entity in charge of monitoring compliance with the binding corporate rules must also be specified by the rules, such as monitoring training and complaint-handling (h)  et seq..

Finally,  47(3) provides that the Commission may specify the format and relevant procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules.

The Directive

As the possibility to resort to binding corporate rules was not explicitly covered by the Directive, the Article 29 Working Party has developed in a concrete way the notion of internal corporate rules (called Binding Corporate Rules) in its working document WP 74 of 3 June 2003 ((Transfers of personal data to third countries. Application of Article 26 (2) of the EU Directive on data protection to binding corporate rules for international transfers of data, adopted on 3 June 2003).

At present, this mechanism is mainly applied for  by multinationals exporting data from their entities located within the EU to third countries that do not meet the criterion of adequacy. At present, these provisions exclude any transfer between two companies not belonging to the same group (GA29, working paper on binding corporate rules applicable to the international transfers of data, 3 June 2003, WP 74, p. 8).

Potential issues

All binding corporate rules already adopted must be reviewed for compliance with the new provision. The mandatory content imposed by the new provision is indeed extremely broad.

Group 29

Explanatory Document on the Processor Binding Corporate Rules (22 May 2015)

(Approved by the EDPB)

The Directive requires that data transfers outside the European Union shall be strictly framed in order to make sure that data subjects benefit from an adequate level of protection even when their data is sent outside the European Union (hereinafter “EU”).

Art. 26.2 of the Directive provides that “(…) a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection (…), where the controller adduces adequate safeguards with respect to the protection of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.”

Consequently, when the country of the importer of data does not ensure an adequate level of protection, the Controller must provide sufficient guarantees to the data transferred, for instance by the adoption of contractual clauses.

On this basis, and in order to facilitate compliance with the Directive 95/46 of data transfers outside the EU, the European Commission adopted sets of standard contractual clauses - 2001/497/EC on 15 June 2001 and 2004/915/EC on 27 December 2004 – in order to frame transfers between Controllers; and 2010/87/EU on 5 February 2010 for transfers between Controllers and Processors.

Link

Working Document Setting Forth a Co-Operation Procedure for the approval of “Binding Corporate Rules” for controllers and processors under the GDPR (11 April 2018)

(Approved by the EDPB)

The procedure for approving binding corporate rules (BCRs) for controllers and processors is laid out by provisions contained in Articles 47.1, 63, 64 and (only if necessary) 65 of the Regulation (EU) 2016/679 (GDPR).

As a result, binding corporate rules are to be approved by the competent supervisory authority1 in the relevant jurisdiction in accordance with the consistency mechanism set out in Article 63, under which the European Data Protection Board (EDPB) will issue a non-binding opinion on the draft decision submitted by the competent Supervisory Authority (Article 64 GDPR).

As the group applying for approval of its BCRs may have entities in more than one Member State, this procedure may involve a number of concerned Supervisory Authorities (SAs)2 , e.g. in those countries from where the transfers are to take place. However, the GDPR does not lay down specific rules for the cooperation phase which should take place among the concerned SAs in advance of referral to the EDPB. It also does not set out specific rules for identifying the competent SA – which will act as Lead Authority for the BCRs (‘BCR Lead’) 3 . The role of such BCR Lead includes acting as a single point of contact with the applicant organization or group during the approval process and managing the application procedure in its cooperation phase.

The aim of this document is to update the WP 107 and identify smooth and effective cooperation procedures in line with the GDPR whilst taking full advantage of the previous fruitful experience of the Data Protection Authorities in dealing with the approval of BCRs.

This document will be reviewed and if necessary updated, based on the practical experience gained through the application of the GDPR.

Link

Recommendation on the Standard Application form for Approval of Processor Binding Corporate Rules for the Transfer of Personal Data (11 April 2018)

(Approved by the EDPB)

Link

Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules (7 Fébruary 2018)

(Approved by the EDPB)

In order to facilitate the use of Binding Corporate Rules for Controllers (BCR-C) by a corporate group or a group of enterprises engaged in a joint economic activity for international transfers from organisations established in the EU to organisations within the same group established outside the EU, the Article 29 Working Party (WP29) has amended the Working Document 153 (which was adopted in 2008) setting up a table with the elements and principles to be found in Binding Corporate Rulesin order to reflect the requirements referring to BCRs now expressly set out by the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation / GDPR) .

It should be recalled that BCR-Controllers are suitable for framing transfers of personal data from Controllers established in the EU to other Controllers or to Processors (established outside the EU) within the same group, whereas BCR-Processors (BCR-P) apply to data received from a Controller (established in the EU) which is not a member of the group and then processed by the concerned group members as Processors and/or Sub-processors. Hence the obligations set out in the BCR-C apply in relation to entities within the same group acting as controllers and to entities acting as ‘internal’ processors. As for this very last case, it is worth recalling that a contract or other legal act under Union or Member State law, binding on the processor with regard to the controller and which comprise all requirements as set out in Art. 28.3 GDPR, should be signed with all internal and external subcontractors/processors (e.g. Service Agreement or other instruments meeting the same requirements) . Indeed, the obligations set forth in the BCR-C apply to entities of the group receiving personal data as (‘internal’) processors to the extent that this does not lead to a contradiction with the Service Agreement (i.e. the Processors members of the group processing on behalf of Controllers members of the group shall primarily abide by this contract).

Taking into account that Article 47.2 GDPR sets forth a minimum set of elements to be inserted within Binding Corporate Rules, this amended table is meant to:

- Adjust the wording of the previous referential so as to keep it in line with Article 47 GDPR,

- Clarify the necessary content of BCRs as stated in Article 47 (taking into account documents WP 743 & WP 1084 adopted by the WP29 within the framework of the directive 95/46/EC),

- Make the distinction between what must be included in BCRs and what must be presented to the competent Supervisory Authority in the BCRs application (document WP 1335 ),

- Give the principles the corresponding text references in Article 47 GDPR, and

- Provide explanations/comments on the principles one by one.

Article 47 GDPR is clearly modelled on the Working documents relating to BCRs adopted by the WP29. However, it specifies some new elements that need to be taken into account when updating already existing BCRs or adopting new sets of BCRs so as to ensure their compatibility with the new framework established by the GDPR.

Link

Regulation
1e 2e

Art. 47

1.   The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they:

a) are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;

b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and

c) fulfil the requirements laid down in paragraph 2.

2.   The binding corporate rules referred to in paragraph 1 shall specify at least:

a) the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;

b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

c) their legally binding nature, both internally and externally

d) the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules

e) the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules

f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;

g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in addition to Articles 13 and 14;

h) the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling

i) the complaint procedures;

j) the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of a group of undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the competent supervisory authority;

k) the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority;

l) the cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of verifications of the measures referred to in point (j);

m) the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and

n) the appropriate data protection training to personnel having permanent or regular access to personal data.

3.   The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

1st proposal close

Art. 43

1.           A supervisory authority shall in accordance with the consistency mechanism set out in Article 58 approve binding corporate rules, provided that they:

(a)     are legally binding and apply to and are enforced by every member within the controller’s or processor's group of undertakings, and include their employees;

(b)     expressly confer enforceable rights on data subjects;

(c)     fulfil the requirements laid down in paragraph 2.

2.           The binding corporate rules shall at least specify:

(a)     the structure and contact details of the group of undertakings and its members;

(b)     the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

(c)     their legally binding nature, both internally and externally;

(d)     the general data protection principles, in particular purpose limitation, data quality, legal basis for the processing, processing of sensitive personal data; measures to ensure data security; and the requirements for onward transfers to organisations which are not bound by the policies;

(e)     the rights of data subjects and the means to exercise these rights, including the right not to be subject to a measure based on profiling in accordance with Article 20, the right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

(f)      the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves that that member is not responsible for the event giving rise to the damage;

(g)     how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in accordance with Article 11;

(h)     the tasks of the data protection officer designated in accordance with Article 35, including monitoring within the group of undertakings the compliance with the binding corporate rules, as well as monitoring the training and complaint handling;

(i)      the mechanisms within the group of undertakings aiming at ensuring the verification of compliance with the binding corporate rules;

(j)      the mechanisms for reporting and recording changes to the policies and reporting these changes to the supervisory authority;

(k)     the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, in particular by making available to the supervisory authority the results of the verifications of the measures referred to in point (i) of this paragraph.

3.           The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned.

4.           The Commission may specify the format and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

2nd proposal close

Art. 43

1. The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 57 provided that they:

(a) are legally binding and apply to, and are enforced by, every member concerned of the group of undertakings or group of enterprises engaged in a joint economic activity ;

(b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data;

(c) fulfil the requirements laid down in paragraph 2.

2. The binding corporate rules referred to in paragraph 1 shall specify at least:

(a) the structure and contact details of the concerned group and of each of its members;

(b) the data transfers or categories of transfers, including the types of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

(c) their legally binding nature, both internally and externally;

(d) application of the general data protection principles, in particular purpose limitation, (...) data quality, lega l basis for the processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies (...) not bound by the binding corporate rules;

(e) the rights of data subjects in regard to the processing of their personal data and the means to exercise these rights, including the right not to be subject to (...)decisions based solely on automated processing, including profiling, in accordance with Article 20, the right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

(f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor may only be exempted from t his liability, in whole or in part, on proving that that member is not responsible for the event giving rise to the damage;

(g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in accordance with Articles 14 and 14a;

(h) the tasks of any data protection officer designated in accordance with Article 35 or any other person or entity in charge of monitoring (...) compliance with the binding corporate rules within the group, as well as monitoring the training and complaint handling;

(hh) the complaint procedures;

(i) the mechanisms within the group, for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred under point (h) and to the board of the controlling undertaking or of the group of enterprises, and should be available upon request to the competent supervisory authority;

(j) the mechanisms for reporting and recording changes to the rules and reporting these changes to the supervisory authority;

(k) the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group (...), in particular by making available to the supervisory authority the results of (...) verifications of the measures referred to in point (i) of this paragraph;

(l) the mechanisms for reporting to the competent supervisory authority any legal  requirements to which a member of the group is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and

(m) the appropriate data protection training to personnel having permanent or regular access to personal data (...).

2a. The European Data Protection Board shall advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules.

3. (...)

4. The Commission may specify the format and procedures for the exchange of information (...) between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2)

Directive close

No specific provision

No specific provision.

close