menu MENU
arrow_back Back to the list of all Articles
Change country (Currently : Czechia) language
Contact our local member in Czechia mail_outline
Visit the website of Havlik Svorcik & Partners account_balance

arrow_backPrevious Article
Article 47
Next Articlearrow_forward

Binding corporate rules

Official
Texts Guidelines Caselaw Review of
EU Regulation Review of
Nat. Regulation
Show key term(s) and Article(s) related to article 47 of the Regulation keyboard_arrow_down Hide key term(s) and Article(s) related to article 47 keyboard_arrow_up

Key words related to article 47

Show the recitals of the Regulation related to article 47 keyboard_arrow_down Hide the recitals of the Regulation related to article 47 keyboard_arrow_up

(101) Flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international cooperation. The increase in such flows has raised new challenges and concerns with regard to the protection of personal data. However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation. In any event, transfers to third countries and international organisations may only be carried out in full compliance with this Regulation. A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.

(108) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.

(110) A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

Show the recitals of the Directive related to article 47 keyboard_arrow_down Hide the recitals of the Directive related to article 47 keyboard_arrow_up

(56) Whereas cross-border flows of personal data are necessary to the expansion of international trade; whereas the protection of individuals guaranteed in the Community by this Directive does not stand in the way of transfers of personal data to third countries which ensure an adequate level of protection; whereas the adequacy of the level of protection afforded by a third country must be assessed in the light of all the circumstances surrounding the transfer operation or set of transfer operations;

(57) Whereas, on the other hand, the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited;

(58) Whereas provisions should be made for exemptions from this prohibition in certain circumstances where the data subject has given his consent, where the transfer is necessary in relation to a contract or a legal claim, where protection of an important public interest so requires, for example in cases of international transfers of data between tax or customs administrations or between services competent for social security matters, or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest; whereas in this case such a transfer should not involve the entirety of the data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are to be the recipients;

(59) Whereas particular measures may be taken to compensate for the lack of protection in a third country in cases where the controller offers appropriate safeguards; whereas, moreover, provision must be made for procedures for negotiations between the Community and such third countries;

(60) Whereas, in any event, transfers to third countries may be effected only in full compliance with the provisions adopted by the Member States pursuant to this Directive, and in particular Article 8 thereof;

(66) Whereas, with regard to the transfer of data to third countries, the application of this Directive calls for the conferment of powers of implementation on the Commission and the establishment of a procedure as laid down in Council Decision 87/373/EEC (1);

The GDPR

Article 47 of the Regulation addresses the system of binding corporate rules that can be adopted by groups of undertakings facing intra-group transfers outside the Union.

Its understanding depends on various definitions introduced in article 4 of the Regulation.

“Binding corporate rules” are defined in Article 4 (20) as being: “personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity”.

The “groups of undertakings” receive a less accurate definition, “a controlling undertaking and its controlled undertakings” (Art. 4 (19)). Doubtless, we can use the rules applicable to competition in this area. According to recital 37, a group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a “group of undertakings”.

As to the “enterprise”, it is more classically defined as “a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity” (Art. 4 (19)).

The binding corporate rules must meet several conditions defined by Article 47 (1) and be approved by the competent supervisory authority according to the consistency mechanism specified in Article 63. In this regard, Article 64 (1) (f) states that the European Data Protection Committee shall issue an opinion where a competent supervisory authority intends to adopt any binding corporate rules.

The first condition addresses their legally binding nature: the binding corporate rules must bind every member of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees (a).

The second condition consists in the fact that the binding corporate rules must expressly confer enforceable rights on data subjects with regard to the processing of their personal data (b).

The third condition addresses the specific content of the binding corporate rules: they must at least specify:

- the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members; the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question; their legally binding nature, both internally and externally (a) to (c).

- the application of the general data protection principles, in particular purpose limitation, data minimization, limited storage periods, data quality, data protection by design and by default, the legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules (d);

- the rights of data subjects in regard to processing and the means to exercise those rights. The binding corporate rules must also provide for the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules (e);

- the acceptance by the controller or processor established on the territory of a Member State for  liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage (f);

- the tasks of any data protection officer or any other person or entity in charge of monitoring compliance with the binding corporate rules must also be specified by the rules, such as monitoring training and complaint-handling (h)  et seq..

Finally,  47(3) provides that the Commission may specify the format and relevant procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules.

The Directive

As the possibility to resort to binding corporate rules was not explicitly covered by the Directive, the Article 29 Working Party has developed in a concrete way the notion of internal corporate rules (called Binding Corporate Rules) in its working document WP 74 of 3 June 2003 ((Transfers of personal data to third countries. Application of Article 26 (2) of the EU Directive on data protection to binding corporate rules for international transfers of data, adopted on 3 June 2003).

At present, this mechanism is mainly applied for  by multinationals exporting data from their entities located within the EU to third countries that do not meet the criterion of adequacy. At present, these provisions exclude any transfer between two companies not belonging to the same group (GA29, working paper on binding corporate rules applicable to the international transfers of data, 3 June 2003, WP 74, p. 8).

Potential issues

All binding corporate rules already adopted must be reviewed for compliance with the new provision. The mandatory content imposed by the new provision is indeed extremely broad.

arrow_back Previous ArticleArticle 47Next Article arrow_forward
arrow_back Previous ArticleArticle 47 Next Article arrow_forward

Summary

European Union

European Union

European data protection board (EDPB)

Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) (14 november 2022 - public consultation)

1. The GDPR expressly provides for the use of binding corporate rules (hereinafter “BCR”) by a group of undertakings, or a group of enterprises engaged in a joint economic activity (hereinafter “Group”) for transfers of personal data in the sense of Article 44 GDPR.

2. On 6 February 2018, the Article 29 Working Party (hereinafter “WP29”) adopted a table with the elements and principles to be found in BCR in order to reflect the requirements referring to BCR (hereinafter “WP256 rev.01”). The European Data Protection Board (hereinafter “EDPB”) endorsed WP256 rev.01 on 25 May 2018 . These Recommendations also repeal and replace WP256 rev.01, while in substance building on it.

3. On 11 April 2018, the Article 29 Working Party (thereinafter “WP29”) adopted Recommendations on the Standard Application for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data (hereinafter: “WP264”). The European Data Protection Board (hereinafter “EDPB”) endorsed WP256 rev.01 on 25 May 2018. These Recommendations repeal and replace WP264, while in substance building on it.

4. These recommendations are meant to: - Provide a standard form for the application for approval of BCR for controllers (hereinafter “BCR-C”);

  • Clarify the necessary content of BCR-C as stated in Article 47 GDPR;
  • Make a distinction between what must be included in BCR-C and what must be presented to the BCR Lead supervisory authority (hereinafter “BCR Lead”)2 in the BCR application; and 
  • Provide explanations and comments on the requirements.

5. BCR-C are suitable for framing transfers of personal data from controllers covered by the geographical scope of the GDPR pursuant to Article 3 GDPR to other controllers or to processors (established outside the EEA) within the same Group, whereas BCR for processors (hereinafter “BCR-P”) apply to data received from a controller that is not a member of the Group, and which are then processed by the concerned Group members as processors and/or sub-processors. Hence, the obligations set out in BCR-C apply in relation to entities within the same Group acting as controllers and to entities acting as ‘internal’ processors. As for this very last case, it is worth recalling that, in addition to the BCR-C, a contract or other legal act under Union or Member State law, binding on the processor with regard to the controller and which comprises all requirements as set out in Article 28(3) GDPR, must be signed by each controller acting as data exporter with all internal processors4 . Indeed, the obligations set forth in BCR-C apply to entities of the Group receiving personal data as (‘internal’) processors to the extent that this does not lead to a contradiction with the contract or other legal act entered into under Article 28(3) GDPR (i.e., the processors members of the Group processing on behalf of controllers members of the Group should primarily abide by this contract).

6. EU data protection legislation applicable to members of the Group must be complied with and cannot be overruled by provisions in the BCR-C, unless the BCR- C voluntarily provide for a higher level of protection.

7. Pursuant to Article 46(2)(b) GDPR, BCR are appropriate safeguards for transfers of personal data to third countries. BCR create enforceable rights and set out commitments in order to create, for the personal data transferred under the BCR, a level of protection essentially equivalent to the one provided by the GDPR. Therefore, it is not sufficient for the BCR-C to only make reference to provisions of the GDPR, and BCR-C applicants should rather expressly formulate the requirements within their BCR-C.

8. BCR are subject to approval5 by the BCR Lead. In this respect, it is worth highlighting the difference between the BCR Lead – which is competent for issuing the approval of the BCR - and the SA that is competent for a specific transfer carried out by a certain controller under that BCR-C

9. The draft approval decision of the BCR Lead is subject to an opinion by the EDPB . The approval confirms that the requirements set out in Article 47 GDPR are met, and therefore, that the commitments included in the BCR will provide for appropriate safeguards in the sense of Article 46 GDPR.

10. However, the approval does not include an assessment of whether each processing is in line with all requirements of the GDPR and the BCR. For instance, each data exporter needs to ensure that the requirements set out in Article 6 GDPR (Lawfulness of processing) and Article 28 GDPR (for transfers to processors) or any additional formalities specified by the national law of a Member State, if any, are met for each transfer. Furthermore, it is, for instance, the responsibility of each data exporter to assess, for each transfer, on a case-by-case basis, whether there is a need to implement supplementary measures in order to provide for a level of protection essentially equivalent to the one provided by the GDPR . Such supplementary measures are in the responsibility of the data exporter, and as such, are not assessed by supervisory authorities (hereinafter “SAs”) as part of the process of approval of BCR.

11. The BCR approval only covers transfers of personal data to third countries. However, Groups may design BCR to be used as their global data protection policy. However, the scope of the approval of the BCR by the BCR Lead is always limited to transfers of personal data from entities under the scope of application of the GDPR to third countries and their onward transfers to other Group members that are bound by the BCR (hereinafter “BCR member(s)”) outside the EEA.

12. Once approved, BCR can be used for transfers from all relevant Member States, and the SA competent for the data exporter will also be competent to assess the respect of the BCR by the data importer in the third country in relation to the relevant transfers.

13. The EDPB expects all BCR-C holders to bring their BCR-C in line with the requirements set out below. This includes BCR-C that have been approved before the publication of these Recommendations. Such changes will have to be done in compliance with the commitments taken in their BCR-C in accordance with Section 5.1 .

Link

Recommendations on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) -  1/2022 (20 June 2023)

Link

EDPB Document Setting Forth a Co-Operation procedure for the approval of Binding Corporate Rules for controllers and processors (13 March 2025)

The procedure for approving BCR for controllers and processors is laid out by provisions contained in Articles 47(1), 63, 64 and (only if necessary) 65 GDPR.

As a result, BCR are to be approved by the competent supervisory authority in the relevant jurisdiction in accordance with the consistency mechanism set out in Article 63, under which the EDPB will issue a non-binding opinion on the draft decision submitted by the competent Supervisory Authority (Article 64 GDPR).

As the group applying for approval of its BCR may have entities in more than one Member State, this procedure will involve all the concerned Supervisory Authorities (hereinafter, “SAs”), e.g. in those countries from where the transfers are to take place. However, the GDPR does not lay down specific rules for the cooperation phase which should take place among the concerned SAs in advance of referral to the EDPB. It also does not set out specific rules for identifying the competent SA – which will act as Lead Authority for the BCR (“BCR Lead”). The role of such BCR Lead includes acting as a single point of contact with the applicant organization or group during the approval process and managing the application procedure in its cooperation phase.

Link

Retour au sommaire

Article 29 Working Party

Explanatory Document on the Processor Binding Corporate Rules - wp204rev.01 (22 May 2015)

(Approved by the EDPB)

The Directive requires that data transfers outside the European Union shall be strictly framed in order to make sure that data subjects benefit from an adequate level of protection even when their data is sent outside the European Union (hereinafter “EU”).

Art. 26.2 of the Directive provides that “(…) a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection (…), where the controller adduces adequate safeguards with respect to the protection of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.”

Consequently, when the country of the importer of data does not ensure an adequate level of protection, the Controller must provide sufficient guarantees to the data transferred, for instance by the adoption of contractual clauses.

On this basis, and in order to facilitate compliance with the Directive 95/46 of data transfers outside the EU, the European Commission adopted sets of standard contractual clauses - 2001/497/EC on 15 June 2001 and 2004/915/EC on 27 December 2004 – in order to frame transfers between Controllers; and 2010/87/EU on 5 February 2010 for transfers between Controllers and Processors.

Link

Working Document Setting Forth a Co-Operation Procedure for the approval of “Binding Corporate Rules” for controllers and processors - wp263rev.01 (11 April 2018)

(Approved by the EDPB)

The procedure for approving binding corporate rules (BCRs) for controllers and processors is laid out by provisions contained in Articles 47.1, 63, 64 and (only if necessary) 65 of the Regulation (EU) 2016/679 (GDPR).

As a result, binding corporate rules are to be approved by the competent supervisory authority1 in the relevant jurisdiction in accordance with the consistency mechanism set out in Article 63, under which the European Data Protection Board (EDPB) will issue a non-binding opinion on the draft decision submitted by the competent Supervisory Authority (Article 64 GDPR).

As the group applying for approval of its BCRs may have entities in more than one Member State, this procedure may involve a number of concerned Supervisory Authorities (SAs)2 , e.g. in those countries from where the transfers are to take place. However, the GDPR does not lay down specific rules for the cooperation phase which should take place among the concerned SAs in advance of referral to the EDPB. It also does not set out specific rules for identifying the competent SA – which will act as Lead Authority for the BCRs (‘BCR Lead’) 3 . The role of such BCR Lead includes acting as a single point of contact with the applicant organization or group during the approval process and managing the application procedure in its cooperation phase.

The aim of this document is to update the WP 107 and identify smooth and effective cooperation procedures in line with the GDPR whilst taking full advantage of the previous fruitful experience of the Data Protection Authorities in dealing with the approval of BCRs.

This document will be reviewed and if necessary updated, based on the practical experience gained through the application of the GDPR.

Link

Recommendation on the approval of the Processor Binding Corporate Rules form - wp265 (11 April 2018)

(Approved by the EDPB)

Link

Working Document on Binding Corporate Rules for Controllers - wp256rev.01 (7 February 2018)

(Approved by the EDPB)

In order to facilitate the use of Binding Corporate Rules for Controllers (BCR-C) by a corporate group or a group of enterprises engaged in a joint economic activity for international transfers from organisations established in the EU to organisations within the same group established outside the EU, the Article 29 Working Party (WP29) has amended the Working Document 153 (which was adopted in 2008) setting up a table with the elements and principles to be found in Binding Corporate Rulesin order to reflect the requirements referring to BCRs now expressly set out by the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation / GDPR) .

It should be recalled that BCR-Controllers are suitable for framing transfers of personal data from Controllers established in the EU to other Controllers or to Processors (established outside the EU) within the same group, whereas BCR-Processors (BCR-P) apply to data received from a Controller (established in the EU) which is not a member of the group and then processed by the concerned group members as Processors and/or Sub-processors. Hence the obligations set out in the BCR-C apply in relation to entities within the same group acting as controllers and to entities acting as ‘internal’ processors. As for this very last case, it is worth recalling that a contract or other legal act under Union or Member State law, binding on the processor with regard to the controller and which comprise all requirements as set out in Art. 28.3 GDPR, should be signed with all internal and external subcontractors/processors (e.g. Service Agreement or other instruments meeting the same requirements) . Indeed, the obligations set forth in the BCR-C apply to entities of the group receiving personal data as (‘internal’) processors to the extent that this does not lead to a contradiction with the Service Agreement (i.e. the Processors members of the group processing on behalf of Controllers members of the group shall primarily abide by this contract).

Taking into account that Article 47.2 GDPR sets forth a minimum set of elements to be inserted within Binding Corporate Rules, this amended table is meant to:

- Adjust the wording of the previous referential so as to keep it in line with Article 47 GDPR,

- Clarify the necessary content of BCRs as stated in Article 47 (taking into account documents WP 743 & WP 1084 adopted by the WP29 within the framework of the directive 95/46/EC),

- Make the distinction between what must be included in BCRs and what must be presented to the competent Supervisory Authority in the BCRs application (document WP 1335 ),

- Give the principles the corresponding text references in Article 47 GDPR, and

- Provide explanations/comments on the principles one by one.

Article 47 GDPR is clearly modelled on the Working documents relating to BCRs adopted by the WP29. However, it specifies some new elements that need to be taken into account when updating already existing BCRs or adopting new sets of BCRs so as to ensure their compatibility with the new framework established by the GDPR.

Link

Retour au sommaire
arrow_back Previous Article Article 47 Next Article arrow_forward
Retour au sommaire
arrow_back Previous Article Article 47 Next Article arrow_forward
Regulation
1e 2e

Art. 47

1.   The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they:

a) are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;

b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and

c) fulfil the requirements laid down in paragraph 2.

2.   The binding corporate rules referred to in paragraph 1 shall specify at least:

a) the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;

b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

c) their legally binding nature, both internally and externally

d) the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules

e) the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules

f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;

g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in addition to Articles 13 and 14;

h) the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling

i) the complaint procedures;

j) the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of a group of undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the competent supervisory authority;

k) the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority;

l) the cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of verifications of the measures referred to in point (j);

m) the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and

n) the appropriate data protection training to personnel having permanent or regular access to personal data.

3.   The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).
1st proposal close

Art. 43

1.           A supervisory authority shall in accordance with the consistency mechanism set out in Article 58 approve binding corporate rules, provided that they:

(a)     are legally binding and apply to and are enforced by every member within the controller’s or processor's group of undertakings, and include their employees;

(b)     expressly confer enforceable rights on data subjects;

(c)     fulfil the requirements laid down in paragraph 2.

2.           The binding corporate rules shall at least specify:

(a)     the structure and contact details of the group of undertakings and its members;

(b)     the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

(c)     their legally binding nature, both internally and externally;

(d)     the general data protection principles, in particular purpose limitation, data quality, legal basis for the processing, processing of sensitive personal data; measures to ensure data security; and the requirements for onward transfers to organisations which are not bound by the policies;

(e)     the rights of data subjects and the means to exercise these rights, including the right not to be subject to a measure based on profiling in accordance with Article 20, the right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

(f)      the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves that that member is not responsible for the event giving rise to the damage;

(g)     how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in accordance with Article 11;

(h)     the tasks of the data protection officer designated in accordance with Article 35, including monitoring within the group of undertakings the compliance with the binding corporate rules, as well as monitoring the training and complaint handling;

(i)      the mechanisms within the group of undertakings aiming at ensuring the verification of compliance with the binding corporate rules;

(j)      the mechanisms for reporting and recording changes to the policies and reporting these changes to the supervisory authority;

(k)     the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, in particular by making available to the supervisory authority the results of the verifications of the measures referred to in point (i) of this paragraph.

3.           The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned.

4.           The Commission may specify the format and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
2nd proposal close

Art. 43

1. The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 57 provided that they:

(a) are legally binding and apply to, and are enforced by, every member concerned of the group of undertakings or group of enterprises engaged in a joint economic activity ;

(b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data;

(c) fulfil the requirements laid down in paragraph 2.

2. The binding corporate rules referred to in paragraph 1 shall specify at least:

(a) the structure and contact details of the concerned group and of each of its members;

(b) the data transfers or categories of transfers, including the types of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

(c) their legally binding nature, both internally and externally;

(d) application of the general data protection principles, in particular purpose limitation, (...) data quality, lega l basis for the processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies (...) not bound by the binding corporate rules;

(e) the rights of data subjects in regard to the processing of their personal data and the means to exercise these rights, including the right not to be subject to (...)decisions based solely on automated processing, including profiling, in accordance with Article 20, the right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

(f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor may only be exempted from t his liability, in whole or in part, on proving that that member is not responsible for the event giving rise to the damage;

(g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in accordance with Articles 14 and 14a;

(h) the tasks of any data protection officer designated in accordance with Article 35 or any other person or entity in charge of monitoring (...) compliance with the binding corporate rules within the group, as well as monitoring the training and complaint handling;

(hh) the complaint procedures;

(i) the mechanisms within the group, for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred under point (h) and to the board of the controlling undertaking or of the group of enterprises, and should be available upon request to the competent supervisory authority;

(j) the mechanisms for reporting and recording changes to the rules and reporting these changes to the supervisory authority;

(k) the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group (...), in particular by making available to the supervisory authority the results of (...) verifications of the measures referred to in point (i) of this paragraph;

(l) the mechanisms for reporting to the competent supervisory authority any legal  requirements to which a member of the group is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and

(m) the appropriate data protection training to personnel having permanent or regular access to personal data (...).

2a. The European Data Protection Board shall advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules.

3. (...)

4. The Commission may specify the format and procedures for the exchange of information (...) between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2)
Directive close

No specific provision
Czechia
compare_arrows
visibility Old law

No specific provision
Old law close

Act No. 101/2000 Coll., on the Protection of Personal Data and on Amendments to Certain Acts, as amended - repealed as of April 24, 2019

Art. 27

(...)

(3) Where the condition pursuant to paragraphs 1 and 2 is not met, the transfer of personal data may be carried out if the controller proves that:

(a) the data transfer takes place with the consent of, or on the basis of an instruction by the data subject;

(b) in a third country, where personal data are to be processed, has been created sufficient specific guarantees for personal data protection, e.g. by other legal or professional regulations and security measures. Such guarantees may be specified in particular by a contract concluded between the controller and the recipient, if this contract ensures application of these requirements, or if the contract contains contractual clauses for personal data transfer to third countries published in the Official Journal of the Office;

(c) the personal data concerned are part of publicly accessible data files on the basis of a special Act or are, on the basis of a special Act accessible to someone who proves legal interest; in such case the personal data may be disclosed only in the scope and under conditions provided by a special Act;

(d) the transfer is necessary to exercise an important public interest following from a special Act or from an international treaty binding the Czech Republic;

(e) the transfer is necessary for negotiating the conclusion or change of a contract, carried out on the data subject´s incentive, or for the performance of a contract to which the data subject is a contracting party;

(f) the transfer is necessary to perform a contract between the controller and a third party, concluded in the interest of the data subject, or to exercise other legal claims, or

(g) the transfer is necessary for the protection of rights or important vital interests of the data subject, in particular for rescuing life or providing health services.
arrow_back Previous ArticleArticle 47 Next Article arrow_forward
close

2016 - www.itiplaw.eu.