Once the GDPR enters into force, the Binding Corporate Rules (BCRs) will be explicitly recognized as mechanism adducing appropriate safeguards to the transfer of personal data outside the EU. This new inclusion, not only recognizes the use of BCRs for the transfer of personal data within a corporate group but also allow it to a “group of enterprises engaged in a joint economic activity”, which may be interpreted to include business partners.
Useful? Embed this infographic on your website.
In words of the European Commission –Brussels, 10.1.2017 COM (2017) 7 final– “this reform formalises and expands the possibilities to use the existing instrument as the BCRs, which until now has been limited to arrangements among entities of the same corporate group, and now can be used by a group of enterprises engaged in a joint economic activity, but not necessarily forming part of the same group.”
Indeed, this addition will help international transfers to take place, but the question is to which type of international transfers? By “engaged in a joint economic activity” are BCRs only applicable for the transfer of personal data to business partners providing the same service or product; or, also to business partners providing related services in the same economic field?
Clearly, it will apply to airline alliances or franchise group in the hotel sector, since they provide the same service; but it would also apply to partnership business with related business activities? For instance, a company providing websites (in Austria) and a company providing graphic design (in Peru) or, a company providing fund platform services (in the Isle of Man) and a company providing management services (in Luxembourg), in both cases, the companies are business partners (different legal entities, share customers and have a shared loyalty program) Are they allowed to use BCRs for the transfer of personal data outside the EU?
It seems that the answer is; yes, it is possible. And this opens a lot of opportunities. However, we should be careful with our perusal, BCRs are not meant to cover transfers with third-party services providers and must be internally legally binding, including employees, and externally legally binding, giving data subjects the right to enforce the BCRs in the EU.
As specialist and co-founder of the BCR idea, Jeroen Terstegge, once mentioned, “BCRs are a management solution to a legal problem.” As always good management decisions and implementations would make the difference.