1.19 What are BCRs ?
The EU Data Protection Directive and the Data Protection Acts impose conditions on the transfer of personal data to countries outside of Europe that are not considered to provide and "adequate" level of data protection. Organisations that transfer large quantities of personal data outside of Europe must do so in accordance with the provision of Section 11 of the Data Protection Acts. To facilitate multinational companies with operations in many countries, the Article 29 Working Party developed an alternative system of "Binding Corporate Rules" (BCRs). BCRs allow the composite legal entities of a corporation to jointly sign up to common data processing standards that are compatible with EU data protection law.
In order to secure approval for BCRs a company must choose a lead data protection authority to coordinate securing approval from other relevant data protection authorities. The lead authority must also as part of this process approve the BCRs. This approval receives mutual recognition from a number of other data protection authorities across the EU.