Binding Corporate Rules (BCR)

If multinationals wish to put in place data transfers within their own company and some of their establishments are outside the European Economic Area, they can also offer sufficient data protection safeguards by means of internal codes of conduct (Binding Corporate Rules).

These codes of conduct must be ratified by the different data protection authorities involved in the transfer. In Belgium a Royal Decree needs to be adopted following the opinion of the Privacy Commission - see the protocol agreement adopted between the Ministry of Justice and the Privacy Commission (Dutch version/French version).

A coordinated European procedure has been introduced enabling multinationals to apply to a national authority (which in this case takes the lead at European level) that will then contact the other European authorities involved to conduct a common study of the draft code of conduct. The idea is to come to coherent decisions of the various data protection authorities. Moreover, a number of authorities including Belgium have agreed on a system of mutual recognition in order to adopt harmonised positions, based on mutual trust when internal codes of conduct have been examined by three data protection authorities.

BCRs were initially intended for multinationals acting as controllers (for instance for personal data relating to their own employees, customers, suppliers), but since January 2013 there have also been BCRs for processors (for data they process on behalf of their customers, for example in the context of outsourcing services.)

A standard form to submit a request for authorisation is available for controller BCRs ((WP 133), but also for processor BCRs (WP 195a). For more information about the requirements at European level for the approval of internal codes of conduct you can consult the section on Binding Corporate Rules on the European Commission's website, as well as the working papers adopted by the Article 29 Working Party

  • controller BCRs: documents WP153 (list of conditions), WP154 (BCR model structure), WP155 (FAQ) and basic documents WP74, WP107, WP108;
  • processor BCRs: documents WP 195  (list of conditions) and WP 204 (explanatory document).

At the end of the European procedure binding corporate rules can be submitted to the different national authorities for approval.

In Belgium the multinational will send the following documents to the Privacycommission by letter or e-mail:

  • the BCR and the document published for data subjects with regard to the BCR if this document is not directly accessible;
  • a list of related entities;
  • specific addenda for Belgium, if any;
  • the completed harmonised authorisation request form (WP133 or WP195a);
  • a description of data flows from Belgium (Belgian entities requesting authorisation (name and official number at the Crossroads Bank of Enterprises) - check whether they have a legal personality and if not, identify the company with a legal personality), a list of importers (which can be all the entities bound by the BCR if they are all data recipients), the purpose of the data processing, the category of data and of data subjects. This description will determine the scope of the authorisation - view model for this description in Dutch or French);
  • an explanation on how the Belgian entities are legally bound by the BCR and proof of this (e.g. a signature);
  • an explanation on how the entities liable for mistakes made outside the EU are legally bound by the BCR (if they are different from the Belgian entities).

As soon as the Privacy Commission is of the opinion that the case file is complete, it will inform the multinational and the Ministry of Justice. The Ministry of Justice will then submit an official request for an opinion to the Privacy Commission. The opinion is issued within 60 days. In case of a favourable opinion, the Privacy Commission will draw up a draft royal decree based on the model in the protocol agreement. These documents will then be submitted to the Ministry of Justice which will examine whether the procedure has been respect and ensure that the document is signed and published in the Belgian Official Journal.

More information can be found in the protocol agreement adopted between the Ministry of Justice and the Privacy Commission (Dutch version/French version).