The Article 29 working party has generated 2 papers which describe General Data Protection Regulation (GDPR) prerequisites, in connection to Binding Corporate Rules (BCRs). One paper deals with processor BCRs and the other deals with controller BCRs.
What is Contained in the Papers?
Here are a few of the basics which are contained in the papers.
In the controller BCR paper:
- There must be complete openness for all data followers who gain from third-party receiver rights.
- All data safety rules, like quality and security of data, must be incorporated in the BCR. This contains all rules mentioned in Article 47(2(d)) of GDPR.
- The controller must be able to show compliance with the BCR.
In the processor BCR paper:
- Data followers can implement a BCR directly versus a processor.
- All data safety rules must be described in the BCR, comprising those concerning sub-processing as well as data follower rights. The processors must describe how they will fulfill the prerequisites.
- The processor should provide all of the info essential for the controller, to verify that they are compliant.
- Any facility contract between a processor and a controller must contain all of the needed elements, as described in Clause 28 of GDPR.
Incorporated in both papers:
- Data followers must be provided the selection of whether to bring a grievance to the capable court of an EU country or to the pertinent Data Protection Authority (DPA). The relevant Data Protection Authority can be the one where the data follower resides, the one where they perform or the one where a breach is suspected to have occurred.
- The BCR must include particulars of who is involved in the Binding corporate rule and its scope.
All of these conditions apply to Binding corporate rules which are generated after the launch of GDPR and those that are now ready.