Binding Corporate Rules explained

Binding Corporate Rules are a set of data processing rules created by the Article 29 Working Party of the European Union on January 1st, 2013. They allow companies from all over the world to process personal data with strict safeguards that have been approved by the Article 29 Working Party. 


This is a party made up of one representative from each state in the European Union. These Binding Corporate Rules were designed so that data processors didn’t have to get the individual authority for data protection from each of the member states of the European Union. Meaning, they don’t have to get a contract for every transfer of data to each state. 

These states of the European Union are actually individual countries in Europe. Some of these countries include Ireland, Italy, Greece, Germany, France, Finland and Austria; just to name a few. Using the Binding Corporate Rules is an alternative to using Safe Harbor, which is where organizations within the United States and European Union keep customer data. It was created by the United States Department of Commerce under the directives of the European Union. Safe Harbor is often criticized for not being as secure in protecting personal data as with the Binding Corporate Rules, since it only protects transfers going to the United States.  Binding Corporate Rules are designed to assist in the international transferring of personal information to locations that do not provide a high amount of data protection in their area. The European Union officials make sure that all the personal data that is transferred outside the Economic European Area will be guided by the European Union’s rules of data protection. 

The companies that elect to use the binding corporate rules have to comply with its strict rules. In order for a company to be accepted under these rules they must implement the binding corporate rules into their own system. To keep compliance the company’s system must contain privacy principles, such as transparency, security, and data quality. They just have tools of effectiveness, such as auditing, training and some sort of complaint handling system. There must also be an element that proves the binding corporate rules are actually binding. 

Once compliance is verified these organizations can transfer personal information outside of the Economic European Area. This allows companies to export personal data outside of the Economic European Area to locations in other countries that don’t have the same level of protection. This is important because data protection is fundamental towards the way companies carry out their business.