Binding Corporate Rules explained
Binding Corporate Rules are a set of data
processing rules created by the Article 29 Working Party of the European Union
on January 1st, 2013. They allow companies from all over the world to
process personal data with strict safeguards that have been approved by the
Article 29 Working Party.
The Working Party is made up of one representative from each member state
of the European Union. The Binding Corporate Rules were designed so that
data processors do not have to obtain individual data protection
authorization from each member state of the European Union. This means
they don't have to get a contract for every transfer of data to each state.
These states of the European Union are individual countries in Europe. They
include Ireland, Italy, Greece, Germany, France, Finland and Austria, to name
a few. Using the Binding Corporate Rules is an alternative to using Safe
Harbor, which is where organizations within the United States and European
Union keep customer data. It was created by the United States Department of
Commerce under the directives of the European Union. Safe Harbor is often
criticized for not being as secure in protecting personal data as the Binding
Corporate Rules, since it only protects transfers going to the United States.
Binding Corporate Rules are designed to assist in the international transfer
of personal information to locations that do not provide a high level of
data protection. The European Union officials make sure that all personal
data transferred outside the European Economic Area will be guided by the
European Union's rules of data protection.
Companies that elect to use the Binding Corporate Rules have to comply with
their strict requirements. To be accepted under these rules, a company must
implement the Binding Corporate Rules in its own system. To remain compliant,
the company's system must contain privacy principles, such as transparency,
security, and data quality. It must have tools of effectiveness, such as
auditing, training and some sort of complaint handling system. There must
also be an element that proves the Binding Corporate Rules are actually
binding.
Once compliance is verified, these organizations can transfer personal
information outside of the European Economic Area. This allows companies to
export personal data to locations in other countries that don't have the same
level of protection. This is important because data protection is fundamental
to the way companies carry out their business.