Application and approval process
• Complaint handling[5]: There must be an established system that allows data subjects to complain about any BCR member. Any such complaints must be dealt with by a clearly identified department without undue delay, and in any event, within one month. Additionally, the people handling the complaints must have an appropriate level of independence in exercising their functions.
• Third party beneficiary rights[6]: The BCRs must grant data subjects the right to enforce BCRs as third-party beneficiaries.
• Transparency: Data subjects should be provided with the information in Articles 13 and 14 GDPR and information on their third party beneficiary rights in relation to how their data is processed and how they can exercise those rights. Specifically, the BCRs must include clauses on liability and the data protection principles, and information must be provided in full or through links to other data protection notices, such as privacy policies[7].
• Easy Access[8]: BCRs must contain the right for every data subject to have access to them. For example, relevant information should be published on the website or internet for employees.
[5] Article 47(2)(i), GDPR. WP29 256 1.4 https://ec.europa.eu/newsroom/just/document.cfm?doc_id=48798
[6] Articles 28, 29, 79 GDPR. WP 256 1.3 https://ec.europa.eu/newsroom/just/document.cfm?doc_id=48798
[7] Article 47.2(g) GDPR.
• Third country legislation[9]: The BCRs must include a commitment that any third country legal requirements likely to have a substantial adverse effect on the guarantees of the BCRs will be reported to a competent supervisory authority; for example, any legally binding request for disclosure by law enforcement or state security authorities must be reported. The BCRs must also include a commitment that if there is a conflict between national laws and the BCRs, the EEA headquarters, the member with delegated data protection responsibilities, or any other relevant privacy officer or function, will take a reasonable decision on the appropriate action and consult with supervisory authorities if there is any doubt.
• Right to lodge a complaint[10]: Data subjects should be able to bring a claim before a supervisory authority in their home country, country of work, where the alleged infringement took place, before a competent EU court where the data exporter has an establishment, or in the data subject’s country of residence.
• Relationship with national laws[11]: The BCRs should state that where local laws require a higher level of protection for personal data, the local laws will take precedence over the BCRs.
• Cooperation with supervisory authorities[12]: The BCRs must contain clear and unambiguous undertakings that all BCR members as a whole, and any members of the group separately, will cooperate with the relevant supervisory authorities, accept to be audited by the relevant supervisory authorities, and comply with the advice of relevant supervisory authorities.
• Liability[13]: The EEA member with delegated data protection responsibilities must accept responsibility for and agree to take the necessary action to remedy acts of other group members outside the EEA. The BCRs must also contain an obligation on the EEA member with delegated data protection responsibilities to pay compensation for damages arising from a breach of BCRs by any member of the group. There must also be a statement that the responsible EEA group member bears the burden of proof in relation to alleged breaches of BCRs by a group member outside the EEA.
PwC | Binding Corporate Rules | 3