Sunday, September 17, 2017

GDPR requires Binding Corporate Rules

The GDPR requires Binding Corporate Rules, a legally binding and enforceable agreement with a public agency, which is deemed to be one of the appropriate safeguards when data is transferred outside of the EU States.  [GDPR Article 46, Paragraph (2)].  

The local Supervisory Authority shall approve each Binding Corporate Rule, and with approval, the companies and their employees are legally bound by those rules.

Per the GDPR, "The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they: 

(a) are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;"  [GDPR Article 47, Paragraph (1-1a)]

In addition to 10 other requirements of the Binding Corporate Rules [GDPR Article 47, Paragraph (2a-2m)], the GDPR requires "the appropriate data protection training to personnel having permanent or regular access to personal data." [GDPR Article 47, Paragraph (2n)]