BCR (Binding Corporate Rules) Management Program from TRUSTe


Upload: truste

Post on 04-Nov-2014


DESCRIPTION

The TRUSTe-Promontory BCR (Binding Corporate Rules) management program helps multinationals manage and comply with international data transfer, extending your global privacy strategy. Visit http://www.truste.com/products-and-services/enterprise-privacy/binding-corporate-rules

TRANSCRIPT

Page 1: BCR (Binding Corporate Rules) Management Program from TRUSTe

Binding Corporate Rules (BCR) Management Program

EU law imposes restrictions on the transfer of data between the European Economic Area (EEA) and the rest of the world. This includes internal transfers of personal data such as employee or customer information within a corporate group. If your company does business or has employees in the EEA then you need to demonstrate compliance with EU privacy and data protection standards. Ways to achieve this include:

• Binding Corporate Rules authorization, enabling you to transfer data freely within your corporate group

• Using a matrix of contracts incorporating Model Contract Clauses for data transfers within your corporate group

• Using EU Safe Harbor for data transfers from the EEA to the US. May not be an option for certain transfers, e.g. cloud transfer, going forward

What are Binding Corporate Rules?

BCRs are internal rules adopted by multinational companies to facilitate the intra-organizational transfer of personal data from group companies within the EEA to group companies located outside the EEA. BCRs were developed by the Article 29 Working Party as a solution to enable large organizations with a global presence to transfer personal data freely across the corporate group in accordance with the European Data Protection Directive 95/46/EC.

BCRs are widely recognised across most EEA member states, the majority of which participate in the mutual recognition procedure designed to deliver a streamlined BCR approval process through a lead Data Protection Authority.

The proposed European General Data Protection Regulation provides a stronger legal basis for the use of BCRs to make international data transfers, and would extend the scope of lead Data Protection Authority mutual recognition to all EU member states, which is expected to generate increased adoption of BCRs.

Advantages of BCRs

• Provide a sustainable framework for a range of intra-group data transfers

• Help an organization achieve an elevated and consistent level of data protection compliance and accountability, by ensuring that all group entities work towards enhanced data handling standards

• Strengthen an organization’s brand, in the eyes of customers, third parties and regulators, by providing evidence of commitment to data protection compliance

• Help to reduce administrative complexity which can occur when using model contract clauses

• More comprehensive than EU Safe Harbor

Why choose the TRUSTe-Promontory BCR Management Program?

The cost of BCR adoption has typically been substantial and many organizations currently see the application process as complicated, lengthy and expensive. The TRUSTe-Promontory BCR Management Program is designed to make it quicker, simpler and more affordable for businesses to prepare for compliance with the Binding Corporate Rules (BCRs) regime, apply for authorization from their Data Protection Authority to use BCRs for international data transfers within their organization, and self-certify their ongoing BCR compliance through the Program.

Learn more: truste.com/bcr

Managing the compliance challenges of international data transfers

[Infographic] EEA member states: 30. Recognize BCRs: 28. Support mutual recognition of BCR decisions: 21.

Page 2: BCR (Binding Corporate Rules) Management Program from TRUSTe

What can the Program do for your organization?

Reduce administrative burden

• Delivery of a streamlined and consistent BCR framework to facilitate a broad range of intra-group data transfers

• Oversight and management of the BCR application process including pre-submission review and regulatory liaison with Data Protection Authorities as part of approval process

Cost management

• Pre-program suitability assessment to ensure compatibility of organization’s structure and data protection compliance framework with BCR adoption

• Project-based pricing structure reducing risk of resource over-spend

• Delivering efficiencies by building on a proven BCR framework

Technical expertise

• Promontory’s experience of privacy and data protection regulation in Europe and across the globe

• TRUSTe’s global privacy expertise and leading edge certification practice

Demonstrate on-going compliance

• Annual attestation of compliance with the BCR commitments and corresponding trust mark to demonstrate on-going organizational compliance with the BCRs

BCR Scheme Framework: Requirements and workflow framework including BCR commitments and control statements

Scoping: Establish the suitability of BCR implementation, scoping of the BCR commitments and identification of likely lead DPA

Readiness: TRUSTe & Promontory provide roadmap to BCR implementation including any necessary pre-application remediation work

Adoption & Deployment: Organization undertakes remediation and implementation requirements defined in roadmap. Progress tracked by TRUSTe and support provided if issues arise during implementation work

Approval: TRUSTe & Promontory collate relevant documentation and produce a BCR Management Program application pack prior to application submission to lead DPA and two secondary DPAs

Compliance: TRUSTe oversee process for organization to undertake its annual attestation of on-going compliance with BCR commitments, in addition to re-certifications in relation to new data handling activities

Redress: TRUSTe operate an independent complaints arbitration and dispute resolution service where complaints cannot be resolved by the organization, prior to involvement of DPA(s)

How does the process work?

[Process diagram] Stages: BCR Scheme Framework, Scoping, Readiness, Adoption & Deployment, Approval, Compliance, Redress

Experienced program partners

TRUSTe is the leading global provider of data privacy management solutions, offering a broad suite of technologies and certifications to help companies build trust and increase engagement across their online channels, including websites, mobile apps, advertising, and cloud services. More than 5,000 companies, including top international brands like Apple, eBay, LinkedIn and Microsoft, rely on TRUSTe to build trust and address evolving and complex privacy challenges. TRUSTe® Certified Privacy seal is widely recognised and trusted by millions of consumers worldwide as a sign of responsible privacy practices. www.truste.com

Promontory is a global consulting firm for regulated companies. The firm specializes in solving regulatory, risk, controls, compliance and governance issues. Since its founding in 2001 by former U.S. Comptroller of the Currency Eugene A. Ludwig, Promontory’s reputation for excellence and frank, proactive, and practical advice has fueled its growth. With 15 offices in North America, Europe, Asia, Australia, and the Middle East, our professionals assist clients in more than 50 countries on six continents. Visit us at www.promontoryprivacy.com

Contact us

US: 888.878.7830 www.truste.com | EU: +44 (0) 203 626 0109 www.truste.co.uk