Rina Steenkamp - Privacy and technology
Chapter V Transfer of personal data to third countries or international organisations
Article 43 Transfers by way of binding corporate rules
October 2013
Article 43(1)
1. The supervisory authority shall in accordance with the consistency mechanism set out in Article 58 approve binding corporate rules, provided that they:
- (a) are legally binding and apply to and are enforced by every member within the controller’s group of undertakings and those external subcontractors that are covered by the scope of the binding corporate rules, and include their employees;
- (b) expressly confer enforceable rights on data subjects;
- (c) fulfil the requirements laid down in paragraph 2.
Article 43(1a)
1a. With regard to employment data, the representatives of the employees shall be informed about and, in accordance with Union or Member State law and practice, be involved in the drawing-up of binding corporate rules pursuant to Article 43.
Article 43(2)
2. The binding corporate rules shall at least specify:
- (a) the structure and contact details of the group of undertakings and its members and those external subcontractors that are covered by the scope of the binding corporate rules;
- (b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;
- (c) their legally binding nature, both internally and externally;
- (d) the general data protection principles, in particular purpose limitation, data minimisation, limited retention periods, data quality, data protection by design and by default, legal basis for the processing, processing of sensitive personal data; measures to ensure data security; and the requirements for onward transfers to organisations which are not bound by the policies;
- (e) the rights of data subjects and the means to exercise these rights, including the right not to be subject to a measure based on profiling in accordance with Article 20, the right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;
- (f) the acceptance by the controller established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves that that member is not responsible for the event giving rise to the damage;
- (g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in accordance with Article 11;
- (h) the tasks of the data protection officer designated in accordance with Article 35, including monitoring within the group of undertakings the compliance with the binding corporate rules, as well as monitoring the training and complaint handling;
- (i) the mechanisms within the group of undertakings aiming at ensuring the verification of compliance with the binding corporate rules;
- (j) the mechanisms for reporting and recording changes to the policies and reporting these changes to the supervisory authority;
- (k) the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, in particular by making available to the supervisory authority the results of the verifications of the measures referred to in point (i) of this paragraph.
Article 43(3)
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the format, procedures, criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, including transparency for data subjects, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned.
Article 43(4)
4. (deleted)
[Source: October 2013]
Recital 85
(85) A corporate group should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same corporate group of undertakings, as long as such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.
[Source: October 2013 | Notes: Recitals | Context: Recitals]
January 2012
Explanatory memorandum
3.4. Detailed explanation of the proposal
Article 43 describes in further detail the conditions for transfers by way of binding corporate rules, based on the current practices and requirements of supervisory authorities.
[Source: January 2012 | Context: Proposal from the European Commission]
Article 43(1) [Amended: October 2013]
1. A supervisory authority shall in accordance with the consistency mechanism set out in Article 58 approve binding corporate rules, provided that they:
- (a) are legally binding and apply to and are enforced by every member within the controller’s or processor's group of undertakings, and include their employees;
- (b) expressly confer enforceable rights on data subjects;
- (c) fulfil the requirements laid down in paragraph 2.
Article 43(2) [Amended: October 2013]
2. The binding corporate rules shall at least specify:
- (a) the structure and contact details of the group of undertakings and its members;
- (b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;
- (c) their legally binding nature, both internally and externally;
- (d) the general data protection principles, in particular purpose limitation, data quality, legal basis for the processing, processing of sensitive personal data; measures to ensure data security; and the requirements for onward transfers to organisations which are not bound by the policies;
- (e) the rights of data subjects and the means to exercise these rights, including the right not to be subject to a measure based on profiling in accordance with Article 20, the right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;
- (f) he acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves that that member is not responsible for the event giving rise to the damage;
- (g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in accordance with Article 11;
- (h) the tasks of the data protection officer designated in accordance with Article 35, including monitoring within the group of undertakings the compliance with the binding corporate rules, as well as monitoring the training and complaint handling;
- (i) the mechanisms within the group of undertakings aiming at ensuring the verification of compliance with the binding corporate rules;
- (j) the mechanisms for reporting and recording changes to the policies and reporting these changes to the supervisory authority;
- (k) the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, in particular by making available to the supervisory authority the results of the verifications of the measures referred to in point (i) of this paragraph.
Article 43(3) [Amended: October 2013]
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned.
Article 43(4) [Deleted: October 2013]
4. The Commission may specify the format and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
[Source: January 2012 | Context: Proposal from the European Commission]
Recital 85 [Amended: October 2013]
(85) A corporate group should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same corporate group of undertakings, as long as such corporate rules include essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.
[Source: January 2012 | Notes: Recitals | Context: Proposal from the European Commission, Recitals]
Menu |
My annotated General Data Protection Regulation |
Chapter V |
Previous |
Next |
Additional information | Meta |
Contact |
Nederlands
