When you run a global business, think about Binding Corporate Rules
CMS | Oct 8, 2024, 21:04

It is a cliché to say that data, including personal data, is what drives business today. It is also clear that without the exchange of data, it would be impossible to do business, either domestically or internationally. Companies exchange data with their suppliers, vendors, business partners and also within the groups of which they are part. This includes fairly basic contact details of employees and contractors or customer information, but also much more sensitive financial or health data.
Yet relatively few companies, whether Polish, British or from other countries, are aware that there is a mechanism in place that successfully supports cross-border data exchange within capital groups. This mechanism does not suffer from the weaknesses that affect other popular data transfer instruments – difficulties that have become increasingly apparent in recent years, especially after the high-profile decision of the Court of Justice of the European Union (CJEU) in the Schrems II case. Since then, the signing of Standard Contractual Clauses (SCCs) has not been without risk. In addition, another (the third in history) set of rules for transatlantic data transfers to the US is also uncertain, as it may be invalidated by the CJEU in the future.
Binding Corporate Rules (BCRs) are increasingly being used to address these weaknesses. They are being used successfully by multinational corporations in a wide range of sectors, including banking, insurance, pharmaceuticals, manufacturing and IT. In the almost two decades that BCRs have been in existence, more than 150 corporations have chosen to adopt them, including MasterCard, Allianz, Motorola, Novartis and Siemens, to name but a few. More recently, they have also attracted the interest of Polish companies, both those headquartered in Poland and international ones with a strong local presence.
BCRs – their advantages and variants
The underlying assumption and function of BCRs is to enable groups operating in multiple countries around the world to exchange personal data within the group as freely as possible. This is done through the adoption of internal policies, procedures, and many other internal mechanisms that are binding on the group affiliates. What is crucial though (and what distinguishes BCRs from SCCs) is that they are “tailor-made” for the organisation. This is because BCRs are adopted and implemented by the interested parties themselves, allowing BCRs to be tailored to their individual needs and circumstances.
By adopting BCRs, the corporation avoids the need to enter into dozens of data transfer agreements between its various entities, including agreements based on SCCs. Another strength of BCRs is that they are flexible and can be applied in different ways: both by corporate groups acting as controllers and as processors. In practice, some corporations have adopted and approved both types of BCRs.
The first variant of BCRs protects data shared by, for example, HR or compliance functions, for internal recruitment or reporting purposes. The other protects data shared with group companies by external controllers, such as the corporation’s customers. This makes it possible to ensure compliance not only internally (within the group), but also externally, especially in such a sensitive area as customer relations.
Formal approval of BCRs
BCRs, initially drafted by the group, require formal approval by the competent Data Protection Authority. It is this element (i.e., individual formal approval) that gives this instrument a much higher level of legal certainty – higher than the SCCs or even the Data Privacy Framework that covers transatlantic data flows (as both latter instruments are generally, and not individually, approved by the European Commission).
The BCRs approval process itself, although it can be lengthy, is well defined in the guidelines issued by the European Data Protection Board (EDPB). A kind of ‘BCR toolbox’ developed by the EDPB consists of numerous working documents, recommendations and guidelines that clarify the requirements for the content of BCRs, as well as procedural issues. These documents even specify the form of the application for approval of BCRs. This ensures that the process is consistent across the EU, or – more broadly – the EEA. More importantly, BCRs approved by an authority in one Member State will allow for the lawful transfer of data from all EEA countries in which the group operates.
BCRs as a robust mechanism for accountability
Thanks to the implementation of BCRs, personal data are adequately protected both during the transfer itself and on the territory of third countries. This is because BCRs introduce a single set of data protection rules within the corporation, based on EU law, the strongest data protection legislation in the world. Properly implemented, BCRs can raise the overall level of personal data protection within the group. As a result, they contribute to a fuller implementation of accountability, one of the fundamental principles under the GDPR, and fit into the broader context – the internal compliance programme. This can be achieved through, among other things, an audit mechanism and a training programme, the streamlining of internal procedures or the strengthening of data protection teams and positions at different levels of the organisation.
By using this innovative tool, companies can also feel more confident in their relationship with the Data Protection Authorities across the EEA. But the benefits go much further: BCRs allow a company to communicate to its employees, customers and business partners the crucial importance it attaches to data protection and privacy. This creates greater trust, including with data subjects (clients), which affects the organisation’s image and is important in the context of the GDPR and far beyond. It is no coincidence that BCRs are increasingly being compared to certification mechanisms as a so-called ‘seal of global compliance’.
When can we expect ‘Polish BCRs’?
Although the BCRs mechanism has been in place for almost 20 years now, we have yet to see ‘Polish BCRs’. This was not particularly surprising 15 or even 10 years ago, given the lack of experience of UODO, the Polish Data Protection Authority, or the low importance of Poland on the business map of Europe and more globally. However, the situation has changed in recent years, as more and more domestic companies do business globally. There is also an increasing number of multinationals that are strengthening their presence in Warsaw, Kraków or other Polish cities.
It is thus not a big surprise that the first multinational corporations are electing the UODO to lead their BCRs approval process. This is currently the case for those organisations that had their BCRs approved by the Information Commissioner’s Office (ICO), the UK’s Data Protection Authority, which is no longer able to act as the ‘lead authority’ as a result of Brexit. The time has come for the first fully ‘Polish’ BCRs.