Customize data protection: The Binding Corporate Rules (BCR)

In 1995, the EU adopted Directive 95/46/EC, which has since regulated the protection of natural persons with regard to the processing of personal data. Initially, an individual contract had to be concluded for each data transfer to 'unsafe third countries' (e.g. USA or India), which proved to be a cost-intensive obstacle, especially for large companies. The first companies then developed corporate guidelines that sought to standardize the process.
In June 2003, the term 'Binding Corporate Rules' appeared for the first time in the EU Data Protection Group. The idea was to create a flexible instrument for data transfer that would also meet the requirements of the Data Protection Act. The result was a procedure that allows companies to individually structure data protection when transferring data to third countries, provided that the 'Binding Corporate Rules' applied meet certain minimum standards. These include, among others:

- Development and implementation of a security concept
- Data protection training for employees
- Mandatory participation in an audit program
- Payment of compensation in the event of breaches
- Regulated complaints procedure
- Assurance of transparency
- Definition of the scope of application

The advantage of introducing 'Binding Corporate Rules' is the possibility of individually structuring the transfer of data to 'unsafe third countries'. The main disadvantages are the high organizational effort and the lengthy review process. A BCR process can take around two years to implement. This is currently worthwhile only for large companies.
