Binding corporate rules
1. The competent supervisory authority shall approve binding corporate rules in accordance with the coherence mechanism referred to in Article 63, provided that they:
(a) are legally binding on, applicable to and enforced by all concerned members of the group, or the group of companies jointly engaged in an economic activity, including their employees;
(b) give data subjects explicitly enforceable rights with respect to the processing of their personal data; and
(c) meet the requirements set forth in paragraph 2.
2. The binding corporate rules referred to in paragraph 1 shall specify at least the following elements:
(a) the structure and contact details of the group or group of companies jointly engaged in an economic activity and of each of its members;
(b) the data transfers or series of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects concerned, and the identification of the third country or third countries concerned;
(c) their internally and externally legally binding nature;
(d) the application of general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and requirements for onward transfers to bodies not bound by the binding corporate rules;
(e) the rights of data subjects in relation to processing and the means of exercising those rights, including the right not to be subject to decisions based solely on automated processing, including profiling pursuant to Article 22, the right to lodge a complaint with the competent supervisory authority, to bring an action before the competent courts of the Member States pursuant to Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;
(f) the acceptance by the controller or processor established on the territory of a Member State of liability for all breaches of the binding corporate rules by a member concerned not established in the Union; the controller or processor shall be exempted from this liability, in whole or in part, only if it proves that that member is not responsible for the harmful event;
(g) the manner in which, in addition to the information referred to in Articles 13 and 14, information on the binding corporate rules, in particular on the provisions in points (d), (e) and (f), is provided to data subjects;
(h) the duties of any data protection officer designated in accordance with Article 37, or of any other person or entity entrusted with monitoring compliance with the binding corporate rules within the group or group of undertakings engaged in a joint economic activity, as well as with monitoring training and complaint handling;
(i) the complaint procedures;
(j) the procedures in place within the group or group of companies jointly engaged in an economic activity to verify compliance with the binding corporate rules. Such procedures shall include data protection audits and methods to ensure corrective measures to protect the rights of the data subject. The results of such audits shall be communicated to the person or entity referred to in point (h) and to the board of directors of the controlling undertaking of the group or group of undertakings engaged in a joint economic activity, and shall be made available to the competent supervisory authority upon request;
(k) the procedures for recording changes to the rules and for notifying and reporting those changes to the supervisory authority;
(l) the procedure for cooperation with the supervisory authority to ensure that all members of the group or group of undertakings engaged in a joint economic activity comply with the binding corporate rules, in particular by making available to the supervisory authority the results of the verifications referred to in point (j);
(m) the procedures for reporting to the competent supervisory authority any legal requirements to which a member of the group or group of undertakings jointly engaged in an economic activity in a third country is subject that are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and
(n) appropriate data protection training for personnel who have permanent or regular access to personal data.
3. The Commission may specify the format and procedures for the exchange of information on binding corporate rules within the meaning of this Article between controllers, processors and supervisory authorities. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).