Binding Corporate Rules FAQs
What are Binding Corporate Rules (BCRs)?
European and UK data protection laws require companies which transfer personal data out of the EU, EEA and UK (referred to in these FAQs as “the region”) to ensure that adequate protection is in place, so that the personal data is as well protected when it is transferred as it would be if it remained in the region.
Many companies use Standard Contractual Clauses (SCCs) to meet this requirement. An alternative option, which is expressly recognised by the GDPR and European Data Protection Board, is the use of Binding Corporate Rules (BCRs).
Verizon holds EU BCRs (which protect EU-originating personal data) and UK BCRs (which protect UK-originating personal data), both of which have been fully approved by the relevant supervisory authorities¹.
How do the Verizon BCRs protect personal data?
Verizon holds BCRs as Processor and as Controller, for both the EU and the UK.
The BCRs comprise a set of rules with which entities in a multinational corporate group formally agree to comply when handling EU- or UK-originating personal data as a processor on behalf of their customers.
All of the entities which participate in the BCRs must be legally bound to comply with the rules, and must be able to demonstrate that they meet the required standard by submitting to audit procedures as part of an ongoing compliance framework, to the level required by supervisory authorities. A company with BCRs must also agree to be audited by the appropriate supervisory authority.
How do BCRs compare with Standard Contractual Clauses?
There are clear parallels between the obligations in the SCCs and the contents of BCRs. Obligations to a customer that must form part of Processor BCRs include a requirement that the processor will process personal data only on behalf of the customer and in compliance with its instructions; controls around the appointment of sub-processors; security and data incident reporting (including direct obligations to the customer); audit by a customer; plus third-party beneficiary rights that are designed for the maximum benefit to individuals in terms of the options available and the jurisdiction in which claims may be made.
The advantage of Processor BCRs over SCCs is that an organisation with Processor BCRs is better able to demonstrate to customers how data protection compliance is integrated into the way it carries out its business, and the protection of the BCRs can be more easily integrated into the contract with the customer.
I thought that BCRs only protect processing of personal data by the Controller?
Not quite. When BCRs were first introduced, only Controller BCRs were available, but after pressure from companies including Verizon, the European Commission drafted Processor BCRs.
Verizon has BCRs for Controllers and BCRs for Processors. The BCRs for Processors protect transfers of personal data out of the region when the personal data is being processed by Verizon (as processor) on behalf of the customer (as controller).
Do BCRs only protect transfers of data between Verizon entities, and not the initial transfer from the customer to Verizon?
According to guidance from the European Data Protection Board (EDPB) and its predecessor WP29, Processor BCRs are intended to cover the initial transfer of personal data from controller (customer) to processor (Verizon), as well as international transfers of data between group members as processors and/or sub-processors.
While the guidance pre-dates the GDPR, this approach has remained unaltered with the introduction of the GDPR. In fact, the Working Document WP 257 on Binding Corporate Rules for Processors, which was released after the final text of the GDPR was published and shortly before it came into force, clearly distinguished Processor BCRs from Controller BCRs, confirming that Processor BCRs ‘…apply to data received from a controller established in the EU which is not a member of the group and then processed by the group members as processors and/or sub processors…’.
The UK ICO also recognises that Processor BCRs protect a transfer from a UK-based controller to a processor which is located outside the UK.
On this basis, Verizon considers that its Processor BCRs provide protection for the initial transfer from the customer (as controller) to a Verizon group company outside the region (as processor) as well as the transfer of the personal data between Verizon group companies.
How has “Schrems II” affected Verizon’s BCRs?
In July 2020 the CJEU passed judgment on the “Schrems II” case², which, amongst other things, requires companies to assess whether transfers of personal data from the EU are adequately protected in accordance with the EU GDPR and to put in place such additional safeguards as they consider necessary.
Verizon has considered the legal regimes in the countries to which it transfers personal data from the EU and which are protected by the EU BCRs and is using Transfer Impact Assessments to analyse the risks involved in those transfers. Appropriate steps will be taken to minimise any identified risks.
Following guidance from the Irish supervisory authority received in March 2022, Verizon has further strengthened its EU BCRs³. This is in addition to existing provisions in Verizon’s EU and UK BCRs which state that Verizon will ensure that any transfers of personal data under the BCR policies that it makes to a public authority are “not massive, disproportionate or indiscriminate in a manner that would go beyond what is necessary in a democratic society”⁴.
Verizon awaits guidance from the ICO on changes to UK BCRs and will act accordingly once that guidance is issued. In the meantime, the existing provisions of Rule 12B of the UK Processor BCRs and Rule 15C of the UK Controller BCRs, as outlined above, address the core of the issue raised in the CJEU ruling, and Verizon is satisfied that the UK BCRs meet the current requirements.
What about the Privacy Shield?
The Privacy Shield was another way to protect transfers of personal data from the EU to the US instead of using standard contractual clauses or BCRs. The “Schrems II” case invalidated the Privacy Shield framework that was in place at the time and the EU and US have negotiated a new Privacy Framework, reaching agreement in principle in March 2022. The EU and US will now each go through a legal adoption process so that participating companies will be able to use the protection of the Privacy Framework to protect transfers of EU personal data to the US.
Verizon BCRs protect personal data when it is transferred to the US as well as to other countries and are therefore more versatile than the Privacy Framework. Verizon did not participate in the Privacy Shield and does not intend to participate in the new Privacy Framework.
However, many of the steps that the US Government has taken as a result of the Privacy Framework discussions will enhance the protection of personal data which is transferred to the US under BCRs and other adequacy mechanisms.
Can we print the BCRs and attach them to the contract between Verizon and its customer?
The BCRs are reviewed and updated every year to ensure that they reflect Verizon’s business practices and meet the current requirements and guidelines set out by the supervisory authorities. This is one of the major benefits of the BCRs: they move with the times, so that customers and individuals can be confident that personal data is protected up to current standards. Verizon will protect personal data in accordance with the latest update to the BCRs as agreed by the relevant supervisory authority. Therefore we recommend that the contract between Verizon and the customer incorporates the BCRs by reference, to allow for updates and revisions to the BCRs. Customers can be assured that changes to the BCRs must be approved by the supervisory authority, and so the BCRs will always be fit for purpose.
Can Verizon grant the customer the right to be notified of, or consulted on, changes to the BCRs?
The most up-to-date versions of the BCRs are available at all times on Verizon’s website for customers to review at their convenience. This may include the version which is currently being considered by the appropriate supervisory authority.
As stated in Article 47 GDPR, Verizon’s lead supervisory authorities (the DPC and the ICO) have responsibility to approve changes to BCRs to ensure that they meet the standard required and provide the correct level of protection for relevant personal data. Verizon is not able to take comments from other stakeholders such as customers or individual data subjects during the annual review process.
Which Verizon Services/Products do the BCRs apply to?
Any product or service which is sold by a participating entity is protected by the BCRs. There may be situations where a product includes transfers to a non-participating entity, in which case alternative arrangements (such as SCCs) will be put in place.
A list of the Verizon companies which participate in the BCRs is available on the BCR webpage.
¹ Verizon’s lead authority for its EU BCRs is the Data Protection Commissioner (DPC) of Ireland; the lead authority for Verizon’s UK BCRs is the UK Information Commissioner’s Office (ICO).
² Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18).
³ Rule 12A and 12B of the Processor BCRs; Rule 15A and 15B of the Controller BCRs.
⁴ Rule 12B of the UK Processor BCRs and 2021 EU Processor BCRs; Rule 15C of the UK Controller BCRs and 2021 EU Controller BCRs.