Binding corporate rules and data transfer outside the EU


Many multinational companies operating in Croatia need to share personal data with companies within the same group whose headquarters are located outside the European Union. These are most often employee data, contact details of business customers, suppliers, retailers, sales representatives, distributors, business partners, etc. For example, a company with its registered seat in Croatia may send personal data of its employees to India for the purpose of payroll accounting, data on distributors and suppliers to Brazil for the purpose of notifying the management, etc.


Where personal data are transferred outside the EU, the provisions of the GDPR stipulate that it is necessary to provide adequate protection mechanisms. Such mechanisms may be transfers based on a European Commission adequacy decision (e.g. transfers to Switzerland, Argentina, Canada), binding corporate rules (BCR) or standard contractual clauses.


Binding Corporate Rules (BCR) are legally binding and enforceable internal rules for the transfer of data within multinational companies that operate in a manner similar to an internal code of conduct. Binding corporate rules allow multinational companies to transfer data within the same corporate group to countries that do not provide an adequate level of personal data protection. The minimum content of the Binding Corporate Rules is prescribed by the GDPR, and during the process of their adoption, corporations can use the guidelines of the WP29 working group as well as the so-called Standard application form for approval of binding corporate rules. In order to ensure compliance with the GDPR, Binding Corporate Rules must be approved by the European Data Protection Board, the supervisory authority in the group's headquarters (leading authority) and submitted to supervisory authorities in all countries in which the group operates, including the Croatian Personal Data Protection Agency.


Once adopted, Binding Corporate Rules are binding for the management and business entities that have signed them within the corporate group. These entities must ensure that their staff adhere to the Binding Corporate Rules when processing personal data, and in particular when sending data outside the EU.