The data protection issues that arise when an employer transfers personal data outside the EU are extremely complex. This is the case even where the transfer of data is within a group of companies.
The Data Protection Act 1998 provides that such a transfer can be lawful if it is made on terms approved by the Information Commissioner as ensuring ‘adequate safeguards’. The use of binding corporate rules is one of the ways in which such ‘adequate safeguards’ may be demonstrated.
Binding corporate rules are sets of legally binding rules that are voluntarily adopted by multinational organisations to regulate the transfer of personal data between countries, for example, a group-wide corporate data protection policy.
Companies that wish to use such rules must, however, apply for approval to the data protection authority of each EU member state from which they intend to transfer personal data. This can be burdensome. There is now, at least, a standard application form for use by companies seeking approval of their binding corporate rules. The form is submitted to the data protection authority that the company considers to be the lead authority, which then circulates it to all other relevant authorities from which the company needs approval. The form can be downloaded from this page.