Linklaters helps pave the way for BCRs in Belgium
The Belgian Commission for the Protection of Privacy and the Belgian Ministry of Justice have recently concluded a protocol that should significantly ease the approval of Binding Corporate Rules, or BCRs, in Belgium. Linklaters Brussels worked with both the Privacy Commission and the Ministry of Justice to streamline and simplify the approval procedure under this new protocol.
Binding corporate rules
European data protection laws prohibit the transfer of personal data to a country outside of the European Economic Area unless certain conditions are satisfied. One possible solution to overcome this prohibition is for an organisation to adopt BCRs, a set of internally binding compliance measures to ensure personal data is protected within that organisation.
The restriction on international transfers has been implemented in Belgium through the Belgian Act of 8 December 1992 on the protection of privacy in relation to the processing of personal data. However, the only way to approve BCRs under that Act is for a Royal Decree to be adopted by the King. This is a time-consuming and complex exercise and as a result no data transfers based upon BCRs have been validated in Belgium to date.
Standardised individual Royal Decrees
The new process for approving BCRs continues to rely on the adoption of a Royal Decree. However, the process for issuing these decrees has been greatly simplified by the new protocol which merely requires the adoption of an individual Royal Decree (“acte individuel” / “individuele bestuurshandeling”) using a standardised template. These individual Royal Decrees do not require prior review by the Finance Inspection and the Belgian Council of State.
The new approval procedure
The new approval procedure, using the protocol, depends on the status of the BCRs. If they have already been approved under the mutual recognition procedure, the Privacy Commission should approve them, subject to the administrative filing requirements being fulfilled.
In contrast, if the BCRs are submitted to the Privacy Commission as lead regulator under the mutual recognition process, or as one of the other two regulators in charge of the initial review process (or even outside the mutual recognition process) the Privacy Commission analyses those BCRs in detail. The Privacy Commission provides its comments and remarks to the submitting organisation with a view to those BCRs being amended and ultimately approved.
Once the Privacy Commission has approved the BCRs, it communicates its positive advice to the Ministry of Justice, which in turn prepares an individual Royal Decree based on the template attached to the protocol to officially approve the BCRs. The Royal Decree is then signed and published in the Belgian State Gazette.
BCRs are not the only means of achieving compliance with European rules on international transfers of personal data, but they are the most flexible. Alternative approaches, which may suit some organisations, include the use of intra-group agreements and the adhesion to the US Safe Harbor. For other organisations, however, BCRs are becoming an increasingly attractive option to achieve compliance.
For further information on this subject or any other TMT issues please contact:
Tanguy Van Overstraeten
Avocat, Member of the Brussels Bar
(+32) 2 501 94 05