Binding corporate rules (“BCRs”) are internal codes of conduct drafted for use in multinational companies which cover the international transfer of personal data within their corporate group in order to ensure an adequate level of data protection. Once signed by all entities of the group and approved by the various national data authorities involved in the (flow) stream, the BCR have to be observed by all entities and employees. In Belgium, the authorization process can only be considered final when a Royal Decree of approval has been issued by the federal Government.
On 13 July 2011, the Belgian Privacy Commission signed a Protocol with the Ministry of Justice to streamline the authorization procedure for such internally binding compliance measures under Belgian law. The Protocol contains (1) the minimum requirements for the BCR; (2) the new procedure for approval that has been agreed upon by the Commission and the Ministry of Justice; (3) an explanatory note; and (4) a preapproved standardized template for the Royal Decree of approval.
In practice, the most significant improvements are:
- the strict term of 60 days within which the Commission has to issue its advice to the Ministry of Justice after all documents have been collected and the file can be considered as complete;
- the automatic approval of the BCR by the Ministry of Justice if the Commission’s advice is favourable. As approval, the Minister of Justice will sign the Royal Decree of approval which will be published in the Official Gazette. As a template is used, the individual Royal Decrees do not require prior review by the Finance Inspection and the Belgian Council of State. (NRO)
The Protocol can be found on www.privacycommission.be