Kemp Little
  • Looking for someone?
  • Email us
  • Search
MENU MENU
Insights overview

Data protection & privacy · 18 November 2019 · Marta Dunphy-Moriel · Matthew Gregson

Achieving the Gold Standard: Equinix achieves first BCR approval under GDPR

Equinix, a global interconnection and data centre provider, became the first company to go through the BCR approval process post-GDPR. This is particularly significant as a the EDPB has explicitly confirmed in the process that BCRs are still the solid international transfer mechanism it is considered to be.

What are BCRs?

BCRs are binding data protection polices which are designed to be adhered to multinational companies in the EEA for the intragroup transfer of data to their affiliates outside the EU. They are legally binding and enforced on every signatory and include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers.

BCRs differ from the European Commission’s Standard Contractual Clauses (“SCCs”) in two key ways:

  • For a group: Unlike the SCCs BCRs are only available to a group of undertakings, or group of enterprises engaged in a joint economic activity; and
  • Regulator stamp of approval: BCRs require a company to seek regulatory approval from their Lead Data Protection Authority, and through a GDPR consistency mechanism the European Data Protection Board who approves the BCRs on behalf of other data protection authorities within the EU).

Why choose BCRs?

One of the most popular reasons to go for BCRs is that they are great PR. It is a truth universally acknowledged that BCRs demonstrate that an organisation has achieved the highest standard of compliance when it comes to intragroup transfers of personal data. They serve as a mark of quality and come with a regulatory stamp of approval unique to the organisation in question. Whilst it is unquestionably time intensive to prepare BCRs and ultimately obtain approval, they do serve as a gold standard in a market sector, and have under the previous data protection regime most commonly been adopted by companies in heavily regulated sectors.

Other key reasons to go for BCRs include flexibility (as they cover most transfers carried out within a group and allow these to change as long as they are within the BCR parameters) and that they are “Brexit proof” as the parties can be EEA or non-EEA entities.

BCRs also offer an alternative to adopting the SCCs, the validity of which are once again the subject of legal challenge in the European Courts following allegations of deficiencies in their protections brought by privacy advocate Max Schrems. For more information about the potential implications of this judgment, please read our earlier blog post here.

Key takeaways

BCRs are stronger than ever. In these uncertain times, a large number of companies are now seeking to achieve the gold standard by bringing BCRs to the forefront of their privacy compliance programmes.

If you are considering BCRs for your organisation, as BCRs can be tailored around your needs (in Equinix’s case they focused on employees and business contacts), you should consider:

  • which categories of data and territories within your group would benefit from and be able to comply with your compliance regime; and
  • which group entity would be best placed to prepare, submit for approval, enforce, and be primarily responsible for infringement of its BCRs. Your choice of legal entity will have an impact on identifying who Lead Authority who make a draft approval of your BCRs before seeking approval of the EDPB.

If you would like to learn more, or are otherwise reviewing your international transfers in light of GDPR requirements, please get in touch with a member of our team, who would be happy to assist.

  • Share this blog

  • Twitter
  • Facebook
  • Linkedin

Need to talk about this?

Marta Dunphy-MorielMarta Dunphy-Moriel

Matthew GregsonMatthew Gregson

Get in touch

Sign up for our newsletters

  • Share this Blog

  • Twitter
  • Facebook
  • Linkedin

Other stuff you might like


    Notice: Undefined variable: show_default in /home/kemplittle/test.kemplittle.com/wp-content/themes/kemplittle/single.php on line 349
  1. Podcast | DPO Update: ICO on direct marketing, scientific research opinion, CCTV and fines
  2. From Denmark with love: Our analysis of the new Danish standard contractual clauses
  3. Podcast | DPO Update: Joint controller status, cookies guidance, DP by Design and Default and latest fines
The hottest topics in technology
  • Adtech & martech
  • Agile
  • Artificial intelligence
  • Brexit
  • Cloud computing
  • Complex & sensitive investigations
  • Connectivity
  • Cryptocurrencies & blockchain
  • Cybersecurity
  • Data analytics & big data
  • Data breaches
  • Data rights
  • Digital commerce
  • Digital content risk
  • Digital health
  • Digital media
  • Digital infrastructure & telecoms
  • Emerging businesses
  • Financial services
  • Fintech
  • Gambling
  • GDPR
  • KLick DPO
  • Open banking
  • Retail
  • SMCR
  • Software & services
  • Sourcing
  • Travel
close
The hottest topics in technology
  • Adtech & martech
  • Agile
  • Artificial intelligence
  • Brexit
  • Cloud computing
  • Complex & sensitive investigations
  • Connectivity
  • Cryptocurrencies & blockchain
  • Cybersecurity
  • Data analytics & big data
  • Data breaches
  • Data rights
  • Digital commerce
  • Digital content risk
  • Digital health
  • Digital media
  • Digital infrastructure & telecoms
  • Emerging businesses
  • Financial services
  • Fintech
  • Gambling
  • GDPR
  • KLick DPO
  • Open banking
  • Retail
  • SMCR
  • Software & services
  • Sourcing
  • Travel
Kemp Little

Lawyers
and thought leaders who are passionate about technology

Expand footer

Kemp Little

138 Cheapside
City of London
EC2V 6BJ

020 7600 8080

hello@kemplittle.com

Services

  • Commercial technology
  • Consulting
  • Disputes
  • Intellectual property
  • Employment
  • Immigration

 

  • Sourcing
  • Corporate
  • Data protection & privacy
  • Financial regulation
  • Private equity & venture capital
  • Tax

Sitemap

  • Our people
  • Insights
  • Events
  • About us
  • Contact us
  • Cookies
  • Privacy
  • Terms of use
  • Compliants
  • Debt recovery charges

Follow us

  • Twitter
  • LinkedIn
  • FlightDeck
  • Sign up for our newsletters

Kemp Little LLP is a limited liability partnership registered in England and Wales (registered number OC300242) and is authorised and regulated by the Solicitors Regulation Authority. Its registered office is 138 Cheapside, London EC2V 6BJ. The SRA Standards and Regulations can be accessed by clicking here.

  • Cyber Essentials logo
  • Tech Nation logo
  • LORCA logo
  • ABTA Partner+ logo
  • Make Your Ask logo
  • FT Innovative Lawyers 2019 winners logo
  • Law Society Excellence Awards shortlisted
  • Legal Business Awards = highly commended
  • Home
  • Our people
  • Services
    • Commercial technology
    • Consulting
    • Corporate
    • Data protection & privacy
    • Disputes
    • Employment
    • Financial regulation
    • Immigration
    • Innovation
    • Intellectual property
    • Private equity & venture capital
    • Sourcing
    • Tax
  • Insights
  • Quick reads
  • Events
  • About us
    • Who we are
    • Our social responsibilities
    • Our partnerships
    • Join us
  • Contact us
  • FlightDeck
  • LORCA
  • Sign up for our newsletters
  • Follow us
    • Twitter
    • LinkedIn
close
close
close

Send us a message

Fill in your details and we'll be in touch soon


Notice: Trying to get property of non-object in /home/kemplittle/test.kemplittle.com/wp-content/plugins/contact-form-7-dynamic-text-extension/contact-form-7-dynamic-text-extension.php on line 330

close

Sign up for our newsletter

I would like to receive updates and related news from Kemp Little *

Please select from the areas of interest below.

Themes

Services

Please select below any publications that you would like to receive:

Newsletters

close

Register for future event information

close
close
Looking for someone?
Generic filters
Exact matches only

Can't remember their name? View everyone

  • Home
  • Our people
  • Services
    • Commercial technology
    • Consulting
    • Corporate
    • Data protection & privacy
    • Disputes
    • Employment
    • Financial regulation
    • Immigration
    • Innovation
    • Intellectual property
    • Private equity & venture capital
    • Sourcing
    • Tax
  • Insights
  • Quick reads
  • Events
  • About us
    • Who we are
    • Our social responsibilities
    • Our partnerships
    • Join us
  • Contact us
  • FlightDeck
  • LORCA
  • Sign up for our newsletters
  • Follow us
    • Twitter
    • LinkedIn