Are entities in certain countries still required to form binding corporate rules?
It's regarding Module 8: Data transfers and managing third parties in the DPO course
The lecturer explains that there are certain countries that need binding corporate rules between companies transferring to each other who are operating under the same parent company. He explains that there are countries identified as having an adequate level of data protection (i.e the EU member states) and then explains that certain countries were not yet recognized have adequate protection such as the United States was not recognized as having an adequate level of data protection. Is this list of countries still up to date? Are entities in these countries still required to form binding corporate rules?
Assign topic to the user
it's regarding Module 8: Data transfers and managing third parties in the DPO courseThe lecturer explains that there are certain countries that need binding corporate rules between companies transferring to each other who are operating under the same parent company. He explains that there are countries identified as having an adequate level of data protection (i.e the EU member states), and then explains that certain countries were not yet recognized have adequate protection such as the United States was not recognized as having the adequate level of data protection. Is this list of countries still up to date?
You can find the current list on the website of the European Commission here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_enJapan and the United States (limited to the Privacy Shield framework) were added.
Are entities in these countries still required to form binding corporate rules?
The course explained that binding corporate rules are suitable for large-size companies belonging to the same group, while other companies better use data transfer agreements.
However, entities located in the United States can now transfer data based on an adequacy decision instead of Binding corporate rules. In fact, Article 46 GDPR states that transfer on the basis of binding corporate rules happens in the absence of a decision under Article 45 GDPR.
You can find more information here:
- Article 45 GDPR: https://advisera.com/gdpr/transfers-on-the-basis-of-an-adequacy-decision/
- Article 46 GDPR: https://advisera.com/gdpr/transfers-subject-to-appropriate-safeguards/
- Article 47 GDPR: https://advisera.com/gdpr/binding-corporate-rules/
- 3 steps for data transfers according to GDPR https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
You may also consider enrolling in this online EU GDPR Foundations Course: EU GDPR Foundations Course
Comment as guest or Sign in
Jun 01, 2020