Privacy & Information Security Law Blog

On March 24, 2015, the CNIL announced the implementation of a new procedure that will simplify the registration formalities for French affiliates of groups that have implemented Binding Corporate Rules (“BCRs”).

Currently, the CNIL’s prior authorization is required for each type of data transfer outside of the EU when the transfer is based on BCRs. The CNIL now proposes to issue a single authorization decision to each group that has implemented BCRs. The group’s affiliates that are data controllers and bound by the BCRs will then need to submit only a simplified registration for all of their data transfers outside of the EU based on the group’s BCRs. The affiliates will not have to obtain the CNIL’s prior authorization for each data transfer.

The CNIL emphasized that these affiliates will have to keep an updated list of their data transfers, which shall be provided to the CNIL upon request, that includes the following information:

• The general purpose of each data transfer covered by the BCRs;
• The categories of data subjects affected by the data transfer;
• The categories of personal data transferred;
• Information relating to each recipient, such as the (1) name of the company, (2) relevant group that adopted the BCRs, (3) country where the recipient is located, (4) category of data recipient (e.g., parent company, subsidiary, etc.), and (5) the type of data processing operations performed by the recipient on the transferred data.

The CNIL will contact more than 60 multinational companies with BCRs in the coming weeks to discuss the CNIL’s single authorization decision that may be granted to the group. By simplifying the registration requirements for data transfers based on BCRs, the CNIL wishes to further promote BCRs which, in the CNIL’s view, show a strong commitment from multinational organizations to protect personal data.