On 10 June 2013, the UK Information Commissioner’s Office authorized GlaxoSmithKline’s ‘Binding Corporate Rules‘ (BCRs) – a set of internal policies and procedures used to protect personal data across GSK’s operations globally.  Covington & Burling’s data privacy and security team, led by London partner Dan Cooper and senior associate Mark Young and including Brussels based policy analyst Kristof Van Quathem, was instrumental in the development, implementation and authorization of GSK’s BCRs.

GSK is one of the world’s leading research-based pharmaceutical and healthcare companies, with over 99,000 employees in over 100 countries.  With this authorization, it has become one of only 40 companies worldwide who have completed this rigorous process. 

BCRs are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of the EEA.  Applicants must demonstrate that their BCRs put in place adequate safeguards for protecting personal data throughout the organization.

BCRs have traditionally been adopted by companies acting as data controllers over personal data, although last year the Article 29 Working Party, a group comprised of the data protection authorities of all twenty-seven EU Member States, published a working document that provides guidance on the use of BCRs when making transfers of personal data to data processors (as discussed in this InsidePrivacy post).  The proposed Data Protection Regulation also formally recognizes BCRs for controllers and processors, and contains a consistency mechanism with which BCRs must comply.