Privacy Officers Network

08 July 2004

Cambridge, UK


How companies negotiate Binding Corporate Rules schemes with the EU Data Protection Authorities

Welcome and Introduction

Melanie Shillito, JPMorgan Chase & EPON chair

Binding Corporate Rules

Lokke Moerel, De Brauw Blackstone Westbroek, Amsterdam. Lokke has successfully negotiated BCR schemes with the Netherlands Data Protection Commissioner for five multinational companies, including Shell, Heineken and Philips Electronics.

  • Introduction: Mitigating your business risks by adopting Binding Corporate Rules
  • Difficulties in drafting the processing rules
  • Transfers outside the group company
  • Compelling business interests
  • How do you make the rules "Binding"?
    • a) Internally
    • b) Externally
  • Rules of private international law
  • Additional rights and remedies


  • Ongoing monitoring / Compliance gaps
  • Insourcing (the service provider angle)
  • Developing outsourcing guidelines
  • Assessing compliance at the vendor selection stage

Investigations/audits by data protection authorities

  • Purpose behind inspection
  • Inspection process

Subject Access Requests

  • General issues (number and frequency of requests, duration of requests, staffing issues etc)
  • Resolving problematic access requests