Guidelines for Binding Common Rules (BCR) For Personal Data Transfer – Binding Nature of the BCR

Binding Nature of the BCR

1. Binding Characteristics of the BCR: Demonstrate and specify how the BCR are to be made binding on the members of the Group:
   
   
   • Intra Group Agreements: Describe the legally binding agreements within the Group that enforce the BCR, including how these agreements are formulated and signed by all relevant entities.
   • Undertakings by the Parent Company: Explain any undertakings imposed by the parent company on the members of the Group.
   • Binding Requirements: Outline the specific binding requirements that the Group members shall be burdened with. Provide references to internal documents or legal provisions that enforce these requirements. Controllers have the right to enforce the BCR against any BCR member for any violation of the agreed upon texts. All BCR members have agreed to this provision as part of their commitments.
     
     
2. Enforcement by Members of the Group: Describe the enforcement mechanisms available to Group members within the Kingdom and internationally. Include any specific procedures for reporting and addressing non compliance.
   
   Example: The BCR can be enforced by any member of the Group through established internal reporting mechanisms and compliance programs. Members established in the Kingdom have specific procedures to escalate issues to the Group’s Data Protection Officer, who coordinates with the Competent Authority to ensure enforcement.
   
   
3. Binding upon Employees: Explain how the BCR will be made binding upon the employees of the Group members.
   
   
   • Employment Contract: Describe how BCR obligations are included in employment contracts.
   • Company Policies: Explain how the BCR texts are included in relevant company policies.
   • Disciplinary Sanctions: Provide details on disciplinary measures for non compliance with BCR.
     
     
4. Obligations on Sub Processors: Describe the contractual obligations imposed on Sub Processors, including the measures taken for non compliance.
   
   
5. Third Party Beneficiary Rights: Describe the measures taken to enable Data Subjects to practice their rights and seek redress. Include details on how these rights are respected and how Data Subjects can seek redress in case of violation of their rights.
   
   
6. Transparency in Regard to BCR: Describe the communication means and channels used to make the BCR accessible to Personal Data Subjects. Include details on channels available for Personal Data Subjects, such as websites or other accessible platforms.
   
   
7. Awareness and Training: Describe how employees of the Group members will be trained for compliance with and be made aware of the obligations and requirements set out in the BCR. The training program must ensure that all employees understand their responsibilities and the Personal Data Protection requirements stipulated in the Law and Regulations.
   
   
8. Complaint Handling: Describe the mechanisms that will be implemented to ensure efficient handling of complaints regarding the BCR and related transfers outside the Kingdom. It should be made clear that Personal Data Subjects can easily submit complaints and that these complaints are addressed promptly and effectively.
   
   
9. Auditing Process: Describe the auditing process that will be implemented to ensure compliance with the BCR by each member of the Group. It should include sufficient information on the audits.