How to transfer data between companies?

If a multinational corporation with headquarters in Europe is to transfer personal data to subsidiaries located outside the EEA, there are two main possible bases for the transfer:

a) EU Standard Contractual Clauses (SCC) and

b) Binding Corporate Rules (BCR). 

To avoid entering into a virtual web of transfer agreements between the entities in the same corporate group, BCRs can be used. BCRs are a set of internal procedures and policies to ensure secure processing and transfer of personal data. The company group must have its BCR approved by a competent data protection authority in the EU. For Norwegian companies, it will most often be the Norwegian Data Protection Authority (Datatilsynet). Such approval must be granted before the transfer can begin. The company that is to transfer the personal data must also make sure that the personal data receives equivalent protection in the recipient country, and that the recipient country's legal system does not prevent the BCR from being complied with.

If you need help designing a BCR and applying for its approval, you can contact us here.

A service provided by Bull & Co advokatfirma AS