You may transfer personal data where the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer.
Adequate safeguards may be provided for by:
– a legally binding agreement between public authorities or bodies;
– binding corporate rules (agreements governing transfers made between organisations within in a corporate group)
– standard data protection clauses in the form of template transfer clauses adopted by the Commission;
– standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission;
– compliance with an approved code of conduct approved by a supervisory authority;
– certification under an approved certification mechanism as provided for in the GDPR
– contractual clauses agreed authorised by the competent supervisory authority
– provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority
One of the most wide used and important instruments for framing data transfers between entities, part large corporate groups, such as Exxon Mobil, Hewlett-Packard or IBM are the Binding Corporate Rules, which is why we will examine them closely.