Binding Corporate Rules
RGA is a leader in personal data protection, receiving approval for its Binding Corporate Rules (BCRs) by the European Data Protection Board (EDPB).
Binding Corporate Rules (BCRs) are internationally recognized as the most stringent standards for data protection, and RGA is the first reinsurer to receive regulatory approval for BCRs since the European Union's General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Through BCR approval, RGA is voluntarily abiding by the highest standards for data protection and transfer globally in terms of personal data received as a controller and as a processor.
BCRs only receive approval after a rigorous review conducted by multiple authorities against European data protection standards, laws widely regarded as amongst the most comprehensive and strict in the world. By following BCR guiding principles, RGA has agreed to be accountable to regulators for complying with multiple data protection requirements, including ensuring fair and lawful processing, providing appropriate technical and organizational security, and guaranteeing respect for individuals' data protection rights.
Frequently Asked Questions
BCRs are a set of group-wide data protection policies and procedures that an organization can implement to regulate the international transfer and processing of personal information by that organization's group members. BCRs enable multinational organizations to lawfully receive and process personal information transferred to them from the European Economic Area ("EEA") anywhere in the world.
BCRs must be approved by European data protection authorities (“DPA”) and only receive this approval after a rigorous review conducted by multiple authorities against European data protection standards. Due to the extensive nature of the review, receiving approval can take as long as two years. For this reason, organizations which pursue BCRs are committed to the highest standards when it comes to safeguarding personal information and, consequently, EU DPAs see BCRs as a "best practice" approach to data protection compliance.
European data protection laws are widely regarded as amongst the most comprehensive and strict in the world. These laws require organizations to comply with various data protection requirements, including ensuring fair and lawful processing, providing appropriate technical and organizational security, and guaranteeing respect for individuals' data protection rights.
One of these requirements is that personal data which is transferred outside of the EEA must remain protected to the standards required by European data protection laws. This requirement is known as the "adequacy" requirement because, technically, the law says that the data must remain protected to an "adequate" standard. There are very few reliable ways to meet this requirement.
For example, certification under the US-EU Safe Harbor, a means by which data could previously be exported from the EEA to the US, was declared invalid by the Court of Justice of the European Union in 2015. Its successor, the EU-US Privacy Shield, is subject to ongoing legal challenges, as are EU Standard Contractual Clauses, another common form of data export solution.
Binding Corporate Rules are the last remaining adequacy solution available to lawfully transfer personal data out of the EEA. They are the only solution that is not currently the subject of a legal challenge in the EU, meaning that they are the most legally robust of the solutions available. Further, because of the extensive review process to which BCR applicants are subject, and the fact that BCRs are the only solution that must actually be approved by EU DPAs, they are considered the "gold standard" for data exports from the EEA.
By having achieved BCR approval, RGA can receive personal data from its EEA customers and group companies in full compliance with EU data protection laws.
The BCR approval process begins with an application, with supporting documentation and BCR policies, submitted to a "lead" DPA. In RGA's case, the lead DPA was the Irish Data Protection Commissioner.
The lead DPA is responsible for reviewing the applicant's BCRs in detail and working with the applicant to address any comments. The lead DPA will also send the BCRs to one or two other DPAs which act as co-reviewers.
Once any comments are addressed, the applicant will send the updated BCRs to the lead DPA. This organization will circulate the updated BCRs among all concerned DPAs for any comments (which are then addressed by the applicant). Following completion of this “cooperation procedure”, the lead DPA will submit a final draft of the BCRs to the European Data Protection Board (“EDPB”). The EDPB will adopt an opinion on the matter and, where the EDPB endorses the lead DPA’s draft decision on the draft BCRs, the lead DPA will adopt its decision and the BCRs will be approved.
We have both! RGA submitted two BCR applications: one for controller BCR approval (governing RGA's processing of personal information for its own purposes, such as workforce, CRM and policyholder data); and one for processor BCR approval (governing RGA's processing of personal information on behalf of a third-party controller, i.e. a customer). Both applications were successfully approved.
No. BCRs are an alternative adequacy solution that replace the need for Standard Contractual Clauses and, in fact, provide an even greater level of protection – due to the fact that they have been extensively reviewed by DPAs and include requirements (like training, audit programs and complaints handling processes) that are not contained within Standard Contractual Clauses.
Standard Contractual Clauses with Reinsurance Group of America, Incorporated are unnecessary when sending EEA personal data to RGA, Inc. directly (as contrasted with sending EEA personal data to a European RGA entity first, which then transfers the personal data to RGA, Inc. under the BCR).
RGA's BCRs apply to all personal information received and processed by RGA anywhere in the world, whether sent directly by a customer or transferred intragroup by another RGA group member. Our BCRs were approved by the EU DPAs on this basis.
Under our BCR commitments, we are required to ensure that our service providers (acting as processors) will maintain the security of the personal information we host with them, will process the personal information only as instructed by us (and our instructions must be consistent with those of our customers), and will otherwise protect personal information in accordance with our BCR commitments. We have in place appropriate contractual terms with our sub-processors to this effect.
Non-EEA data protection regulators and lawmakers increasingly view BCRs as an effective mechanism for satisfying the equivalency requirement for international transfers of personal data within global organizations. Our research indicates that most countries outside of the EEA either expressly or implicitly recognize EEA BCRs as acceptable data transfer mechanisms in line with their local data privacy requirements.