Binding Corporate Rules (BCRs) are internationally recognized as the most stringent standards for data protection, and RGA is the first reinsurer to receive regulatory approval for EU BCRs since the European Union's General Data Protection Regulation (GDPR) went into effect on May 25, 2018. In September of 2023, RGA also received regulatory approval for UK BCRs.
Through these BCR approvals, RGA is voluntarily abiding by the highest standards for data protection and transfer globally in terms of personal data received as a controller and as a processor.
Both EU and UK BCRs only received approval after a rigorous review conducted by multiple authorities against European and British data protection standards and laws widely regarded as amongst the most comprehensive and strict in the world.
By following EU and UK BCR guiding principles, RGA has agreed to be accountable to regulators for complying with multiple data protection requirements, including ensuring fair and lawful processing, providing appropriate technical and organizational security, and guaranteeing respect for individuals' data protection rights.
European Union (“EU”) and United Kingdom (“UK”) Binding Corporate Rules (“BCRs”) are a set of group-wide data protection policies and procedures that an organization can implement to regulate the international transfer and processing of personal information by that organization's group members. EU and UK BCRs enable multinational organizations anywhere in the world to lawfully receive, and process personal information transferred to them from the European Economic Area ("EEA") or the UK, respectively.
EU and UK BCRs must be approved by European data protection authorities (“DPA”) and the Information Commissioner’s Office (ICO), respectively, and only receive this approval after a rigorous review conducted by multiple authorities against European and UK data protection standards. Due to the extensive nature of the review, receiving approval can take as long as two years. For this reason, organizations that pursue EU and UK BCRs are committed to the highest standards when it comes to safeguarding personal information and, consequently, EU DPAs and the UK ICO see BCRs as a "best practice" approach to data protection compliance.
The UK left the EU on January 31, 2020, and the transition period ended on December 31, 2020. From January 1, 2021, organizations could no longer rely on their EU BCRs (Controller and Processor) as an appropriate safeguard for international data transfers from the UK.
Organizations that previously relied on EU BCRs to transfer and process the personal data of UK data subjects were required to apply for and produce a standalone UK version of their BCRs.
EU and UK data protection laws are widely regarded as amongst the most comprehensive and strict in the world. These laws require organizations to comply with various data protection requirements, including ensuring fair and lawful processing, providing appropriate technical and organizational security, and guaranteeing respect for individuals' data protection rights.
One of these requirements is that personal data that is transferred outside of the EEA or UK must remain protected to the standards required by European or UK data protection laws, respectively. This requirement is known as the "adequacy" requirement because, technically, the law says that the data must remain protected to an "adequate" standard.
The EU and UK Binding Corporate Rules are the most reliable "adequacy" solutions to lawfully transfer personal data out of the EEA and the UK, respectively.
The EU BCR approval process begins with an application, with supporting documentation and BCR policies, submitted to a "lead" DPA. In RGA's case, the lead DPA was the Irish Data Protection Commission.
The lead DPA is responsible for reviewing the applicant's EU BCRs in detail and working with the applicant to address any comments. The lead DPA will also send the EU BCRs to one or two other DPAs which act as co-reviewers.
Once any comments are addressed, the applicant will send the updated EU BCRs to the lead DPA. This organization will circulate the updated EU BCRs among all concerned DPAs for any comments (which are then addressed by the applicant). Following completion of this “cooperation procedure”, the lead DPA will submit a final draft of the EU BCRs to the European Data Protection Board (“EDPB”). The EDPB will adopt an opinion on the matter and, where the EDPB endorses the lead DPA’s draft decision on the draft EU BCRs, the lead DPA will adopt its decision and the EU BCRs will be approved.
The UK BCR approval process begins with an application, with supporting documentation and BCR policies, being submitted to the Information Commissioner’s Office (ICO).
Once the application is submitted there is a series of reviews, questions, edits, and rewrites. After the series of reviews and all questions and concerns have been addressed the application is approved by the ICO.
We have both! RGA submitted EU and UK BCR applications for both Controller and Processor BCRs. All four applications were successfully approved.
Summaries of RGA’s EU and UK BCRs are available publicly here:
To access the links to the full texts of RGA’s Controller and Processor BCRs, please scroll up this page.
Confirmation of our EU BCR approval is available by contacting the European Commission or Irish Data Protection Commission (DPC).
Confirmation for our UK BCR approval is available by contacting the Information Commissioner's Office (ICO).
Under our EU and UK BCR commitments, we are required to ensure that our service providers (acting as processors) will maintain the security of the personal information we host with them, will process the personal information only as instructed by us, and will otherwise protect personal information in accordance with our EU and UK BCR commitments. We have in place appropriate contractual terms with our sub-processors to this effect.
If you have any further questions regarding Binding Corporate Rules, please contact the BCR Governance team at BCRGovernanceSupport@rgare.com.
We comply with requirements within the jurisdictions in which we operate, provide appropriate technical and organizational security, and guarantee respect for personal data protection rights around the world. Curious about our policies and governance practices? Contact us.
