Binding corporate rules
The EU gold standard privacy framework
Our privacy program is based on binding corporate rules (BCRs), which are considered the “gold standard” privacy compliance framework because they are the only international data transfer mechanism that carries individual regulatory approval.
Our BCRs have been approved by the Office of the Data Protection Ombudsman, the Finnish supervisory authority. BCRs are explicitly recognized by GDPR as a mechanism for providing appropriate safeguards for third country data transfers.
This means that the level of protection afforded to your personal data by the GDPR is not compromised when Nokia and its group companies transfer that data internationally to countries whose national laws do not provide the same level of protection as the EU/EEA.
Whether Nokia is acting as a controller or a processor of personal data, the relevant BCRs will ensure that we meet the strict data protection and privacy requirements we have committed to.
BCRs are legally binding and enforceable internal rules and policies for the transfer and subsequent processing of personal data from Nokia entities within the EU/EEA to Nokia entities outside of the EU/EEA. They are like an internal code of conduct that has been approved by an independent data protection regulator.
BCRs commit us to the highest data protection principles when it comes to transparency, data quality, privacy, security, and accountability. They also commit us to monitoring compliance through measures such as audits, internal training for our employees, and effective complaint-handling mechanisms.
Nokia has two sets of binding corporate rules: one for when it processes personal data for its own purposes (controller-BCRs) and one for when it processes personal data on behalf of its customers (processor-BCRs).
As the obligations and requirements in each scenario can differ, our BCRs ensure that a consistent standard of data protection is in place whether we act as a data controller or data processor.
When Nokia decides on the purposes and the means to process personal data, for instance when handling its employee data, or data relating to representatives of our business relations, we act as a data controller.
Controller-BCRs contain the relevant obligations and commitments that apply to us in this scenario and enable the international transfer of personal data from Nokia Group entities in the EU/EEA to Nokia Group entities outside the EU/EEA.
When we provide services to our customers, it is our customers that control why and how personal data is to be processed. We process data on our customers’ behalf and according to their instructions, so they are the data controller and we are the data processor. To ensure that we uphold the same high standards for the processing and transfer of personal data when acting as a data processor, we have adopted processor-BCRs.
Processor-BCRs enable the international transfer of personal data between a customer in the EU/EEA and a Nokia Group entity outside the EU/EEA acting as a processor or sub-processor.