The EU’s Article 29 Data Protection Working Party has adopted a working document on Binding Corporate Rules for data processors.
By way of background, the Data Protection Directive strictly regulates the exploitation of personal data held by organisations and, in particular, only allows it to be transferred to non-EEA countries that provide an adequate level of data protection. Ways around this prohibition include use of the safe harbour principles (for transfers to the United States) or the standard contractual clauses adopted by the European Commission. Alternatively, organisations can use Binding Corporate Rules (BCRs). BCRs are legally enforceable rules, approved by the relevant national data protection authority, which ensure that a high level of protection is applied to personal data throughout a corporate group.
Whilst the Article 29 Working Party (an independent advisory body which includes representatives from EU national data protection authorities) has already developed some tools to facilitate the use of BCRs for data controllers, the new working document is designed to facilitate the use of BCRs for processors. It provides a checklist which defines what must be found in BCRs and what must be presented to data protection authorities in the BCRs’ application. The possibility for data processors to make use of BCRs is likely to prove useful in the context of international transfers of personal data in relation to, for example, outsourcing activities and cloud computing.
For a copy of the working document, click here.
Beverley Flynn