The European data protection authorities (DPAs), represented by the Article 29 Working Party, have launched a Binding Corporate Rules (BCRs) regime for processors. Processors can implement these BCRs from 1 January 2013. BCRs are internal codes of conduct that are legally enforceable for data protection and security and, once approved by DPAs, provide a legal basis for transfer of personal data from the EU.
BCRs had previously been restricted to use by businesses acting as data controllers (i.e. those that determine the purposes for which and the manner in which personal data are processed), such as a company transferring its own employee data internationally. Although BCRs were welcomed by many in respect of transfers initiated by data controllers, the DPAs were criticised for not making them available to data processors that process personal data on behalf of data controllers. The new BCRs for processors should now prove popular with a wide range of international service providers that act as data processors, such as cloud providers, outsourcing providers, payment processors, data and document storage companies, alertline providers, and many other companies in different industries. The BCRs will be enforceable against the data processor by individuals who suffer damage as a result of a breach of the BCRs and by the data controller.
Data controllers are increasingly requiring their vendors and service providers to provide evidence of data protection compliance, and adoption of BCRs by processors will provide comfort to controllers. Similarly, data processors will be able to use processor BCRs to demonstrate to their customers a strong commitment to data protection, which can form part of their customer value proposition. Processor BCRs may also be seen as having advantages over other existing international data transfer solutions, such as the EU’s standard form data transfer agreements, known as Model Contracts, which can require data processors to have hundreds of Model Contracts with their customers.
The application procedure for BCRs for processors will be based on the same process as for BCRs for data controllers. The process involves submitting an application form to a lead national DPA in the EU. Once approved by the lead DPA, the BCRs will be automatically recognised by many other DPAs due to a system of mutual recognition. In a Working Document (WP195) published in June 2012, the Article 29 Working Party provided a checklist that offers guidance as to which issues should be dealt with in BCRs and what to present to DPAs in the application form. Among other things, the BCRs and the application should:
- include a description of the data transfers and scope of the BCRs;
- be binding through reference to BCRs in the service agreement;
- grant third party beneficiary rights to individuals in the event that the data controller goes out of business or becomes insolvent;
- provide that the EU data processor accepts responsibility for the acts of other members of the group or breaches by external sub-processors outside the EU;
- give details of the existence of a suitable training programme, complaint handling process and creation of a network of privacy officers;
- provide for data protection audits on a regular basis with DPAs having a right of access to the results of the audit together with a duty to co-operate with DPAs; and
- set out a process for updating the BCRs.
According to the EU’s Article 29 Working Party, BCRs for processors will bring benefits to both data processors and data controllers: “Once a BCR for processors is approved it can be used by the controller and processor, thereby ensuring compliance with EU data protection rules without having to negotiate the safeguards and conditions each and every time when a contract is entered into.” BCRs for processors will also increase confidence among customers of data processors while providing a way for customers and data processors to overcome international data-transfer limitations under EU data protection laws.
Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.