On 19 June 2012, the Article 29 Working Party (WP29), a group that gathers the data protection authorities of all twenty-seven EU Member States, published a working document that sets out a full checklist of the requirements that binding corporate rules (BCRs) for processors must meet. BCRs are internal rules applying to entities of a multinational corporation that regulate the transfer of personal data originating in the European Economic Area (EEA). BCRs are one of the ways to legitimately transfer personal data to countries outside the EEA which the European Commission has not deemed to provide an adequate level of data protection.
BCRs have traditionally been adopted by companies acting as controllers over personal data, but there has been discussion about expanding the application of the rules to service providers processing personal data on behalf of controllers, i.e., processors. In fact, the current proposal for the EU data protection regulation would explicitly expand the use of BCRs to processors. The purpose behind processor BCRs is to guarantee to the clients of processors that transfers of personal data made in relation to the performance of services by the processor are adequately protected under EU data protection laws.
The WP29 working document sets out the elements that must be found in BCRs for processors and what needs to be presented to national data protection authorities in the BCR application. The WP29 has provided similar guidance in the context of BCRs for controllers. Key points from the working document include:
- Responsibility towards controller. According to EU law, processors handling personal data on behalf of controllers must do so under a contract. The working document requires that BCRs for processors are unambiguously linked to such a contract, referred to as the service agreement, signed by the processor and each controller. The BCRs will need to be made binding through a specific reference to them in the service agreement. The BCRs must also state that all members of the processor group shall respect the instructions regarding data processing as provided in the service agreement and contain a clear duty for any processor or sub-processor to cooperate with the controller to comply with data protection law.
- Data protection safeguards. The working document requires that the BCRs incorporate various data protection principles, including (i) transparency and fairness, which means that the processor is required to be transparent about its processing activities in order to allow the controller to correctly inform the data subject; (ii) purpose limitation; (iii) data quality, i.e., the BCRs should contain a general duty to assist the controller in having the personal data updated, corrected or deleted; (iv) security; and (v) data subjects' rights, i.e., the processor must assist the controller in complying with access requests from data subjects.
- Sub-processing. The working document states that the BCRs must not allow for sub-processing of personal data, even by the other members of the processor group, without the prior written consent of the controller. Such consent can be general and given in the service agreement.
- Changes to the BCRs. The working document provides that the BCRs can be modified, but subject to an obligation to report changes not only to all members of the group and the relevant data protection authorities but also to the controller. Where the change affects processing conditions, e.g., new subcontractors are appointed, the processor must inform the controller early enough to allow the controller to object to the change or terminate the service agreement before the change takes effect.
The accompanying press release by the WP29 indicates that the group will continue to work on processor BCRs by developing a European coordination procedure for processor BCRs, similar to the procedure that exists for controller BCRs, and drafting an EU application form to be used for such BCRs.