On 19 June 2012, the Article 29 Working Party (WP29), a group that gathers the data protection authorities of all twenty-seven EU Member States, published a working document that sets out a full checklist of the requirements that binding corporate rules (BCRs) for processors must meet. BCRs are internal rules applying to entities of a multinational corporation that regulate the transfer of personal data originating in the European Economic Area (EEA). BCRs are one of the ways to legitimately transfer personal data to countries outside the EEA which the European Commission has not deemed to provide an adequate level of data protection.
BCRs have traditionally been adopted by companies acting as controllers of personal data, but there has been discussion about expanding the application of the rules to service providers processing personal data on behalf of controllers, i.e., processors. In fact, the current proposal for the EU data protection regulation would explicitly expand the use of BCRs to processors. The purpose behind processor BCRs is to guarantee to the clients of processors that transfers of personal data made in connection with the performance of services by the processor are adequately protected under EU data protection laws.
The WP29 working document sets out the elements that must be found in BCRs for processors and what needs to be presented to national data protection authorities in the BCR application. The WP29 has provided similar guidance in the context of BCRs for controllers. Key points from the working document include: