28.04.2013

Art. 29 WP: Explanatory Document on the Processor Binding Corporate Rules

The Article 29 Working Party has just issued an "Explanatory Document on the Processor Binding Corporate Rules" (WP204). The explanatory document, adopted on 19 April 2013, is aimed at providing further guidance to companies on what shall be contained in Processor BCR, further to the table checklist adopted by the Working Party in June 2012 (WP195).
1. CONTEXT
1.1. European Union rules for international data transfers
The Directive requires that data transfers outside the European Union shall be strictly framed in order to make sure that data subjects benefit from an adequate level of protection even when their data is sent outside the European Union (hereinafter “EU”).
[...]
1.2. Binding corporate rules for Controllers
Realizing the need for organisations to have a global approach to data protection, the Article 29 Working Party deemed it necessary to authorise organisations to adopt binding internal rules, the so-called binding corporate rules (hereinafter “BCR”), intended to regulate the transfers of personal data that are originally processed by the organisation as Controller within the same organisation. EU Data Protection Authorities developed a “tool box” providing guidance on what is expected in BCR.

Given the growing interest of industry for such a tool, the Working Party adopted in the course of 2012 a working document setting up a table with the elements and principles to be found in BCR for Processors and an application form for submitting binding corporate rules for Processors. [...]
2. DEFINITION AND LEGAL ISSUES AT STAKE
2.1. Scope of this instrument and definitions

BCR for Processors are meant to be a tool which would help frame international transfers of personal data that are originally processed by a Processor on behalf of an EU Controller and under its instructions, and that are sub-processed within the Processor’s organisation. Therefore, BCR for Processors shall be annexed to the Processor contract (referred to in this paper as the Service Level Agreement) which is required by Art. 17 of EU Directive 95/46 and contains notably the instructions of the Controller signed between the external Controller and the Processor. BCR for Processors should be understood as adequate safeguards provided by the Processor to the Controller (Art. 26.2 of EU Directive 95/46) allowing the latter to comply with applicable EU data protection law. [...] 
5. CONCLUSION
The Working Party believes that the guidance provided in this document may facilitate the application of Article 26 (2) of the Directive in the case of BCR for Processors. It should also lead to a certain degree of simplification for multinational organisations routinely processing and exchanging personal data on a world-wide basis on behalf of Controllers.
[...]

Update 30.04.2013: Press release