Binding Corporate Rules Available for Data Processors
On 21 December 2012, the Article 29 Working Party (the "Working Party"), an independent European advisory body on data protection and privacy comprised of a representative of the national data protection authorities of the EU Member States, issued a press release announcing the possibility to adopt Binding Corporate Rules ("BCRs") for processors (i.e. the persons processing personal data on behalf of the controllers). The BCRs for processors have become available as of 1 January 2013.
Under Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "Data Protection Directive"), any transfer of personal data outside the EU/EEA to a country that is not recognised by the European Commission as providing an adequate level of protection for personal data is prohibited. Still, the transfer will be permitted in the situations listed in Article 26 of the Data Protection Directive or if the parties adduce adequate safeguards, for instance by signing a data transfer agreement implementing the model clauses published by the European Commission or by adopting BCRs. BCRs are specifically designed to facilitate intra-group transfers of personal data and provide more flexibility than the model clauses.
BCRs are increasingly used to make possible the intra-group transfer of personal data of a controller (i.e. the persons collecting the data and determining the purposes and the means of the processing of personal data) for transfers of personal data between EU entities and group companies located outside the EEA.
With the new BCRs for processors, personal data can be transferred from a European based processor to one of its group companies located outside the EEA (in order to carry-out sub processing). Such BCRs will ensure that such a transfer takes place in accordance with the EU rules on data protection.
BCRs for processors have to be authorised by local data protection authorities. The authorisation procedure is the same as for controllers. The BCRs will require an authorisation by the national data protection authority in each EU Member State where a processor is established. However, the system of mutual recognition which facilitates authorisation procedures for the participating Member States also applies to BCRs for processors. Currently, 21 data protection authorities have adopted the mutual recognition...