Binding Corporate Rules for Data Processors

December 23, 2012

The European data protection authorities, assembled in the Article 29 Working Party (WP29), decided at their 88th plenary meeting to launch Binding Corporate Rules (BCR) for processors from 1 January 2013. BCR for processors are internal codes of conduct regarding data privacy and security, intended to ensure that transfers of personal data outside the European Union by a processor, acting on behalf of its clients and under their instructions, take place in accordance with the EU rules on data protection.

The use of a BCR for processors is not obligatory; each company acting as a processor, for example in the context of outsourcing activities or cloud computing, may decide to file an application with the data protection authority. It will, however, bring benefits to both processors and controllers. Once a BCR for processors is approved, it can be used by the controller and processor, thereby ensuring compliance with the EU data protection rules without having to negotiate the safeguards and conditions each time a contract is entered into.

In the course of 2012 the Working Party adopted a Working Document (WP195) and an application form for submitting a BCR for processors, which will be available on both the WP29 web site and the web sites of the relevant national data protection authorities.

BCR for processors will be part of the guarantees brought by a controller to data protection authorities in order to demonstrate adequate protection and obtain the necessary authorisation for transfers of their personal data to the different entities of their processors (for example sub-processors and data centres). In WP195, a checklist is provided offering guidance to companies on which issues should be dealt with in a BCR for processors.

The application procedure for BCR for processors will be the same as the one for BCR for controllers, which means it will be based on a process with a lead data protection authority and a system of mutual recognition involving a substantial number of European data protection authorities. The application form is also drafted on the same basis as the one existing for BCR for controllers (WP133). Companies that wish to apply for BCR for processors can contact their lead data protection authority (the ICO in the UK) for more information.