European data protection Authorities launch Binding Corporate Rules for processors

The European data protection authorities, assembled in the Article 29 Working Party (WP29), have at their 88th plenary meeting decided to launch Binding Corporate Rules (BCR) for processors from 1 January 2013. BCR for processors are internal codes of conduct regarding data privacy and security, to ensure that transfers of personal data outside the European Union by a processor, who acts on behalf of his clients and under their instructions, will take place in accordance with the EU rules on data protection.


The use of a BCR for processors is not obligatory and each company acting as a processor, for

example in the context of outsourcing activities or cloud computing, may decide to file an application at the data protection authority. It will however bring benefits to both processors and controllers.


Once a BCR for processors is approved it can be used by the controller and processor, thereby

ensuring compliance with the EU data protection rules without having to negotiate the safeguards and conditions each and every time when a contract is entered into.


In the course of 2012 the Working Party has adopted a Working Document (WP195) and an

application form for submitting a BCR for processors, which will be available on both the WP29 website as well as on the websites of the relevant national Data Protection Authorities (DPAs). BCR for processors will be part of the guarantees brought by a controller to data protection authorities in order to demonstrate adequate protection and obtain the necessary authorisation for transfers of their personal data to the different entities of their processors (for example subprocessors and data centers). In the above mentioned Working Document (WP195) a checklist is provided offering guidance to companies which issues should be dealt with in a BCR for processors.


The application procedure for BCR for processors will be the same as the one for BCR for controllers, which means it will be based on a process with a lead DPA and a system of mutual recognition involving a substantial number of European DPAs[2]. The application form is also drafted on the same basis as the one existing for BCR for controllers (WP133). Companies that wish to apply for BCR for processors can contact their lead DPA for more information.


Background information

The European data protection authorities (the Article 29 Working Party on the Protection of

Individuals with regard to the Processing of Personal Data) is an independent advisory body on data protection and privacy, set up under Article 29 of the Data Protection Directive 95/46/EC. It is composed of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC. The Article 29 Working Party is competent to examine any question covering the application of the data protection directives in order to contribute to the uniform application of the directives. It carries out this task by issuing recommendations, opinions and working documents.


0 yorum: