European Data Protection Authorities Adopted an Explanatory Document on Binding Corporate Rules (BCR) for Processors

The European data protection authorities, assembled in the Article 29 Working Party (WP29), adopted an explanatory document on Processor BCR in order to further explain the principles and elements to be found in Processor BCR set out in the Working Document 02/2012 (WP195) adopted on 6 June 2012.

Launched on 1 January 2013, BCR for processors are internal codes of conduct regarding data privacy and security, to ensure that transfers of personal data outside the European Union by a processor, who acts on behalf of his clients and under their instructions, will take place in accordance with the EU rules on data protection.

Therefore, Processor BCR shall be understood as adequate safeguards provided by a processor to a controller, in order to allow the latter to demonstrate to data protection authorities adequate protection and obtain, where required by national laws, the necessary authorisation for transfers of their personal data to the different entities of their processors (for example subprocessors and data centres).

The explanatory document adopted on 19 April 2013 is aimed at providing further guidance to companies on what shall be contained in Processor BCR, further to the table checklist adopted by the Working Party in June 2012 (WP195).

Processor organisations that wish to implement BCR for processors within their group shall apply with their lead DPA through the standard application form adopted on 17 September 2012. The application procedure is the same as the one for BCR for controllers, which means it is based on a process with a lead DPA and a system of mutual recognition involving a substantial number of European DPAs.

