The Article 29 Working Party (the “Working Party”) has issued a Working Document intended as a “toolbox” for the use of Binding Corporate Rules (“BCRs”) for Processors aimed at both companies and data protection authorities. This document describes the conditions which must be met and includes a full checklist of requirements. The intention is that this toolbox will build on the Working Party’s previous guidance on BCRs set out in previous Opinions WP153 and WP155.
BCRs are internal rules aimed at helping large multinational companies transfer data between their various geographies through the creation of binding principles, but had been principally aimed at companies that are data controllers. BCRs can be used as an alternative to the Safe Harbor Principles (where there is a transfer to the U.S.) or the Standard Model Clauses adopted by the European Commission. Processor BCRs provide a framework for the international transfer of personal data processed by a company as a data processor that must follow the processing instructions of an external data controller, for example, in third-party outsourcing situations or for the use of cloud computing.
The toolbox sets out a list of minimum requirements, including:
- a general description of both the data processing and geographic scope of the BCRs and a list of those entities adhering to the BCRs;
- a clear duty on all members of the Group and their employees to respect the BCRs;
- an explanation of how the rules are binding on each group entity and on individual employees;
- a clear duty for each entity to cooperate with data protection authorities (DPAs) and for the primary data processor to cooperate with the controller; and
- a grant of third-party beneficiary rights to data subjects in the event the data controller factually disappears, ceases to exist in law or becomes insolvent.
The BCRs would also be binding on the controller in that they would form part of the agreement between controller and processor, and in addition, processors may be obliged to publish the BCRs on their website.
A key provision of Processor BCRs is the liability they would impose on a processor’s main EU group member: that company would assume liability for breaches committed by group members outside of the EU or by third-party sub-processors, and the BCRs would include confirmation that the company has sufficient assets to shoulder that liability.
Other requirements of the Processor BCRs include confirmation of a training programme in place, an audit programme and a complaint handling process including a network of privacy officers for handling complaints. The Processor BCRs need to specify the relationship between the BCRs and the relevant applicable data protection law and evidence a commitment that each member company will notify the data controller if they cannot comply with designated data protection legislation or their obligations. Upon receiving such notice, the data controller would have a right to suspend data transfer or terminate the contract.
While modifications to Processor BCRs would be permitted, any changes would have to be reported to the group members, the relevant DPA and the controller, and where the modifications affect the processing, the controller would be able to object or terminate the agreement. Only updates to the BCRs or the list of processor members would be exempt from any reapplication.
The toolbox provides some guidance on sub-processing by member and non-member companies, including subcontracting under the controller/processor agreement of the Processor BCRs, but only with the controller’s prior written consent.
Data controllers would also have obligations in relation to the use of a processor who has agreed to the Processor BCRs, such as informing data subjects of the existence of the Processor BCRs, the existence of processors based outside of the EU and whether any sensitive personal data will be transferred to a third country not providing adequate protection.