The European Union (EU) data protection body, the Article 29 Working Party (A29WP), in April adopted new guidance on Binding Corporate Rules for Processors (BCPRs). The document supplements the opinion from June 2012, which listed elements required for valid BCPRs, by further clarifying what provisions and mechanisms must be included before BCPRs can be authorised. The BCPR process has been developed by the A29WP in response to a request from outsourcing providers to create a new legal instrument to legitimise international data transfers.
The new guidance emphasises that BCPRs are the preferred method for transfers of personal data from the EU to countries without “adequate levels of protection,” over other methods, such as the EU standard contractual clauses. BCPRs are preferred when transfers are voluminous and frequent between the primary data processor and sub-processors in the same organisation. BCPRs are also recognised within the mutual recognition scheme, such that authorisation of BCPRs by one EU member state will result in automatic authorisation in other participating EU member states.
Data controllers will remain responsible for ensuring that service providers only process data under their instructions, and that sufficient guarantees are in place to protect the personal data being transferred to a service provider and within that service provider group, even where BCPRs have been authorised.
The A29WP emphasises that the BCPRs must be binding both internally and externally, and recommends service providers implement strict and punitive policies or codes of conduct supported by intra-group agreements. For third-party sub-processors, service providers are required to enter into agreements requiring sub-processors to respect the same obligations as the processor group. The sub-processor agreement will need third-party beneficiary rights for the data controller and for data subjects. Service providers seeking authorisation for BCPRs will need to include extracts of relevant clauses in their authorisation application.
The guidance also specifies the limits imposed on the requirements for modifying authorised BCPRs and lists other compulsory clauses, such as provisions ensuring compliance, audit mechanisms and complaint handling, and a duty to cooperate with both the controller and the relevant data protection authority. The BCPRs must also designate a corporate member within the EU that will be liable for breaches of the BCPRs by members of the group outside the EU.
While this new tool was developed in response to calls from the outsourcing community, no BCPRs have been authorised to date, although the French authority, the CNIL, has admitted to having several applications pending.