On 6 February 2018, the Article 29 Working Party (WP29) adopted revised guidelines on binding corporate rules (BCRs). These were issued following a period of public consultation that concluded on 17 January 2018. Technology Law Dispatch previously covered the issuing of the draft guidelines last December, in a blog setting out the key elements of both guidelines.
In simple terms, BCRs are a business-specific framework that allows intra-organisational cross-border transfers of data from organisations within the European Union to their affiliates outside of the EU. BCRs underpin shared data processing standards compatible with the General Data Protection Regulation (GDPR) and wider EU data protection law. The GDPR incorporates BCRs into legislation and sets out various conditions at article 47 that must be met when businesses utilise them.
The revised guidelines (WP256 for Controllers and WP257 for Processors) address the principles and elements businesses should incorporate in their BCRs. The guidelines have revised the original guidance, although they remain largely similar to what was published in draft last year.
What the updated guidelines address
Controllers | Processors | Elements |
✓ | ✓ | Right to lodge a complaint: Data subjects should be able to bring a complaint before the supervisory authority in their country of residence, in their country of employment, where the alleged infringement of their rights occurred, before a competent EU court where the exporting entity has an establishment or in the data subject’s country of habitual residence. |
✓ | ✓ | Data protection principles: Controller BCRs should explain the principles of transparency, fairness, purpose limitation, data quality, security, lawfulness, data minimization and storage period limitation. They should also provide guarantees relating to the processing of special categories of personal data and any onward transfer requirements to bodies without BCRs. Processor BCRs should contain similar items, while also explaining their obligations relating to sub-processing, data subject rights and onward transfers not covered by BCRs. |
✓ | ✓ | Scope of application: Controller and processor BCRs must specify their material scope by outlining data transfers to which they apply, categories of personal data, types of data subjects affected,types of processing and its purpose, and must identify third countries where data is transferred. |
✓ | ✓ | Structure:BCRs must specify the internal structure of the group (this is not defined, but commonly includes work roles, policies and how information flows between the levels of the organisation) and contact details of all participating entities. |
✓ | ✓ | Accountability:Every business acting as a controller must demonstrate compliance with BCRs. Businesses acting as processors should make information available to controllers that demonstrates their own compliance with the controller’s BCR obligations. |
✓ | Third-country legislation: Controller BCRs must contain a commitment that any third-country legal requirements likely to have substantial adverse effect on the guarantees of the BCRs will be reported to a competent supervisory authority. | |
✓ | Transparency:Data subjects benefitting from third-party beneficiary rights should be provided with information underpinned in the GDPR. In particular, they should be provided with information about their rights (in relation to how their data is processed), how these rights can be exercised, and clauses relating to the data protection principles and liability. | |
✓ | Third-party beneficiary rights: Data subjects should be able to enforce BCRs as third-party beneficiaries against processors, where the requirements in dispute at directed to processors (specifically, GDPR articles 28, 29 and 79). | |
✓ | Service agreement: Agreements implemented between controllers and processors must contain the required elements of article 28 of the GDPR, which addresses processor requirements. |
Comment
The WP29 Guidelines emphasise that businesses with approved BCRs should update them in line with the new GDPR requirements in advance of the 25 May 2018 in-force date of the regulation. The finalised guidelines provide welcome clarity on how businesses can ensure BCRs comply with GDPR article 47 requirements.