Binding corporate rules

The Article 29 Working Party (WP29) has published updated guidelines on Binding Corporate Rules (BCRs) to reflect the requirements set out in the General Data Protection Regulation (GDPR). The two documents, which replace previous WP29 working papers (WP 153 and WP 195) and remain open for public consultation until January 17, 2018, are:

(i) Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules (WP 256)

(ii) Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules (WP 257)

The two documents include tables setting out the elements and principles to be included in controller BCRs and processor BCRs. These tables have been amended specifically to:

Meet the requirements of Article 47 GDPR

  • Clarify the necessary content of BCRs as stated in Article 47 GDPR
  • Make the distinction between what must be included in BCRs and what must be presented to the competent supervisory authority in the BCRs application
  • Give the principles the corresponding text references in Article 47 GDPR (for controller BCRs)
  • Provide further guidance on each of the requirements

Both documents note that Article 47 GDPR is clearly modeled on the working documents relating to BCRs previously adopted by WP29. However, to ensure their compatibility with GDPR, Article 47 does specify new requirements to be considered for adopting new BCRs or updating existing ones.
Continue Reading Article 29 Working Party issues new guidelines for Binding Corporate Rules

On 6 July 2015, the Hungarian Parliament adopted several amendments (‘Amendments’) to Act CXII 2011 on the Right of Informational Self-Determination and the Freedom of Information (‘Data Protection Act’). The Amendments, currently only available in Hungarian, are designed to develop the data protection and right-to-access public information rules within Hungary, and fix problems the

The Article 29 Working Party has updated its guidance (the ‘Guidance’) on Processor Binding Corporate Rules (‘PBCRs’) in response to growing concerns that personal data, when transferred outside the European Union to countries without adequate protection, may be subject to access requests from those countries’ law enforcement agencies (‘LEA’) in situations which may not comply with EU data protection rules.

The Guidance sets out additional requirements for processors when they receive requests from LEAs. Processors in third countries should commit to assess each access request on a case-by-case basis, and agree to defer any LEA request for a reasonable period of time so that the data protection authority (‘DPA’) competent for the controller and lead DPA for the Processor BCRs may be notified. The Working Party suggests that DPAs then respond within a reasonable period of time by either issuing a positive opinion or prior authorisation, depending on that country’s national law, or, where appropriate based on the circumstances, exercise their powers to suspend or ban the transfer.Continue Reading Further guidance on Processor BCRs provided by Article 29 Working Party

In June, the Article 29 Working Party (‘Working Party’) wrote to the President of the European Commission, setting out its case for including a reference to Binding Corporate Rules for data processors (‘BCR-P’) in the forthcoming Data Protection Regulation.

Binding Corporate Rules are one way in which data controllers or data processors in Europe

The European Union (EU) data protection body, the Article 29 Working Party (A29WP), in April adopted new guidance on Binding Corporate Rules for Processors (BCPRs). The document supplements the opinion from June 2012, which listed elements required for valid BCPRs, by further clarifying what provisions and mechanisms must be included before BCPRs can be