Data Protection Authorities

The Article 29 Working Party has updated its guidance (the ‘Guidance’) on Processor Binding Corporate Rules (‘PBCRs’) in response to growing concerns that personal data, when transferred outside the European Union to countries without adequate protection, may be subject to access requests from those countries’ law enforcement agencies (‘LEA’) in situations which may not comply with EU data protection rules.

The Guidance sets out additional requirements for processors when they receive requests from LEAs. Processors in third countries should commit to assess each access request on a case-by-case basis, and agree to defer any LEA request for a reasonable period of time so that the data protection authority (‘DPA’) competent for the controller and lead DPA for the Processor BCRs may be notified. The Working Party suggests that DPAs then respond within a reasonable period of time by either issuing a positive opinion or prior authorisation, depending on that country’s national law, or, where appropriate based on the circumstances, exercise their powers to suspend or ban the transfer.Continue Reading Further guidance on Processor BCRs provided by Article 29 Working Party