Following our recent blog post, the Article 29 Working Party has adopted a document (WP195) on Binding Corporate Rules (“BCRs”) for processors (sometimes known as “Binding Safe Processor Rules”, or “Processor BCRs”).

Processor BCRs are internal codes of conduct relating to data privacy and security entered into by a group of companies that provides a set of binding rules to guarantee their clients adequate safeguards are in place to protect their clients’ personal data.  This will allow them to avoid the complexities of other solutions, such as model contracts.

Until now, BCRs have only applied to data processed by organisations as a controller. The Processor BCRs will finally allow companies to transfer personal data that they process on behalf of other organisations internationally. The impact of Processor BCRs is substantial, particularly for large data processing outsourcing providers and cloud computing service providers, as they will now be able to guarantee that their international data transfers comply with European data protection law. Key processing organisations that already have an approved set of BCRs will be best placed to capitalise on this development.

The key benefits are that:

  • Approval of a set of Processor BCRs will give a unique opportunity for service providers to market themselves as a “safe processor” – this will give a significant competitive advantage as clients can take advantage of the service provider’s approved status to avoid the compliance headaches of entering into a network of model contracts.
  • Clients can take comfort in the knowledge that their service provider is complying with the platinum privacy standards represented by BCRs.
  • Deal specific negotiations will be unnecessary – approved Processor BCRs will be a universal solution.

The working document (WP195) is similar in format to the version for data controllers (WP153) and provides a checklist for the conditions to be met by Processor BCRs.  The Article 29 Working Party is working towards developing a co-operation procedure similar to that for BCRs for controllers. It is also drafting an application form. So watch this space and remember you heard it here first!