The Article 29 Working Party has launched a set of "tools" aimed at facilitating the adoption and approval of Binding Corporate Rules (BCRs) by multinationals as a legal basis for their cross-border transfers of personal data. That “toolbox” includes a BCR framework (with suggestions for BCR content and structure), a BCR checklist specifying what information should be provided, as well as Frequently Asked Questions (FAQs) based on the Article 29 Working Party’s experience in dealing with BCRs.  

The Working Party had stated that it would amend the FAQs on a regular basis, and on December 10, 2008, it released its first update of the FAQs. The update, which amends FAQ 6 and adds two new FAQs, provides useful insight to those companies that are considering implementing BCRs.  

According to the updated FAQs, BCRs should include a general description of the types of personal data to be transferred and the main purposes for which the data is being processed. For example, in the case of human resources-related personal data, a multinational group could explain in its BCRs that the data is transferred to all group entities for staff mobility reasons, and is stored at the group’s headquarters for purposes of global compensation strategy and benefits planning.

Although the general description of the transferred data is required in all member states, data protection authorities in some member states may insist on reviewing a detailed list of individual transfers from their jurisdiction to recipients located outside the EEA.  

The updated FAQs further explain that, in order to expedite the review of draft BCRs by national data protection authorities, it is advisable to have one document containing all obligations of the group as well as individuals’ rights. If necessary, the document can be complemented by policies, guidelines, and other relevant documentation.  

As far as BCR terminology is concerned, the Working Party recommends that BCRs use wording and definitions consistent with those used in the EU Data Protection Directive (95/46/EC) and the Working Party’s BCR framework and checklist. This will avoid misinterpretation of the BCRs and facilitate review when seeking approval from national data protection authorities.  

BCRs remain high on the Working Party’s list of priorities for 2009. At its December 10, 2008, plenary session, the Working Party discussed a new FAQ on individuals’ rights and confirmed that it will continue its work on BCRs. In the meantime, 13 national data protection authorities have joined the mutual recognition procedure for BCRs, as a result of which applicants will be able to obtain approval of their BCRs more easily in these countries (provided that the lead data protection authority has issued a positive opinion).
