The use of binding corporate rules (BCRs) as a means of legitimately transferring personal data out of Europe has been available to data controllers for some time.  This option is now available (with effect from 1 January 2013) to data processors as confirmed by a recent press release of the Article 29 Working Party.

BCRs comprise a set of rules that mirror EU data protection requirements which, once they are approved by relevant data protection authorities, enable the legitimate transfer of personal data out of Europe between members of a corporate group that agree to be bound by them.

The Working Party has acknowledged that such BCRs will enable a relevant data controller to demonstrate an adequate level of protection of personal data transferred under them.  This is welcome as data controllers continue to be legally responsible for the protection of personal data even where they engage third-party data processors to carry out processing activities.  

In 2012 the Working Party had published a table of conditions that data processor BCRs need to satisfy and an application form to be used when applying for approval from relevant data protection authorities.