21 December 2012

European data protection authorities have decided to launch Binding Corporate Rules (BCR) for processors from 1 January 2013.

BCRs for processors are internal codes of conduct regarding data privacy and security, to ensure that transfers of personal data outside the European Union by a processor, who acts on behalf of his clients and under their instructions, will take place in accordance with the EU rules on data protection. It exempts data processors and their clients from having to implement and maintain sophisticated networks of data transfer contracts in the form of the standard contractual clauses approved by the European Commission.

Processor Binding Corporate Rules will be authorised in the same way as those for data controllers, via a lead authority who will take steps to liaise with the other European data protection authorities.

The press release can be found here.