In order to facilitate the use of Binding Corporate Rules (BCRs) for international transfers of personal data to entities outside of the EU, the Article 29 Working Party (WP29) has issued two new sets of Guidelines on BCRs under the GDPR. The documents respectively address controller-BCRs and processor-BCRs.
BCRs are sets of rules that enable undertakings, or a group of enterprises engaged in a joint economic activity, to jointly sign up to common data processing standards that are compatible with EU data protection law. Personal data can then be transferred from organisations within the EU to their affiliates outside of the EU.
Controller-BCRs are suitable for framing transfers of personal data from controllers established in the EU to controllers or to processors established outside the EU who are within the same group.
Processor-BCRs are suitable for framing transfers of personal data from processors established in the EU to sub-processors established outside the EU who are within the same group.
The documents include tables setting out the elements and principles to be included in controller- and processor-BCRs. These tables:
- clarify the content that must be included in BCRs under the GDPR;
- distinguish between what must be included in BCRs and what must be presented in the application to have BCRs approved by the competent supervisory authority; and
- provide guidance and comments on each of the requirements.
Both documents draw attention to the following new elements which must be specified in BCRs in order to comply with the GDPR:
- Structure: BCRs must specify the structure of the group and the contact details of its members.
- Scope of application: BCRs must specify their material scope by outlining the transfers or set of transfers to which they will apply, including the categories of personal data, the type of processing involved and its purposes, the types of data subjects affected and identification of the recipients in the third country or countries.
- Data subject rights: BCRs must specify data subject rights and how they can be exercised, particularly the right to lodge a complaint with the competent supervisory authority or before the competent court.
New elements which must be taken into account as regards controller-BCRs include:
- Transparency: All data subjects benefitting from third party beneficiary rights should be provided with the information stipulated by the GDPR, in particular on their rights in relation to processing, the means of exercising those rights, the liability clause and the clauses relating to the data protection principles.
- Data protection principles: Controller-BCRs should explain not only the principles of transparency, fairness, purpose limitation, data quality and security, but also, in particular, the principles of lawfulness, data minimisation and storage period limitation, as well as providing guarantees as regards processing special categories of personal data and the requirements in respect of onward transfers to bodies not bound by the BCRs.
- Accountability: Every entity acting as a data controller shall be responsible for, and must be able to demonstrate compliance with, the BCRs.
New elements which must be taken into account as regards processor-BCRs include:
- Third party beneficiary rights: Data subjects should be able to enforce BCRs as third party beneficiaries directly against the processor where the obligations in question are specifically addressed to processors under the GDPR.
- Data protection principles: Processor-BCRs should explain how requirements such as those in relation to data subjects’ rights, sub-processing and onward transfers to entities not bound by the BCRs will be observed by the processor.
- Accountability: There will be an obligation on processors to provide all information necessary to demonstrate compliance with their obligations, including through audits and inspections conducted by the controller or an auditor appointed by the controller.
- Service Agreement: Any contract that is binding on the processor with regard to the controller must be implemented between the controller and the processor, and must contain all of the elements required by Article 28 GDPR.
Amending existing BCRs
Under Article 46(5) GDPR, existing BCR authorisations will remain valid until amended, replaced or repealed by the supervisory authority who made them. Nevertheless, WP29 advises group entities with approved BCRs to bring them in line with the GDPR ahead of its coming into force on 25 May 2018. After this date, all such entities should notify any relevant changes to their BCRs to all other entities in the group and to the lead supervisory authority, as part of their annual update.
These new Guidelines will provide useful assistance for any organisation applying for authorisation of BCRs by providing an authoritative point of reference. The Guidelines also reiterate for organisations which already have approved BCRs in place the importance of updating these to comply with the GDPR.