Following the separation of PayPal from the eBay Group in July 2015, PayPal wished to have its own set of Binding Corporate Rules (BCRs) in order to maintain a high level of protection of the personal data that it processes.

BCRs can be described as a code of conduct outlining the internal rules for data transfers within a multinational organization, in which an affiliate located within the European Economic Area (EEA) transfers data to an affiliate located outside of the EEA.

Because PayPal’s business activities involve many transfers of personal data within its organization but across jurisdictions, BCRs are a convenient solution that enables PayPal to ensure appropriate safeguards for such data transfers, as required under Chapter V of the General Data Protection Regulation (GDPR).

To use BCRs, however, PayPal first had to appoint a lead authority. The role of the lead authority is to facilitate the authorization process of the BCRs. As PayPal’s European headquarters are based in Luxembourg, the National Commission for Data Protection in Luxembourg (Commission Nationale pour la Protection des Données – CNPD) was appointed as the company’s lead authority. PayPal then had to draft BCRs in line with the requirements set out in the Article 29 Working Party papers. Once the CNPD approved the adequacy of the safeguards put in place in the BCRs, these were circulated to the other European Data Protection Authorities (EDPAs). The BCRs have now been considered final by all the EDPAs, and PayPal can thus request authorization of transfers of personal data on the basis of its adopted rules.

Personal data breach notification form

The CNPD has published a notification form, accompanied by a FAQ section, to help entities prepare for (and react to) personal data breaches. In Luxembourg, controllers are obliged to notify personal data breach instances to the Commission de Surveillance du Secteur Financier (CSSF)

More information on this can be read here (only available in French).