On May 22, 2015, the Article 29 Working Party (WP29) adopted a revised version of the Explanatory Document on the Processor Binding Corporate Rules (BCR). “Binding Corporate Rules” are binding internal rules intended to regulate the transfers of personal data that are originally processed by the organization as Controller within the same organization.
The Document aims at facilitating the implementation of BCR by multinational data processors because it guides multinational organizations’ processing and exchanging of personal data on a worldwide basis. Importantly enough, it advices organizations on dealing with contrasting EU transparency requirements and prohibition to disclose law enforcement information requests.
Art. 26.2 of Directive 95/46/EC requires that data transfers outside the European Union be framed in order to make sure that data subjects benefit from an adequate level of protection. In order to facilitate compliance with data transfers outside the EU, the European Commission adopted sets of standard contractual clauses (see below).
BCR for Processors are meant to help frame international transfers of personal data originally processed by a Processor on behalf of an EU Controller and under its instructions, and sub-processed within the Processor’s organization. BCR for Processors shall be an annex to the Processor contract.
The Explanatory Document on the Processor Binding Corporate Rules 201500658/13/EN is available at http://ec.europa.eu…
Set of contractual clauses adopted to facilitate compliance with data transfers outside the EU:
- Document 2001/497/EC dated June 15, 2001, and 2004/915/EC dated December 27, 2004, which frame transfers between Controllers
- Document 2010/87/EU, dated February 5, 2010, intended for transfers between Controllers and Processors