On May 16, 2018, the Garante per la Protezione dei Dati Personali, Italy’s Data Protection Authority (DPA), authorized the transfer of personal data using Binding Corporate Rules, BCR, approved by May 24, 2018.
What is BCR. BCRs are a tool to allow the transfer of personal data among branches belonging to the same multinational company established in different countries (also non-EU) without further obligations (such as the signing of standard contractual clauses, the adhesion to the Safe Harbor agreement, the issuance of specific authorizations pursuant to applicable national data privacy laws).
The BCR enshrine among others the principles of correctness and legitimacy of the processing, purpose, necessity and proportionality, the obligation of the processor to provide information to the data subject, the rights of the data subjects, the security measures, and periodic auditing in order to verify compliance.
How is the BCR text prepared. Since the BCRs concern the flows of personal data between companies belonging to a single group of companies located in different countries of the world, the authorization for cross-border transfer of data through BCR is only useful if issued by all DPAs competent in the Member States from which the transfers originate.
Generally speaking, the procedure for defining the BCR text includes a “European” phase and a “national” phase; the latter is aimed at issuing the national authorization (where necessary, as in Italy).
Article 29 Working Party (WP29) has developed a cooperation procedure at the European level (see WP 107) that is able to ensure the preparation of a BCR text shared by all DPAs and valid for all the transfers covered under the BCR themselves. This procedure is carried out by the so-called “lead Authority”, which dialogues – representing all the other DPAs – with the parent company.
The prepared document is sent to the DPAs participating in the procedure, in order to obtain a positive evaluation in terms of the adequacy of the level of protection of personal data.
Some DPAs (including the Italian DPA) have joined a declaration of intent, c.d. “declaration of mutual recognition”, in order to simplify the procedure for approving the BCR text at European level. Under the declaration of mutual recognition, the lead DPA, with the support of two other DPAs, dialogues with the parent company in order to draft a text considered to be in line with the principles established by WP29. (WP 195, WP153, WP204, WP108, WP74). The other DPAs participating in the Mutual recognition system consider the opinion with which the Lead DPA certifies the conformity of the BCR as a sufficient basis for the issue of the respective national authorization.
At a national level, once the BCR text has been approved by the lead Authority, the national DPA can proceed with the issue of a national authorization to the transfer of personal under the same text.
In May 2018, the Italian DPA authorized the intracompany transfers of personal data from Italy to third countries that take place in compliance with the provisions of the BCR text and for the sole purposes indicated therein, that were approved by May 24, 2018.
What happens after May 25, 2018, with the entry into force of Regulation 2016/679, GDPR. The GDPR provides that the authorizations issued DPAs based on Directive 95/46/EC (Article 26.2) will remain valid until they amended, replaced or repealed. Article 46.5, GDPR.
However, groups with approved BCRs should bring their BCRs in line with GDPR requirements (WP 257, WP 256, adopted on 6 February 2018).
The Autorizzazione ai trasferimenti di dati personali mediante Binding Corporate Rules (Norme vincolanti di impresa) approvate prima del 25 maggio 2018 – 16 maggio 2018, (Pubblicato sulla Gazzetta Ufficiale Serie Generale n.133 del 11 maggio 2018) is available (in Italian) at https://www.garanteprivacy.it…
For an example model of BCR text, please refer to WP 154.
For more information on the implementation of BCR by multinational data processors, see http://www.technethics.com…
For more information about how privacy is implemented in Europe, contact Francesca Giannoni-Crystal & Federica Romanelli.
Follow us on& Like us on