On September 23, 2009, the Information Commissioner’s Office (the “ICO”), the UK’s data protection regulator, issued a press release announcing the approval of the Hyatt Hotels Corporation’s binding corporate rules (“BCR”) under the new mutual recognition procedure. Hyatt is the first UK applicant to receive approval under the mutual recognition procedure.
Mutual recognition was devised to speed up the process of BCR approval by EU Data Protection Authorities (“DPAs”). Under “mutual recognition,” one EU Member State’s DPA acts as the lead authority on a company’s BCR application. Once approved by the lead authority, the other participating members of the procedure automatically approve the BCR application.
A total of 17 DPAs have now agreed to participate in the mutual recognition procedure. Members of the European Economic Area that participate include France, Germany, Ireland, Italy, Latvia, Luxembourg, Spain, The Netherlands, the UK, Cyprus, Iceland, Liechtenstein and Norway.
BCRs are a set of contractual arrangements and internal policies that allow an organization’s personal data to be transferred legitimately to other entities within that organization’s global corporate group. The approval, given on September 15, 2009 by the ICO, is the fifth BCR approval issued by the ICO. However, as mentioned above, this approval is the ICO’s first under the mutual recognition procedure.
The Article 29 Working Party has issued various guidance to assist organizations with the BCR process, such as the BCR FAQs which were revised on April 8, 2009.