On June 6, 2012, the Article 29 Working Party (the “Working Party”) adopted WP 195 (the “Opinion”) setting out the requirements for Binding Corporate Rules (“BCRs”) for processors. Similar to WP 153, the Opinion lists the requirements to be covered in the processor BCRs application form and in the BCRs document itself. The Opinion will likely be welcomed by processors, in particular those that provide large-scale, multinational data processing services.
As with BCRs for controllers, processor BCRs must:
- contain a clear duty on all group members and employees to respect the BCRs;
- bind each group entity and individual employee;
- impose a duty on the EU headquarters, EU group member with delegated responsibilities or the EU group member contracting with the data controller to assume liability for breaches committed by group members outside of the EU or by third-party sub-processors;
- grant access to audit results or permit audits to be conducted by data protection authorities (“DPAs”);
- provide a general description of the scope of the BCRs;
- indicate whether the BCRs apply only to personal data subject to EU law or to all personal data processed within the group; and
- include the principles of transparency and fairness, purpose limitation, data quality, security and data subject rights.
Specific to processor BCRs, the BCRs must:
- grant third-party beneficiary rights to data subjects in the event the data controller factually disappears, ceases to exist in law or becomes insolvent;
- be part of, and annexed to, the Article 17 data processing agreement with the controller;
- be published on the processor’s website;
- contain a duty on all group entities to submit to audits and comply with advice from the relevant DPA competent for the data controller. Where a processor contracts with multiple controllers (e.g., in the case of large-scale outsourcing providers), the processor may be required to submit to audits by multiple DPAs;
- contain a clear duty on the processor and any sub-processor to assist the data controller in complying with data protection law, including handling data subject complaints and responses to DPA inquiries; and
- contain a requirement that the processor communicate to the controller any planned change to the BCRs that would affect the processing conditions, in sufficient time to allow the controller the opportunity to object to the change or terminate the contract before the change takes effect.
Data may be sub-processed by members of the group other than the entity contracting with the controller or by third-party sub-processors only with the prior consent of the controller. Such consent may be obtained on a general basis at the outset.
Further, the Opinion requires the data controller to inform data subjects: (1) of the existence of processors based outside of the EU; (2) of the existence of the processor BCRs; and (3) (where the transfer involves special categories of data) that their data will be transferred to a third country not providing adequate protection.