On December 21, 2012, the Article 29 Working Party issued a press release announcing the launch of Binding Corporate Rules (“BCRs”) for processors effective January 1, 2013. This announcement follows the Article 29 Working Party’s adoption of a Working Document (WP 195) on June 6, 2012, which set forth requirements for BCRs for processors, and an application form for submitting BCRs for processors issued on September 17, 2012.
The news likely will be welcomed by data processors, particularly those that conduct large-scale, multinational data processing activities on behalf of data controllers in the EU. Once approved, BCRs for processors can be used as a mechanism for transferring personal data outside the EU in compliance with EU data protection rules. With BCRs, there will be no need to negotiate the safeguards and conditions for data processing each time a processor contracts with a data controller.
BCRs for processors also benefit data controllers, as they will enable data controllers to demonstrate to the EU data protection authorities that adequate protection has been put in place and to obtain the necessary authorization for transfers of their personal data to their processors (as well as subprocessors).
The application procedure for approval of BCRs for processors will be identical to the one established for BCRs for data controllers, as it will be based on a process with a lead data protection authority and a system of mutual recognition involving 21 EU data protection authorities.