Out-Law News 2 min. read

Guidance issued on binding corporate rules for data processors

Businesses that agree to outsource the processing of personal data to other companies can give those suppliers freedom to add sister companies as sub-processors of that information at a later date if the supplier has put in place binding corporate rules (BCRs) for processors, according to new guidance issued by a privacy body.

The Article 29 Working Party, a committee made up of representatives from data protection authorities based across the EU, said, though, that the data processors must notify data controllers about those arrangements where such freedom is given to them.

Data controllers' consent to the sub-processing arrangements can be obtained either at the outset of an outsourcing agreement with a data processor that has BCRs in place or each time the data processor intends to add another company from within its group as a sub-processor of the data, the Working Party said.

"The parties to the service agreement are free to decide, depending on their particular needs, if a general prior consent given by the controller at the beginning of the service would be sufficient or if a specific consent from the controller will be required for each new sub-processing," new guidance issued by the Working Party on data processor BCRs (20-page / 349KB PDF) said.

"If a general consent is given, the controller should be informed on any intended changes concerning the addition or replacement of subcontractors in such a timely fashion that the controller has the possibility to object to the change or to terminate the contract before the data are communicated to the new sub-processor," it said.

EU data protection laws prevent companies from sending personal data outside of the European Economic Area (EEA) except where adequate protections are in place. Some countries, including Argentina, Canada and Switzerland, have been designated by the European Commission as providing adequate protection for personal data, but where transfers are to be made to other countries, businesses must adopt other legal mechanisms to provide adequate protection for that data.

One way businesses can comply with this requirement when seeking to transfer personal data from the EU to other offices they have, or to other companies in the same business group, elsewhere in the world is to put in place BCRs. BCRs are contractual provisions businesses can agree with regulators that commit those businesses to handling and protecting personal data in a way which accords with the requirements of EU data protection law when transferring that data to other companies in their group in non-EEA locations.

EU policy makers originally only enabled data controllers to put in place BCRs, but since 2013 data processors have also been able to agree BCRs to govern data processing they will carry out on behalf of data controllers where the processing functions are split between offices or group companies based across the world.

In its guidance, the Working Party said data processors must demonstrate to data protection authorities that the BCRs they put in place are "effectively binding throughout the group". This might involve processors putting in place a policy where individual employees can be sanctioned for failing to follow the agreed data protection protocols set out in the BCRs, although ultimately how processors make BCRs binding is up to them, it said.

The content of the BCRs must address "practically and realistically" the requirements of EU data protection law in the context of the "processing activities carried out by the organisation in the third countries". The wording can be general, but where approval for the BCRs is sought from data protection authorities, "more precise information" is necessary. The BCRs must be capable of being "understood and effectively applied by those having data protection responsibilities within the organisation", the guidance said.

Data processors can update the BCRs after they have been put in place to reflect changes in practices, regulatory requirements or organisational structure, but they must "report these changes to all group members, to the data protection authorities and to the controller", it said.

The guidance also makes clear that even where BCRs for processors have been put in place, and attached to the contract between those data processors and data controllers, it is "the controller [that] remains liable of ensuring that sufficient guarantees are provided to the data transferred and processed on its behalf and under its instructions within the entities of the processor’s group".
