Norton Rose Fulbright - Data Protection Report blog

On February 6, 2018, the Article 29 Working Party (WP29) adopted updated guidelines on Binding Corporate Rules (“BCRs”), which replace the previous WP29 working documents 153 and 195 on BCRs and Processor BCRs.

BCRs are one of the permitted data export solutions under European data protection law, allowing members of a corporate group that have committed to a binding and approved set of data protection rules to transfer personal data within their organization (including from inside the European Economic Area to outside of it). In contrast to the Directive, the General Data Protection Regulation (the “GDPR”) incorporates BCRs into legislation and sets out at Article 47 various conditions that must be met when relying on BCRs.

The updated guidelines (WP256 and WP257, together the “Guidelines”) set out the elements and principles that Controllers and Processors should state in their BCRs. They amend the original guidance to bring the language in line with the Article 47 requirements referred to above and to reflect the necessary content of the BCRs, as mandated by the GDPR.  The updates draw attention to the following elements:

Controllers Processors Element
x x Right to lodge a complaint: Data subjects should be permitted to bring a complaint either before the supervisory authority in the country of their residency, country of employment, or the country where the alleged infringement of their rights occurred or before a competent EU court either where the exporting entity has an establishment or in the data subject’s country of habitual residence.
x Transparency: Data subjects who benefit from third party beneficiary rights should be provided with information stipulated by Articles 13 and 14.  Data subjects should also be provided with information about their rights in connection with how their data is processed and how to exercise those rights.  BCRs should also contain a clause relating to liability and clauses relating to data protection principles.
x x Scope of Application. BCRs must specify the structure and contact details of all entities participating in the BCRs (e.g., a listing of all affiliates).  Also, BCRs should specify the transfers, categories of personal data, types of data subjects and countries where data is transferred.
x x Data Protection Principles.

For Controllers, alongside the other principles in the GDPR, the BCRs should explain principles of lawfulness, data minimization, retention periods, guarantees when processing special categories of data, and requirements with respect to onward transfer.

For Processors, alongside the obligations arising from the other principles in the GDPR, the BCRs should explain the processor’s obligations in connection with data subject rights, sub-processing and onward transfers not covered by BCRs.

x x Accountability.

Every entity acting as a Controller must demonstrate compliance with BCRs.

Processors will have to make information available to Controllers that demonstrates a Processor’s compliance with the Controller’s obligations.

x Third Country Legislation.  BCRs should contain a commitment that any legal requirement in a third country likely to have substantial adverse effect on the guarantees of the BCRs will be reported to a competent supervisory authority.
x Third Party Beneficiary Rights. Data subjects should be able to enforce BCRs as third party beneficiaries directly against Processors where the requirements at stake are directed to Processors (e.g., GDPR Art. 28, 29, 79).
x Service Agreement. Agreements between Controllers and Processors must contain the required elements of Art. 28 of GDPR.

Amendments to BCRs already adopted

Although Article 46(5) of the GDPR states that existing BCR authorizations will remain valid until amended, replaced, or released by the supervisory authority, the Guidelines clarify that groups with approved BCRs are expected to update their BCRs in line with the new GDPR requirements.

In addition, groups with approved BCRs are invited to notify changes to their BCRs to their group members and the supervisory authorities (via the lead supervisory authority), as part of their annual update as of May 25, 2018.

Our take

The amended Guidelines provide some welcome clarity for companies needing to update their existing BCRs in accordance with GDPR. Further, they are a useful tool for companies that are seeking to apply for BCRs, in particular around how to draft their BCRs and complete the application process in a manner that complies with the Article 47 requirements. However, the requirements are still very exacting. Therefore, for the time being, BCRs are likely to remain a viable export solution only for large organizations with significant resources.