< Back

Share |

Binding Corporate Rules for processors

January 2013

2012 saw the Article 29 Working Party adopt WP 195, which is a document on Binding Corporate Rules (“BCRs”) for data processors. There had been much speculation about such a move. Commentators had been discussing this for some time, often referring to the concept as ‘Binding Safe Processor Rules’ or ‘Processor BCRs’.

Processor BCRs work on a similar basis to the more familiar Controller BCR and provide:

  • internal codes of conduct relating to data privacy and security
  • applied by a group of companies
  • encapsulate a set of binding rules to guarantee their clients that adequate safeguards are in place to protect their clients’ personal data.

Until recently, BCRs have only applied to data processed from 1 January 2013 organisations as a controller. The Processor BCRs, however, will finally allow companies to transfer personal data that they process on behalf of other organisations, usually their clients’ data, internationally Flagunder a BCR arrangement.

The impact of Processor BCRs could be substantial, particularly for the likes of outsourcing providers that process large amounts of data and this would of course also include cloud computing service providers. Such ‘processor’ driven organisations will now be able to have a BCR solution to legitimise their international data transfers as compliant transfers in accordance with European data protection law.

The key benefits that may arise from obtaining a Processor BCR include:

  • a unique opportunity, at least whilst this remains a relatively new concept, for a processor driven organisation to position themselves as a market leading safe haven for data processing
  • an alternative to entering model new contracts for each supplier arrangement and thus avoiding much of the deal specific negotiation that takes place around compliant data transfers
  • The contracting client would have greater comfort in that their chosen service provider is one that has invested time and effort not only to achieve a compliance environment but an environment that is seen as the gold standard.

The working document WP195 appears to be rather similar in format to data controllers BCR document WP153 and also provides a checklist for the conditions to be met by Processor BCRs.

See our summary of adequacy solutions table.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.