The privacy binding corporate rules from data controllers to processors (BCRs) provide a major tool for outsourcing and cloud projects relying on data transfers.
Outsourcing agreements and cloud projects largely require the transfer of personal data from the outsourcee, which processes them on behalf of the company receiving the outsourced service, to the outsourcee’s group companies.
Such practice creates major privacy issues if some of these group companies are located outside of the European Union, but these issues can now be sorted out through the so-called processor binding corporate rules, which allow the free flow of personal data within the outsourcee’s group. The processor BCRs were approved in 2012 by the European privacy consultancy body, the so-called Article 29 Working Party, to waive any regulatory restrictions on the flow of data within the outsourcee’s group that is functional to the delivery of the service to their customer.
The approach to be followed according to the processor BCRs is that the group member contracting with the company receiving the service will be appointed as data processor and its group entities will act as sub-processors. However, in an explanatory document just issued by the above-mentioned Article 29 Working Party, it clarified, among other things, that:
- the free flow of data within the service provider’s group (i.e. the outsourcee’s group) will require the prior consent of the data controller (the entity receiving the service), which can however be dealt with through a blanket consent in the contract between the parties;
- the processor BCRs cannot cover transfers to entities that are not part of the processor’s group. Such transfers shall be covered by adequate contractual guarantees and fall under a different tool for data transfers provided by EU regulations;
- the binding corporate rules shall be complied with by all the members of the data processor’s group to which the personal data are transferred;
- the binding corporate rules shall entitle data subjects (i.e. the individuals whose data are processed as part of the outsourcing or cloud project) to bring a direct claim for their breach against the data controller (i.e. the entity receiving the outsourced/cloud service) and the data processor (i.e. the outsourcee/service provider);
- the binding corporate rules shall entitle data controllers to bring claims against any member of the data processor’s group for breach of the binding corporate rules; and
- the binding corporate rules shall be attached to the outsourcing/cloud services agreement between the data controller and the data processor.
The explanatory document referred to above does not fully clarify whether the approval of the data protection authority of the country where the data controller is based operates as an additional condition for the implementation of the BCRs. Indeed, this would increase the complexity of this tool.
The binding corporate rules for processors shall be seen as very positive news both for entities outsourcing services or relying on cloud technologies and for service providers, as they might make their life easier without too much effort.