Data processors are now able to apply to use Binding Corporate Rules (BCRs) in order to move personal data outside of the European Economic Area while complying with European data protection legislation instead of having to implement and maintain sophisticated networks of data transfer contracts in the form of the standard contractual clauses approved by the European Commission.
The European data protection authorities convened together as the Article 29 Working Party (WP29) have announced that, as of 1 January 2013, data processors will be able to apply to a single lead data protection authority for approval to use Binding Corporate Rules in the same way as data controllers are able to. As a result, processors of personal data (e.g. IT outsourcing providers, data centre providers etc) will be able to receive personal data from their data controller clients and then transfer it while complying with the European rules on data protection. The lead data protection authority will take steps to liaise with the other European data protection authorities to obtain mutual recognition of a processor’s BCRs throughout Europe.
This will be welcome news to both processors and controllers alike, particularly those that undertake large-scale international data transfers who will no longer have to negotiate complicated data protection safeguards for every processing activity where the receiving party in question has implemented BCRs. Controllers will be able to demonstrate to their stakeholders and data protection authorities that their processing activities comply with European data protection law by working with processors that have already implemented approved BCRs.