Deutsche Post DHL, a postal and logistics group that employs 500,000 individuals in 220 countries, has become the first German company to have its privacy policy approved by the country’s data protection authority. The Office of the German Federal Commissioner for Data Protection and Freedom of Information’s approval of the company’s binding corporate rules (BCR) allows Deutsche Post to transfer personal data abroad without having to gain approval for each individual transfer.
Gabriela Krader, Deutsche Post DHL corporate data protection officer, started the BCR process in 2006 by establishing a task force charged with sharing information on the requirements with various stakeholders internally. The Article 29 Working Group’s application for BCRs was the next step. European data protection authorities, led by Federal Commissioner for Data Protection and Freedom of Information Peter Schaar, reviewed the application, provided feedback, negotiated with Deutsche Post and eventually granted approval.
Krader says transferring data outside of the EU involves bilateral contracts which are a high administrative burden. BCRs are “easier to implement,” become “visible for the whole group” and are based on a company’s internal capabilities and needs rather than solely external factors.
The application process involved some challenges, given the group’s international composition, Krader said. Feedback was at times difficult to absorb.
“We found a lot of the comments did not really relate to substantial issues but rather to the fact that it could be worded in a better way, according to an individual’s view,” Krader said. “Because the approval process is done in English, and for most of the stakeholders in the process, this is not the mother language, this makes it more difficult or complex to reach agreements on the same points.”
In addition, the BCR process took about four years, meaning that, over time, there were staff changes at some authorities and, therefore, changes in opinion.
A year and a half into the process, Deutsche Post DHL became frustrated with the speed at which the process was moving. Company representatives suggested to lead-authority Schaar that they contact major stakeholders and opinion leaders—including the CNIL, the Spanish data protection authority and the UK Information Commissioner’s Office—so personal interviews between the parties could occur, allowing authorities to gain a better understanding of Deutsche Post as a company. Conducting face-to-face interviews with the authorities was important because it allowed Deutsche Post to explain in more depth its plans for implementation, Krader said, whereas an application or the privacy policy itself requires succinct answers.
“This is something you cannot explain on paper,” Krader said. “Sometimes you need to talk to them. We found this very helpful. We found them much more open to agree to compromises, and we also found it was possible to create an area of trust that we really have serious ideas and are not trying to get a policy with good-sounding principles with nothing but air behind it,” she said.
The DPAs were especially interested in how Deutsche Post could safeguard information, the requirements and mechanisms for doing so and what its awareness programs would be, among other topics.
Next for Deutsche Post will be implementing the approved changes to data transfer procedures, starting with its corporate board and trickling down through its individual group companies. A specific declaration will be required from the management of each of the company’s 1,000 subsidiaries. The BCR’s legal text will be translated into terms easily understood by employees, and guidelines and training programs will be implemented.
Krader recommends that companies interested in achieving BCR approvals begin implementing data protection management systems parallel to BCR approval negotiations.
“Otherwise, you lose too much time after the approval phase if you only then start with the first planning of overall management and organization,” she said.
