In a timely follow-up to its Working Document of June 2012, Recommendation of September 2012 and official launch in December 2012, the Article 29 Working Party has issued an Explanatory Document regarding Binding Corporate Rules (BCRs) for processors. As the Working Party notes, the outsourcing industry has requested a legal tool that caters to the reality of business structures and data transfer practices today. The idea of the processor BCRs is to provide a guarantee to the controller that a processor has a regime in place which adequately protects personal data when it is transferred outside the EU. This guarantee is provided by way of the BCRs, which should be annexed to or referenced in the Service Level Agreement (or Article 17 Agreement) with the controller. Processor BCRs can eliminate the need for reliance on other bases of transfer such as model contracts, thereby eliminating a significant administrative burden for companies engaging in frequent, large and complex international data transfers. While it is necessary to undergo an approval process for BCRs with a data protection authority (DPA) in the EU, increasing experience with BCRs for controllers is reducing the length of that procedure.
The Explanatory Document of 19 April elaborates on a number of issues including transfers and onward transfers, cooperation, update duties, the internally binding nature of BCRs and their legal enforceability. The clarity provided by the Working Party should help organizations plan their business relationships and help BCRs become a practical solution to the challenge of large routine data transfers.
Transfers and Onward Transfers
In order for processors to be able to transfer data to other members of their groups for sub-processing while maintaining transparency towards the controller, the Working Party specifies that the parties to the service agreement may choose the arrangement that suits them. One way is for the controller to give a general prior consent to sub-processing, in which case they should be informed of any addition or replacement of subcontractors in advance, with the possibility to object to the change or terminate the contract before any data is communicated to the new sub-processor. The other option is to provide in the agreement for the specific consent of the controller for each new sub-processing.
For external transfers out of the processor’s group, a further written agreement is necessary to ensure adequate protection of the data and that the external sub-processor respects the obligations under the service agreement. As far as the processor BCRs do not apply to transfers to external sub-processors, it will also be necessary to ensure that there is a legal basis for international data transfer outside the EU.
According to the Working Party, BCRs for processors must contain an express obligation to cooperate with the controller, in terms of respecting its instructions as well as helping it to comply with data protection law. This includes helping data subjects exercise their rights, handling complaints or replying to investigations or inquiries from DPAs. To this end, the processor group must create a specific contact point for data subjects, and all members of the BCRs will have the duty to communicate any claim or request to the controller who should handle them, unless otherwise agreed.
The BCRs must also contain a clear, separate duty to cooperate with competent DPAs and abide by their advice. The Working Party points out that any serious or persistent refusal by a processor to cooperate or comply with advice may result in the suspension or withdrawal of the controller’s authorization to transfer, requiring them to find another basis such as the model contracts.
In recognition of the constant evolution of business entities, BCRs can be updated without having to reapply with DPAs as long as the following conditions are met: one identified person keeps a fully updated list of the group members and sub-processors, which is accessible to the controller, data subjects and DPAs; this person keeps track of and records updates to the rules, systematically providing information to the controller and DPAs where requested; no transfer is made to a new member until it is effectively bound by the BCRs and can deliver compliance; and any substantial changes to the BCRs or the list of members are reported annually to the DPAs that granted any transfer authorizations, along with brief reasons justifying the update.
The Working Party stresses that in order to provide the necessary safeguards, processor BCRs must be binding both internally and toward the outside world.
The internally binding nature of the BCRs could be demonstrated to DPAs by internal codes of conduct backed by intra-group agreements or some other contractual mechanism. All member organizations of the processor, as well as employees within them, must be compelled to comply with the internal rules. It could be relevant to show the DPAs disciplinary sanctions for contravention of the rules, individual and effective information of employees and special education programs for employees and subcontractors.
To guarantee compliance, the BCRs must provide for regular data protection audits and/or external supervision by internal or external accredited auditors, with direct reporting to the privacy officer and the board of the parent organization. The audit should also be made available upon request to the controller. Competent DPAs should have access to the results of the audit and should be empowered by the BCRs to carry out an audit themselves if necessary in exceptional circumstances. Further, the BCRs must provide for the controller or an independent inspection body to be able to audit the data processing facilities of any processor or sub-processor in relation to the processing activities of that controller.
To guarantee legal enforceability, the BCRs must identify which member of the processor group will accept responsibility for and, where necessary, remedy the actions of any members of the organization or external sub-processors established outside the EU. This entity could be either the EU headquarters, the EU member of the processor with delegated data protection responsibilities or the EU exporter processor, e.g., the EU contracting party with the controller. If there is no EU member of the organization, the headquarters outside the EU will be appointed to accept liability.
The legal enforceability of the BCRs is effected primarily by linking them to the service agreement with the controller, which remains primarily liable toward DPAs and data subjects for ensuring the protection of data transferred outside the EU. The BCRs must include a third-party beneficiary right clause for the benefit of the controller, which will have the right to enforce the BCRs against any member of the processor’s group including judicial remedies and the right to receive compensation.
Data subjects must be granted third-party beneficiary rights to enforce the BCRs against members of the processor’s group where it is not possible to take action against the controller directly. They can also choose whether to take action before a DPA or court in any one of a number of relevant jurisdictions, depending on the circumstances.
Furthermore, BCR safeguards are legally enforceable by DPAs, which can investigate and intervene in data practices on their territory, as well as engage in legal proceedings where a processor is not complying with the BCR. The controller’s authorization to transfer could also be withdrawn on the basis of a processor breach.
In terms of burden of proof, the BCRs must state that where the controller or data subjects can demonstrate that damage has been suffered that was likely caused by a breach of the processor BCRs, the onus will be on the group member appointed to accept liability to prove that the relevant processor or sub-processor was not responsible or that no breach took place.
While there is still a long way to go before BCRs for processors are an everyday data protection tool, the Working Party’s Explanatory Document goes some way toward making that a reality by envisaging the legal and practical arrangements that controllers and processors should put in place in order to make use of BCRs for processors.
Coauthored by Emily Hay of the privacy team of Lorenz Brussels. She specializes in data protection and privacy, regulatory and international law. She may be reached at firstname.lastname@example.org.