
In a timely follow-up to its Working Document of June 2012, Recommendation of September 2012 and official launch in December 2012, the Article 29 Working Party has issued an Explanatory Document regarding Binding Corporate Rules (BCRs) for processors. As the Working Party notes, the outsourcing industry has requested a legal tool that caters to the reality of business structures and data transfer practices today. The idea of the processor BCRs is to provide a guarantee to the controller that a processor has a regime in place which adequately protects personal data when it is transferred outside the EU. This guarantee is provided by way of the BCRs, which should be annexed to or referenced in the Service Level Agreement (or Article 17 Agreement) with the controller. Processor BCRs can eliminate the need for reliance on other bases of transfer such as model contracts, thereby eliminating a significant administrative burden for companies engaging in frequent, large and complex international data transfers. While it is necessary to undergo an approval process for BCRs with a data protection authority (DPA) in the EU, increasing experience with BCRs for controllers is reducing the length of that procedure.

The Explanatory Document of 19 April elaborates on a number of issues including transfers and onward transfers, cooperation, update duties, the internally binding nature of BCRs and their legal enforceability. The clarity provided by the Working Party should help organizations plan their business relationships and help BCRs become a practical solution to the challenge of large routine data transfers.

Transfers and Onward Transfers

In order for processors to be able to transfer data to other members of their groups for sub-processing while maintaining transparency towards the controller, the Working Party specifies that the parties to the service agreement may choose the arrangement that suits them. One way is for the controller to give a general prior consent to sub-processing, in which case they should be informed of any addition or replacement of subcontractors in advance, with the possibility to object to the change or terminate the contract before any data is communicated to the new sub-processor. The other option is to provide in the agreement for the specific consent of the controller for each new sub-processing.

For external transfers out of the processor’s group, a further written agreement is necessary to ensure adequate protection of the data and that the external sub-processor respects the obligations under the service agreement. Insofar as the processor BCRs do not apply to transfers to external sub-processors, it will also be necessary to ensure that there is a legal basis for international data transfer outside the EU.


According to the Working Party, BCRs for processors must contain an express obligation to cooperate with the controller, in terms of respecting its instructions as well as helping it to comply with data protection law. This includes helping data subjects exercise their rights, handling complaints or replying to investigations or inquiries from DPAs. To this end, the processor group must create a specific contact point for data subjects, and all members of the BCRs will have the duty to communicate any claim or request to the controller who should handle them, unless otherwise agreed.

The BCRs must also contain a clear, separate duty to cooperate with competent DPAs and abide by their advice. The Working Party points out that any serious or persistent refusal by a processor to cooperate or comply with advice may result in the suspension or withdrawal of the controller’s authorization to transfer, requiring them to find another basis such as the model contracts.

Update Duties

Recognizing the constant evolution of business entities, BCRs can be updated without having to reapply with DPAs as long as one identified person keeps a fully updated list of the group members and sub-processors, which is accessible to the controller, data subjects and DPAs; this person keeps track of and records updates to the rules, systematically providing information to the controller and DPAs where requested; no transfer is made to a new member until it is effectively bound by the BCRs and can deliver compliance; and any substantial changes to the BCRs or the list of members are reported annually to the DPAs that granted any transfer authorizations, along with brief reasons justifying the update.

Internally Binding

The Working Party stresses that in order to provide the necessary safeguards, processor BCRs must be binding both internally and toward the outside world.

The internally binding nature of the BCRs could be demonstrated to DPAs by internal codes of conduct backed by intra-group agreements or some other contractual mechanism. All member organizations of the processor, as well as employees within them, must be compelled to comply with the internal rules. It could be relevant to show the DPAs disciplinary sanctions for contravention of the rules, individual and effective information of employees and special education programs for employees and subcontractors.

To guarantee compliance, the BCRs must provide for regular data protection audits and/or external supervision by internal or external accredited auditors, with direct reporting to the privacy officer and the board of the parent organization. The audit should also be made available upon request to the controller. Competent DPAs should have access to the results of the audit and should be empowered by the BCRs to carry out an audit themselves if necessary in exceptional circumstances. Further, the BCRs must provide for the controller or an independent inspection body to be able to audit the data processing facilities of any processor or sub-processor in relation to the processing activities of that controller.

Legally Enforceable

To guarantee legal enforceability, the BCRs must identify which member of the processor group will accept responsibility for, and where necessary remedy, the actions of any members of the organization or external sub-processors established outside the EU. This entity could be either the EU headquarters, the EU member of the processor with delegated data protection responsibilities or the EU exporter processor (e.g., the EU contracting party with the controller). If there is no EU member of the organization, the headquarters outside the EU will be appointed to accept liability.

The legal enforceability of the BCRs is effected primarily by linking them to the service agreement with the controller, which remains primarily liable toward DPAs and data subjects for ensuring the protection of data transferred outside the EU. The BCRs must include a third-party beneficiary right clause for the benefit of the controller, which will have the right to enforce the BCRs against any member of the processor’s group including judicial remedies and the right to receive compensation.

Data subjects must be granted third-party beneficiary rights to enforce the BCRs against members of the processor’s group where it is not possible to take action against the controller directly. They can also choose whether to take action before a DPA or court in any one of a number of relevant jurisdictions, depending on the circumstances.

Furthermore, BCR safeguards are legally enforceable by DPAs, which can investigate and intervene in data practices on their territory, as well as engage in legal proceedings where a processor is not complying with the BCR. The controller’s authorization to transfer could also be withdrawn on the basis of a processor breach.

In terms of burden of proof, the BCRs must state that where the controller or data subjects can demonstrate that damage has been suffered that was likely caused by a breach of the processor BCRs, the onus will be on the group member appointed to accept liability to prove that the relevant processor or sub-processor was not responsible or that no breach took place.


While there is still a long way to go before BCRs for processors are an everyday data protection tool, the Working Party’s Explanatory Document goes some way toward making that a reality by envisaging the legal and practical arrangements that controllers and processors should put in place in order to make use of BCRs for processors.

Coauthored by Emily Hay of the privacy team of Lorenz Brussels. She specializes in data protection and privacy, regulatory and international law. She may be reached at

Written By

Jan Dhont

