EU Privacy Chiefs Release Corporate Data Transfer Rules Update


By George Lynch

European Union privacy regulators Dec. 6 released updated standards for data transfers within companies to bring them in line with the bloc’s new privacy regime.

The Article 29 Working Party of privacy officials from the 28 EU countries updated its guidance to incorporate new elements from the EU General Data Protection Regulation that must be included when corporate groups update their Binding Corporate Rules (BCRs).

BCRs are an EU-approved mechanism to allow companies to transfer personal data outside the bloc from a corporate group or a group of enterprises “engaged in a joint economic activity” operating within the EU to their components outside the EU. The mechanism is primarily used by large companies, such as General Electric Corp. and AstraZeneca plc, that have the resources to go through the exhaustive BCR approval process. The GDPR, which takes effect in May 2018, recognizes BCRs as a legal means of transferring personal data from the EU.

The update “provides much needed certainty for the world of international data transfers,” Eduardo Ustaran, co-director of the privacy and cybersecurity practice at Hogan Lovells LLP in London, told Bloomberg Law. BCRs are one of the most valuable aspects of the GDPR, so these guidance documents “will become a key point of reference for any global company that is considering the BCR model,” Ustaran said.

Data Processors, Controllers

The working party issued separate guidance for data controllers—companies that control the collection and use of personal data—and data processors—companies that process personal data under the instruction of controllers. BCRs for processors apply to data received from an EU-based controller that isn’t in the same corporate group and then processed by a member of the group. BCRs for controllers apply to data transfers from EU-based controllers to non-EU controllers or processors within the same corporate group.

Data controllers and processors must now include in BCRs information on:

  •  the scope of the corporate group, including categories of data and types of processing;
  •  enforceable rights of individuals, including the right to lodge complaints; and
  •  demonstrated accountability.

Controllers must also include:

  •  information on individual transparency rights related to processing of their data and the means of exercising those rights;
  •  an explanation of privacy principles, including lawfulness, data minimization, storage limitation, guarantees of processing sensitive data, and onward transfer requirements to bodies not bound by BCRs; and
  •  a list of any third-country legal commitments having an adverse effect on BCRs that will be reported to authorities.

Processors must also include:

  •  privacy principles related to individual rights; and
  •  service agreements containing all elements required by the GDPR.

Companies with BCRs already in place must update them to meet these new requirements, “which can be challenging in less than half a year’s time before the GDPR becomes applicable,” Anna Pateraki, senior privacy associate at Hunton & Williams LLP in Brussels, told Bloomberg Law.

To contact the reporter on this story: George Lynch in Washington at

To contact the editor responsible for this story: Donald Aplin at

For More Information

The new guidance for data controllers is available at .

The new guidance for data processors is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
