December 6, 2017
By George Lynch
European Union privacy regulators Dec. 6 released updated standards for data transfers within companies to bring them in line with the bloc’s new privacy regime.
The Article 29 Working Party of privacy officials from the 28 EU countries updated its guidance to incorporate new elements from the EU General Data Protection Regulation that must be included when corporate groups update their Binding Corporate Rules (BCRs).
BCRs are an EU-approved mechanism to allow companies to transfer personal data outside the bloc from a corporate group or a group of enterprises “engaged in a joint economic activity” operating within the EU to their components outside the EU. The mechanism is primarily used by large companies, such as General Electric Corp. and AstraZeneca plc, that have the resources to go through the exhaustive BCR approval process. The GDPR, which takes effect in May 2018, recognizes BCRs as a legal means of transferring personal data from the EU.
The update “provides much needed certainty for the world of international data transfers,” Eduardo Ustaran, co-director of the privacy and cybersecurity practice at Hogan Lovells LLP in London, told Bloomberg Law. BCRs are one of the most valuable aspects of the GDPR, so these guidance documents “will become a key point of reference for any global company that is considering the BCR model,” Ustaran said.
The working party issued separate guidance for data controllers—companies that control the collection and use of personal data—and data processors—companies that process personal data under the instruction of controllers. BCRs for processors apply to data received from an EU-based controller that isn’t in the same corporate group and then processed by a member of the group. BCRs for controllers apply to data transfers from EU-based controllers to non-EU controllers or processors within the same corporate group.
Data controllers and processors must now include in BCRs information on:
To contact the reporter on this story: George Lynch in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald Aplin at email@example.com
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.