EU Privacy Chiefs Release Corporate Data Transfer Rules Update

From Bloomberg Law: Privacy & Data Security

December 6, 2017

By George Lynch

European Union privacy regulators Dec. 6 released updated standards for data transfers within companies to bring them in line with the bloc’s new privacy regime.

The Article 29 Working Party of privacy officials from the 28 EU countries updated its guidance to incorporate new elements from the EU General Data Protection Regulation that must be included when corporate groups update their Binding Corporate Rules (BCRs).

BCRs are an EU-approved mechanism to allow companies to transfer personal data outside the bloc from a corporate group or a group of enterprises “engaged in a joint economic activity” operating within the EU to their components outside the EU. The mechanism is primarily used by large companies, such as General Electric Corp. and AstraZeneca plc, that have the resources to go through the exhaustive BCR approval process. The GDPR, which takes effect in May 2018, recognizes BCRs as a legal means of transferring personal data from the EU.

The update “provides much needed certainty for the world of international data transfers,” Eduardo Ustaran, co-director of the privacy and cybersecurity practice at Hogan Lovells LLP in London, told Bloomberg Law. BCRs are one of the most valuable aspects of the GDPR, so these guidance documents “will become a key point of reference for any global company that is considering the BCR model,” Ustaran said.

Data Processors, Controllers

The working party issued separate guidance for data controllers—companies that control the collection and use of personal data—and data processors—companies that process personal data under the instruction of controllers. BCRs for processors apply to data received from an EU-based controller that isn’t in the same corporate group and then processed by a member of the group. BCRs for controllers apply to data transfers from EU-based controllers to non-EU controllers or processors within the same corporate group.

Data controllers and processors must now include in BCRs information on:

Controllers must also include:

Processors must also include:

Companies with BCRs already in place must update them to meet these new requirements, “which can be challenging in less than half a year’s time before the GDPR becomes applicable,” Anna Pateraki, senior privacy associate at Hunton & Williams LLP in Brussels, told Bloomberg Law.

To contact the reporter on this story: George Lynch in Washington at glynch@bloomberglaw.com

To contact the editor responsible for this story: Donald Aplin at daplin@bloomberglaw.com

For More Information

The new guidance for data controllers is available at http://src.bna.com/uKc.

The new guidance for data processors is available at http://src.bna.com/uKb.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

