Privacy & Cybersecurity Law Blog

On June 3, 2013, the French Data Protection Authority (“CNIL”) published an article outlining the importance of binding corporate rules (“BCRs”) for data processors, and describing how to use them.

A BCR is a code of conduct defining an organization’s policies with regard to international data transfers, allowing the organization to ensure an adequate level of protection for personal data transferred within the organization from locations in the European Union to non-EU countries. Until the end of 2012, BCRs could only be used as legal data transfer mechanism for data controllers. Since January 1, 2013, however, data processors (such as service providers making massive international data transfers on behalf of their clients) also may implement BCRs as an alternative to the European Commission’s existing controller-to-processor model clauses.

The CNIL’s article emphasized certain advantages BCRs offer data processors. For example, BCRs (1) create a safe area for data transferred by processors to sub-processors within the same organization; and (2) ensure that data controllers will be able to obtain the appropriate authorizations from EU data protection authorities for international data transfers.

The CNIL recalled that the content of the BCRs for data processors, as described in an Article 29 Working Party’s explanatory document, does not differ from that of EU model clauses. In addition, the content conforms with the proposed EU General Data Protection Regulation, which aims to increase data processors’ accountability.

The CNIL also mentioned that service providers who wish to implement BCRs for data processing purposes can apply with the CNIL (or one of its counterparts in other EU Member States) by completing the application form adopted by the Article 29 Working Party. The application process is the same as the process for BCRs for data controllers.