Cross-border transfers of personal data
Contracts based on the European Commission's standard contractual clauses do not have to be adopted by Royal Decree. Nevertheless, a copy of the contract should be sent to the Authority in order for the latter to check whether it is identical to the European Commission's standard contractual clauses. Moreover, the processing needs to be notified in the Authority's public register, except if it relates to an exception established in the rules on notification.
Conformity with the European Commission's standard contractual clauses is understood to refer to the following contractual clauses:
- clauses identical to the standard contractual clauses approved by the European Commission which have been completed where specifically requested (annexes, names of parties and other specific elements such as clause 5.b of standard clause 2001/497/CE, etc.);
- clauses with a minimum of modifications (e.g. punctuation, translation), where the modifications change neither the meaning nor the scope of the standard contractual clauses and do not prejudice the fundamental rights and freedoms of data subjects;
- standard contractual clauses inserted in a larger contract and standard contractual clauses to which other clauses have been added, including commercial clauses, provided that the latter do not directly or indirectly contradict the standard contractual clauses and that they do not prejudice the fundamental rights and freedoms of data subjects.
At European level
The Article 29 Working Party has approved several working papers describing the compulsory content of binding corporate rules, as listed below.
1. Controller binding corporate rules
- Working Document of 3/6/2003 relating to the Transfers of personal data to third countries: Applying Article 26 (2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers (WP74);
- Working Document of 14/4/2005 Establishing a Model Checklist Application for Approval of Binding Corporate Rules (WP108).
To help understand these two documents, the Article 29 Working Party has also approved a table with all the elements that have to be included in BCR, which refers to WP 74 and WP 108. This document is entitled:
- Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules (WP153).
The Article 29 Working Party has also elaborated a harmonised European form for requests for approval of controller binding corporate rules:
- Recommendation 1/2007 of 14/4/2005 on the Standard Application for Approval of Binding Corporate Rules for the Transfer of Personal Data (WP133).
To get a better idea of possible BCR structures, you are advised to read the following document:
- Working Document setting up a framework for the structure of Binding Corporate Rules (WP154).
Finally, for concrete answers to frequent questions from multinationals you can consult the document below:
- Working Document on Frequently Asked Questions (FAQs) relating to Binding Corporate Rules (WP155; this document is often updated).
All documents the Article 29 Working Party has adopted can be found on its website.
The European Commission's website also includes a separate section on BCR.
At Belgian level
National requirements have been described in the protocol on BCR concluded between the Ministry of Justice and the Authority (Dutch/French). Obviously, the inspiration for this protocol was mostly found at European level.
2. Processor binding corporate rules
- Working Document 02/2012 setting up a table with the elements and principles to be found in Processor Binding Corporate Rules (WP 195);
- Explanatory Document on the Processor Binding Corporate Rules (WP 204).
The Article 29 Working Party has also elaborated a harmonised European form for requests for approval of processor binding corporate rules:
- Recommendation 1/2012 on the Standard Application form for Approval of Binding Corporate Rules for the Transfer of Personal Data for Processing Activities (WP 195a).
This is left to the discretion of controllers. Obviously, binding corporate rules are meant more for multinationals looking for a legal solution for intra-group data flows.
The table below compares both systems:
|Binding corporate rules (BCR)|Contracts|
|---|---|
|Purpose: offer adequate safeguards as framework for data flows to third countries and thus comply with the Privacy Act|Purpose: offer adequate safeguards as framework for data flows to third countries and thus comply with the Privacy Act|
|Compulsory code of conduct within a group of companies|Contract between two legal entities which are or are not part of the same group of companies|
|Only create a framework for intra-group data flows|Create a framework for data flows within and outside the group of companies|
|Tailor-made|Tailor-made or standard contractual clauses of the European Commission|
|By definition: create a framework for a large number of data flows with various purposes|By definition: create a framework for particular data flows|
|By definition only one code of conduct for the entire group of companies|If for a group of companies: by definition a multiplication of contracts (which is sometimes avoided for intra-group data flows by integrating contractual clauses in an "Intra-Group Agreement")|
|Allow for uniformisation of the personal data protection policy within a group of companies|-|
|Apart from legal commitments, BCR also imply concrete measures guaranteeing that rules are also abided by (employee training, privacy audits, internal complaint management system, …)|Are more limited to legal commitments regarding privacy principles|
|Make data protection into one of the group's ethical preoccupations and promote the group's external communication on it|-|