The purpose of a group’s adoption of BCRs is to create, within the group, an “area offering an adequate level of data protection.” Thus, BCRs must be analyzed on terms similar to those required for the study of the adequate level of data protection in a given state.
In order for it to be possible to hold that a given state offers an adequate level of data protection, from a substantive point of view it is necessary that its legislation satisfy the data protection principles set forth in the various international instruments adopted in this regard. From a formal point of view, it is necessary that those principles can be guaranteed through an authority that supervises compliance and, in the event of violation or damage to the data subject, adopts the measures necessary to prevent continued violation or damage.
The extrapolation of these requirements into the framework of BCRs implies the necessity, from the point of view of content, to reflect the essential principles of data protection in an instrument applicable within the group. Regarding application, there must be bodies within its structure that guarantee effective compliance with these principles in the actions of the group companies, and guarantees that it will be able to adopt measures for sanctions or redress in the event of violation or damage to the data subject.
10 In this regard, the role of the subgroup created within the Article 29 Working Party has proven to be very interesting regarding the processing of the file related to the General Electric BCRs, because it was a pilot experience for implementation of the mechanisms necessary for studying it. Also, from the point of view of the Spanish Data Protection Agency, the many contacts maintained with the Spanish subsidiaries of the group and with the highest-level data protection officers on a global basis have proven to be extremely useful.
Leaving the content of the BCRs for later, we must now analyze the manner of compliance with them, which translates into the mandatory nature of the rules, both internal and external, which we now address.
Mandatory nature, internal and external
As the name itself indicates, BCRs must be mandatory and binding on all group companies. This binding and mandatory nature must be shown both in the daily operations of the group companies and in their relationships with third parties.
In addition, as may be derived from the various documents of the Article 29 Working Party to which we have referred before, demonstration of the mandatory nature of the BCRs is essential in order for the authorization for international data transfers based thereon to be effectively obtained.
As has been noted, the mandatory and binding nature of the BCRs must be shown both from an internal point of view and from the perspective of the relationships of the group companies with others, in particular with the data subjects whose data are being processed and onward transferred within the group.
Regarding the internal mandatory nature of the BCRs, the Article 29 Working Party document of 3 June 2003 establishes as a principle that the mandatory nature of the rules must imply that, in practice, both the members of the corporate group and personnel working therein must feel obligated to comply with the internal rules. In this regard, matters that may be relevant include the establishment of sanctions in the case of violation of the rules, the information given to employees and the creation of specific training programs for employees, subcontractors, etc. All of these elements may be indicators of how the individuals within the group actually feel obligated to comply with the rules. In any event, the group must be aware that it will be essential to prove the existence of these mechanisms guaranteeing compliance with the BCRs in order for it to be possible to obtain authorization of the transfers.
The “checklist” contained in WP document 108 contemplates certain matters that must be shown in order to guarantee the effective existence of this internal mandatory nature of BCRs. Thus, it indicates as follows:
— You must ensure compliance with the binding corporate rules by other members of the group. This is particularly important where there is no ‘head office’ or where the head office is outside the EEA. How this is achieved will depend upon the structure of your organisation but will also be subject to the national laws of the Member States in which your organisation is located (section 5.5).
— Employees must be bound by the rules. This might be achieved by way of specific obligations contained in a contract of employment and by linking observance of the rules with disciplinary procedures for example. In addition, there should be adequate training programmes and senior staff commitment, and the title of the person ultimately responsible within the organisation for compliance should be included in your application (section 5.9).
— You need to show how your binding corporate rules are made binding on subcontractors. Please provide evidence of the type of contractual clauses that you impose on subcontractors and explain how those contracts deal with the consequences of non-compliance (section 5.11).
As may be seen, the essential way of demonstrating the existence of this element centres on the existence of training and supervision programs, adopting dissuasive measures that prevent violation of the rules. This would be the case where a processor incorporates into its employment or services agreements sanctioning measures for violation of data protection principles, which could include even, respectively, termination of the employment relationship or of the services agreement.
At the same time the BCRs must bind the corporate group as to its relationships with third parties, in particular the data subjects whose data are processed and transferred to other group companies. This is precisely the element that is essential in order for a transfer based on the BCRs to be held to be adequate.
Thus, in the same way that in the countries where there is an adequate level of data protection the data subject can apply to a supervisory authority to enforce his rights and, if applicable, request adequate redress of the damages caused by unlawful use of his data, it is necessary that the data subject can, in this case, exercise similar mechanisms guaranteeing his rights and compensation if he suffers damage.
The various decisions of the Commission related to transfers based on the provision of contractual clauses establish this principle on two basic pillars: the inclusion in the agreement of a clause in favour of the data subject pursuant to which he can enforce the agreement before the data protection authorities and before the courts, in all respects related to protection of his personal data, and the guarantee of liability of the data exporter in the event of violation of the agreement by the data importer, by means of the rule of joint and several liability or culpa in eligendo or in vigilando, in such manner that the data subject need not resort to the data importer’s jurisdiction to enforce his right.
The guarantee of the external mandatory nature of BCRs must rest on these pillars, as is stated by WP document 74, which addresses this question in its Chapter 3.3.2, indicating that data subjects whose data are within the scope of application of the binding corporate rules must be considered to be “third party beneficiaries” both as regards the unilateral commitments adopted (when national law so permits) and the contractual provisions that exist among the members of the group to establish the binding corporate rules. In this manner, data subjects, as beneficiaries, must be able to enforce compliance with the rules, presenting their claims both to the data protection authorities and to the competent courts.
At the same time it is noted that the scope of the rights of the data subjects must, as a minimum, be comparable to that guaranteed by Commission Decision 2001/497/EC.
Finally, section 5.2.2 of the document indicates that the group applying for authorization must demonstrate that its European Union headquarters or the subsidiary to which it has delegated responsibility for data protection has sufficient assets in the Community to cover payment of the amounts owing by reason of violation of the BCRs, or that it has adopted measures to guarantee that it can satisfy such claims.
As is the case regarding the internal mandatory element, WP document 108 establishes certain guidelines in the “checklist” to guarantee satisfaction of this second requirement in the BCRs. Thus, it indicates as follows:
— Individuals covered by the scope of the binding corporate rules must be able to enforce compliance with the rules both via the data protection authorities and the courts (section 5.13).
— Individuals must be able to commence claims within the jurisdiction of the member of the group at the origin of the transfer or the EU headquarters or the European member of the group with delegated data protection responsibilities (section 5.14).
— Your application should contain confirmation that the European headquarters of the organisation, or that part of the organisation with delegated data protection responsibilities in the EU, has sufficient assets or has made appropriate arrangements to enable payment of compensation for any damages resulting from the breach, by any part of the organisation, of the binding corporate rules (section 5.17).
— Your application will need to make clear that the burden of proof with regard to an alleged breach of the rules will rest with the member of the group at the origin of the transfer or the European headquarters or that part of the organisation with delegated data protection responsibilities, regardless of where the claim originates (section 5.19).
— Your application should also include confirmation that you will co-operate with the data protection authorities with regard to any decisions made by the supervisory authority and abide by the advice of the data protection authority with regard to interpretation of WP 74 (section 5.21).
Content of the BCRs
Together with the requirement of the mandatory nature of the BCRs, it is obviously necessary that the rules establish data protection standards allowing the data protection level within the corporate group to be considered to be adequate for the purposes contemplated in Directive 95/46/EC. Thus, from the substantive point of view, it will be necessary for there to be a self-regulation instrument within the company containing the data protection principles contemplated in the community rules and the rules of the Member States, and that they be applied to the specific data flows subject to the rules.
On this point WP document 74 is unequivocal. It indicates that “Compliance with national law is of course a condition sine qua non for any authorisation to be granted.”11
11 In fact, in the cases analyzed to date the BCRs include a clause by virtue of which they will be applicable to the extent that the national law of the state where the group company is located does not impose greater obligations, in which case that law is applicable.
In particular, the indicated document states that the BCRs must contain the data protection principles referred to in WP document 12, which derive from those already established in the OECD privacy guidelines adopted in 1980.
These principles are also set forth in the Annex to Decision 2001/497/EC, considered to be the core principles of the data protection right, as follows:
1. Purpose limitation: data must be processed and subsequently used or further communicated only for the specific purposes in Appendix I to the Clauses. Data must not be kept longer than necessary for the purposes for which they are transferred.
2. Data quality and proportionality: data must be accurate and, where necessary, kept up to date. The data must be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.
3. Transparency: data subjects must be provided with information as to the purposes of the processing and the identity of the data controller in the third country, and other information insofar as this is necessary to ensure fair processing, unless such information has already been given by the data exporter.
4. Security and confidentiality: technical and organisational security measures must be taken by the data controller that are appropriate to the risks, such as unauthorised access, presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process the data except on instructions from the controller.
5. Rights of access, rectification, erasure and blocking of data: as provided for in Article 12 of Directive 95/46/EC, the data subject must have a right of access to all data relating to him that are processed and, as appropriate, the right to the rectification, erasure or blocking of data the processing of which does not comply with the principles set out in this Appendix, in particular because the data are incomplete or inaccurate. He should also be able to object to the processing of the data relating to him on compelling legitimate grounds relating to his particular situation.
6. Restrictions on onwards transfers: further transfers of personal data from the data importer to another controller established in a third country not providing adequate protection or not covered by a decision adopted by the Commission pursuant to Article 25(6) of Directive 95/46/EC (onward transfer) may take place only if either:
(a) data subjects have, in the case of special categories of data, given their unambiguous consent to the onward transfer or, in other cases, have been given the opportunity to object. The minimum information to be provided to data subjects must contain in a language understandable to them:
— the purposes of the onward transfer,
— the identification of the data exporter established in the Community,
— the categories of further recipients of the data and the countries of destination, and
— an explanation that, after the onward transfer, the data may be processed by a controller established in a country where there is not an adequate level of protection of the privacy of individuals; or
(b) the data exporter and the data importer agree to the adherence to the Clauses of another controller which thereby becomes a party to the Clauses and assumes the same obligations as the data importer.
7. Special categories of data: where data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union memberships and data concerning health or sex life and data relating to offences, criminal convictions or security measures are processed, additional safeguards should be in place within the meaning of Directive 95/46/EC, in particular, appropriate security measures such as strong encryption for transmission or such as keeping a record of access to sensitive data.
8. Direct marketing: where data are processed for the purposes of direct marketing, effective procedures should exist allowing the data subject at any time to “opt-out” from having his data used for such purposes.
9. Automated individual decisions: data subjects are entitled not to be subject to a decision which is based solely on automated processing of data, unless other measures are taken to safeguard the individual’s legitimate interests as provided for in Article 15(2) of Directive 95/46/EC. Where the purpose of the transfer is the taking of an automated decision as referred to in Article 15 of Directive 95/46/EC, which produces legal effects concerning the individual or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc., the individual should have the right to know the reasoning for this decision.
Nevertheless, as already indicated above, the BCRs must not be a mere list of principles. Rather they must contain provisions custom-designed for the circumstances occurring in the processing and flows of information that arise within the group applying for authorization of its rules. It is so stated in WP document 74 itself. It indicates that the principles must be specified in the BCRs on a practical and realistic basis, in such manner that they fit the activities undertaken by the organization in the third countries, and that they must be susceptible of understanding and application by those having data protection responsibilities.
In particular, satisfaction of the content requirements reduces to two fundamental matters: limitation of onward transfers of data from the group companies located outside the European Union to third parties not members of the group, and the requirement that any change in the rules be communicated to the authorities involved.
Regarding limitation of onward transfers, the Article 29 Working Party clarifies in its WP document 74 that “transfers from group companies to companies outside the group located outside of the Community will be possible by subscribing the standard contractual clauses adopted by the Commission.”
In this way it is intended to guarantee that the “data protection area” resulting from the BCRs is similar to that of a state that offers an adequate level of protection. Thus, in the same way that, in order for personal data to be transferred from the European Union to a third state not having an adequate level, it is necessary to use the “contractual solution,” this “solution” is necessary when the data move outside the corporate group subject to the BCRs.