The General Data Protection Regulation (EU) 2016/679 (“GDPR”) became effective on 25 May 2018 and has a substantial impact on anyone who processes personal data of data subjects (individuals). The scope of the GDPR extends beyond the borders of the European Union (“EU”) and is therefore something that likely impacts most businesses that have an international footprint or clientele in the EU.
The GDPR requires certain rules to be complied with when personal data is processed, in order for the security of the personal data to be maintained and for the fundamental right to privacy to be protected. These rules must be implemented by the data controller (the party that determines the purposes for which, and how, data is processed) throughout the stages of processing, and they require the data controller to ensure that any third party processing the data on behalf of the controller (referred to as a data processor) complies with the rules relevant to it as well.
In any given scenario, there may be multiple parties that act as data controllers and data processors in respect of the same personal data, commonly referred to as joint controllers and joint processors. All these parties must still comply with the GDPR, and the two most common ways in which this is done are through data processing agreements and binding corporate rules. In this post, we look at these two mechanisms and discuss the differences between them and when each should be used.
Data processing agreements (“DPAs”)
Data processing agreements (“DPAs”) are most commonly used where a data controller appoints a third party to process personal data on behalf of and for the benefit of the controller. The processor is only authorised to process the data on the instructions of the controller and may not use the personal data for its own purposes. Processors are usually third-party companies that provide a service to the controller and don’t form part of the group of companies that the controller belongs to.
The appointment of data processors is subject to the controller and processor complying with the relevant requirements of the GDPR. The GDPR sets out express requirements that must be met by controllers when appointing processors, including that the processor must be appointed under a written agreement (the DPA), which must include provisions relating to the further requirements that processors must comply with. Some of these include:
- the purposes for which the data may be processed;
- the duration of the agreement;
- limitation of processing to the written instructions of the controller;
- a duty of confidentiality on the processor in respect of the personal data;
- a duty to take appropriate organisational and technical security measures;
- the rules regarding the appointment of sub-processors; and
- liability of the processor in respect of the personal data.
Binding Corporate Rules (“BCRs”)
Binding corporate rules (“BCRs” or “Rules”), although similar to DPAs, regulate the processing of personal data between companies within a group of companies. They are like a code of conduct, allowing multinational companies to transfer data internationally to members of the group that are located in countries that may be considered not to provide an adequate level of data protection. Although some countries in which the members of the group conduct business may have their own data protection laws and requirements in respect of processing personal information, the BCRs aim to ensure that all the companies within a group meet, at a minimum, the standards required by the GDPR (and that those group companies falling within the GDPR’s ambit comply with their legislative obligations).
Article 47 of the GDPR sets out the requirements regarding what BCRs must specify, and the Rules that a group of companies develops must be approved by an EU regulatory authority. In brief, BCRs must be legally binding and apply to all members of a group of companies; they must include provisions about the enforceable rights that data subjects have in respect of the processing of their personal data; and they must meet the further requirements of Article 47, including:
- the details of the group of companies;
- information regarding the data that is transferred, the type of processing that is carried out and the purposes for such processing, and the third countries to which the data is transferred;
- the data processing and protection principles that are applicable and the rights of data subjects in regard to the processing and protection principles;
- the duties and tasks of the data protection officer who oversees the group’s compliance with the rules and the GDPR;
- the complaint process that data subjects may use;
- how the group of companies trains its employees in respect of the GDPR; and
- the various requirements in respect of enforcing the rules, reporting on compliance with the rules and cooperation with the various regulatory authorities.
Binding Corporate Rules and Data Processing Agreements have the same broad goal: to ensure compliance with the GDPR when processing personal information where the processing is carried out by more companies than just the data controller. The application of these mechanisms depends on who is carrying out the processing. The territory in which the processing is being done will further impact the substance of these agreements.
It is important, from both a GDPR and POPI perspective, that data protection requirements are adhered to and that businesses make use of the various tools available to them to ensure that they comply with these rules.