Stringent controls on the transfer of personal data are
in place in the EU and a company must apply to all 25 member states
to formalise rules controlling the movement of that data.
Previously that involved a separate application for each
country, but the ICC has produced a form which it hopes will become
a standard across all member states. It awaits approval by EU data
protection authority the EC Article 29 Data Protection Working
Party.
The form relates to Binding Corporate Rules (BCRs), agreements
which companies can enter into to control the passing of personal
information from within Europe to out with it.
The seven-section form was based on a series of rules produced
by the EC Working Party and is intended to replace a series of
national forms.
"With input from member companies working with BCRs and feedback
from various European authorities, we created this standard
application form for BCRs," said Christopher Kuner, Chair of the
ICC Task Force on Privacy and Protection of Personal Data. "The
same form can be used for approval in all EU member states –
that is the main advantage."
The application form is divided into eight sections. These are:
contact details for the company; contact details for queries;
determination of the lead Data Protection Authority; explanation of
how the BCRs will be made binding; verification of compliance;
description of processing and data flows; data protection
safeguards, and mechanisms for reporting and recording changes.
The Working Party which must now decide on the suitability of
the form was set up under Article 29 of the Data Protection
Directive to be an independent advisor on privacy and data
protection in Europe.
The UK's Information Commissioner has already published a list
of requirements for the approval of BCRs.
