The Article 29 Working Party, which consists of the data protection watchdogs of the EU member countries, has created a mechanism for transferring data within organisations but to countries to which it would usually be illegal to send personal information.
EU data protection laws restrict transfers of personal data to countries whose data protection regimes have not been judged by the European Commission to be adequate. The list of those countries deemed to offer adequate protection is very short.
The Working Party created Binding Corporate Rules to allow companies to send data to other parts of the organisation in countries whose data protection regime has not been designated as adequate.
The Working Party has updated its guidance on the use of BCRs. Its list of frequently asked questions tells companies in what circumstances BCRs should be used, who is liable for breaches of them, and what rights people whose data is transferred have under the rules.
