WP29 Clarifies DPAs' Expectations of BSPRs
The Article 29 Working Party (WP29) has adopted an Explanatory Document on the Processor Binding Corporate Rules (WP204), which clarifies the principles and elements of Processor Binding Corporate Rules, or Binding Safe Processor Rules (BSPRs), as laid out in its Working Document 02/2012 (WP195). BSPRs are internal, legally binding codes of conduct regarding privacy and security, aimed at guaranteeing to clients of data processors that data transfers are adequately framed and protected. WP29 stated that data protection principles stemming from the Data Protection Directive (95/46/EC) must be incorporated within the BSPRs. The BSPRs must also provide a sufficient level of detail to allow DPAs to assess whether adequate safeguards are provided in relation to data processing and sub-processors. All BSPRs must contain: provisions guaranteeing a good level of compliance, audits, complaint handling, the duty of cooperation with the data controller and DPAs, liability, rules on jurisdiction, and transparency.