The Article 29 Working Party announced (pdf) that it has adopted “Working Document 02/2012 setting up a table with the elements and principles to be found in Processor Binding Corporate Rules” (Working Party pdf; archive pdf). The Working Party said:
During its 86th plenary meeting on 6 and 7 June 2012 in Brussels, the European data protection authorities, assembled in the Article 29 Working Party, adopted a working document on Binding Corporate Rules (BCR) for processors. This working document includes a full checklist of the requirements for BCR Processors and is designed both for companies and for data protection authorities.
The new initiative is based on the success of the BCR for controllers, companies’ expectations and the proposal to explicitly include BCR for controllers as well as processors in the future legislative framework of the European Union. […]
The Article 29 Working Party has already developed some tools to facilitate the use of BCR for controllers, intended to regulate the transfers of personal data that are originally processed by the company as controller (for example data relating to its customers, its employees, etc.).
With its new working document (WP 195), the Article 29 Working Party provides a checklist describing the conditions to be met in order to facilitate the use of BCR for processors (“BCR for third party data”). The checklist defines what must be found in BCRs, and what must be presented to DPAs in the BCR application. Similar guidelines already exist for BCR for controllers (WP 153).
The working document aims to meet the expectations of companies acting as data processors by giving them the possibility to make use of BCR in the context of international transfers of personal data, for example in the context of outsourcing activities or cloud computing.
The Article 29 Working Party will continue its work on BCR for processors by developing a European coordination procedure, similar to the existing procedure for BCR for controllers and by drafting an EU application form.