First Data applies for processor BCRs

Just a month after the EU Article 29 Data Protection Working Party adopted its Working Document on Processor Binding Corporate Rules, First Data announced at the Privacy Laws & Business 25th Annual International Conference this week that it has submitted an application to the UK Information Commissioner’s Office for processor BCRs, making it the first organisation to do so.

The Article 29 Group’s endorsement of the process is welcome news for outsourcing and cloud computing service providers.

First Data, a global payment processing company, had its controller BCRs approved last November. Scott Singer, Partner at SNR Denton UK LLP, which assisted First Data in its application, said that processor BCRs will streamline their business even further by making processor-to-sub-processor data transfers much quicker and cheaper.

In addition, the company wanted to make a public statement that it applies the highest data protection standards to its operations. John Atkins, First Data’s Chief Compliance Officer, said: “Adding processor BCRs to our current ones will help First Data enforce a consistent high standard for protecting personal data throughout the organization, and will allow First Data to transfer additional personal data from the European Economic Area to its affiliates elsewhere in the world, thus increasing our efficiency and globalization efforts. This is a tremendous step forward.”

Tanya Madison Cunningham, Senior Counsel, Privacy, Regulatory Compliance & Technology at First Data, commented: “This is the next major step in the evolution of First Data’s data protection program and demonstrates the company’s continued commitment to our clients and their data.”

Processor BCRs mean that instead of having to use inflexible standard contractual clauses, data processors will be able to transfer the data they process on behalf of their clients throughout their global group. Processor BCRs are specific to the organisation and only require approval once.

The approval process is expected to be similar to that of data controller BCRs, with the exception that it is possible that the lead DPA could be any European Union DPA. The DPAs have still to finalise the arrangements, and will issue a standard application form and further guidance later.

Read more about processor BCRs in the next UK issue of PL&B Report, due to be published on 16 July.