Title: Binding Corporate Rules: Spanish Perspective
1Binding Corporate Rules Spanish Perspective
- Conference on International Transfers of personal
data - Brussels, 23-24 October 2006
- José Luis Piñar Mañas- Director
- Spanish Data Protection Agency
2General PerspectiveInternational Data Transfers
from the EU
- Legal Basis
- Adequacy finding
- Article 26.1 Directive 95/46/EC
- Data Subjects will consent/contract
- Public interest
- Access to the information
- Article 26.2 Directive 95/46/EC
- Contractual clauses
- Binding Corporate Rules
3General PerspectiveInternational Data Transfers
from the EU
- Contractual Solution
- Decision 2001/497/EC 15th June 2001
- Decision 2002/16/EC 27th December 2001
- Basic principle
- In order to facilitate data flows from the
Community, it is desirable for data controllers
to be able to perform data transfers globally
under a single set of data protection rules. In
the absence of global data protection standards,
standard contractual clauses provide an important
tool allowing the transfer of personal data from
all MS under a common set of rules . (Commission
Decision 2004/915/EC)
4BCRs overview
BCRs are solutions adapted to the characteristics
of each company
- Main considerations
- Legal requirements
- Sustantive content
- Binding nature
- Formal procedural requirements
- Aplicability
- Role of art. 29 WP
- Documents
- WP12
- WP74
- WP107
- WP108
Coordination between the DPAs involved
5Spanish approach to BCRs
- Applicability in Civil Code systems in the
systems based in the Code Napoléonien, unilateral
statements are not binding. - Ex. Italy, France, Portugal, Spain.
- No complaints based in unilateral statements
fundamental right to data protection might be
deprived from adequate protection. - Solutions
- Contractual solution to include the BCRs in
the contract with clients or collective agreement
(staff data) - Legal solution. to legally state that BCRs are
complusory (french option)
6Spanish approach to BCRs
- Contractual Solution
- Inclusion of a specific clause in the collective
agreement (workers). General Electric example - Legal solution-future perspective- Draft
Regulation developing the LOPD - Provisions or internal rules on data protection
according to LOPD - Demonstration of BCRs binding nature following
the Spanish Law - In any case, the authorisation of the Director of
the AEPD will entail the applicability of
internal rules
7Spanish approach to BCRs
- Inclusion of a specific clause in the collective
agreement. The General Electric case
Processing the personal data of employees will
be governed by the Labour Standards on Data
Protection of GE. The employees will be afforded
the protection of the principles of data
protection, as well as the right to file
complaints or notify the company concerning
issues or breaches of this matter through the
procedures provided in the Labour Standards on
Data Protection of GE, and according to
the Spanish Law in force on data protection"
8Procedure
- 3rd country with adequacy
- finding
- Exceptions (art. 34 LOPD)
Notification to the General Register (AEPD)
Inscription of the transfer In the General
Register
Data Transfer
Authorization from the Director of the AEPD
- Adequate safeguards
- Contractual clauses
- Binding corporate rules
9Final considerations Are the BCRs beneficials?
- To the company
- Flows of information became easier
- They are an added value
- To the citizens
- Their rights became public
- Dynamic procedures to exercise these rights
- To the society
- Companys involved in the promotion of the data
protection culture - Colaboration with the DPAs
10(No Transcript)