On 10 May 2019 Blackboard submitted our Binding Corporate Rules (BCRs) for authorisation to the Dutch Data Protection Authority (DPA).
We announced this exciting achievement at TLC Europe and in a Blackboard Blog post. The following article provides more details on what the BCRs are, what our BCRs cover and why we chose to submit them.
What are BCRs?
BCRs were developed by the EU Article 29 Working Party (now the European Data Protection Board) to allow multinational organisations like Blackboard to adequately protect the personal information that is transferred to or accessed from countries outside the EU/European Economic Area (EEA). Since the introduction of the GDPR, the BCRs are explicitly recognised as an EU data transfer mechanism (Art. 47 GDPR). The BCRs are an alternative transfer mechanism to the EU-US Privacy Shield (for which Blackboard is certified) and the EU Standard Contractual Clauses (“model clauses”).
The BCRs need to be legally binding and give individuals enforceable rights (“third party beneficiary rights”). The applicant organisation also needs to demonstrate that it has implemented the necessary best practice data privacy requirements, such as governance, training, security, privacy by design and assisting with individual rights requests.
What do our BCRs cover?
With the help of our law firm Bristows, we submitted both controller and processor BCRs. This means that our BCRs will apply to both the transfers of client personal information (processor BCRs) and transfers of our Blackboard personal information such as our HR data (controller BCRs).
Once authorised, the BCRs will protect any personal information that is subject to the GDPR and will apply to all transfers of such personal information within the group of Blackboard companies. Onward transfers to our vendors will be protected by appropriate language in our data processing agreements, which flow down the GDPR and BCR requirements, but such transfers are not directly covered by the BCRs.
Blackboard is EU-US Privacy Shield certified, which (in combination with our Intra-Group Agreements) already allows us to transfer client personal information to the US and other countries outside the EU/EEA. So why implement BCRs? First of all, the BCRs are considered the most robust data transfer mechanism and we wanted to give our clients the best protection available when we transfer their personal information. Secondly, implementing the requirements of the BCRs is quite easy for us since we already have a strong data privacy program with all the elements that BCRs require (policies, governance, training, privacy by design, etc.). Given that BCRs not only focus on data transfers but also review and authorise a company’s data privacy program more holistically, our BCRs will provide additional assurance about the strength of our program. And last but not least, the BCRs are also a good foundation for obtaining any data privacy certification in the future.
What are the changes for me as a client?
What is the status of Blackboard’s BCRs?
Now that we have submitted our BCRs to the Dutch Data Protection Authority (DPA) for authorisation, the Dutch DPA, as the lead supervisory authority, will coordinate the review and authorisation with the other EU data protection authorities. We therefore have to wait for the review and questions of the DPA and will use the Community pages to provide updates on the progress of the authorisation process.