SaaS Agreements – Data Protection – Changes to BCRs

The Article 29 Working Party, which represents the European data protection authorities (DPAs), recently announced that data processors (i.e. SaaS suppliers) can now use binding corporate rules (BCRs) to transfer personal data outside the European Economic Area (EEA). Previously the use of BCRs was limited to data controllers (i.e. SaaS customers).

What are BCRs?

BCRs are a set of rules adopted within a particular company or corporate group that set out legally binding obligations in relation to data processing within a company or group which cover global data transfers of personal data. BCRs include amongst other matters, details of:

  • data protection policies;
  • commitments to data protection training;
  • data protection audits.

BCRs must be approved by a lead national data protection authority (DPA), typically determined by the location of the European headquarters of a SaaS supplier. Once the lead national DPA approves the BCRs they are then responsible for coordinating approval of the BCRs with all other DPAs across Europe.

Current Use of BCRs

Around 30 organisations currently have BCRs in place (e.g. eBay, BP and American Express).  By extending the use of BCRs to data processors SaaS suppliers may wish to review the possibility of using BCRs particularly in light of the proposed new Data Protection Directive.

Advantages for SaaS Suppliers

Under the Data Protection Act personal data cannot be transferred to countries outside of the EEA, unless the receiving country has adequate protection. To date only Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and Japan have been deemed “adequate”. Individual companies located in the USA are also accepted as having equivalent protections if they are registered under the Safe Harbor regime. This means that a transfer of data to any other country is not permitted, unless data subjects have given their consent.

The main advantage to SaaS suppliers of using BCRs is that they create a framework under which personal data can be transferred outside of the EEA without the need to negotiate the terms relating to data processing for each SaaS agreement with customers.

If a SaaS supplier has BCRs in place SaaS customers (data controllers) will be able to rely on these BCRs to show that they comply with their duties as a data controller under the Data Protection Act.

Disadvantages for SaaS Suppliers

The major obstacle to the use of BCRs is the time it takes to negotiate and agree their form with the DPAs. Some DPAs still require a permit to be issued before they will allow the transfer of data from that member state. There is also a considerable cost involved in obtaining the approval of the BCRs, as the whole procedure can last a number of years.

Alternatives to BCRs

For the reasons set out above most businesses do not currently use BCRs and choose one of the following options to overcome the obstacles to transferring data outside of the EEA:

  • Safe Harbor arrangement when transferring data to the USA;
  • model contractual clauses with data processors;
  • transfer to a country that is approved by the European Commission as having adequate levels of data protection in place i.e. New Zealand.
  • obtaining specific consent to the transfer from individuals via privacy policies.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles: