The Information Commissioner decided last week that Philips' binding corporate rules (BCR) were sufficiently robust to justify an authorisation for Philips to share the personal data of employees and clients within the Philips group internationally. The Data Protection Act 1998 restricts the transfer of personal data outside the EEA unless certain minimum requirements are met (eg using authorised BCR, using standard model contracts, obtaining the consent of data subjects, or otherwise ensuring "adequate" protection for the rights of the data subjects - see here for further information).
We previously reported on the decision to authorise GE to share data. Given the publicity BCR have received, it is perhaps surprising that there remain only two BCR authorisations from the Information Commissioner to date. Note also that the authorisation only applies to the extent that Philips' international data transfers are within the jurisdiction of the Information Commissioner - Philips will now have use the UK authorisation to apply for approval from the other relevant EU jurisdictions from which it transfers data internationally using the so-called "co-operation procedure".
Comments