
On 10 May 2019 Blackboard submitted our Binding Corporate Rules (BCRs) for authorisation to the Dutch Data Protection Authority (DPA).


We announced this exciting achievement at TLC Europe and in a Blackboard Blog post. The following article provides more details on what the BCRs are, what our BCRs cover and why we chose to submit them.


What are BCRs?

 

BCRs were developed by the EU Article 29 Working Party (now the European Data Protection Board) to allow multinational organisations like Blackboard to adequately protect the personal information that is transferred to or accessed from countries outside the EU/European Economic Area (EEA). Since the introduction of the GDPR, the BCRs are explicitly recognised as an EU data transfer mechanism (Art. 47 GDPR). The BCRs are an alternative transfer mechanism to the EU-US Privacy Shield (for which Blackboard is certified) and the EU Standard Contractual Clauses (“model clauses”).

 

The BCRs need to be legally binding, give individuals enforceable rights (“third party beneficiary rights”) and the applicant organisation needs to demonstrate that it has implemented the necessary best practice data privacy requirements such as governance, training, security, privacy by design and assisting with individual rights requests.

 

What do our BCRs cover?

 

With the help of our law firm Bristows, we submitted both controller and processor BCRs. This means that our BCRs will apply to both the transfers of client personal information (processor BCRs) and transfers of our Blackboard personal information such as our HR data (controller BCRs).

 

Once authorised, the BCRs will protect any personal information that is subject to the GDPR and will apply to all transfers of such personal information within the group of Blackboard companies. Onward transfers to our vendors will be protected by appropriate language in our data processing agreements, which flow down the GDPR and BCR requirements, but such transfers are not directly covered by the BCRs.

 

Why BCRs?

 

Blackboard is EU-US Privacy Shield certified, which (in combination with our Intra-Group Agreements) already allows us to transfer client personal information to the US and other countries outside the EU/EEA. So why implement BCRs? First of all, the BCRs are considered the most robust data transfer mechanism, and we wanted to give our clients the best protection available when we transfer their personal information. Secondly, implementing the requirements of the BCRs is quite easy for us since we already have a strong data privacy program with all the elements that BCRs require (policies, governance, training, privacy by design, etc.). Given that BCRs not only focus on data transfers but review and authorise a company’s data privacy program more holistically, our BCRs will also provide additional assurance about the strength of our program. And last but not least, the BCRs are also a good foundation for obtaining any data privacy certification in the future.

 

What are the changes for me as a client?

 

There will be little change that will directly impact our clients. The key changes are happening at Blackboard with the implementation of an additional BCR policy, and (minor) updates to our internal Global Data Privacy Policy and our Client Data Standard. However, once the BCRs are authorised, we will also include the required language updates in our Data Processing Addendum with our clients.

 

What is the status of Blackboard’s BCRs?

 

Now that we have submitted our BCRs to the Dutch Data Protection Authority (DPA) for authorisation, the Dutch DPA, as the lead supervisory authority, will coordinate the review and authorisation with the other EU data protection authorities. We therefore have to wait for the review and questions of the DPA and will use the Community pages to provide updates on the progress of the authorisation process.

One key requirement under the GDPR is that "data controllers" and "data processors" need to have a contract in place. This contract needs to include mandatory provisions. We have just published a client bulletin on Behind the Blackboard to explain our approach to this requirement and include a summary below.

 

Blackboard already updated its standard Data Processing Addendum (“Addendum”) last year with all required provisions, to assist clients in meeting their legal obligations. We have now created an approach to ensure that clients can benefit from the Addendum automatically in each of the contractual scenarios outlined below.

 

Scenarios

 

| Scenario | Contract in place | Current situation | Solution |
|---|---|---|---|
| 1 | Blackboard’s current version of the master agreement | Our GDPR-ready Addendum is already automatically incorporated by reference | The GDPR-ready Addendum already applies and will continue to apply. |
| 2 | Specifically negotiated agreement with GDPR provisions (e.g. based on client's documentation) | The contract and/or data processing addendum will include the required GDPR provisions. | Clients can rely on the GDPR provisions they negotiated with us. These will continue to apply. |
| 3 | Older versions of Blackboard’s master agreement | May not automatically incorporate our GDPR-ready Addendum | The GDPR-ready Addendum will automatically apply. |
| 4 | Specifically negotiated agreements without GDPR provisions | Do not include required GDPR provisions. | The standard Addendum will automatically apply.* |

 

  *For Scenario 4, we consider our standard Addendum as the minimum contractual data privacy terms to apply. If clients have a specifically negotiated agreement with us with data privacy provisions that are more favourable to them and which do not conflict with the required GDPR provisions in our Addendum, we will consider those data privacy provisions applicable as well.


GDPR white paper published

Posted by sgeering Apr 4, 2018

We have just today published our white paper on the EU General Data Protection Regulation with lots of helpful information. It provides an overview of the changes and the myths around the GDPR, explains our implementation approach and details how our product enhancements will support your organisation.

 

You can download the GDPR white paper here.

We published a Blackboard Blog post on the importance of privacy by design and accountability in today's data-driven world.

We created this group to more actively share updates from Blackboard on data privacy and security and hopefully create many great discussions between the Blackboard users on these topics.

 

We will use this group to make you aware of important industry and regulatory developments, provide updates about our data privacy and security programs and alert you to beneficial events and webinars.

 

We hope this will be an interactive and thriving group, so please engage and post your questions and discussion topics.

 

But please do not use this group to submit requests that require a legal review or, if you are a client, that a case be opened. Additionally, please do not use this group to submit potential security bugs.

 

For any legal data privacy questions or issues, please contact us at privacy@blackboard.com. For potential security bugs, please contact LearnSecurity@blackboard.com. For issues related to your specific implementation of a Blackboard product, please follow the standard client support process to submit a case.

 

[Last update: 9 October 2019]