UK: Transferring Personal Data from the E.U.: Are Binding Corporate Rules the Answer?

Last Updated: 28 June 2005
Article by Mark Watts

This article was first published in International Data Transfer, a Special Report by BNA International

The restrictions imposed by Article 25 of the Data Protection Directive (95/46/EC) on organisations transferring personal data out of the European Economic Area aren’t new. Indeed, few, if any, data protection issues have attracted as much attention as those presented by Article 25. Its provisions needn’t be set out again here; suffice to say, nearly ten years after its restrictions first appeared, transferring personal data out of the EEA is not a straightforward matter; far from it.

The organisations most affected by Article 25 are probably the multinationals. Today’s trend towards globalisation makes it increasingly common for multinationals to have processes, management-lines, and internal information systems – and so too data transfers – that cross country borders, both inside and outside the EEA. The impact of restrictions on such transfers can be acute, as potentially they represent powerful limitations on the deployment of internal technological solutions, restrictions on the cost savings that can result from consolidating standalone country IT systems and restrictions on pan-global (or "dotted") management lines. Most multinationals understand and appreciate the importance of safeguarding individuals’ personal data overseas, yet desire a simple but robust, effective but low-formality solution, something that enables lawful transfers of personal data but also fits the complexity of their corporate structures.

Methods for Transferring Personal Data Overseas

Until recently, a multinational seeking to transfer personal data around the world, broadly speaking, had three options available to it, namely, acquiring the fully-informed and freely‑given consent of everyone about whom it transferred personal data, implementing a network of contractual arrangements between its various country legal entities, or, in respect of transfers to the United States (only), entering the EU-US Safe Harbor. No one "solution" is perfect. (Please note that whilst there are other exceptions under the Directive that allow personal data to be transferred, these are generally considered to be too narrow in scope to meet the day-to-day needs of a typical multinational).

Individual Consent

With regard to a solution based on individual consent – the most popular solution according to some industry surveys – the drawbacks are significant. "Business-to-business" multinationals, for example, are likely to acquire personal data about thousands of individuals, such as business "contacts" and yet not deal with the individuals directly, so preventing their consent being obtained or requiring it to be collected only "indirectly" via the individual’s colleagues or his employer, which is unlikely to be effective. In relation to personal data a multinational processes about its employees, consent is also problematic. Depending on the nature and scope of the consent sought, some employees – perhaps many – may refuse their consent. The multinational must then either ignore their refusal of consent and transfer their data anyway, a risky strategy, or provide an alternative means of processing that does not involve transferring their data out of the EEA – expensive or perhaps impracticable. And even if all employees everywhere did miraculously consent, much has been made of the validity of consent from existing (as opposed to a prospective) employees. It’s argued that an employee who is asked to consent to the transfer of his personnel record to, for example, the United States is unlikely to say no to his employer, even though experience has shown that some do. Is consent really "freely-given" in these circumstances? Also, to be valid, shouldn’t consent be capable of being withdrawn? A consent-based solution seems to be the one least favoured by Data Protection Regulators too, as unlike other solutions, it does not require data protection measures to be applied in the destination country, nor does it require continuing liability for the multinational in respect of the personal data transferred.

Model Contracts

A contractual solution also has its problems. A multinational may implement a contractual solution using its own terms and conduct a "Tour of Europe" to acquire (hopefully) the authorisation of each of the various EEA Data Protection Authorities. Alternatively, to avoid this exercise, it can adopt the European Commission Model Contracts, which first appeared in 2001. The original EU Controller-to-Controller Model Contracts did not prove popular with industry. The EU Controller-to-Processor Contract fared better but much has been said about their contents – the onerous level of detail required in both, "joint and several" liability between the data exporter and data importer under the Controller-to-Controller Contract, and the vagaries of certain key terms, such as "factually disappeared" under the Controller-to-Processor version. Many of the substantive problems associated with the 2001 version of Controller-to-Controller Contract have been lessened by the approval of the "ICC Clauses", which finally saw light of day in December 2004. In particular, the joint and several liability provisions have been replaced by a "due diligence" obligation on the data exporter, which business should prefer, particularly in an "arms length" transaction.

But the main difficulty arises not from the contents of the agreements but the sheer numbers and complexity involved in implementing a comprehensive contractual solution in a multinational. Take, for example, a multinational with 200 companies worldwide, each in a different country, each sharing personal data with its counterparts, perhaps via a shared IT infrastructure. Contractual arrangements need be put in place between each and every pair of companies. The administration involved soon becomes unwieldy – 19,900 contracts here. And whilst legal tricks can be used to minimise the number of actual bits of paper signed to create this "web" of contracts, the admin headache for a multinational implementing the web should not be underestimated. At some point in the future, the multinational is bound to acquire another company, requiring the whole web to be updated; more bits of paper, more headaches.

Safe Harbor

What of the EU-US Safe Harbor? Viewed in terms of formality alone, the EU-US Safe Harbor is perhaps the most attractive of the solutions available, although it is only available in respect of transfers of personal data to the United States. It also excludes certain important categories of personal data, such as that processed within the financial services sector. Moreover, many multinationals, particularly those with a US-based parent, have been put off joining for fear of increased scrutiny of their parent company by the US Federal Trade Commission. Also, being a politically "negotiated" document, many of the Safe Harbor Principles (and accompanying FAQs) include language that arose out of political compromise rather than a quest for legal certainty and clarity. Different interpretations are possible. Whilst the number of multinationals signed up to Safe Harbor continues to increase, progress is slow and steady. There’s no gold rush, largely for the reasons outlined.

All of these options fall short of providing a real and workable solution for a multinational struggling to do the right thing.

Binding Corporate Rules

So it was with the aim of overcoming many of these difficulties that the Article 29 Data Protection Working Party (the body set up under the Data Protection Directive, comprising representatives from each of the Member State Data Protection Authorities) adopted a paper on June 3, 2003, discussing another means of "adducing adequate safeguards" under Article 26(2), a means that has become known as "Binding Corporate Rules". Binding Corporate Rules refers to the sorts of internal codes of conduct, policies, directives and the like that multinationals use to govern themselves internally on matters such as handling confidential information, business ethics and other similarly important corporate affairs. Such policies, directives, codes and similar unilateral undertakings can be thought of as internal "law" within the multinational (occasionally, one even hears the word "lore" used). Can such documents deliver "adequate safeguards" under Article 26(2)? Yes, according to the Working Party Paper, subject to meeting certain stringent requirements.

Much of the content required of Binding Corporate Rules is as would be expected. The Working Party Paper reaffirms that the "usual" data protection principles need to be included, much as under EEA data protection legislation, the EU-US Safe Harbor and both sets of EU Controller-to-Controller Model Contracts. More detail and explanation is required to ensure compliance under Binding Corporate Rules though, particularly by parts of the multinational that operate in countries without a data protection law or culture. The principles should be tailor-made so that they practically and realistically fit with the processing activities that the multinational actually carries out.

Perhaps most importantly, the Binding Corporate Rules must be binding both "inside and out", referring to the requirement that the multinational must be bound both in practice (compliance) and in law (legal enforceability). They must deliver a real and ensured legal effect throughout the multinational.

Here, "binding in practice" or compliance means that all companies of the multinational, as well as their employees, feel compelled to comply with the Binding Corporate Rules; that is, they must respect this internal "law". The Working Party Paper does not stipulate how multinationals should guarantee compliance but states that the binding nature of the rules must be clear and good enough to be able to guarantee compliance with the rules outside the EEA. A multinational must be able to demonstrate, for example, that the rules are known, understood and effectively complied with wherever they apply by employees who have received appropriate training. Disciplinary measures should be in place for non-compliance. Executive-management must be involved to oversee and ensure compliance.

As with every other transborder dataflow solution (except consent, strictly speaking), auditing compliance has an important role to play. Binding Corporate Rules must provide for self-audit (i.e. internal audit) and/or external supervision by accredited auditors on a regular basis, with the results being directly reported at board level. The Data Protection Authorities may become involved in this aspect too, as part of a broader commitment by the multinational to co-operate with them.

The Working Party Paper also recognises that even with fully-enforceable legal rights, as described below, litigation can be disproportionately expensive and burdensome for an individual, particularly if it has to be conducted overseas. Multinationals are encouraged to incorporate other means of complaint handling, and the use of alternative dispute resolution mechanisms is promoted.

As well as being binding internally, Binding Corporate Rules must be binding "outside", that is, legally enforceable between the multinational and the outside world – the outside world being the EEA’s Data Protection Authorities and data subjects (the individuals about whom personal data is processed). A Data Protection Authority should be able to achieve legal enforceability of its rights and powers under the Binding Corporate Rules fairly simply, for example, via the process of granting an authorisation under Article 26(2) (and its national law equivalent). It will require an unambiguous undertaking that the multinational as a whole and each of the companies within it will abide by the "advice" of the Data Protection Authority. Some multinationals have expressed concern about the meaning of "advice" in this context. For example, the same language is used in connection with the EU-US Safe Harbor, where it may include a requirement to compensate individuals affected. The Working Party Paper also states that their "advice" may be made public.

For the data subject, legal enforceability will require them to become "third party beneficiaries" via some means, either through the legal effect of the Binding Corporate Rules themselves (where possible) or the Binding Corporate Rules in combination with other contractual arrangements within the multinational. Data subjects need to be able to enforce compliance both by lodging a complaint before the competent Data Protection Authority and/or by commencing legal proceedings before a competent court.

The remedies available to data subjects under Binding Corporate Rules should be broadly the same as under the EU Controller-Controller Model Contracts. Giving individuals such broad legal rights is regarded as undesirable by some multinationals. They argue that provided sufficiently high levels of internal compliance are achieved, together with a commitment to co-operate with the Data Protection Authorities, there should be no need for legal enforcement measures quite so far reaching. But legal enforceability is clearly an area to which the Working Party attaches great importance, and there’s nothing new there (see, for example, the similar remarks it made about "appropriate redress" in its 1997 paper, "First Orientations on Transfers of Personal Data to Third Countries"). Giving data subjects the right to seek judicial remedies is justified in two ways in the Working Party Paper. Firstly, because even the firm commitment required from multinationals to co-operate with the Data Protection Authorities cannot guarantee 100 percent compliance and the individuals concerned may not always agree with the views of the Data Protection Authority. Secondly, because the views of the Data Protection Authorities may vary from country to country and none of them are able to award damages as a remedy; only courts can do that. Given these remarks, it’s hard to see how Binding Corporate Rules that don’t provide individuals with judicial remedies could now be approved by an EEA Data Protection Authority. And here’s the rub. The laws of some EEA countries do not enable third party beneficiary rights or binding obligations to be created by unilateral undertakings alone. In other words, the legal theories required for Binding Corporate Rules acceptable to the Working Party may not apply EEA-wide or perhaps even exist at all in some EEA countries. A patchwork of legal theories tailored to various country laws seems more likely, possibilities including theories based on unfair trade practices, the law of trusts, the law of misrepresentation and misleading advertisement, employment and consumer protection laws. From a legal point of view, finding a sufficiently good means of "legally-bindingness" unilaterally in all EEA countries is probably the biggest obstacle to the widespread adoption of the Binding Corporate Rules. Many multinationals are using hybrid BCR/contractual approaches, which, of course, isn’t going to free them of the admin headaches described above.

The Working Party Paper also deals with some of the "structural" issues unique to multinationals. It recognises them as mutating groups of entities whose members and practices change from time to time and acknowledges that updates to both the Binding Corporate Rules and the list of entities they apply to will need to be made over time. Updates are allowed under a Binding Corporate Rules solution (without the multinational having to reapply for a new authorisation) under the following conditions:

  • no transfer of personal data is made to a new group member until it is effectively bound by the rules and can deliver compliance;
  • a fully updated list of members is maintained by the multinational along with a record of any updates to the rules, which should be made available to individuals or Data Protection Authorities upon their request;
  • changes to the list of members and/or the rules are reported annually to the relevant Data Protection Authority, together with a brief explanation of the reason for the change.

For larger multinationals, even maintaining such a lengthy list may be problematic, although it should be easier than constantly updating an entire contractual solution.

The Working Party Paper recognises that even if EEA-based data subjects are provided with legally enforceable rights against, say, a multinational’s Venezuelan operating company, in practice, exercising such rights is likely to be prohibitively complicated and/or expensive. It recommends that the EU headquarters (if an EU-owned multinational) or an EU member of the multinational with delegated data protection responsibilities should accept responsibility for the acts of all other companies of the multinational outside the EEA. This would include, where appropriate, making a commitment to pay compensation for any damages resulting from the relevant violation anywhere outside the EEA. Intriguing, and not present in either the Model Contracts or the EU-US Safe Harbor, is the requirement that the burden of proof falls on the EU headquarters or delegate in such circumstances to establish that the individual’s loss was not a result of the multinational’s company overseas. In its initial request for an authorisation of the Binding Corporate Rules under Article 26(2), the multinational must include evidence that the EU headquarters (or its EU delegate, as the case may be) has sufficient assets within the EEA to cover payment of compensation for breaches of the Binding Corporate Rules, or that it has taken measures to ensure that it would be able to meet such claims, such as, for example, taking out appropriate insurance.

Recent Developments

The most recent development regarding BCRs is the Article 29 Working Party’s adoption on 14th April 2005 of two papers dealing with the procedural aspects of obtaining approvals for a BCRs approach from all of the Data Protection Authorities across the EEA.

The first paper, entitled "Working Document Establishing a Model Checklist Application for Approval of Binding Corporate Rules", describes the features of the BCRs approach that should be included in any application to a Data Protection Authority. It also lists the factors to be considered by a multinational when deciding which country’s Data Protection Authority to apply to. For multinationals whose ultimate parent or operational headquarters is located in a member state of the European Union then the "lead authority" should be the authority in that member state. Multinationals having their ultimate parent or operational headquarters outside the EU should apply various factors in determining who is the lead authority. Priority is given to the Data Protection Authority of the member state where the multinational’s European Headquarters is located.

In setting out the detail of the application the checklist requires certain specifics of the arrangements described above to be included. In particular, details of the "internal bindingness" of the BCRs need to be set out. Unfortunately, some of the thrust of the June 2003 Working Party Paper – that, internally, what matters is practical compliance rather than giving wholly-owned subsidiaries a legally-enforceable right to sue each other – appears to have been lost, or at least diluted. The checklist refers to unilateral declarations not being regarded as binding in some member states, which suggests that subsidiaries actually need to be legally bound, notwithstanding that wholly owned subsidiaries are hardly going to sue each other. (By contrast, creating third party beneficiary rights that are legally enforceable externally is a clear requirement of the original Working Party Paper). The problem is that while creating enforceable third party rights in favour of the outside world – Data Protection Authorities and data subjects – is relatively straightforward, even using unilateral declarations, imposing legally-binding (as opposed to practically-binding) obligations on group companies unilaterally is far more difficult. It is this that has led some multinationals to bolster their BCRs with a contractual framework. Back to those admin headaches…

The second, shorter Working Party Paper describes the cooperation procedure to be followed by Data Protection Authorities upon receiving a request for BCRs approval. The first part of the procedure, which may take up to a month, focuses on establishing that the Data Protection Authority to which the request for an authorisation was made is the most appropriate to handle it. Once that’s established, the applicant holds discussions with that lead authority, which result in a "consolidated draft", which is then circulated to all Data Protection Authorities in countries from which transfers may take place. Their comments are subsequently fed into a "final draft", which is resubmitted by the multinational, leading to confirmation from each of the Data Protection Authorities that they are satisfied as to the adequacy of the safeguards proposed. Simple. Well, hopefully.

The possibility of relying on Binding Corporate Rules, and avoiding many of the drawbacks of other approaches, has been met with excitement by data protection practitioners and warmly welcomed in principle by many multinationals. Several are already a long way down the road towards developing and implementing a BCRs solution. Concerns remain, however, that the approach may still be too formalistic and that many of the provisions required are too onerous or simply "too difficult", particularly in terms of using unilateral declarations to create enforceable legal rights and obligations internally. The early signs are promising, however. Many multinationals are adopting the approach. Some have already had local "approvals" and are in discussions with Data Protection Authorities across the EEA using the procedure described above. It is to be hoped that, finally, after so many years, a realistic and "multinational friendly" approach to Article 25 of the Data Protection Directive will be available before too much longer.

But BCRs are not for everyone

While the BCRs approach is achieving some popularity – fashionability! – amongst multinationals, it’s not an approach that lends itself to transfers of personal data amongst groups of entities whose affairs aren’t so closely aligned and hierarchical as those of the multinational. The Working Party Paper states that BCRs "are very unlikely to be a suitable tool for loose conglomerates of legal entities". The diversity between the members of such loose conglomerates and the broad scope of their processing activities would make it very difficult (if not impossible) to meet the requirements for BCRs that the Working Party Paper sets out. Examples of such loose conglomerates would include all manner of commercial and non-commercial arrangements: complex joint ventures; international trade associations; charitable organisations; any grouping of entities that share personal data.

Nor is a BCRs approach appropriate in connection with transfers of personal data in "arms length transactions", such as companies entering into joint marketing arrangements or a party outsourcing its IT operations or another business process that involves data processing. That the providers of outsourcing services are often based in low-cost countries, such as India or China, not regarded as "adequate", has been particularly newsworthy recently. Even in the United States, which remember only has a few sector-specific data protection laws itself, data protection concerns have even been cited by politicians as reasons why data processing should not be "offshored" to India or China.

So when a BCRs approach isn’t a viable option for protecting personal data overseas what is?

Perhaps the first thing to consider is in what capacity is the recipient acting? In data protection terms, is the recipient a "Controller", a party that will exercise "control" over the data provided by determining the purposes and means for which it is processed, or a "Processor", a party that will only process the data it receives on behalf of, and in accordance with the instructions of, the party providing the data (the "original" Controller)? Of course, this issue arises whether or not the recipient is based in a country to which transfers of personal data are restricted by Article 25 and even when the recipient is in the same country as the Controller (or even the same building), but it can influence the parties’ choice of transborder dataflow solution when the proposed transfers are restricted by Article 25.

Take, for example, a joint marketing "partnership" where two parties, one based in the EEA, the other based in the US, collect consumers’ e-mail addresses and other personal data on their websites both to run their own marketing campaigns and to share the data with its "partner" so it can run its own marketing campaigns. As consumer consent is likely to be required anyway to allow use of the data for marketing and its sharing with a third party, wouldn’t also obtaining consent to the transfer of personal data to the US be the preferred solution, provided it is sufficiently unambiguous, fully-informed and freely-given? Although a joint marketing arrangement is likely to involve a contract between the two parties anyway, so consent wouldn’t avoid any contracting formalities, it at least would remove the need to incorporate the EU Model Clauses for Controller-to-Controller transfers, either the original "2001 Clauses" or the recent ICC Model Clauses and the liability-sharing and due-diligence requirements (respectively) that using them would introduce. If consent isn’t possible, say, because an existing marketing list is being shared, then the ICC Model Clauses would probably be the way to go.

By way of contrast, consider the typical "offshoring" situation. In all but a minority of business process outsourcing situations, the service provider (the importer of the personal data) merely acts as a Processor. In order to provide the service provider with the personal data lawfully the Controller must ensure that it has a contract in writing with its Processor that satisfies the requirements of Article 17 of the Directive (as implemented by the various EEA Member States). And if an "Article 17" data protection contract needs to be implemented anyway, wouldn’t it make sense to use a contractual solution to enable the offshore transfers, such as the Model Clauses for Controller-to-Processor transfers?

Another twist that can influence how transborder dataflows are handled is where the exporter and importer are in the pharmaceutical sector, perhaps exchanging clinical trials data collected about patients. While ordinarily, one would consider consent, or a contractual solution, where the importer is located in the US, it may be worth reconsidering the EU-US Safe Harbor, FAQ 14 of which provides assistance with certain pharma-specific data protection issues, such as ensuring that a patient is not able to jeopardise a clinical trial by using their right of subject access to find out whether they are receiving the active drug or the placebo.

It seems inevitable that for large complex multinationals, Binding Corporate Rules will become the preferred approach to handling internal transborder dataflows long term. Where BCRs aren’t appropriate, Consent, Safe Harbor and Contractual Solutions will need to be considered. When choosing which to use, it’s all too easy to let the tail wag the dog. Data exporters should put aside the question of transborder dataflows and consider what they need to do to comply with EU law in any event. In most situations, if consent or a contract is necessary then extending them to cover transfers too – adding more detail about the proposed transfers, or incorporating additional clauses – is likely to be the way to go.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.


Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.