On November 14, 2022, the European Data Protection Board (EDPB) adopted Recommendations on the application for approval and on the elements and principles to be found in Controller Binding Corporate Rules (BCR-C).
What are the BCRs?
BCRs are a data transfer tool that can be used by a group of undertakings, or a group of enterprises, engaged in a joint economic activity, for its international transfers of personal data from the European Union (EU) to controllers or processors within the same group of undertakings or enterprises outside of the EU. In this sense, BCRs are suitable for multi-national organisations making frequent transfers of personal data between group entities.
According to Article 46(2)(b) of the GDPR, BCRs are permitted safeguards for transfers of personal data to third countries. BCRs create a framework of policies and procedures implemented throughout the entities of the organizations, which include enforceable rights and commitments to establish an essentially equivalent level of protection to that guaranteed by the GDPR. BCR applications should meet the requirements set out in Article 47 GDPR for the relevant supervisory authority to approve the BCRs.
What do the recommendations bring?
The recommendations provide additional guidance on BCR-C applications, update the existing application form for the approval of BCR-Cs, and clarify the content required for BCR-C as stated in Article 47 GDPR. The recommendations also distinguish between information that must be included in a BCR-C form and information that must be presented to the relevant data protection authority.
The EDPB considers that the recommendations aim to level the playing field for all BCR applicants and align the current guidance with the requirements of the CJEU’s judgment in the Schrems II case.
The EDPB notes that recommendations for processor BCR are currently being worked on.
Stakeholders can contribute their comments on the recommendations until January 10, 2023.
Although this is a great development, it would also be important to improve the BCR approval process with data protection authorities (DPAs), since there is a great discrepancy between the various DPAs in the EU.
Does your organization have questions about binding corporate rules or international data transfers? Contact us, the Experts in Data Privacy at firstname.lastname@example.org for more information.