EDPB focuses on BCR-Cs: New recommendations 01/2022 for BCR-C sent for public consultation

In 2021 and 2022, many businesses in Norway were busy performing a Schrems-II assessment of their transfers of personal data to third countries, and transitioning to the modernised standard contractual clauses (SCC) issued by the EU Commission in 2021.

Recently, the EDPB adopted Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (BCR-C), which are open for public consultation until 10 January 2023. Once the recommendations have been finalized by the EDPB, those international groups of companies that rely on previously approved BCR-C will need to update BCR-C and underlying procedures and documentation, so that they meet the requirements of the EDPB’s new recommendations.

Binding Corporate Rules (BCR) provide a valid legal basis for the transfer of personal data from group companies established in the EEA to other companies in the same group that are established in third countries, or for similar transfers in a group of enterprises engaged in a joint economic activity. Data controllers falling within the geographical scope of the GDPR and wishing to use BCR for transfers of personal data to other controllers or processors within the same group that are established outside the EEA (BCR-C) and data processors and/or sub-processors in the EEA wishing to use BCR to transfer personal data to other processors and/or sub-processors within the same group outside the EEA (BCR-P) must, respectively, seek approval from the competent data protection supervisory authority. Several international groups of companies with operations in the EU/EEA, including those with a main establishment in Norway, have chosen to use BCR as a legal basis for transfers internally within the group because they deem BCR to be a more appropriate transfer tool for such transfers than standard contractual clauses (SCC).

On 14 November 2022, the European Data Protection Board (EDPB) issued new recommendations on controller BCRs ("BCR-C"), cf. Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in the Controller Binding Corporate Rules (Article 47 GDPR). These new recommendations are intended to repeal and replace, while in substance building on the previous recommendations and application form (WP264), as well as the previous table with the elements and principles to be found in the BCR-C (WP256 rev.01), and which were issued by the Article 29 Working Party, the predecessor of the EDPB.

The new recommendations 01/2022, which are open to public consultation with a deadline of 10 January 2023, include, among other things:

  1. a new application form for approval of BCR-C, and
  2. a new table where the applicant must insert references to the paragraphs/sections/parts of the BCR-C document, the BCR-C application and/or other supporting documents, that address the various requirements in the table that originate from the GDPR.

The structure and content of the new application form and the table are mainly based on the previous application form and table, but with some adjustments. Among other things, the BCR-C must contain a number of commitments whereby the BCR members, inter alia, specify and confirm that they will only use the BCR-C as a transfer tool when the requirements of the Schrems II judgment (delivered by the EU Court of Justice) are complied with. The BCR-C shall also contain an obligation for BCR members to document all Schrems II assessments and supplementary measures that were selected and implemented. They must also contain detailed obligations on data importers in third countries when such data importers receive a request from public authorities in their own third country (or from another third country) for disclosure of personal data that had been transferred on the basis of BCR-C.

The requirements in Recommendations 01/2022 must be complied with by both new BCR-C applicants as well as by businesses that have already had their BCR-C approved in accordance with the previous recommendations (WP264 and WP256 rev. 01).

"The EDPB expects all BCR-C holders to bring their BCR-C in line with the requirements set out below. This includes BCR-C that has been approved before publication of these Recommendations. [...]" (Recommendations 1/2022, paragraph 13)

The EDPB's Recommendations 01/2022 are open for public consultation, and all interested stakeholders can send comments to the EDPB by 10 January 2023. As is usually the process when recommendations are sent for public consultation, the EDPB are expected to finalise and publish the final version after taking into consideration the comments received. Groups of companies that already rely on approved BCR-C, as well as those with pending BCR-C applications, must be prepared to update their BCR-C and underlying routines and documentation, so that they meet the requirements of EDPB's Recommendations 01/2022.

The EDPB has also stated that a second set of recommendations for Binding Corporate Rules for processors (BCR-P) is currently being developed.

Our Data Protection Team has extensive experience both with assisting in drafting BCRs and complying with Schrems-II, and we are happy to assist businesses with ensuring compliance with these requirements.