EDPB Recommendation 1/2022 – Binding Corporate Rules
By Mugurel Olariu, RPD (data protection).
At its meeting of 14.11.2022, the European Data Protection Board (hereafter EDPB) adopted, for public consultation until 10.01.2023, Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR).
The GDPR expressly provides for the use of Binding Corporate Rules (hereinafter referred to as BCR) by a group of undertakings or a group of enterprises engaged in a common economic activity (hereinafter referred to as the Group) for transfers of personal data within the meaning of Article 44 GDPR.
On 6 February 2018, the Article 29 Working Party (hereafter WP29) adopted a table of elements and principles found in the BCR to reflect the requirements related to the BCR (hereafter WP256 rev.01). EDPB approved WP256 rev.01 on 25 May 2018. These recommendations also repeal and replace WP256 rev.01, while essentially building on it.
On 11 April 2018, WP29 adopted Recommendations on the standard application for approval of binding corporate rules for the transfer of personal data (hereinafter referred to as WP264). The EDPB approved WP256 rev.01 on 25 May 2018. These recommendations repeal and replace WP264, while essentially building on it.
These recommendations are intended to:
√ Provide a standard form for the approval request for controller BCR (hereinafter BCR-C);
√ Clarify the necessary content of the BCR-C, as set out in Article 47 GDPR;
√ Distinguish between what must be included in the BCR-C and what must be presented to the BCR Lead Supervisory Authority (hereafter BCR Lead) in the BCR application; and
√ Provide explanations and comments on the requirements.
BCR-C are suitable for framing transfers of personal data from controllers that fall within the territorial scope of the GDPR under Article 3 GDPR to other controllers or to processors (established outside the EEA) within the same Group, while the BCR for Processors (hereinafter referred to as BCR-P) apply to data received from a controller that is not a member of the Group and which is then processed by the relevant Group members as processors and/or sub-processors.
Therefore, the obligations set out in the BCR-C apply to entities within the same Group acting as controllers and to entities acting as internal processors.
As for this last case, it is worth recalling that, in addition to the BCR-C, a contract or other legal act under Union or Member State law, binding on the processor with regard to the controller and comprising all the requirements set out in Article 28(3) GDPR, must be signed by each controller acting as data exporter with all internal processors. Indeed, the obligations set forth in the BCR-C apply to Group entities receiving personal data as (‘internal’) processors to the extent that this does not contradict the contract or other legal act entered into under Article 28(3) GDPR (i.e., Group members processing as processors on behalf of Group members acting as controllers should primarily abide by that contract).
EU data protection legislation applicable to Group members must be complied with and cannot be overridden by the BCR-C, unless the BCR-C voluntarily provide a higher level of protection.
In accordance with Article 46(2)(b) GDPR, the BCR constitute appropriate safeguards for transfers of personal data to third countries. The BCR create enforceable rights and establish commitments to ensure, for personal data transferred under the BCR, a level of protection essentially equivalent to that provided by the GDPR.
Therefore, it is not sufficient for the BCR-C to refer only to the provisions of the GDPR, and BCR-C applicants should rather express the requirements within their BCR-C.
BCR-C are subject to approval by the BCR Lead. In this regard, it is worth emphasizing the difference between the BCR Lead, which is competent to approve the BCR-C, and the supervisory authority that is competent for a particular transfer made by a particular controller under that BCR-C.
However, the approval does not include an assessment of whether each processing operation complies with all GDPR and BCR requirements. For example, each data exporter must ensure that the requirements set out in Article 6 GDPR (lawfulness of processing) and Article 28 GDPR (for transfers to processors), or any additional formalities specified by the national law of a Member State, if any, are fulfilled for each transfer. In addition, it is, for example, the responsibility of each data exporter to assess, for each transfer, on a case-by-case basis, whether supplementary measures need to be put in place to ensure a level of protection essentially equivalent to that provided by the GDPR. Such supplementary measures are the responsibility of the data exporter and, as such, are not assessed by the supervisory authorities as part of the BCR approval process.
The EDPB expects all BCR-C holders to bring their BCR-C in line with the requirements set out in the Recommendations. This includes BCR-C that were approved prior to the publication of these Recommendations. Such changes will need to be made in accordance with the commitments made in their own BCR-C, as described in the “Binding Nature of the BCR-C” section of the table presented in the Recommendations.