On the 16th of November 2022, the European Data Protection Board (“EDPB”) adopted Recommendations 1/2022 (the “Recommendations”) on the application for approval and on the elements and principles found in Controller Binding Corporate Rules. The EDPB’s Recommendations are open for feedback from the public with submissions to be made by 10 January 2023.
The Recommendations will repeal and replace the EDPB endorsed Article 29 Working Party Recommendations on the Standard Application for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data (WP264).
Binding Corporate Rules approved under the EU GDPR (the “EU BCRs”) are legally binding terms and a transfer tool that can be used to transfer data outside the EU to:
- controllers or processors within the same corporate group; or
- group of undertakings or group of enterprises engaged in a joint economic activity.
Article 46(2) of the EU GDPR recognises the EU BCRs as an adequate safeguard for making restricted transfers of personal data. The EU BCRs set out the obligations to establish a level of data protection which is essentially equivalent to the EU GDPR one.
The Recommendations’ focus is:
- clarifying the content of the EU BCRs and providing additional guidance;
- ensuring a level playing field for all EU BCRs applicants;
- provide an updated standard application form for the approval of BCRs;
- making a distinction between what must be included in the EU BCRs and what must be presented to the EU BCR lead data protection authority in the EU BCR application;
- providing an updated standard application form for the approval of EU BCRs. The EDPB has updated and merged the existing EU BCRCs referential with the application form for EU BCRs; and
- bringing the existing guidance in line with the requirements under the Schrems II.
Find the EDPB press release and the version of the Recommendations for public consultation here.
The EDPB confirmed that separate recommendations for EU BCRs for processors are currently being developed.
Please contact Jose Saras if you have any questions about the above.
The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.