On 20 June 2023 the European Data Protection Board (EDPB) adopted Recommendations 01/2022 on the application for approval and on the elements and principles to be found in Controller Binding Corporate Rules (BCRs or, more specifically, BCR-C, Art. 47 GDPR).

The decision to update some of the principles and guidelines for obtaining approval of BCRs by corporate groups acting as data controllers was driven mainly by the game-changing decision of the European Court of Justice (ECJ) of July 2020 on international personal data transfers, the well-known Schrems II ruling. That decision invalidated the Privacy Shield and led to the adoption of a new set of Standard Contractual Clauses (SCCs). The new SCCs were followed by EDPB recommendations on assessing the supplementary measures required to ensure an essentially equivalent level of protection for EU-originating personal data in the destination country.

According to the EDPB recommendations (Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Version 2.0, adopted on 18 June 2021), regardless of the transfer tool adopted to transfer personal data, controllers should ensure that the transferred personal data will benefit from an essentially equivalent level of protection. Hence, BCRs are not excluded from the obligation to perform transfer impact assessments (TIAs).

The updates concern not only the additional safeguards on third-country transfers, but also other requirements that the corporate group must take into account when applying for BCR-C approval.

The recommendations introduce many updates both to the application form and to the elements and principles to be found in the BCR-C.

What are the main items updated by the EDPB in the BCR approval recommendations?

Updates to the application form

The application form structure has been considerably simplified, but the main elements to be outlined in order to present an application for BCR-C approval are still there: applicant information, a short description of the processing and data flows, and the determination of the lead supervisory authority (‘BCR lead’). However, there is an interesting final section, the so-called “Acknowledgment”, where the applicant declares that:

  • the approval does not include an assessment of whether each processing operation is in line with all requirements of the GDPR and the BCRs as applicable, and each BCR member needs to ensure that all requirements set out in the GDPR and the BCRs, as applicable, are met for each transfer;
  • the exporters commit to verify (with the support of the importer member) that every transfer to an importer country has been made following an assessment of whether the legislation of the third country of destination prevents the recipient from complying with the BCRs and, if this is the case, which supplementary measures can be implemented to ensure an essentially equivalent level of protection for personal data at the destination member as provided in the EU; and
  • if no supplementary measures are effective and an essentially equivalent level of protection as provided in the EU cannot be ensured, the transfer will not be considered lawful.

In short, there is a “TIA” commitment underlying the transfers covered by the BCRs within the company group.

Updates to the elements and principles

The main elements that can be identified as critical updates in the new BCR referential are the following:

Binding nature of the BCR-C

The instruments allowed to demonstrate that the BCRs are binding on the entities of the group and on their employees are specifically listed in the guidelines. For the entities, they are an intragroup agreement, a unilateral declaration (provided that specific requirements to demonstrate responsibility and bear liability are met), or other means proving the binding character of the BCRs. For the employees, they are agreements with sanctions (individual or collective), specific clauses in the employment contract, internal policies with sanctions, or other equivalent means.

Third-party beneficiary rights, rights to judicial remedies, responsibility and liability

The new guidelines reinforce the obligations of the company group to grant data subjects their rights and to enable them to enforce those rights on a number of aspects. In addition to the rights conferred under Chapter III GDPR, it should be possible for data subjects, as third-party beneficiaries, to enforce the BCRs in relation to local laws and practices affecting compliance with the BCR-C and in case of government access requests, to obtain information about any update of the BCR-C and of the list of BCR members, and to claim the right to judicial remedies, redress and compensation.

On this last point, the recommendations introduce a right for data subjects: the BCR members accept that data subjects may be represented by a non-profit body, organisation or association under the conditions set out in Article 80(1) GDPR. In general, the regulators aim to ensure that the rights of data subjects as third-party beneficiaries are not only expressly conferred and covered by the third-party beneficiary clause of the BCR-C, but also practically enforceable, including the possibility to lodge a complaint before the applicable Supervisory Authority. Finally, to reinforce the principle of a “centralised responsibilities and liability regime”, the authorities may, on a case-by-case basis, accept solutions where several BCR members established in the EEA share such responsibility and liability, provided that sufficient and adequate assurances are given. This alternative should always presuppose appropriate information rights for the data subjects, including the possibility to enforce their rights.

Easy access to the BCRs for data subjects and scope of the BCRs

The recommendations define in a more granular way how the BCR-C should be made available to data subjects, including internally to employees, with the particular goal of clarifying the scope and the responsibilities of the corporate group. With regard to scope, it is explicitly stated that the BCRs should cover the data subjects of all transfers, including those to third countries; the scope of data subjects is therefore not limited to EEA residents but also extends to data subjects whose personal data are affected by the rules of Chapter V. Furthermore, for the sake of transparency, the material scope of the BCRs should also be described clearly and contain a description of the transfers (at least data categories, data subject types and purposes).

Corporate groups’ internal obligations

The recommendations have refined a number of obligations incumbent upon the company group when applying for BCR-C approval, such as:

  • specifying a list of members of the BCR-C;
  • adopting an appropriate training program for employees;
  • providing a clear contact point for complaints as well as updates to the data subjects on the actions taken regarding the complaint;
  • adopting a detailed audit program including details on the frequency and the responsibilities of the auditors.

Clearer indications on the role of the Data Protection Officer (DPO) are also provided in the recommendations, especially in relation to the independence of the DPO and the risk of conflicts of interest. The duties of cooperation with the Supervisory Authorities (SAs) have also been reinforced, as have the confidentiality obligations of the SAs. The new referential also requires controllers to define their obligations in terms of data breaches, security and data subject rights more strictly (in language equivalent to that of the GDPR).

Lawfulness of processing and security

The new recommendations require applicants to commit to strict provisions regarding the lawfulness of processing, in particular by describing all the data protection principles of the GDPR and the way the controller respects them, and by clearly explaining the legal basis on which the processing operations rely, including for special categories of data.

Local laws and practices affecting compliance with the BCR-C

Most likely, this is the item on which the update of the recommendations focuses the most and which will cause the most effort (and headaches) for applicants. In line with the regulatory developments after the Schrems II case and following the release of the new SCCs and the relevant EDPB guidelines on TIAs, the BCR application recommendations have fully incorporated the principles and obligations deriving from the two-step approach: SCCs + TIA. In fact, controllers are obliged to confirm in the BCRs that the company group will use the BCRs as a transfer tool only where it has assessed that the law and practices in the importer country do not prevent the importer member from complying with the obligations and duties set out in the BCRs. The journey to this statement should include the following steps:

  1. assess the third-country transfers in accordance with the EDPB recommendations (which translates into TIAs on the transfers covered by the BCRs);
  2. identify any supplementary measure needed to grant the transferred data an essentially equivalent level of protection to that provided by the GDPR (the DPO and the liable member of the BCRs should be involved in this step);
  3. document the assessment and the measures, and make them available to the SA if required;
  4. commit the importer members to communicate to the data exporter and to the liable member of the BCRs any situation (including changes to local law) that would prevent them from fulfilling their obligations under the BCRs.

Where the data importer member or the data exporter (with the support of the liable BCR member and the relevant DPO) identifies or flags that the BCRs, even if accompanied by supplementary measures, cannot be complied with for a transfer or set of transfers, or where the competent SAs so instruct, the company group commits to suspend the transfer or set of transfers at stake until a compliant way of transferring the data is found. Such assessments and the relevant measures shall be made available to all the BCR members so that similar situations can be addressed in the same way.

Government access requests

In line with the new SCCs, the updated BCR application recommendations include obligations to define specific statements in the BCRs in relation to access requests from government authorities received by the importer member. In such situations the BCR members defined as importers must comply with the same obligations deriving from the SCCs, including notification to the exporter or data subject, efforts to challenge the request and a review of its legality. In any case, the BCR-C should state that transfers of personal data by a BCR member to any public authority cannot be massive, disproportionate and indiscriminate in a manner that would go beyond what is necessary in a democratic society.

Conclusions

With the new recommendations on the guidelines for applying for approval of BCRs for controllers, the EDPB pursues two main aims. The first is to make clear that GDPR obligations are the guiding light of the rules and responsibilities set out in the BCRs for controllers. This is evident from the numerous instances where the recommendations expressly require controllers to include specific GDPR obligations or principles in the text of the BCRs. The second is to bind corporate groups to the commitments deriving from the new set of SCCs approved in 2021 and from TIAs. These include the obligations and duties of exporters to assess the risks to personal data arising from the current law and practices of the importer country and the possible applicability of additional measures to ensure an essentially equivalent level of protection at the importer member as provided in the EU. This fully follows the guidance previously set out in Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. The new requirements apply to multinational groups that wish to present an application for BCR-C approval, but controllers whose BCR-C was approved in the past should also review their existing transfers, perform the appropriate assessments and update their BCRs in accordance with the new recommendations.