ENG

Finalised Updates to EU BCRs – what you need to know

Published

Jul 10 2023

Written By

elizabeth upton module
Elizabeth Upton

Legal Director
UK

I'm a legal director in our London Privacy and Data Protection Practice working with clients in many of our key sectors.

Related

Practices

Regions

On 20 June, the EPDB adopted the final version of its Recommendations to update the Controller Binding Corporate rules Application Form and Requirements table (now called “Elements and Principles to be found in BCR-C”).

These Recommendations are effective from the date of publication and will affect all organisations holding existing EU Controller BCRs as well as those currently going through the application process or thinking of doing so.

Existing BCR holders will need to update their BCRs in line with these Recommendations as part of their 2024 annual update although such update will not generally trigger the need for a new approval since they are meant to improve safeguards for data subjects.

Whilst the main driver behind the update is to build in requirements to address the CJEU’s Schrems II ruling (i.e. to deal with transfer impact assessments and Government access requests), the EDPB has also taken the opportunity to build on and revise other requirements. These Recommendations are intended to replace and repeal the former Article 29 Working Party documents: WP 264 and WP 256 rev.01.

In order to help affected organisations quickly assess the scope of the changes to the Requirements table, we have produced the following:

  1. a simple track changes version of the Requirements showing all the changes between the new Requirements and those originally set out in WP 256 rev.01 (marked as version 1); and
    CLICK HERE TO ACCESS VERSION 1
  2. an “edited” track changes version of the Requirements where minor changes and/or sections which have just been moved around the document are not highlighted, leaving track changes which are more significant in nature and/or which are likely to require organisations to carefully check their existing or draft EU Controller BCRs to see if further amendments are likely to be needed (marked as version 2).
    CLICK HERE TO ACCESS VERSION 2

These documents build on the versions we issued in November based on the draft Recommendations, with new text highlighted in green.

In summary, the main changes to note are:

Requirement

Overview

5.4.1 and 5.4.2

These two sections contain the Schrems II requirements , namely obligations with respect to transfer impact assessments and data importer obligations with respect to the handling of Government access requests.

Transfer Impact Assessments

BCRs must contain a clear commitment that BCR members must only use the BCR-Cs as a tool for transfers where they have assessed that the laws and practices in the third country applicable to the processing of data by the BCR member acting as data importer do not prevent it from fulfilling its obligations under the BCR-Cs.

The BCR members must take account of similar elements in their assessment as set out in Clause 14 of the EU SCCs. The requirements do state that the BCR members can consider “the laws and practices of the third country of destination relevant in light of the circumstances of the transfer” and reference is made to the EDPB Recommendations 01/2020 on measures that supplement transfer tools. In addition a new footnote has been included which aligns with footnote 12 in the EU SCCs to state that as regards the impact of such laws and practices, different elements may be considered as part of an overall assessment – this may include relevant and documented practical experience with prior instances of request for disclosure from public authorities or the absence of such requests covering a sufficiently representative time frame.

The Liable BCR Member/relevant Privacy officer or Function should be informed and involved in any transfer risk assessment and of any additional safeguards which are put in place. The assessment and any supplementary measures should be documented and be available on request to the competent supervisory authority.

A data importer is obliged to notify the data exporter (and the Liable BCR Member) if when using these BCR-Cs as a tool for transfers, it has reason to believe that it is or has become subject to laws and practices that would prevent it from fulfilling its obligations under the BCR-C. Where this happens the data exporter/Liable BCR Member/Privacy officer or Function will promptly identify supplementary measures to be adopted. The same applies if the data exporter has reason to believe that the data importer can no longer fulfil its obligations. The Liable BCR Member/Privacy officer or Function will inform all other BCR members about the assessment so that identified supplementary measures will be applied to other similar transfers.

If supplementary measures will not assist (or if instructed by competent supervisory authorities), the data exporter commits to suspend the relevant transfers/similar transfers. The data exporter must then agree to end the transfer if the BCR-C cannot be complied with and compliance not restored within one month of suspension. Any data which has already been transferred prior to the suspension must be returned or destroyed.

The BCR-C must include a duty for the data exporters to monitor on an ongoing basis (with the help of the data importers where appropriate) for developments in the third countries which could affect the initial assessment of the level of protection provided.

Government access requests

The requirements here largely replicate the language in Clause 15 of the EU SCCs. In addition, the BCR-C should still state that the transfers of personal data by a BCR member to any public authority cannot be massive disproportionate and indiscriminate in a manner that would go beyond what is necessary in a democratic society (and reference is made to the EDPB Recommendations 02/2020 on the European Essential Guarantees for surveillance measures.

1.2

If an organisation wishes to rely on a Unilateral Declaration as a mechanism for making its BCR-Cs internally binding, there are new requirements. The Group will also have to demonstrate how the Group’s internal policies are made legally binding on employees and how they be enforced in practice vis a vis the employees.

1.3.1

 More details are provided with respect to exactly what third party beneficiary rights must be expressly stated in the BCR-Cs. The Group will also need to explain in the application form how the instrument it intends to apply in order to make the BCR-C internally binding also enables the data subjects to legally enforce these BCR elements against the Group. 

1.4

 Where organisations choose not to adopt a centralised responsibility and liability regime, additional assurances will need to be provided and the applicant must show that data subjects will be transparently informed, assisted in exercising their rights and not disadvantaged or unduly inhibited in any way by the use of such alternative mechanism.

The requirements do not include any express references to the fact that the Liable BCR member must be a legal entity with a separate legal personality (as is the case under UK BCRs).             

1.5

 Confirmation that the Liable BCR member has sufficient assets must be made on an annual basis.

1.7

 More detail is provided about exactly what data subjects need to be told about the BCRs in the public version of the BCRs.

2.1

 Information provided on the transfers must be “exhaustive” although this does not mean it has to be provided with a high degree of specificity or granularity. Scope of the BCRs should not be limited to “EEA Citizens” or “EEA residents”.

2.2

 The address and company registration details (where available) of BCR members should be included as part of the published BCRs.

3.1

 More detail is expected on training requirements (e.g. intervals specified, requirement to address procedures for managing requests for access to personal data by public authorities).

3.2

 More detail is expected on complaints and the provision of contact points for data subjects.

3.3

 More detail is expected on audits. DPOs should not be in charge of auditing if that could result in a conflict of interests. BCRs should not contain wording aimed at restricting the duty of all BCR members to communicate the results of audits to supervisory authorities on grounds of confidentiality (as SAs already under an obligation of confidentiality). 

3.4

 BCRs should not contain wording aimed at restricting the duty of all BCR members to cooperate with supervisory authorities on grounds of confidentiality (as SAs already under an obligation of confidentiality) nor limit their powers of audit. 

5.1.2

 BCR-Cs should contain an exhaustive list of all legal basis of processing which the BCR members intend to rely on.

6.1

 New provision regarding what happens to data on termination of BCR member

7.1

 New provisions relating to what happens if there is non compliance with the BCRs

8.1

 Where any modification would “possibly be detrimental to the level of protection offered by the BCR-C or significantly affect them (e.g. changes to binding character, change of Liable BCR Member) it must be communicated in advance to the SAs, via the BCR Lead, with a brief explanation of the reasons for the update. In this case, the SAs will assess if the changes require a new approval.” Once a year, the SAs should be notified via the BCR Lead of any changes to the BCR-C or to the list of BCR members, with a brief explanation of the reasons for the changes. This includes any changes made to align with these updated requirements. The SAs should also be notified once a year even if no changes have been made.

9

New section requiring that the BCR-Cs contain a list of definitions and if the BCRs use the same terms as the GDPR, the definitions shouldn’t vary. References to GDPR provisions should be avoided or quoted in full.

The Application Form remains in two Parts:
  • Part 1 (Applicant Information): This remains largely the same save that there is a new acknowledgement that (i) the BCR approval does not include an assessment of whether each processing is line with all the requirements of the GDPR and the BCR as applicable and that each BCR member will need to ensure that all relevant requirements are met; (ii) that it is the responsibility of the data exporter (with the help of the data importer where needed) to carry out a transfer risk assessment and where necessary consider whether any supplementary measures are needed (but noting that the supplementary measures are not themselves assessed by the supervisory authorities as part of the BCR approval process) and; (iii) if a data exporter is not able to implement supplementary measures to ensure an essentially equivalent level of protection as provided in the EU, that data cannot be lawfully transferred; and
  • Part 2 (Background Paper): This has been shortened from the current version with some of the detail relating to complaints, third party beneficiary rights, cooperation, description of data flows, accountability, mechanisms for recording change and data protection safeguards now being found in the Elements and Principles Table which forms Annex 2 of the Application Form (A copy of the BCRs themselves will be attached as Annex 1).

A link to the full Recommendations can be found here: Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) | European Data Protection Board (europa.eu)

If you have any questions about your EU BCRs, please reach out to Ruth Boardman or Elizabeth Upton to discuss.

Latest insights

More Insights
Curiosity line green background

China Cybersecurity and Data Protection: Monthly Update - February 2025 Issue

Feb 21 2025

Read More
Curiosity line pink background

China Data Protection and Cybersecurity: Annual Review of 2024 and Outlook for 2025 (II)

22 minutes Feb 12 2025

Read More
featured image

Concluding contracts in the era of the Data Act

7 minutes Feb 04 2025

Read More
More Insights