Article 29 Working Party Releases Updated Standard Application Forms for BCRs

On April 11, 2018, the Article 29 Working Party (the “Working Party”) adopted two Recommendations on the Standard Application for Approval of Data Controller or Processor Binding Corporate Rules for the Transfer of Personal Data (the “Recommendations”). Binding Corporate Rules (“BCRs”) are one of the mechanisms offered to companies to transfer data outside the European Economic Area to a country which does not provide an adequate level of protection for the data according to Article 45 of the GDPR. These Recommendations, in the form of questionnaires, are intended to help BCR applicants demonstrate how they fulfill the requirements of Article 47 of the GDPR.

In addition, the Working Party released a Working Document Setting Forth a Co-Operation Procedure for the Approval of “Binding Corporate Rules” for Controllers and Processors under the GDPR (“the Working Document”). The Working Document specifically refers to a scenario in which a group of undertakings or group of enterprises engaged in a joint economic activity, with entities in more than one Member State, wishes to submit draft BCRs to a Supervisory Authority (“SA”). In this case, the GDPR does not provide any guidance on how the group of undertakings or enterprises should determine their choice of SA as BCR Lead. The BCR Lead will act as the point of contact for the applicant during the approval process and will also manage the application throughout the cooperation phase with the relevant SAs. As such, the Working Document provides a series of criteria to identify the appropriate BCR Lead, such as the location of the group’s European Headquarters or the location of the company with the delegated data protection responsibilities. Finally, the Working Document also details the cooperation procedure to follow between the BCR Lead and the other relevant SAs for the approval of BCRs.

The Recommendations are available for data controllers and for data processors. View the Working Document.
