Out-Law News | 06 Dec 2022 | 12:35 pm | 3 min. read
The European Data Protection Board (EDPB)’s proposals to update the process for binding corporate rules (BCRs) for controllers confirm that companies transferring personal data outside of the European Economic Area are required to carry out a transfer risk assessment and put in place safeguards to mitigate any of the risks identified, a legal expert said.
BCRs are one of the legal tools businesses can put in place to comply with their GDPR obligations around transfers of personal data outside the EEA. They can be used on an intragroup basis as an alternative to the European Commission-endorsed standard contractual clauses (SCCs). BCRs entail putting in place a set of binding intra-group rules governing the data transfers and obtaining regulatory approval for those arrangements.
The new guidance, released by the EDPB on 14 November 2022, provides an updated standard form for the application for approval of BCRs for controllers (BCR-C), alongside updated criteria for approval of BCR-C, and clarifies the necessary content of BCR-C as stated in Article 47 GDPR. It also makes a distinction between what must be included in BCR-C and what must be presented to the relevant supervisory authority. Explanations and comments on the requirements are included in the guidance.
“The recommendations update the BCR process following the Schrems II judgment and provide guidance on carrying out data transfer impact assessments for BCRs,” said Rosie Nance, data protection law expert of Pinsent Masons.
The Schrems II judgment refers to the judgment C-311/18 handed down in July 2020 by the Court of Justice of the European Union (CJEU). The judgment reiterated that the protection granted to personal data in the European Economic Area (EEA) must travel with the data wherever it goes. It also confirmed, in principle, that businesses can use EU SCCs to underpin data transfer arrangements to jurisdictions outside of the EEA.
“The EDPB’s Schrems II guidance confirmed that the Schrems II judgment is relevant for transfers of personal data on the basis of BCRs and confirmed that updated guidance would be provided. These recommendations update the form and application process for BCR-C to incorporate the CJEU’s comments in the Schrems II decision, bringing BCRs for controllers in line with the 2021 SCCs,” said Nance.
According to Phoebe Rowson-Stevens, data protection law expert of Pinsent Masons, BCR for controllers (BCR-C) are suitable for framing transfers of personal data from controllers covered by the geographical scope of the GDPR to other controllers or to processors that are established outside the EEA but within the same group. In comparison, BCR for processors (BCR-P) apply to data received from a controller that is not a member of the group, and which are then processed by the concerned group members as processors and/or sub-processors. The guidance makes it clear that the obligations set out in BCR-C apply in relation to entities within the same group acting as controllers and to entities acting as ‘internal’ processors.
The recommendations provide instructions and guidance for the BCR application form. For example, in case of application for both BCR-C and BCR-P, separate forms need to be filled out for each BCR.
Rowson-Stevens also pointed that the EDPB has confirmed that a data transfer impact assessment must be carried out by the exporters, which are businesses subject to the GDPR that are transferring the personal data to third countries. The transfer impact assessment is not assessed by supervisory authorities as part of the process of BCR approval.
The guidance provides that “it is… the responsibility of each data exporter to assess, for each transfer, on a case-by-case bases, whether there is a need to implement supplementary measures in order to provide for a level of protection essentially equivalent to the one provided by the GDPR.”
In addition, updated rules require a number of commitments to be included in the BCRs. For example, one such commitment is that “personal data that have been transferred under the BCR may only be onward transferred outside the EEA to processors and controllers which are not bound by the BCR-C if the conditions for transfers laid down in Articles 44 to 46 GDPR are applied in order to ensure that the level of protection of natural persons guaranteed by GDPR is not undermined. In the absence of an adequacy decision or appropriate safeguards, BCR-C may include a provision that onward transfers may exceptionally take place if a derogation applies in line with Article 49 GDPR.”
Another example of the commitments required for the BCR-C is that “the BCR member acting as data importer will promptly notify the data exporter and, where possible, the data subject (if necessary with the help of the data exporter)” if it becomes aware of any legally binding government authority requests for access, or of any direct access by public authorities.”
The guidance is entitled “Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR” (the “Recommendations”). The EDPB is currently conducting a public consultation on the new guidance until 10 January 2023. These recommendations repeal and replace the Article 29 Working Party Recommendations on the Standard Application for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data of 11 April 2018 (WP264), as well as the Article 29 Working Party’s guidance on the elements and principles to be found in BCR of 6 February 2018 (wp256).
01 Feb 2022