The EDPB has adopted an updated document setting forth a co-operation procedure for the approval of binding corporate rules (BCR) for controllers and processors. The updates seek to impose more structure on the process among supervisory authorities to reach a consensus on the BCR. New detail is included on what is considered to be a “round” during different phases of the BCR approval procedure, the role of the BCR Lead during those different phases and the procedure for informal “BCR sessions”. The updated document provides welcome clarity for entities who are considering or who have applied for the BCR, at a time when supervisory authorities across the EU continue to show interest in scrutinising intra-group international transfers of personal data. Key aspects of the changes are addressed below.

Use of Binding Corporate Rules

The BCR are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures, or professional partnerships. They govern intra-group transfers of personal data from their EEA entities to group entities located in third countries. Under the BCR, the transfer of personal data to third countries is subject to data protection principles including a right of action by data subjects against the group for failure to comply with the rules.

BCR Approval – Cooperation among supervisory authorities

The procedure for approving the BCR for controllers and processors is set out in Articles 47(1), 63, 64 and (only if necessary) 65 GDPR. A group interested in submitting draft binding corporate rules for approval liaises with the relevant competent supervisory authority in the EU, who acts as an intermediary between the applicant and other concerned supervisory authorities to approve the BCR in accordance with the consistency mechanism in Article 63 GDPR. However, as the group applying for the BCR may have entities in more the one Member State, this procedure will necessarily involve all the concerned supervisory authorities. (A footnote in the updated EDPB document notes that as the approved BCR may be used in all Member States without any additional authorisation, all supervisory authorities (SAs) are “concerned”. This approach is reflected at the BCR session phase, which requires the participation of all SAs.)

The GDPR does not lay down specific rules for a cooperation phase among concerned SAs to approve the BCR. Nor does it set out specific rules for identifying the competent SA which will act as lead authority. In April 2018, the Article 29 Working Party’s document, WP 263 rev 0.1 (later endorsed by the EDPB) sought to address this. The updated EDPB document builds on practical experience gained since then setting out further detail and clarification.

Rounds – No maximum rounds in phases one and two

There are six phases for approval of the BCR, as set out below.

1. BCR Lead review phase​
2. Co-review phase ​
3. Cooperation phase ​
4. BCR session​
5. EDPB Opinion phase​
6. Approval procedure by BCR Lead​

The updated EDPB document provides clarity about what is considered to be a “round” during different phases of the BCR approval procedure, i.e. where the BCR Lead sends comments to the applicant and the comments are deemed not to have been appropriately addressed by the applicant, a new round starts. Comments can originate from the BCR Lead, i.e. in the first phase, or from other SAs, i.e. in the second and third co-review and cooperation phases. However, it is the BCR Lead that acts as the point of contact (for the applicant, co-reviewers, BCR session participants, International Transfers Expert Group members, the EDPB Secretariat, and if necessary, in the plenary regarding the BCR) during the different phases of the BCR approval procedure.

In terms of timing, in the first and second phase, there is no maximum number of rounds. The process continues until the BCR Lead (or the supervisory authority(ies)) is satisfied with the preliminary draft BCR. Importantly, the updated EDPB document suggests that when necessary, for the Cooperation phase, between the third and the fourth round of the BCR approval procedure, controversial issues or remaining issues are to be discussed in a BCR Session and there is a mechanic for a fifth round in the format of a BCR session “to address the remaining and/ or controversial issues accordingly”.

BCR Sessions – Speaking with one voice

The BCR Lead may initiate a BCR Session at any stage of the BCR approval procedure. Annex two sets out a detailed procedure for these informal sessions. The BCR Session is not a mandatory phase, but is highly recommended, with the aim being to discuss the controversial or remaining issues with SAs and the EDPB Secretariat and to find consensus on the standards and expectations of the BCR. All SAs are required to take part (in this respect reference is made to the cooperation duty set forth in Article 57(1)(g) GDPR). Notably, the updated EDPB document also refers to the need to speak with “one voice” to the applicant and this process is designed to facilitate that approach​. Controversial and remaining issues can be escalated through the informal procedure set out in Annex two to an International Transfers Expert Subgroup (ITS ESG) meeting or if need be, the Plenary.

After the BCR Session, if changes to the BCR are necessary, the BCR Lead liaises with the applicant requesting the changes which are agreed upon during the BCR session, ITS ESG or Plenary. Subject to the requested changes being made to the satisfaction of the BCR Lead and the SAs in the relevant phase, the approval procedure moves on to its next phase.

Benefits for applicants

The new procedure offers greater clarity on the role of the BCR Lead and the objective and processes between and among the supervisory authorities in reaching consensus.

Adoption of the BCR can provide organisations with a stable, reliable, and effective mechanism to transfer personal data. Tailored to reflect an organisation’s intra-group data sharing processes, they offer a significant degree of flexibility as they may be updated over time to absorb and reflect changes to a group’s corporate structure. The BCR can augment governance structures for compliance and demonstrate a commitment to data protection compliance to regulators. In light of Brexit and post-Schrems II which invalidated the EU-US Privacy Shield, the BCR offer a long-term solution to ensure that personal data transfers from the EU are in full compliance with the GDPR.