New UK Addendum to EU Binding Corporate Rules
The UK Information Commissioner’s Office (ICO) has published an addendum for EU BCRs, with a view to streamlining its approval process for the UK Binding Corporate Rules (UK BCRs). On 19 December 2023, the final form addendum was released for use by UK members of organisations who already hold an approved set of EU BCRs for controllers and/or processors. Organisations can choose to submit the addendum in the standard form (which is the quickest way to obtain approval) or as a template, aligning it your organisation’s individual needs.
Structure of the application
The necessary documents required to apply are:
- the EU BCRs for controllers and/or processors
- a complete EU BCRs approval
- a UK BCR summary (described below)
- a complete UK BCR addendum
The addendum document has a background section, information tables and the UK BCR addendum itself.
Part 1: Background
First, the applicant confirms the pre-requisites for the UK BCR addendum process, i.e. that they have an approved set of EU BCRs. Organisations must list a lead UK BCR member. This is the member of the applicant organisation that will be responsible for breaches of the UK BCRs by non-UK BCR members. During the approval phase, the ICO will seek assurances and commitments that the nominated UK entity has or can individually call on sufficient assets to remedy a breach of the UK BCRs.
Part 2: Information tables
This section is split into four tables:
- The first table sets out the UK BCR members.
- The second table includes electronic copies of all the approved EU BCR documentation.
- The third table is the UK BCR summary which is any easy-to-read document for people whose personal data is transferred under the UK BCRs so that they know how their information is processed, what rights they have under the UK BCRs and how to enforce them.
- The fourth table sets out the relevant options. Even where the addendum is to be used in standard form, the final options table offers applicants some flexibility. For example, organisations can choose to make amendments to the UK BCR summary through notification by the UK BCR lead member to the other UK BCR members or through written agreement by all the UK BCR members. The organisation can also add additional commercial clauses, e.g. allocating costs for compensation, as long as these clauses do not reduce the level of protection provided in the addendum.
Part 3: UK BCR addendum
The final part is the UK BCR addendum itself which has 16 sections that cover the Article 47 UK GDPR requirements. The guidance published by the ICO has stated that where the standard form is adapted into a template, then there is an onus on organisations to update the template alongside future ICO amendments. Organisations can submit such revisions as part of the annual update.
After Brexit, all UK BCR applicants were required to draw up bespoke UK BCRs. This resulted in lengthy timelines for the organisations to draft the BCRs, but also for the ICO to review each in turn. The UK BCR addendum will streamline this process by supplying a standard form that can be amended as needed. The ICO has noted that where the form is used as a template, organisations must explain why such changes do not diminish the protection afforded by the addendum in standard form, which may in turn result in lengthier approval times as the ICO has the opportunity to ask further questions before approving. However, once the UK BCR addendum has been approved, should an organisation update its EU BCRs, the UK BCR will automatically update in relation to UK-restricted transfers.
For more information, please see the UK BCR Addendum guidance here, and access the addendum here.
Organisations with EU BCRs for controllers should also remember that they will need to update their EU BCR-C by the time of their annual update this year to comply with the updated BCR-C requirements in the EDPB Recommendations 1/2022 adopted 20 June 2023.
The authors would like to thank Martin Shannon for his contribution to this briefing.