The EDPB has adopted Recommendations on the application for approval and on the elements and principles to be found in Controller Binding Corporate Rules (BCR-C). These recommendations form an update to the existing BCR-C, which contain criteria for BCR-C approval, and merge it with the standard application form for BCR-C.

The new Recommendations build upon the agreements reached by data protection authorities during approval procedures on concrete BCR applications since the GDPR entered into effect. The Recommendations provide additional guidance and aim to ensure a level playing field for all BCR applicants. The Recommendations also bring the existing guidance into line with requirements in the CJEU’s Schrems II ruling.

As the EDPB explains, BCR-Cs are a transfer tool that can be used by a group of undertakings or enterprises engaged in a joint economic activity to transfer personal data outside the European Economic Area to controllers or processors within the same group. BCRs create enforceable rights and set out commitments to establish a level of data protection essentially equivalent to that of the GDPR.

The Recommendations:

• provide an updated standard application form for the approval of BCR-Cs;
• clarify the necessary content of BCR-Cs and provide further explanation; and
• make a distinction between what must be included in a BCR-C and what must be presented to the BCR lead data protection authority in the BCR application.

A second set of Recommendations for BCR-processors is currently being developed.

The Recommendations are open to public consultation until 10 January 2023. To read the EDPB’s press release in full and for a link to the Recommendations, click here.