Latest Updates to EU BCRs – what you need to know
Written By
On 17 November, the EPDB published its long awaited draft Recommendations to update the Controller Binding Corporate rules Application Form and Requirements table (now called “Elements and Principles to be found in BCR-C”) which are open to consultation until 10 January 2023.
These will affect all organisations holding existing EU Controller BCRs as well as those currently going through the application process or thinking of doing so. Whilst the main driver behind the update is to build in requirements to address Schrems II (i.e. to deal with transfer impact assessments and Government access requests), the EDPB has also taken the opportunity to build on and revise other requirements. These Recommendations are intended to replace and repeal the former Article 29 Working Party documents: WP 264 and WP 256 rev.01.
In order to help affected organisations quickly assess the scope of the changes to the Requirements table, we have produced the following:
- a simple track changes version of the Requirements showing all the changes between the new Requirements and those originally set out in WP 256 rev.01 (marked as version 1); and Click here to access version 1
- an “edited” track changes version of the Requirements where minor changes and/or sections which have just been moved around the document are not highlighted, leaving track changes which are more significant in nature and/or which are likely to require organisations to carefully check their existing or draft EU Controller BCRs to see if further amendments are likely to be needed (marked as version 2). Click here to access version 2
In summary, the main changes to note are:
|
Requirement |
Overview |
|
5.4.1 and 5.4.2 |
These two sections contain the Schrems II requirements , namely obligations with respect to transfer impact assessments and data importer obligations with respect to the handling of Government access requests.
Transfer Impact Assessments
BCRs must contain a clear commitment that BCR members must only use the BCR-Cs as a tool for transfers where they have assessed that the laws and practices in the third country applicable to the processing of data by the BCR member acting as data importer do not prevent it from fulfilling its obligations under the BCR-Cs.
The BCR members must take account of similar elements in their assessment as set out in Clause 14 of the EU SCCs. The requirements do state that the BCR members can consider “the laws and practices of the third country of destination relevant in light of the circumstances of the transfer” and reference is made to the EDPB Recommendations 01/2020 on measures that supplement transfer tools.
The Liable BCR Member/relevant Privacy officer or Function should be informed and involved in any transfer risk assessment and of any additional safeguards which are put in place. The assessment and any supplementary measures should be documented and be available on request to the competent supervisory authority.
A data importer is obliged to notify the data exporter (and the Liable BCR Member) if when using these BCR-Cs as a tool for transfers, it has reason to believe that it is or has become subject to laws and practices that would prevent it from fulfilling its obligations under the BCR-C. Where this happens the data exporter/Liable BCR Member/Privacy officer or Function will promptly identify supplementary measures to be adopted. The same applies if the data exporter has reason to believe that the data importer can no longer fulfil its obligations. The Liable BCR Member/Privacy officer or Function will inform all other BCR members about the assessment so that identified supplementary measures will be applied to other similar transfers.
If supplementary measures will not assist (or if instructed by competent supervisory authorities), the data exporter commits to suspend the relevant transfers/similar transfers. The data exporter must then agree to end the transfer if the BCR-C cannot be complied with and compliance not restored within one month of suspension. Any data which has already been transferred prior to the suspension must be returned or destroyed.
The BCR-C must include a duty for the data exporters to monitor on an ongoing basis (with the help of the data importers where appropriate) for developments in the third countries which could affect the initial assessment of the level of protection provided.
Government access requests The requirements here largely replicate the language in Clause 15 of the EU SCCs. In addition, the BCR-C should still state that the transfers of personal data by a BCR member to any public authority cannot be massive disproportionate and indiscriminate in a manner that would go beyond what is necessary in a democratic society.
|
|
1.2 |
If an organisation wishes to rely on a Unilateral Declaration as a mechanism for making its BCR-Cs internally binding, there are new requirements. |
|
1.3.1 |
More details are provided with respect to exactly what third party beneficiary rights must be expressly stated in the BCR-Cs. |
|
1.4 |
Where organisations choose not to adopt a centralised responsibility and liability regime, additional assurances will need to be provided and the applicant must show that data subjects will be transparently informed, assisted in exercising their rights and not disadvantaged or unduly inhibited in any way by the use of such alternative mechanism.
The requirements do not include any express references to the fact that the Liable BCR member must be a legal entity with a separate legal personality (as is the case under UK BCRs). |
|
1.5 |
Confirmation that the Liable BCR member has sufficient assets must be made on an annual basis. |
|
1.7 |
More detail is provided about exactly what data subjects need to be told about the BCRs in the public version of the BCRs. |
|
2.1 |
Information provided on the transfers must be “exhaustive” although this does not mean it has to be provided with a high degree of specificity or granularity. Scope of the BCRs should not be limited to “EEA Citizens” or “EEA residents”. |
|
2.2 |
The address and company registration details (where available) of BCR members should be included as part of the published BCRs. |
|
3.1 |
More detail is expected on training requirements (e.g. intervals specified, requirement to address procedures for managing requests for access to personal data by public authorities). |
|
3.2 |
More detail is expected on complaints and the provision of contact points for data subjects. |
|
3.3 |
More detail is expected on audits. DPOs should not be in charge of auditing if that could result in a conflict of interests. BCRs should not contain wording aimed at restricting the duty of all BCR members to communicate the results of audits to supervisory authorities on grounds of confidentiality (as SAs already under an obligation of confidentiality). |
|
3.4 |
BCRs should not contain wording aimed at restricting the duty of all BCR members to cooperate with supervisory authorities on grounds of confidentiality (as SAs already under an obligation of confidentiality) nor limit their powers of audit. |
|
5.1.2 |
BCR-Cs should contain an exhaustive list of all legal basis of processing which the BCR members intend to rely on. |
|
6.1 |
New provision regarding what happens to data on termination of BCR member |
|
7.1 |
New provisions relating to what happens if there is non compliance with the BCRs |
|
8.1 |
Where any modification would “possibly be detrimental to the level of protection offered by the BCR-C or significantly affect them (eg changes to binding character, change of Liable BCR Member) it must be communicated in advance to the SAs, via the BCR Lead, with a brief explanation of the reasons for the update. In this case, the SAs will assess if the changes require a new approval.” Other changes must be notified once a year to the SAs via the BCR Lead. This includes changes made to align with these updated requirements. |
|
9 |
New section requiring that the BCR-Cs contain a list of definitions and if the BCRs use the same terms as the GDPR, the definitions shouldn’t vary. References to GDPR provisions should be avoided or quoted in full. |
The Application Form remains in two Parts:
- Part 1 (Applicant Information): This remains largely the same save that there is a new acknowledgement that (i) the BCR approval does not include an assessment of whether each processing is line with all the requirements of the GDPR and the BCR as applicable and that each BCR member will need to ensure that all relevant requirements are met; (ii) that it is the responsibility of the data exporter (with the help of the data importer where needed) to carry out a transfer risk assessment and where necessary consider whether any supplementary measures are needed (but noting that the supplementary measures are not themselves assessed by the supervisory authorities as part of the BCR approval process) and; (iii) if a data exporter is not able to implement supplementary measures to ensure an essentially equivalent level of protection as provided in the EU, that data cannot be lawfully transferred; and
- Part 2 (Background Paper): This has been shortened from the current version with some of the detail relating to complaints, third party beneficiary rights, cooperation, description of data flows, accountability, mechanisms for recording change and data protection safeguards now being found in the Elements and Principles Table which forms Annex 2 of the Application Form (A copy of the BCRs themselves will be attached as Annex 1).
A link to the full Recommendations can be found here: Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) | European Data Protection Board (europa.eu).
If you have any questions about your EU BCRs, please reach out to Ruth Boardman or Elizabeth Upton to discuss.
