BCR are legally binding internal rules adopted by multinational corporations to facilitate transfers of personal data to non-EEA countries (Art. 46(2)(b), Art. 47 GDPR).
The draft Recommendations 1/2022 apply to C-BCR, which can be used as legal mechanism for transfers of personal data from controllers subject to the GDPR to other entities of the same company group established outside the EEA also acting in the role of controllers or “group-internal” processors. C-BCR must be distinguished from BCR for processors (P-BCR), which apply to data transfers from an external controller to members of a company group, and the subsequent processing of such personal data by the group members as processors and/or sub-processors. New draft Recommendations on P-BCR are expected to arrive in the near future.
In order to be used as a transfer mechanism, BCR must be approved by the European DPAs, which, for the purpose of the BCR approval procedure, are represented by a lead supervisory authority (BCR Lead). The BCR Lead will typically be the DPA of the location of the company group’s EEA headquarters or main establishment, and therefore the applicant is required to provide sufficient information in its BCR application in order to determine a BCR Lead.
Overview of the draft Recommendations
The draft Recommendations 1/2022 comprise two main elements: (1) an application form to be completed and submitted by the applicant to the relevant BCR Lead (Section 2 of the Recommendations), and (2) a table overview of the elements and principles to be found in C-BCR that specify the mandatory minimum content of C-BCR (Section 3 of the Recommendations).
The application form consists of the following parts:
In Part 1, applicants must provide information about the company group for which the C-BCR approval is sought and the covered processing activities and data flows, as well as information necessary for the determination of the BCR Lead.
In Part 2 (the so-called “Background Paper”), applicants must provide details demonstrating the binding nature of the C-BCR within the company group (e.g. by means of an intra-group agreement), and explaining its effective practical implementation.
As Annex 1, applicants need to attach a copy of the C-BCR text that reflects all mandatory content for C-BCR. It is possible to also submit supporting documents (e.g. copies of an intra-group agreement, or an audit policy).
As Annex 2, applicants must provide a completed version of the table for the elements and principles to be found in C-BCR, which contains references to the C-BCR text and applicable documents in order to facilitate the assessment by the DPAs.
The table overview in Section 3 lists the required minimum content that must be reflected in C-BCR, and defines the material standards that a company group applying for C-BCR must comply with.
The draft Recommendations 1/2022 are intended to replace the existing guidelines for C-BCR, namely (a) Working Paper 264 with recommendations on the standard application for approval of C-BCR and (b) Working Paper 256.rev01 specifying the elements and principles to be found in C-BCR.
Compared to these existing Working Papers, the draft Recommendations introduce several updates on the material requirements for C-BCR. This particularly concerns the table for the elements and principles to be found in C-BCR, which brings, among others, the following changes:
Various amendments to existing requirements, both in detail and scope, including several sensitive topics for controllers, e.g. transparency obligations regarding the appointment of processors (Sec. 5.3) and the obligation to list all applicable legal basis of processing (including local laws) and applicable exemptions for processing special categories of personal data (Sec. 5.1.2).
Introduction of additional mandatory content for the C-BCR text, which was formerly only required to be provided in the application form, such as details on the audit programme covering the C-BCR (Sec. 3.3).
Expansion of data subject rights, including provisions on legal remedies, compensation (Sec. 1.3.2) and new rights concerning government access requests (Sec. 1.3.1).
Strict requirements on the publication of the C-BCR, similar to a privacy notice (Sec. 1.7), as well as the obligation to notify all data subjects of any changes of the C-BCR text and its member list (Sec. 1.3.1), although it is not specified how such update notices shall be provided.
New safeguards to avoid conflict of interests of the data protection officer competent for the C-BCR, e.g. the prohibition for the DPO to conduct data protection impact assessments or audits related to the C-BCR (Sec. 3.4).
Addition of extensive provisions concerning international data transfers, as summarized below.
Requirements for local law assessments and government access requests
In comparison to the existing Working Papers, the draft Recommendations introduce strict requirements for local law assessment and the handling of government access requests that are intended to address the implications of the Schrems II CJEU judgment, including the following:
Performance of Transfer Impact Assessments (TIA) based on an assessment of the local laws of the third countries to which personal data is transferred under the C-BCR (Sec. 5.4.1). This includes comprehensive monitoring and notification obligations with regard to legislative changes in the local laws.
Implementation of supplementary measures. It remains the responsibility of each data exporter to assess, for every international data transfer and on a case-by-case basis, whether there is a need to implement supplementary measures in order to provide for a sufficient level of protection essentially equivalent to the GDPR (Sec. 5.4.1). However, such supplementary measures are not reviewed by the DPAs as part of the approval process for C-BCR.
Government Access Request procedures and requirements, specifying the steps to be taken in case of such requests by public authorities and preceding any disclosure of personal data (Sec. 5.4.2). The procedures may include the notification of the data exporter and the exhaustion of legal remedies.
Although the “Schrems II” requirements in the C-BCR are similar to the corresponding provisions in the SCC (Clauses 14 and 15), there are differences to note:
Regarding the local law assessment of the third country of destination, the C-BCR require the additional consideration of any laws allowing for access to personal data “during the transit between the country of the data exporter and the country of the data importer” (Sec. 5.4.1.ii.).
The provisions on government access requests introduce an additional notification obligation for data importers. Such obligation does not only arise in case of access requests from public authorities of the country of destination of the transfer, but is also triggered in case of such requests by authorities of “another third country” (Sec. 5.4.2i.a)).
What to do now?
The EDPB states in its draft Recommendations that it expects all C-BCR holders to bring their BCR in line with the new requirements, including C-BCR that have been approved before the publication of the new Recommendations (para. 13). Therefore, groups of companies that already rely on approved C-BCR, as well as organizations with pending C-BCR applications, will need to update their C-BCR and underlying procedures once the final version of the Recommendations are adopted.
The draft Recommendations are open for public consultation, allowing organizations to submit their feedback and comments by 10 January 2023 at the latest.
Authored by Henrik Hanssen and Eduardo Ustaran.
Timm Smid, a paralegal in our Hamburg office, contributed to the drafting of this article.