BCR are legally binding internal rules adopted by multinational corporations to facilitate transfers of personal data to non-EEA countries in accordance with Article 46(2)(b) and Article 47 GDPR. In contrast to the Standard Contractual Clauses of the European Commission (SCC), BCR are approved by the European data protection authorities (DPAs) individually and therefore provide a greater level of legal certainty for companies that transfer personal data across borders.
On 14 November 2022, the EDPB published its draft Recommendations for C-BCR which introduced several updates on the material requirements for C-BCR. Following public consultation which closed on 10 January 2023, the EDPB adopted the final version of its Recommendations on 20 June 2023. For more information on BCR as a transfer mechanism under the GDPR and our analysis of the draft Recommendations, please refer to our previous article.
Key Updates in the Final C-BCR Recommendations
The final Recommendations include very few amendments to the material requirements for C-BCR as proposed in the draft Recommendations (and outlined in our previous article).
Minor revisions are introduced such as the inclusion of examples or clarifications which apply mainly to the following requirements within the table specifying the elements and principles to be found in C-BCR:
Binding Nature - internally: Where a group company relies on internal policies and sanctions or other means for making the C-BCR legally on employees, they are required to properly demonstrate how this will be enforced in practice vis-à-vis the employees (Sec. 1.2) in addition to demonstrating how those means make the C-BCR legally binding on employees.
Binding Nature - externally: The duty to inform all data subjects about any update to the C-BCR and the list of BCR members has been retained and the EDPB has added, by way of example, that this can be undertaken by publishing the new version without undue delay (Sec.1.3.1). In addition, there is focus on explaining, in the application form, how the instrument(s) a company group intends to rely on to make the C-BCR internally binding also enables the C-BCR elements against the group company, for example, with respect to an intra-group agreement, the company group should explain how the agreement will be enforceable by data subjects (Sec 1.3.1).
Effectiveness: A reminder that no transfer can be made under the C-BCR to a BCR member unless the member is effectively bound by the C-BCR and can deliver compliance, which includes that appropriate training on the C-BCR can effectively be provided to the employees of the respective member (Sec. 3.1).
- Mechanisms for reporting and recording changes: Clarification that supervisory authorities should be notified once a year in instances where no changes have been made to the C-BCR and that the annual update or notification should include the renewal of the confirmation regarding assets (Sec 8.1).
Impact on Companies
The EDPB states that it expects all new and ongoing C-BCR applicants as well as current holders of C-BCR to bring their C-BCR in line with the updated final C-BCR.
- Groups of companies that have an application for C-BCR pending with their lead DPA need to make sure that their application materials as well as their C-BCR meet the standards of the final updated C-BCR Recommendations. C-BCR applications that already reached the stage of a “consolidated draft” in June 2023 and for which the EDPB also issues its opinion by the end of 2023 will have to bring their BCR in line with the C-BCR Recommendations with their 2024 annual update.
- Groups of companies that already rely on approved C-BCR, as well as organizations with pending C-BCR applications, will need to update their C-BCR and underlying procedures with their 2024 annual update.
Groups of companies that are just in the planning stage of setting up their own C-BCR should consider the updated C-BCR Recommendations from the outset.
Will the EDPB also issue Updated Guidance on Processor-BCR?
The recent updates to the EDPB’s guidance only apply to C-BCR, while for Binding Corporate Rules for Processors (“P-BCR”) the “pre-Schrems II” recommendations under Working Paper 265 dated April 2018 still apply. As indicated by the EDPB’s list of approved BCR, the current P-BCR recommendations are still applied by the EU data protection authorities. It is planned to develop a new set of EDPB Recommendations on P-BCR that take into account the requirements formulated by the CJEU. However, the timeline for the publication of the draft for such P-BCR Recommendations is still unclear. Given the significant relevance of P-BCR in practice, companies are well advised to further consider the developments in this regard.
Authored by Henrik Hanssen, Jabeen Rizvi, Julie Schwartz, and Katie McMullan.