APPLICATION FORM

General Instructions for Applicants:
- Only a single copy of the form need be filled out and submitted to the Supervisory Authority (SA) you consider to be the BCR Lead in accordance with Articles 47(1) and 64 GDPR and the WP263; this form may be used in all EEA Member States.
- In case of application for both BCR-C and BCR-P, separate forms need to be filled out for each BCR.
- Please fill out all entries of Part I of the application form and submit the form to the SA you consider to be the BCR-C Lead. As soon as a decision on the BCR Lead has been made (see WP263), the BCR Lead will determine when it will invite you to fill out and submit Part II of the application form including its Annexes.
- You may attach additional pages or annexes if there is insufficient space to complete your responses.
- You may indicate any responses or materials that are in your opinion commercially sensitive and should be kept confidential but, in any case, be aware that the relevant document will be shared among the concerned SAs and the EDPB which, under Article 64 GDPR, has to issue its opinion on the approval draft decision of your BCR-C. Requests by third parties for disclosure of such information will, however, be handled by each SA involved in accordance with national legislation.
- If the Group has its headquarters in the EEA, the form should be filled out and submitted by that EEA entity.
- If the Group has its headquarters outside the EEA, then the Group should appoint a Group entity located inside the EEA as the Group member with delegated data protection responsibilities. This is the entity which should then submit the application on behalf of the Group.

Adopted version for public consultation 6

The next steps of the procedure are described in WP263.

Instructions for Filling In Part 1 (applicant information):

Section 1: Structure and Contact Details of the Applicant and of the Group
- Contact details for queries:
  o Please indicate a contact to whom queries may be addressed concerning the application.
  o This contact does not need to be located in the EEA, although this might be advisable for practical reasons.
  o You may indicate a function rather than a specific person.

Section 2: Short description of data flows
- The applicant should also give a brief description of the scope and nature of the data flows to third countries for which approval is sought.

Section 3: Determination of the BCR Lead
- In accordance with Article 64 GDPR, the BCR Lead is the authority in charge of coordinating the approval of your BCR-C, which then could be considered appropriate safeguards for transfers of personal data by Group members to third countries, without requiring any specific authorisation for the use of the BCR-C from the other SAs concerned.
  o Before you approach one SA as the presumptive BCR Lead, you should examine the factors listed in Section 1 of WP263. Based on these factors you should explain in Part 1.3 of the Application Form which SA should be the BCR Lead. The SAs are not obligated to accept the choice that you make if they believe that another SA is more suitable to be BCR Lead, in particular if it would be worthwhile for speeding up the procedure (e.g. taking into account the workload of the originally requested SA).
Application Form for Approval of Controller Binding Corporate Rules ("BCR-C")

PART 1: APPLICANT INFORMATION

1. STRUCTURE AND CONTACT DETAILS OF THE GROUP OF UNDERTAKINGS OR GROUP OF ENTERPRISES ENGAGED IN A JOINT ECONOMIC ACTIVITY (THE GROUP)

Name of the Group and location of its headquarters:
Does the Group have its headquarters in the EEA? Yes / No
Name and location of the applicant:
Identification number (if any):
Legal nature of the applicant (corporation, partnership, etc.):
Description of position of the applicant within the Group: (e.g. headquarters of the Group in the EEA, or, if the Group does not have its headquarters in the EEA, the member of the Group inside the EEA with delegated data protection responsibilities)
Name and/or function of contact person (note: the contact person may change, you may indicate a function rather than the name of a specific person):
Address:
Country:
Phone number:
E-Mail:
EEA Member States from which the BCR-C will be used:
2. SHORT DESCRIPTION OF PROCESSING AND DATA FLOWS [10]

Please, indicate the following:
- Nature of the data covered by the BCR-C, and in particular, if they apply to one category of data or to more than one category, the type of processing and its purposes, the types of data subjects affected (for instance, data related to employees, customers, suppliers and other third parties as part of their respective regular business activities, …)
- Do the BCR-C only apply to transfers from the EEA, or do they apply to all transfers between members of the group?
- Please specify from which country most of the data are transferred outside the EEA:
- Extent of the transfers within the Group that are covered by the BCR-C; including a description and the contact details of any Group members in the EEA or outside the EEA to which personal data may be transferred

3. DETERMINATION OF THE LEAD SUPERVISORY AUTHORITY ('BCR LEAD') [11]

Please explain which should be the BCR Lead, based on the following criteria:
- Location of the Group's EEA Headquarters
- If the Group is not headquartered in the EEA, the location in the EEA of the Group entity with delegated data protection responsibilities
- The location of the company which is best placed (in terms of management function, administrative burden, etc.) to deal with the application and to enforce the BCR-C in the Group
- The country where most of the decisions in terms of the purposes and the means of the data processing are taken
- EEA Member States from which most of the transfers outside the EEA will take place

[10] See Article 47(2)(a) and (b) GDPR.
[11] See Part 1, WP263.
4. ACKNOWLEDGEMENT

We acknowledge on behalf of each member of the Group that
- the approval does not include an assessment of whether each processing is in line with all requirements of the GDPR and the BCR as applicable, and that each BCR member needs to ensure that all requirements set out in GDPR and BCR, as applicable, are met for each transfer (e.g., in relation to lawfulness, Article 28 requirements, DPIA where needed, etc.);
- before carrying out any transfer of personal data on the basis of the approved BCR-C to one of the members of the Group, it is the responsibility of any data exporter, if needed with the help of the data importer, to assess whether the legislation of the third country of destination does not prevent the recipient from complying with the BCR-C, including with regard to onward transfer situations. This assessment has to be conducted in order to determine whether any legislation or practices of the third country, applicable to the data to be transferred, go beyond what is necessary in a democratic society to safeguard important public interest objectives, in particular criminal law enforcement and national security, and may impinge on the data importer's and/or the data exporter's ability to comply with their commitments taken in the BCR-C, taking into account the circumstances surrounding the transfer. In case of such possible impingement, the data exporter in an EEA Member State, if needed with the help of the data importer, should assess whether it can provide supplementary measures in order to exclude such impingement and therefore to nevertheless ensure, for the envisaged transfer at hand, an essentially equivalent level of protection as provided in the EU. Deploying such supplementary measures is the responsibility of the data exporter and remains its responsibility even after approval of the BCR-C, and as such, they are not assessed by the Supervisory Authorities as part of the approval process of the BCR-C;
- in any case, where the data exporter is not able to implement supplementary measures necessary to ensure an essentially equivalent level of protection as provided in the EU, personal data cannot be lawfully transferred to a third country under the BCR-C. In the same vein, where the data exporter is made aware of any changes in the relevant third country legislation that undermine the level of data protection required by EU law, the data exporter is required to suspend or end the transfer of personal data at stake to the concerned third countries.

Date, Signature of the applicant (Board level)

PART 2: BACKGROUND PAPER

5. BINDING NATURE OF THE BCR-C
Binding within the entities of the Group

How are the BCR-C made binding upon the members of the Group?
- Intra-Group Agreement
- Unilateral Declaration (hereinafter: UD) if the requirements set out in Section 1.2 of the "Elements and principles" part (= Chapter 3) of these EDPB Recommendations are met
- Other means (only if the Group demonstrates how the binding character of the BCR-C is achieved), please specify

Please attach the draft Intra-Group Agreement / UD / "other means". Please note that these documents will have to be signed at Board level after the BCR-C approval has been obtained.

Please explain the legal basis enabling the member(s) of the Group with delegated data protection responsibility to enforce the BCR-C obligations of other members of the Group (e.g. rights of a parent company residing in corporate law):

Does the internally binding effect of your BCR-C extend to the whole Group? (If some Group members should be exempted, specify how and why)

Binding upon the employees

Your Group may take some or all of the following steps to ensure that the BCR-C are binding on employees, but there may be other steps. Please, give details below.
- Individual and separate agreement(s) / undertaking with sanctions;
- Clause in employment contract with a description of applicable sanctions;
- Collective agreements with sanctions;
- Internal policies with sanctions (but the Group must properly explain how the BCR-C are made binding on employees);
- Other means (but the Group must properly explain how the BCR-C are made binding on employees)

Please provide a summary, supported by extracts as appropriate, to explain how the BCR-C are binding upon employees.

Assets

Please confirm that the liable BCR-C member(s) established on the territory of an EEA Member State (e.g. the European headquarters of the Group, or the member of the Group with delegated data protection responsibilities in the EEA) has made appropriate arrangements to enable itself payment of compensation for any damages resulting from the breach of the BCR-C by BCR members outside the EEA, and explain how this is ensured.
6. EFFECTIVENESS

It is important to show how the BCRs in place within your organization are brought to life in practice, in particular in non-EEA countries where data will be transferred on the basis of the BCRs, as this will be significant in assessing the adequacy of the safeguards. Please provide information on the elements below.

Training and awareness raising (employees)

How are employees trained to identify the data protection implications of their work, i.e. to identify that the relevant privacy policies are applicable to their activities and to react accordingly? (This applies whether these employees are or are not based in the EEA)
- Special training programs
- Employees are tested on BCRs and data protection
- BCRs are communicated to all employees on paper or online
- Review and approval by senior officers of the company

Network of data protection officers (DPO) or appropriate staff

Please confirm that a network of DPOs or appropriate staff (such as a network of privacy officers) is appointed with top management support to oversee and ensure compliance with the BCR for Processors:

Please explain how your network of DPOs or privacy officers functions:
Internal structure:
Role and responsibilities:

Date, Signature of the applicant (Board level) (please also indicate name, position, and contact details)
ANNEX 1: COPY OF THE BCR-C

Please attach a copy of your BCR-C to your application. Please note that all mandatory content needs to be included in the BCR documents (in the core document(s) or its annexes), while "supporting documents" (i.e. documents that are not part of the BCR) may only be submitted for reasons of further explanation [12].

ANNEX 2: COPY OF THE FILLED-OUT TABLE "ELEMENTS AND PRINCIPLES TO BE FOUND IN BCR-C"

Please fill out the table "Elements and Principles to be found in BCR-C" and attach it to your application.

[12] Please note that any documents that are submitted may be subject to access requests based on freedom of information legislation, as applicable.
ELEMENTS AND PRINCIPLES TO BE FOUND IN BCR-C

Table columns: Criteria for BCR-C approval | In BCR-C | In application form | Reference | Comments | References to BCR-C, application form BCR-C, and/or supporting documents [13]

1 BINDING NATURE

Internally

1.1 Duty to respect the BCR-C
In BCR-C: YES | In application form: NO | Reference: Article 47(1)(a) and (2)(c) GDPR [14]
Comments: The BCR-C must be legally binding and should contain a clear duty for each BCR member, including their employees, to respect the BCR-C.

1.2 Explanation of how the BCR-C are internally [15] made binding on the BCR members, and on their employees
In BCR-C: NO | In application form: YES | Reference: Article 47(1)(a) and (2)(c) GDPR
Comments: The Group will have to explain in its application form how the BCR-C are made binding:
i. For each BCR member, by one or more of the following:
a) Intra-group agreement;
b) Unilateral Declaration (hereinafter UD), if the following requirements are met:
- The entity/entities taking responsibility and liability (see Section 1.4 below) is/are located in a Member State recognising UDs as binding;
- The entity/entities taking responsibility and liability (see Section 1.4 below) is/are legally able to bind the other BCR members, and this is expressly provided for, e.g. in a separate written commitment from that entity;
- The BCR-C state the principle that all the entities identified in the UD are bound by the BCR-C;
- The law applicable to the UD is the law of the country of the entity/entities taking responsibility and liability (see Section 1.4 below). The applicable law is expressly stated in the UD; and
- It is the Group's responsibility to verify that any additional requirements of the applicable law for bindingness are met (such as publication of the UD).
c) Other means (only if the Group demonstrates how the binding character of the BCR-C is achieved). The BCR Lead can require corresponding documentation that demonstrates the binding character. [16]
ii. On employees by one or more of:
a) Individual and separate agreement(s) / undertaking with sanctions;
b) Clause in employment contract with a description of applicable sanctions;
c) Collective agreements with sanctions;
d) Internal policies with sanctions; or
e) Other means.
Regarding d) and e) above, the Group should properly demonstrate how those means make the BCR-C binding on the employees.
The BCR Lead can request corresponding documentation that demonstrates the binding character.

[13] To be completed by the applicant by inserting references to the paragraphs/sections/parts of the BCR documents and, if necessary, any supporting documents, that address the respective requirement. Please note that all mandatory content needs to be included in the BCR documents (in the core document(s) or its annexes), while supporting documents (i.e. documents that are not part of the BCR) may only be submitted for reasons of further explanation. Furthermore, it is not necessary to copy & paste text from the BCR documents, but it suffices mentioning the relevant sections of the documents as such. Examples: Section 4.1 of the BCR document and paragraph 2.1 of Annex I (intra-group agreement); Part 2, Section 4 of the Application, Section 2.1 of the BCR document and paragraph 3 of Annex 2 (Audit concept).
[14] References in this paper to GDPR provisions do not imply that GDPR applies directly to the BCR members acting as data importers, but should rather be understood as the threshold for commitments that need to be made in a BCR. If the BCR make reference to GDPR provisions, possible wording to indicate this might e.g. be "in line with Article X of the GDPR", "as those provided for by Article X of the GDPR".
[15] Please note that besides having internal binding nature (i.e. binding effect on the BCR members and their employees) the BCR-C must also have an external binding effect in the sense of providing legal enforceability (of certain parts of the BCR-C) for the data subjects by creating third party beneficiary rights. See Section 1.3 below as regards this external binding effect.
[16] The most straightforward instrument in this regard is a contractual arrangement (i.e., an intra-group agreement), since contractual arrangements can be legally enforced by third parties as beneficiaries under private law in all Member States.
Externally

1.3.1 Creation of third party beneficiary rights that are enforceable by data subjects
In BCR-C: YES | In application form: NO | Reference: Article 47(1)(b), (2)(c) and (e) GDPR
Comments: The BCR-C must expressly confer rights to data subjects to enforce the BCR-C as third party beneficiaries, at least as regards the following elements of the BCR-C:
- Data protection principles, lawfulness of processing, security and personal data breach notifications, restrictions on onward transfers (see Article 47(2)(d) GDPR, and Sections 5.1.1, 5.1.2, 5.1.3 second paragraph 3rd indent [duty to notify without undue delay to data subjects where the personal data breach is likely to result in a high risk to their rights and freedoms], and 5.1.4 below);
- Transparency and easy access to the BCR-C (see Article 47(2)(g) GDPR, and Sections 1.7 and 5.1.1 below);
- Rights of information, access, rectification, erasure, restriction, notification regarding rectification or erasure or restriction, objection to processing, right not to be subject to decisions based solely on automated processing, including profiling (see Article 47(2)(e), Articles 15 to 19, 21 and 22 GDPR, and Section 5.2 below);
- Obligations in case of local laws and practices affecting compliance with the BCR-C and in case of government access requests (see Article 47(2)(m) GDPR, and Section 5.4.1 and 5.4.2 below);
- Right to complain through the Group's internal complaint process (see Article 47(1)(i) GDPR, and Section 3.2 below);
- Cooperation duties with Competent SAs (see Article 47(2)(j), (k), and (l) GDPR, and Section 4.1 below) relating to compliance obligations covered by this third party beneficiary clause;
- Jurisdiction and liability provisions (see Article 47(2)(e) and (f) GDPR, and Sections 1.3.2 and 1.4 below);
- Duty to inform the data subjects about any update of the BCR-C and of the list of BCR members (see Section 8.1 below);
- Third-party beneficiary clause itself (see present Section 1.3.1);
- Right to judicial remedies, redress and compensation (see Section 1.3.2 below).
These rights do not extend to those elements of the BCR-C pertaining to internal mechanisms implemented within entities, such as details of training, audit programme, compliance network, and mechanism for updating the BCR-C.
The Group needs to make sure that third-party beneficiary rights are effectively created to make those commitments binding (see Section 1.2 below).

1.3.2 Right to judicial remedies, redress and compensation for data subjects
In BCR-C: YES | In application form: NO | Reference: Article 47(2)(e) and Articles 77 to 82 GDPR
Comments: The BCR-C shall expressly confer on data subjects the right to judicial remedies and the right to obtain redress and, where appropriate, compensation in case of any breach of one of the enforceable elements of the BCR-C as enumerated in Section 1.3.1 above. The BCR members accept that data subjects may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) GDPR (see Articles 77-82 GDPR).
The BCR members should make sure that all those rights are covered by the third party beneficiary clause of the BCR-C, for example, by making reference to the clauses, sections, and/or parts of the BCR-C where those rights are regulated, or by listing them in the said third party beneficiary clause.
The BCR-C must confer on data subjects the right to lodge a complaint (by including a direct reference to such right in the relevant BCR-C documents that are binding and published):
- with a SA, in particular in the Member State of the data subject's habitual residence, place of work or place of the alleged infringement; and
- before the competent court of the Member States where the controller or processor has an establishment, or where the data subject has their habitual residence.

1.4 One or more BCR member(s) in the EEA with delegated data protection responsibility accept liability for paying compensation to data subjects and remedying breaches of the BCR-C (hereinafter "Liable BCR Member(s)")
In BCR-C: YES | In application form: NO | Reference: Article 47(2)(f) GDPR
Comments: The BCR-C must contain a duty that, at any given time, one BCR member in the EEA accepts responsibility for and agrees to take the necessary actions to remedy the acts of other BCR members outside of the EEA, and to pay compensation for any material or non-material damages resulting from the violation of the BCR-C by such BCR members (centralised responsibility and liability regime).
SAs may also, on a case by case basis, accept solutions where several BCR members established in the EEA have such responsibility and liability, and where sufficient and adequate assurances are provided by the applicant. Where an alternative mechanism to the centralised responsibility and liability regime is used, the applicant should show that data subjects will be transparently informed, assisted in exercising their rights and not disadvantaged or unduly inhibited in any way by the use of such alternative mechanism.
The BCR-C should also state that, if a BCR member outside the EEA violates the BCR-C, the courts or other judicial authorities in the EEA will have jurisdiction, and data subjects will have the rights and remedies against the Liable BCR member as if the violation had been caused by the latter in the Member State in which it is based, instead of the BCR member outside the EEA.
1.5 The Liable BCR member(s) has sufficient assets
In BCR-C: NO | In application form: YES | Reference: Article 70(1)(i) GDPR
Comments: The application form should contain a confirmation that the Liable BCR member(s) has sufficient assets, or has made appropriate arrangements to enable itself to pay compensation for damages resulting from a breach of the BCR-C.
Such confirmation should be renewed at the occasion of every annual update (see Section 8.1 below).

1.6 The burden of proof lies with the Liable BCR member(s)
In BCR-C: YES | In application form: NO | Reference: Article 47(2)(f) GDPR
Comments: The BCR-C must contain the commitment that where data subjects can demonstrate that they have suffered damage and establish facts which show it is likely that the damage has occurred because of the breach of the BCR-C, it will be for the Liable BCR member to prove that the BCR member outside of the EEA was not responsible for the breach of the BCR-C giving rise to those damages, or that no such breach took place.
1.7 Easy access to the BCR-C for data subjects
In BCR-C: YES | In application form: NO | Reference: Article 47(2)(g) GDPR
Comments: The BCR-C must contain the commitment that all data subjects should be provided with information on their third party beneficiary rights, with regard to the processing of their personal data, and on the means to exercise those rights.
Furthermore, the BCR-C must contain the commitment that data subjects will be provided at least with the description of the scope of the BCR-C (see Section 2 below), the clause relating to the Group's liability (see Section 1.4 above), the clauses relating to the data protection principles (see Section 5.1.1 below), to the lawfulness of the processing (see Section 5.1.2 below), to security and personal data breach notifications (see Section 5.1.3 below), to restrictions on onward transfers (see Section 5.1.4 below), and the clauses relating to the rights of the data subjects (see Section 5.2 below). This information should be up to date, and presented to data subjects in a clear, intelligible, and transparent way. This information should be provided in full, hence a summary hereof will not be sufficient.
Moreover, the BCR-C must illustrate the way in which such information will be provided. For instance, the BCR-C may state that at least the parts of the BCR-C on which information to data subjects is mandatory (as described in the previous paragraphs) will be published on the internet or on the intranet (when data subjects are only the Group staff having access to the intranet).
In case the Group plans to not publish the BCR-C as a whole, but only certain parts or a specific version aimed at informing data subjects, the Group should expressly provide in the BCR-C the list of the elements that it will include in that public version.
In such situation, the description of the material scope of the BCR-C [17] should always be part of the information on the BCR-C that is publicly available. The list of definitions (see Section 9.1 below) and, if applicable, of abbreviations which are used in the BCR-C, should in any case be included in the parts of the BCR-C which are published. The BCR-C should contain an express commitment in this regard.
The BCR-C must use clear and plain language so that employees and any other person in charge with applying the BCR-C can sufficiently understand them. The same applies to any parts/version of the BCR-C that will be published with the aim of providing access to the BCR-C for data subjects.

2 SCOPE OF THE BCR

2.1 Description of the material scope of the BCR-C
In BCR-C: YES | In application form: YES | Reference: Article 47(2)(b) GDPR
Comments: In order to be transparent as to the scope of the BCR-C, the BCR-C must specify their material scope, and therefore contain a description of the transfers.
The BCR-C must, in particular, specify per transfer or set of transfers [18] (for example, by means of a table):
- the categories of personal data;
- the type of processing and their purposes;
- the categories of data subjects (e.g. data related to employees, customers, suppliers and other third parties as part of the Group's respective regular business activities); and
- the third country or countries.
As to the data subjects covered, BCR-C will apply to all data subjects whose personal data are transferred within the scope of the BCR-C from an entity under the scope of application of Chapter V GDPR. Therefore, the scope of the BCR-C may, in particular, not be limited to EEA citizens or EEA residents.

2.2 List of BCR members, and description of the geographical scope of the BCR-C
In BCR-C: YES | In application form: YES | Reference: Article 47(2)(a) GDPR
Comments: The BCR-C shall specify the structure and contact details of the Group and of each of its BCR members (contact details of the BCR members, such as address and company registration number, where available, should be inserted in the list of BCR members that is part of the BCR-C, for example an annex thereof, that has to be published along with the BCR-C).
The BCR-C should indicate that they at least apply to all personal data transferred to BCR members outside the EEA, and onward transfers to other BCR members outside the EEA.

[17] See Section 2.1 below.
[18] The information on the transfers must be exhaustive in that every transfer or set of transfers must be described. This does not mean that the information must be provided with a high degree of specificity or granularity. Where the description provided by the applicant is too broad, general or vague, the applicant should be able to explain why it is not in a position to provide more detailed information. If and to the extent that any of the elements provided in the transfers description changes in the future, the process for BCR-C updates applies, i.e., information on the amendments to the BCR-C must be provided in the annual BCR-C update notified to the BCR Lead (see Section 8.1 below).
3 EFFECTIVENESS

3.1 Suitable training programme
In BCR-C: YES | In application form: NO | Reference: Article 47(2)(n) GDPR
Comments: The BCR-C must state that appropriate and up to date training on the BCR-C is provided to personnel that have permanent or regular access to personal data, who are involved in the collection of data or in the development of tools used to process personal data.
The training programme, including its materials, has to be developed to a sufficiently elaborate degree before the BCR-C are approved.
Training intervals should be specified in the BCR-C.
Training should cover, among others, procedures of managing requests for access to personal data by public authorities.
The SAs evaluating the BCR-C may ask for examples and explanations of the training programme during the application procedure.

3.2 Complaint handling process for the BCR-C
In BCR-C: YES | In application form: NO | Reference: Article 47(2)(i) and Article 12(3) GDPR
Comments: An internal complaint handling process must be set up in the BCR-C to ensure that any data subject should be able to exercise their rights and complain about any BCR member.
The BCR-C (or, depending on the case, the parts of the BCR-C that will be published for the attention of data subjects, see Section 1.7 above) will include the point(s) of contact where data subjects can lodge any complaints related to the processing of their personal data covered by the BCR-C. A single point of contact or a number of points of contact are possible. In this regard, a physical address should be provided. Additionally, further contact options may be provided, e.g. a generic email address and/or a phone number.
While data subjects are encouraged to use the point(s) of contact indicated, this is not mandatory.
The BCR-C must contain the duty for the controller to provide information on actions taken to the complainant without undue delay, and in any event within one month, by a clearly identified department or person with an appropriate level of independence in the exercise of their functions. Taking into account the complexity and number of the requests, that one month period may be extended at maximum by two further months, in which case the complainant should be informed accordingly.
The BCR-C (or, depending on the case, the parts of the BCR-C that will be published for the attention of data subjects, see Section 1.7 above) should include information about the practical steps of the complaint process, in particular:
- Where to complain (point(s) of contact; see above);
- In what form;
- Consequences of delays for the reply to the complaint;
- Consequences in case of rejection of the complaint;
- Consequences in case the complaint is considered as justified; and
- Consequences if the data subject is not satisfied by the reply, i.e., right to lodge a claim before the competent court and a complaint before a SA (see Section 1.3.2 above), while clarifying that such right is not dependent on the data subject having used the complaint handling process beforehand.

3.3 Audit programme covering the BCR-C
In BCR-C: YES | In application form: NO | Reference: Article 47(2)(j) and (l), and Article 38(3) GDPR
Comments: The BCR-C must create a duty for the Group to have data protection audits on a regular basis (by either internal and/or external accredited auditors) and if there are indications of non-compliance to ensure verification of compliance with the BCR-C.
The audit frequency envisaged should be specified in the BCR-C. The frequency needs to be determined on the basis of the risk(s) posed by the processing activities covered by the BCR-C to the rights and freedoms of data subjects.
In addition to the regular audits, specific audits (ad hoc audits) may be requested by the Privacy officer or Function (see Section 3.4 below), or any other competent function in the organisation.
If audits will be carried out by external auditors, the BCR-C should specify the conditions under which such auditors may be entrusted.
The BCR-C should state which entity (department within the Group) decides on the audit plan/programme, and which entity will conduct the audit. Data protection officers should not be the ones in charge of auditing compliance with the BCR-C, if such situation can result in a conflict of interests. Functions that may possibly be entrusted with deciding on the audit plan/programme and/or with conducting audits include, for instance, Audit Departments, but other appropriate solutions may be acceptable too provided that:
- the persons in charge are guaranteed independence as to the performance of their duties related to these audits; and
- the BCR-C include an explicit commitment in this regard.
The BCR-C should state that the audit programme covers all aspects of the BCR-C (for instance, applications, IT systems, databases that process personal data, or onward transfers, decisions taken as regards mandatory requirements under national laws that conflict with the BCR-C, review of the contractual terms used for the transfers out of the Group to controllers or processors of data, corrective actions, etc.), including methods and action plans ensuring that corrective actions have been implemented.
It is not mandatory to monitor all aspects of the BCR-C each time a BCR member is audited, as long as all aspects of the BCR-C are monitored at appropriate regular intervals for that BCR member.
Moreover, the BCR-C should state that the results will be communicated:
- to the Privacy officer or Function (see Section 3.4 below);
- to the board of the Liable BCR member; and
- where appropriate, also to the Group's ultimate parent's board.
The BCR-C must state that Competent SAs can have access to the results of the audit upon request.
Since SAs are already bound by an obligation of confidentiality in the course of exercising their public office (see in particular Article 54(2) GDPR), the BCR-C should not contain wording aimed at restricting the duty of all BCR members to communicate the results of the audit(s) to the SAs on grounds of confidentiality, e.g. related to the protection of business secrets.

3.4 Creation of a network of data protection officers (DPOs) or appropriate staff for monitoring compliance with the BCR-C
In BCR-C: YES | In application form: NO | Reference: Article 47(2)(h) and Article 38(3) GDPR
Comments: The BCR-C must contain a commitment to designate a DPO, where required in line with Article 37 GDPR, or any other person or entity (such as a chief privacy officer) with responsibility to monitor compliance with the BCR-C, enjoying the highest management support for the fulfilling of this task.
The DPO or the other privacy professionals can be assisted by a team, a network of local DPOs or local contacts, as appropriate (hereinafter "Privacy officer or Function").
The DPO shall directly report to the highest management level. In addition, the DPO can inform the highest management level if any questions or problems arise during the performance of their duties.
The BCR-C should include a brief description of the internal structure, role, position and tasks of the DPO or similar function and the network created to ensure compliance with the BCR-C. For example, that the DPO or chief privacy officer informs and advises the highest management, deals with Competent SAs' investigations, monitors and annually reports on compliance at a global level, and that local DPOs or local contacts can be in charge of handling local complaints from data subjects, reporting major privacy issues to the DPO, monitoring training and compliance at a local level.
The DPO should not have any tasks that could result in conflict of interests. The DPO should not be in charge of carrying out data protection impact assessments, neither should they be in charge of carrying out the BCR-C audits if such situations can result in a conflict of interests. However, the DPO can play a very important and useful role in assisting the BCR members, and the advice of the DPO should be sought for such tasks.
The BCR-C should specify that the DPO or other privacy professionals may be directly contacted. The BCR-C should include a commitment to publish their contact details.
4COOPERATIONDUTY
tocooperatewith,toaccepttobeauditedandtobe inspected,includingwherenecessary,on-site,bythe competentSAs, totakeintoaccounttheiradvice,and
Adoptedversionforpublicconsultation 32
CompetentSAs YES NO Article47(2)(l) GDPRandArticle 31GDPR
4.1Dutytocooperatewith
TheBCRCshouldcontainacleardutyforallBCR members:
- toabidebydecisionsoftheseSAs onanyissuerelatedtotheBCR-C.
TheBCR-Cshallincludetheobligationtoprovidethe CompetentSAs,uponrequest,withanyinformation abouttheprocessingoperationscoveredbythe BCRC.
Since SAs are already bound by an obligation of confidentiality in the course of exercising their public office (see in particular Article 54(2) GDPR), the BCR-C may not contain wording aimed at restricting the duty of all BCR members to cooperate with the Competent SAs, to take into account their advice, to abide by their decisions or to accept to be audited and to be inspected by them including, where necessary, on site, or to accept audits by them, on grounds of confidentiality, e.g. related to the protection of business secrets.
The BCR-C can neither limit the duty to cooperate with Competent SAs nor limit their powers, in particular in relation to the practical modalities of the audits conducted by these SAs (e.g., not limited to business hours).
The BCR-C need to include a commitment that any dispute related to the Competent SA's exercise of supervision of compliance with the BCR-C will be resolved by the courts of the Member State of that SA, in accordance with that Member State's procedural law. The BCR members agree to submit themselves to the jurisdiction of these courts.
5 DATA PROTECTION SAFEGUARDS
5.1.1 Description of the data protection principles
YES / NO    Article 47(2)(d) GDPR and Article 5 GDPR
The BCR-C should explicitly include and describe the following principles to be observed by the BCR members.
The BCR-C need to establish those principles in a sufficiently elaborated manner that is in line with the content of the principles as provided for in the GDPR provisions.
The BCR-C should not include general limitations to the application of these principles (e.g., predefined lists of overriding interests), which limitations can only be applied on a case-by-case basis, and, where applicable, in accordance with the transparency requirements.
i. Transparency, fairness and lawfulness (see Section 5.1.2 below) for processing of personal data, special categories of data, and data relating to criminal convictions and offences (see Article 5(1)(a), and Articles 6, 9, and 10 GDPR);
ii. Purpose limitation (see Article 5(1)(b) GDPR);
iii. Data minimisation and accuracy (see Article 5(1)(c) and (d) GDPR);
iv. Limited storage periods (see Article 5(1)(e) GDPR);
v. Security (integrity and confidentiality, see Section 5.1.3 below, and Article 5(1)(f) GDPR); and
vi. Onward transfers (see Section 5.1.4 below and Chapter V GDPR).
5.1.2 Lawfulness of processing
YES / NO    Article 47(2)(d), Article 5(1)(a), and Articles 6 and 9 GDPR
The BCR-C should contain an exhaustive list of all legal bases for processing which the BCR members intend to rely on. Only legal bases such as those stipulated in Article 6(1) and (3) GDPR, or other legal bases laid down in Union or Member State law, as permitted by the GDPR, can be used [19].
In addition, special categories of personal data may only be processed if exemptions such as the ones envisaged by Article 9(2) GDPR apply. The BCR-C should contain an exhaustive list of all such exemptions.
Processing of personal data relating to criminal convictions and offences shall be prohibited, unless the same exemptions as the ones envisaged by Article 10 GDPR apply.
[19] As regards possible conflicts with third country legal obligations, see Section 5.4.1 below.
5.1.3 Security and personal data breach notifications
YES / NO    Article 47(2)(d) and Articles 32 to 34 GDPR
The BCR-C should include a commitment to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk(s) for the rights and freedoms of natural persons (see Article 5(1)(f) and Article 32 GDPR). It is not mandatory to copy-paste the wording of such GDPR provisions. However, the BCR-C need to create those obligations in a sufficiently elaborated manner that is in line with the content of these provisions.
The BCR-C should include a duty to notify:
- without undue delay, any personal data breaches to the Liable BCR member and the relevant Privacy officer or Function, as well as to the BCR member acting as a controller when a BCR member acting as a processor becomes aware of a data breach;
- without undue delay, and, where feasible, not later than 72 hours after having become aware of the personal data breach, to the Competent SA, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
- without undue delay, to data subjects, where the personal data breach is likely to result in a high risk to their rights and freedoms.
Furthermore, any personal data breach should be documented (comprising the facts relating to the personal data breach, its effects, and the remedial action taken), and the documentation should be made available to the Competent SA upon request (see Articles 33 and 34 GDPR).
5.1.4 Restrictions on onward transfers
YES / NO    Article 47(2)(d) GDPR and Article 44 GDPR
The BCR-C should contain the commitment that personal data that have been transferred under the BCR may only be onward transferred outside the EEA to processors and controllers which are not bound by the BCR-C [20] if the conditions for transfers laid down in Articles 44 to 46 GDPR are applied in order to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined. In the absence of an adequacy decision or appropriate safeguards, the BCR-C may include a provision that onward transfers may exceptionally take place if a derogation applies in line with Article 49 GDPR.
[20] For onward transfers to other BCR members outside the EEA, see Section 2.2 above.
5.2 Rights of data subjects
YES / NO    Article 47(2)(e), Articles 12 to 19 and 21 to 22 GDPR
The BCR-C should provide data subjects with the rights of information, access, rectification, erasure, restriction, notification regarding rectification or erasure or restriction, objection to processing, and the right not to be subject to decisions based solely on automated processing, including profiling, in the same way as these rights are provided for by Articles 12 to 19, and Articles 21 and 22 GDPR.
It is not mandatory to copy-paste the wording of the abovementioned GDPR provisions. However, the BCR-C need to create those rights in a sufficiently elaborated manner that is in line with the content of these provisions.
5.3 Accountability and other tools
YES / NO    Article 47(2)(d), and Articles 30, 35 and 36 GDPR
Every BCR member acting as controller shall be responsible for and able to demonstrate compliance with the BCR-C (see Article 5(2) and Article 24 GDPR).
The BCR-C need to contain a commitment to enter into contracts with all internal and external contractors/processors and must specify the content of such contracts, as set out in Article 28(3) GDPR, including the duty to follow the controller's instructions and implement appropriate technical and organisational measures.
The BCR-C should contain a commitment that, in order to demonstrate compliance, BCR members have to maintain a record of all categories of processing activities carried out on personal data transferred under these BCR-C. The BCR-C must specify the content of the record, in line with what is required by Article 30(1) (for controllers) and Article 30(2) (for processors). This record should be maintained in writing, including in electronic form, and should be made available to the Competent SA on request.
The BCR-C should contain the commitment that data protection impact assessments should be carried out for processing operations on personal data transferred under these BCR-C that are likely to result in a high risk to the rights and freedoms of natural persons (see Article 35 GDPR).
Where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the BCR member acting as a controller should, prior to processing, consult the Competent SA (see Article 36 GDPR).
The BCR-C should envisage that appropriate technical and organisational measures designed to implement data protection principles and to facilitate compliance, in practice, with the requirements set up by the BCR-C, should be implemented (data protection by design and by default, see Article 25 GDPR).
importer in case of government access requests
YES / NO    Article 47(2)(m) GDPR
officer or Function will inform all other BCR members of the assessment carried out and of its results, so that the identified supplementary measures will be applied in case the same type of transfers is carried out by any other BCR member or, where effective supplementary measures could not be put in place, the transfers at stake are suspended or ended.
The BCR-C needs to include a duty for data exporters to monitor, on an ongoing basis, and where appropriate in collaboration with data importers, developments in the third countries to which the data exporters have transferred personal data that could affect the initial assessment of the level of protection and the decisions taken accordingly on such transfers.
Without prejudice to the obligation of the BCR member acting as data importer to inform the data exporter of its inability to comply with the commitments contained in the BCR-C (see Section 5.4.1 above), the BCR-C should also include the following commitments:
i. The BCR member acting as data importer will promptly notify the data exporter and, where possible, the data subject (if necessary with the help of the data exporter) if it:
a) receives a legally binding request by a public authority under the laws of the country of destination, or of another third country, for disclosure of personal data transferred pursuant to the BCR-C;
such notification will include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided;
b) becomes aware of any direct access by public authorities to personal data transferred pursuant to the BCR-C in accordance with the laws of the country of destination; such notification will include all information available to the data importer.
ii. If prohibited from notifying the data exporter and/or the data subject, the data importer will use its best efforts to obtain a waiver of such prohibition, with a view to communicating as much information as possible and as soon as possible, and will document its best efforts in order to be able to demonstrate them upon request of the data exporter.
iii. The data importer will provide the BCR member acting as data exporter, at regular intervals, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority or authorities, whether requests have been challenged and the outcome of such challenges, etc.). If the data importer is or becomes partially or completely prohibited from providing the data exporter with the aforementioned information, it will, without undue delay, inform the data exporter accordingly.
iv. The data importer will preserve the abovementioned information for as long as the personal data are subject to the safeguards provided by the BCR-C, and shall make it available to the Competent SAs upon request.
v. The data importer will review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and will challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law, and principles of international comity.
The data importer will, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer will seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It will not disclose the personal data requested until required to do so under the applicable procedural rules.
vi. The data importer will document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It will also make it available to the Competent SAs upon request.
vii. The data importer will provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
In any case, the BCR-C should state that transfers of personal data by a BCR member to any public authority cannot be massive, disproportionate and indiscriminate in a manner that would go beyond what is necessary in a democratic society (as to the consequences of such cases, see Section 5.4.1 above).
6 TERMINATION
6.1 Termination
YES / NO    Article 70(1)(i) GDPR
The BCR-C should specify that a BCR member acting as data importer, which ceases to be bound by the BCR-C, may keep, return, or delete the personal data received under the BCR-C.
If the data exporter and data importer agree that the data may be kept by the data importer, protection must be maintained in accordance with Chapter V GDPR.
7 NON-COMPLIANCE
7.1 Non-Compliance
YES / NO    Article 70(1)(i) GDPR
The BCR-C should contain commitments as to the following obligations:
i. No transfer is made to a BCR member unless the BCR member is effectively bound by the BCR-C and can deliver compliance.
ii. The data importer should promptly inform the data exporter if it is unable to comply with the BCR-C, for whatever reason, including the situations further described under Section 5.4.1 above.
iii. Where the data importer is in breach of the BCR-C or unable to comply with them, the data exporter should suspend the transfer.
iv. The data importer should, at the choice of the data exporter, immediately return or delete the personal data that has been transferred under the BCR-C in its entirety, where:
- the data exporter has suspended the transfer, and compliance with this BCR-C is not restored within a reasonable time, and in any event within one month of suspension; or
- the data importer is in substantial or persistent breach of the BCR-C; or
- the data importer fails to comply with a binding decision of a competent court or Competent SA regarding its obligations under the BCR-C.
The same commitments should apply to any copies of the data. The data importer should certify the deletion of the data to the data exporter.
Until the data is deleted or returned, the data importer should continue to ensure compliance with the BCR-C.
In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer should warrant that it will continue to ensure compliance with the BCR-C, and will only process the data to the extent and for as long as required under that local law.
For cases where applicable local laws and/or practices affect compliance with the BCR-C, see Section 5.4.1 above.
8 MECHANISMS FOR REPORTING AND RECORDING CHANGES
8.1 Process for updating the BCR-C
YES / NO    Article 47(2)(k) GDPR
The BCR-C have to be kept up to date in order to reflect the current situation (for instance to take into account modifications of the regulatory environment, these EDPB Recommendations, or changes to the scope of the BCR-C).
The BCR-C should impose a duty to report changes, including to the list of BCR members, without undue delay, to all BCR members.
The BCR-C should identify a person or team/department that keeps a fully updated list of the BCR members, keeps record of any updates to the BCR-C, and provides the necessary information to data subjects, and, upon request, to Competent SAs.
Where a modification to the BCR-C would possibly be detrimental to the level of the protection offered by the BCR-C or significantly affect them (e.g. changes to the binding character, change of the Liable BCR member(s)), it must be communicated in advance to the SAs, via the BCR Lead, with a brief explanation of the reasons for the update. In this case, the SAs will also assess whether the changes made require a new approval.
Any other changes to the BCR-C or to the list of BCR members should be notified once a year to the SAs, via the BCR Lead, with a brief explanation of the reasons for the update. This includes any changes made in order to align the BCR-C with any updated version of these EDPB Recommendations.
It remains the responsibility of the BCR-C holder to keep it up-to-date and in compliance with Article 47 GDPR and these EDPB Recommendations.
9 DEFINITIONS
9.1 List of definitions
YES / NO    Article 70(1)(i) GDPR
The applicant should include a list of definitions in the BCR-C. The list should include the most relevant terms. To the extent the BCR-C contain terms defined in the GDPR, the definitions provided should not vary from the GDPR. For better readability, these definitions should be replicated in the list.
If the terms "data exporter" and "data importer" are used, they must be defined. The applicant may find it useful to add further terms and their definitions.
If the term "Competent SA(s)" is used by the applicant, it should be defined as referring to the EEA data protection SA competent for the data exporter.
Where the term "applicable law" is used, it should be clarified, in each case, whether it refers to national/local law of a third country as applicable to the BCR members. In any case, BCR members must comply with the requirements set out under Sections 5.4.1 and 5.4.2 above.
References to GDPR provisions should generally be avoided. However, if there is a need for reference to a particular provision of the GDPR, it should be quoted in full in the BCR-C.
For the European Data Protection Board
The Chair
(Andrea Jelinek)