
The European Data Protection Board
Having regard to Article 70(1)(i) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, (hereinafter "GDPR"),
Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA Joint Committee No 154/2018 of 6 July 2018[1],
Having regard to Articles 12 and 22 of its Rules of Procedure,
HAS ADOPTED THE FOLLOWING RECOMMENDATIONS:
INTRODUCTION
1. The GDPR expressly provides for the use of binding corporate rules (hereinafter "BCR") by a group of undertakings, or a group of enterprises engaged in a joint economic activity (hereinafter "Group"), for transfers of personal data in the sense of Article 44 GDPR.
2. On 6 February 2018, the Article 29 Working Party (hereinafter "WP29") adopted a table with the elements and principles to be found in BCR in order to reflect the requirements referring to BCR (hereinafter "WP256 rev.01"). The European Data Protection Board (hereinafter "EDPB") endorsed WP256 rev.01 on 25 May 2018. These Recommendations repeal and replace WP256 rev.01, while in substance building on it.
3. On 11 April 2018, the WP29 adopted Recommendations on the Standard Application for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data (hereinafter "WP264"). The EDPB endorsed WP264 on 25 May 2018. These Recommendations repeal and replace WP264, while in substance building on it.
4. These Recommendations are meant to:
- Provide a standard form for the application for approval of BCR for controllers (hereinafter "BCR-C");
- Clarify the necessary content of BCR-C as stated in Article 47 GDPR;
- Make a distinction between what must be included in BCR-C and what must be presented to the BCR Lead supervisory authority (hereinafter "BCR Lead")[2] in the BCR application; and
- Provide explanations and comments on the requirements.

[1] References to Member States made throughout this document should be understood as references to EEA Member States.

Adopted - version for public consultation
5. BCR-C are suitable for framing transfers of personal data from controllers covered by the geographical scope of the GDPR pursuant to Article 3 GDPR[3] to other controllers or to processors (established outside the EEA) within the same Group, whereas BCR for processors (hereinafter "BCR-P") apply to data received from a controller that is not a member of the Group, and which are then processed by the concerned Group members as processors and/or sub-processors. Hence, the obligations set out in BCR-C apply in relation to entities within the same Group acting as controllers and to entities acting as internal processors. As for this last case, it is worth recalling that, in addition to the BCR-C, a contract or other legal act under Union or Member State law, binding on the processor with regard to the controller and comprising all requirements set out in Article 28(3) GDPR, must be signed by each controller acting as data exporter with all internal processors[4]. Indeed, the obligations set forth in BCR-C apply to entities of the Group receiving personal data as ("internal") processors only to the extent that this does not contradict the contract or other legal act entered into under Article 28(3) GDPR (i.e., Group members processing as processors on behalf of Group members acting as controllers should primarily abide by that contract).
6. EU data protection legislation applicable to members of the Group must be complied with and cannot be overruled by provisions in the BCR-C, unless the BCR-C voluntarily provide for a higher level of protection.
7. Pursuant to Article 46(2)(b) GDPR, BCR are appropriate safeguards for transfers of personal data to third countries. BCR create enforceable rights and set out commitments in order to create, for the personal data transferred under the BCR, a level of protection essentially equivalent to the one provided by the GDPR. Therefore, it is not sufficient for the BCR-C to merely make reference to provisions of the GDPR; BCR-C applicants should instead expressly formulate the requirements within their BCR-C.
[2] See WP29 Working Document setting forth a co-operation procedure for the approval of Binding Corporate Rules for controllers and processors under the GDPR, WP263 rev.01, adopted on 11 April 2018, endorsed by the EDPB. Available at https://edpb.europa.eu/our-work-tools/general-guidance/endorsed-wp29-guidelines_en.
[3] Please note that at least one Group member in the EEA is required (see Chapter 3, Section 1.4 of these Recommendations).
[4] Article 28(3) GDPR requires, among others, for each controller-to-processor relationship a specification, by way of contract or other legal act, of the subject-matter, the duration, the nature and purposes of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. A generic description included in a BCR-C regarding the categories of data, data subjects etc. would not be sufficient in this regard.
8. BCR are subject to approval[5] by the BCR Lead. In this respect, it is worth highlighting the difference between the BCR Lead, which is competent for issuing the approval of the BCR, and the supervisory authority (hereinafter "SA") that is competent for a specific transfer carried out by a certain controller under that BCR-C[6].
9. The draft approval decision of the BCR Lead is subject to an opinion by the EDPB[7]. The approval confirms that the requirements set out in Article 47 GDPR are met, and therefore that the commitments included in the BCR will provide for appropriate safeguards in the sense of Article 46 GDPR.
10. However, the approval does not include an assessment of whether each processing is in line with all requirements of the GDPR and the BCR. For instance, each data exporter needs to ensure that the requirements set out in Article 6 GDPR (lawfulness of processing) and Article 28 GDPR (for transfers to processors), or any additional formalities specified by the national law of a Member State, if any, are met for each transfer. Furthermore, it is the responsibility of each data exporter to assess, for each transfer and on a case-by-case basis, whether there is a need to implement supplementary measures in order to provide for a level of protection essentially equivalent to the one provided by the GDPR[8]. Such supplementary measures are the responsibility of the data exporter and, as such, are not assessed by SAs as part of the process of approval of BCR.
11. The BCR approval only covers transfers of personal data to third countries. Groups may nonetheless design BCR to be used as their global data protection policy. However, the scope of the approval of the BCR by the BCR Lead is always limited to transfers of personal data from entities under the scope of application of the GDPR[9] to third countries and their onward transfers to other Group members that are bound by the BCR (hereinafter "BCR member(s)") outside the EEA.
12. Once approved, BCR can be used for transfers from all relevant Member States, and the SA competent for the data exporter will also be competent to assess the respect of the BCR by the data importer in the third country in relation to the relevant transfers.
13. The EDPB expects all BCR-C holders to bring their BCR-C in line with the requirements set out below. This includes BCR-C that have been approved before the publication of these Recommendations. Such changes will have to be done in compliance with the commitments taken in their BCR-C in accordance with Section 5.1 below.
[5] In accordance with Article 47(1) GDPR.
[6] Throughout these Recommendations, the term "Competent SA(s)" refers to the data protection SA(s) competent for the data exporter(s) of the specific transfer.
[7] In accordance with Article 46(4), Article 64(1)(f) and Article 64(3) GDPR.
[8] See Chapter 3 of these Recommendations, Section 5.4.1, and EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, available at https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en.
[9] Please note that at least one Group member in the EEA is required (see Chapter 3, Section 1.4 of these Recommendations).