APPLICATION FORM
General Instructions for Applicants:
Only a single copy of the form need be filled out and submitted to the Supervisory Authority (SA) you consider to be the BCR Lead in accordance with Articles 47(1) and 64 GDPR and the WP 263; this form may be used in all EEA Member States. In case of application for both BCR-C and BCR-P, separate forms need to be filled out for each BCR. Please fill out all entries of Part I of the application form and submit the form to the SA you consider to be the BCR-C Lead. As soon as a decision on the BCR Lead has been made (see WP263), the BCR Lead will determine when it will invite you to fill out and submit Part II of the application form including its Annexes. You may attach additional pages or annexes if there is insufficient space to complete your responses. You may indicate any responses or materials that are in your opinion commercially sensitive and should be kept confidential but, in any case, be aware that the relevant document will be shared among the concerned SAs and the EDPB which, under Article 64 GDPR, has to issue its opinion on the approval draft decision of your BCR-C. Requests by third parties for disclosure of such information will, however, be handled by each SA involved in accordance with national legislation. The next steps of the procedure are described in WP263.
Instructions for Filling In Part 1 (applicant information):
Section 1: Structure and Contact Details of the Applicant and of the Group
If the Group has its headquarters in the EEA the form should be filled out and submitted by that EEA entity. If the Group has its headquarters outside the EEA, then the Group should appoint a Group entity located inside the EEA as the Group member with delegated data protection responsibilities. This is the entity which should then submit the application on behalf of the Group.
Contact details for queries:
o Please indicate a contact to whom queries may be addressed concerning the application.
o This contact does not need to be located in the EEA, although this might be advisable for practical reasons.
o You may indicate a function rather than a specific person.
Adopted - version for public consultation
Section 2: Short description of data flows
The applicant should also give a brief description of the scope and nature of the data flows to third countries for which approval is sought.
Section 3: Determination of the BCR Lead
In accordance with Article 64 GDPR, the BCR Lead is the authority in charge of coordinating the approval of your BCR-C, which then could be considered appropriate safeguards for transfers of personal data by Group members to third countries, without requiring any specific authorisation for the use of the BCR-C from the other SAs concerned.
o Before you approach one SA as the presumptive BCR Lead, you should examine the factors listed in Section 1 of WP 263. Based on these factors you should explain in Part 1.3 of the Application Form which SA should be the BCR Lead. The SAs are not obligated to accept the choice that you make if they believe that another SA is more suitable to be BCR Lead, in particular if it would be worthwhile for speeding up the procedure (e.g. taking into account the workload of the originally requested SA).
Application Form for Approval of Controller Binding Corporate Rules (“BCR-C”)
PART 1: APPLICANT INFORMATION
1. STRUCTURE AND CONTACT DETAILS OF THE GROUP OF UNDERTAKINGS OR GROUP OF ENTERPRISES ENGAGED IN A JOINT ECONOMIC ACTIVITY (THE GROUP)
Name of the Group and location of its headquarters:
Does the Group have its headquarters in the EEA? Yes / No
Name and location of the applicant:
Identification number (if any):
Legal nature of the applicant (corporation, partnership, etc.):
Description of position of the applicant within the Group: (e.g. headquarters of the Group in the EEA, or, if the Group does not have its headquarters in the EEA, the member of the Group inside the EEA with delegated data protection responsibilities)
Name and/or function of contact person (note: the contact person may change, you may indicate a function rather than the name of a specific person):
Address:
Country:
Phone number:
E-Mail:
EEA Member States from which the BCR-C will be used:
2. SHORT DESCRIPTION OF PROCESSING AND DATA FLOWS [10]
Please indicate the following:
- Nature of the data covered by the BCR-C, and in particular, if they apply to one category of data or to more than one category, the type of processing and its purposes, the types of data subjects affected (for instance, data related to employees, customers, suppliers and other third parties as part of their respective regular business activities, …)
- Do the BCR-C only apply to transfers from the EEA, or do they apply to all transfers between members of the group?
- Please specify from which country most of the data are transferred outside the EEA:
- Extent of the transfers within the Group that are covered by the BCR-C; including a description and the contact details of any Group members in the EEA or outside the EEA to which personal data may be transferred
3. DETERMINATION OF THE LEAD SUPERVISORY AUTHORITY (‘BCR LEAD’) [11]
Please explain which should be the BCR Lead, based on the following criteria:
- Location of the Group’s EEA Headquarters
- If the Group is not headquartered in the EEA, the location in the EEA of the Group entity with delegated data protection responsibilities
- The location of the company which is best placed (in terms of management function, administrative burden, etc.) to deal with the application and to enforce the BCR-C in the Group
- The country where most of the decisions in terms of the purposes and the means of the data processing are taken
- EEA Member States from which most of the transfers outside the EEA will take place
[10] See Article 47(2)(a) and (b) GDPR.
[11] See Part 1, WP 263.
4. ACKNOWLEDGEMENT
We acknowledge on behalf of each member of the Group that
- the approval does not include an assessment of whether each processing is in line with all requirements of the GDPR and the BCR as applicable, and that each BCR member needs to ensure that all requirements set out in GDPR and BCR, as applicable, are met for each transfer (e.g., in relation to lawfulness, Article 28 requirements, DPIA where needed, etc.)
- before carrying out any transfer of personal data on the basis of the approved BCR-C to one of the members of the Group, it is the responsibility of any data exporter, if needed with the help of the data importer, to assess whether the legislation of the third country of destination does not prevent the recipient from complying with the BCR-C, including with regard to onward transfer situations. This assessment has to be conducted in order to determine whether any legislation or practices of the third country, applicable to the to-be-transferred data go beyond what is necessary in a democratic society to safeguard important public interest objectives, in particular criminal law enforcement and national security and may impinge on the data importer’s and/or the data exporter’s ability to comply with their commitments taken in the BCR-C, taking into account the circumstances surrounding the transfer. In case of such possible impingement, the data exporter in an EEA Member State, if needed with the help of the data importer, should assess whether it can provide supplementary measures in order to exclude such impingement and therefore to nevertheless ensure, for the envisaged transfer at hand, an essentially equivalent level of protection as provided in the EU. Deploying such supplementary measures is the responsibility of the data exporter and remains its responsibility even after approval of the BCR-C, and as such, they are not assessed by the Supervisory Authorities as part of the approval process of the BCR-C;
- in any case, where the data exporter is not able to implement supplementary measures necessary to ensure an essentially equivalent level of protection as provided in the EU, personal data cannot be lawfully transferred to a third country under the BCR-C. In the same vein, where the data exporter is made aware of any changes in the relevant third country legislation that undermine the level of data protection required by EU law, the data exporter is required to suspend or end the transfer of personal data at stake to the concerned third countries.
Date, Signature of the applicant (Board level)
PART 2: BACKGROUND PAPER
5. BINDING NATURE OF THE BCR-C
Binding within the entities of the Group
How are the BCR-C made binding upon the members of the Group?
Intra Group Agreement
Unilateral Declaration (hereinafter: UD) if the requirements set out in Section 1.2 of the “Elements and principles” part (= Chapter 3) of these EDPB Recommendations are met
Other means (only if the Group demonstrates how the binding character of the BCR-C is achieved), please specify
Please attach the draft Intra Group Agreement / UD / “other means”. Please note that these documents will have to be signed at Board level after the BCR-C approval has been obtained.
Please explain the legal basis enabling the member(s) of the Group with delegated data protection responsibility to enforce the BCR-C obligations of other members of the Group (e.g. rights of a parent company residing in corporate law):
Does the internally binding effect of your BCR-C extend to the whole Group? (If some Group members should be exempted, specify how and why)
Binding upon the employees
Your Group may take some or all of the following steps to ensure that the BCR-C are binding on employees, but there may be other steps. Please give details below.
Individual and separate agreement(s) / undertaking with sanctions;
Clause in employment contract with a description of applicable sanctions;
Collective agreements with sanctions;
Internal policies with sanctions (but the Group must properly explain how the BCR-C are made binding on employees);
Other means (but the Group must properly explain how the BCR-C are made binding on employees)
Please provide a summary, supported by extracts as appropriate, to explain how the BCR-C are binding upon employees.
Assets
Please confirm that the liable BCR-C member(s) established on the territory of an EEA Member State (e.g. the European headquarters of the Group, or the member of the Group with delegated data protection responsibilities in the EEA) has made appropriate arrangements to enable itself payment of compensation for any damages resulting from the breach of the BCR-C by BCR members outside the EEA, and explain how this is ensured.
6. EFFECTIVENESS
It is important to show how the BCRs in place within your organization are brought to life in practice, in particular in non-EEA countries where data will be transferred on the basis of the BCRs, as this will be significant in assessing the adequacy of the safeguards. Please provide information on the elements below.
Training and awareness raising (employees)
- Special training programs
- Employees are tested on BCRs and data protection
- BCRs are communicated to all employees on paper or online
- Review and approval by senior officers of the company
- How are employees trained to identify the data protection implications of their work, i.e. to identify that the relevant privacy policies are applicable to their activities and to react accordingly? (This applies whether these employees are or not based in the EEA)
Network of data protection officers (DPO) or appropriate staff
Please confirm that a network of DPOs or appropriate staff (such as a network of privacy officers) is appointed with top management support to oversee and ensure compliance with the BCR for Processors:
Please explain how your network of DPOs or privacy officers functions:
- Internal structure:
- Role and responsibilities:
Date, Signature of the applicant (Board level)
(please also indicate name, position, and contact details)
ANNEX 1: COPY OF THE BCR-C
Please attach a copy of your BCR-C to your application. Please note that all mandatory content needs to be included in the BCR documents (in the core document(s) or its annexes), while “supporting documents” (i.e. documents that are not part of the BCR) may only be submitted for reasons of further explanation [12].
ANNEX 2: COPY OF THE FILLED-OUT TABLE “ELEMENTS AND PRINCIPLES TO BE FOUND IN BCR-C”
Please fill out the table “Elements and Principles to be found in BCR-C” and attach it to your application.
[12] Please note that any documents that are submitted may be subject to access requests based on freedom of information legislation, as applicable.