19 Jun WP29 on the Cooperation Procedure for the approval of the Binding Corporate Rules for controllers and processors
On April 11th 2018 the Article 29 Working Party (hereinafter, the “WP29”), with the aim of providing a smooth and effective cooperation procedure in line with the EU General Data Protection Regulation (hereinafter, the “GDPR”), published a Working Document on the approval of Binding Corporate Rules (“BCRs”) for controllers and processors.
According to Article 47 of the GDPR, a group of undertakings or a group of enterprises engaged in a joint economic activity (“Group” or “applicant”) may lawfully transfer personal data within the same corporate group to countries that do not provide an adequate level of protection if their internal BCRs are approved by the competent Supervisory Authority (“DPA”). The document contains important clarifications on the rules governing the approval procedure, which are laid down in Articles 63, 64 and 65 of GDPR.
Firstly, the Working document sets out the following criteria that must be considered by the applicant in order to identify and propose a DPA as the BCR Lead Authority (“BCR Lead”), which will act as a single contact-point for the applicant during the approval process and the cooperation phase:
- the location(s) of the Group’s European headquarters;
- the location of the company within the Group with delegated data protection responsibilities;
- the location of the company which is the best placed (in terms of management functions, administrative burden, etc.) to both deal with the application but also to enforce the BCRs in the Group;
- the place where most decisions in terms of the purposes and the means of the processing are taken;
- the member state within the EU from which most or all transfers outside the European Economic Area will take place.
It is the BCR Lead which, after having discussed and reviewed the application together with the applicant and with the aid of two additional DPAs concerned, shall propose a “consolidated draft”, which will circulate among all concerned DPAs for comments. If no such comment is submitted within the period of one month, the DPAs concerned is deemed to have agreed to the “consolidated draft”.
However, in the case where comments were posed by the DPAs concerned, the BCR Lead shall resume discussions with the applicant (if necessary) and invite them to put forward a “final draft” on which the European Data Protection Board will adopt an opinion.
In this regard, the WP29 clarifies that the responsibility to inform all concerned DPAs of any updates to the BCRs (both prior and subsequent of their approval) as well as to the list of BCR members, remains with the BCR Lead and not with the applicant, who is also exempted from obtaining a specific authorisation from other concerned DPAs, once approval is given by the BCR Lead.
As a general rule all documents, including the consolidated draft of the BCRs should be provided by the applicant in the language of the BCR Lead. Specifically, the applicant must translate the final draft of the approved BCRs into the languages of the concerned DPAs.
The Group interested in submitting draft Binding Corporate Rules for approval, shall:
- identify the relevant BCRs Lead and justify the proposal on the basis of the above-listed criteria;
- provide the BCR Lead with all appropriate information including relevant information on the processing activities regarding the transfer;
- engage with the BCR Lead in the discussion and reviewing process of the proposal;
- send the BCR Lead, on request, the “final draft” of the BCRs;
- translate the approved BCRs to the relevant languages of the concerned DPAs.