The EDPB recently published Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules.

The European Data Protection Board (EDPB) has recently adopted recommendations for the Controller Binding Corporate Rules (BCR-Cs) during their November plenary. The document includes recommendations on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules. These recommendations serve as an update to the existing BCR-C referential and seeks to clarify key content within the BCR-Cs, provide the public with the updated standard application form for the approval of BCR-Cs, as well as distinguish between what must be included in BCR-Cs and what needs to be presented in the BCR application. These recommendations will remain open for public consultation until 10th January, 2023. 

The Recommendation on the Controller Binding Corporate Rules include detailed guidance on various aspects of the transfer tool. 

Binding Corporate Rules facilitate transfers for a group of undertakings or enterprises to other entities of the same group, outside of the European Economic Area. The BCRs establish enforceable rights and clear commitments to maintain a level of data protection essentially comparable to that provided under the GDPR. The recommendations published by the EDPB contain guidance on how the BCR-Cs are internally made binding on the BCR members, and on their employees. Additionally, the recommendations contain guidance on the creation of third-party beneficiary rights that are enforceable by data subjects. The document goes on to detail data subjects’ right to judicial remedies, redress and compensation, as well as several other possible situations which may arise with the use of Binding Corporate Rules as a transfer mechanism and guidance on how these situations are to be handled under the GDPR. This includes guidance on making changes or updates to existing binding corporate rules, how to handle government access requests, how to deal with local laws and practices which may conflict with the Binding Corporate Rules. . 

The EDPB welcomes comments on the Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules.

The published recommendations are open for public consultation until 10th January 2023. The EDPB therefore welcomes questions and comments through a form provided on this section of  their website until that date. These comments will be screened, and then may be published on the EDPB website. In the meantime, a second set of recommendations, on processor binding corporate rules is currently being developed and will go through the same process. 

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.