The Spanish DPA, AEPD, has approved its first Binding Corporate Rules (BCRs) under the GDPR. The AEPD acted as lead DPA and counted with the EDPB’s favourable Opinion.
The AEPD has issued their final opinion concerning the first binding corporate rules drafted by Fujikura Automotive Europe Group, two months after the EDPB approved them. This will be included in the register of decisions which have been subject to the consistency mechanism, and it means that Fujikura Automotive Europe Group will be free to use, from now onwards, the BCRs for transferring personal data to the group members based in third countries with appropriate safeguards.
What are BCRs?
GDPR defines Binding Corporate Rules as “personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity”.
Once approved by the competent DPA, BCRs are considered a valid instrument that provides appropriate safeguards for personal data transfers to third countries.
What is the approval process of BCRs?
First, the lead DPA confirms whether the draft BCRs include all article 47.2 GDPR mandatory requirements. Then, pursuant the consistency mechanism covered in articles 63 and 64.1 GDPR, the EDPB should issue their opinion, after which the lead DPA communicate their final decision and, where approved, BCRs are included in the relevant register.
How did the process apply to this case?
Pursuant to Recital 110 GDPR, “a group of undertakings should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group”, as long as said BCRs include “all essential principles and enforceable rights to ensure appropriate safeguards for transfers”.
Back to this case, the BCRs were first drafted by Fujikura Automotive Europe Group and the AEPD reviewed them as the Lead DPA. Accordingly, the AEPD submitted its draft decision to the EDPB, who, early this year, issued their opinion, by which they considered that the BCRs contained appropriate safeguards to ensure that the level of protection of natural persons guaranteed by the GDPR was not undermined when transferring and processing personal data to and by the group members based in third countries. Two months after, the AEPD has finally approved them and communicated their final decision to the EDPB.
Do you need assistance with the appropriate safeguards that should apply to international transfers of personal data? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. Contact us today.