On July 22, 2020, the European Data Protection Board (‘EDPB’) released an information note on Binding Corporate Rules (‘BCRs’), which provides guidance for groups of undertakings/enterprises which have the UK ICO as their competent supervisory authority (‘BCR Lead SA’) [1]. Binding Corporate Rules are a means of legitimizing transfers of personal data outside of the EEA under the EU’s General Data Protection Regulation (GDPR).
As a consequence of Brexit, BCR holders having the Information Commissioner’s Office (‘ICO’) as their BCR Lead SA need to identify a new BCR Lead SA in the EEA (in accordance with existing regulatory guidance [2]) and must amend their BCRs before the end of the Brexit transition period. For BCRs already approved under the GDPR, the new BCR Lead SA in the EEA will have to issue a new approval decision following an opinion from the EDPB. Such approval by the new BCR Lead SA is not required for BCRs for which the UK ICO acted as BCR Lead SA under Directive 95/46/EC, the GDPR’s predecessor. It is important to note that current BCR holders will not be able to rely on their BCRs as a valid transfer mechanism for transfers of personal data outside the EEA in the absence of the required changes and/or a new approval before the end of the transition period.
Also, groups of undertakings/enterprises for which BCRs are at the review stage by the ICO need to identify their new BCR Lead SA before the end of the transition period. The new BCR Lead SA will take over the application and formally initiate an approval procedure subject to an opinion of the EDPB.
In order to assist such controllers and processors, the information note contains a checklist of elements that need to be amended for the BCR Lead SA change in the context of Brexit.
The checklist primarily consists of an overview of BCR criteria which are relevant in the context of a BCR Lead SA change, and for each specific criterion, the EDPB provides practical comments, indicating which elements of the BCRs are most likely to be amended due to the BCR Lead SA change.
Some key comments provided by the EDPB in the checklist include that:
- groups of undertakings / enterprises need to ensure that UK controllers and processors are correctly shifted from the exporter- to the importer-side of the BCRs;
- the new entity taking liability for any violations of the BCRs by other BCR members outside of the EEA is located in the EEA and has sufficient financial means to cover any damages in connection with violations of the BCRs ; and
- any reference to the competent SA (in relation to cooperation, reporting, etc.), ‘competent courts’ or ‘national jurisdiction’ refers to EEA SAs, courts and jurisdiction.
Following this month’s Schrems II case (which we cover here), BCRs may hold increasing importance as a means of legitimizing data transfers from the EEA to the rest of the world.
[1] EDPB, Information note on BCRs for Groups of undertakings / enterprises which have ICO as BCR Lead SA, adopted on 22 July 2020, https://edpb.europa.eu/our-work-tools/our-documents/otros/information-note-bcrs-companies-which-have-ico-bcr-lead_en.
[2] Specifically, Article 29 Working Party, Document Setting Forth a Co-Operation Procedure for the approval of “Binding Corporate Rules” for controllers and processors under the GDPR, WP263 rev.01, adopted on 11 April 2018 – endorsed by the EDPB.
