
Alston & Bird Privacy Blog

EDPB clarifies Brexit obligations for holders of Binding Corporate Rules which have the UK ICO as their lead authority

July 23, 2020 By Yung Shin Van Der Sype, Paul Greaves and Wim Nauwelaerts

On July 22, 2020, the European Data Protection Board (‘EDPB’) released an information note on Binding Corporate Rules (‘BCRs’), which provides guidance for groups of undertakings/enterprises which have the UK ICO as their competent supervisory authority (‘BCR Lead SA’) [1]. Binding Corporate Rules are a means of legitimizing transfers of personal data outside of the EEA under the EU’s General Data Protection Regulation (GDPR).

As a consequence of Brexit, BCR holders having the Information Commissioner’s Office (‘ICO’) as their BCR Lead SA need to identify a new BCR Lead SA in the EEA (in accordance with existing regulatory guidance [2]) and must amend their BCRs before the end of the Brexit transition period. For BCRs already approved under the GDPR, the new BCR Lead SA in the EEA will have to issue a new approval decision following an opinion from the EDPB. Such approval by the new BCR Lead SA is not required for BCRs for which the UK ICO acted as BCR Lead SA under Directive 95/46/EC, the GDPR’s predecessor. It is important to note that current BCR holders will not be able to rely on their BCRs as a valid transfer mechanism for transfers of personal data outside the EEA in the absence of the required changes and/or a new approval before the end of the transition period.

Also, groups of undertakings/enterprises for which BCRs are at the review stage by the ICO need to identify their new BCR Lead SA before the end of the transition period. The new BCR Lead SA will take over the application and formally initiate an approval procedure subject to an opinion of the EDPB.

In order to assist such controllers and processors, the information note contains a checklist of elements that need to be amended for the BCR Lead SA change in the context of Brexit.

The checklist primarily consists of an overview of BCR criteria which are relevant in the context of a BCR Lead SA change, and for each specific criterion, the EDPB provides practical comments, indicating which elements of the BCRs are most likely to be amended due to the BCR Lead SA change.

Some key comments provided by the EDPB in the checklist include that:

  • groups of undertakings / enterprises need to ensure that UK controllers and processors are correctly shifted from the exporter- to the importer-side of the BCRs;
  • the new entity taking liability for any violations of the BCRs by other BCR members outside of the EEA is located in the EEA and has sufficient financial means to cover any damages in connection with violations of the BCRs; and
  • any reference to the competent SA (in relation to cooperation, reporting, etc.), ‘competent courts’ or ‘national jurisdiction’ refers to EEA SAs, courts and jurisdiction.

Following this month’s Schrems II case (which we cover here), BCRs may hold increasing importance as a means of legitimizing data transfers from the EEA to the rest of the world.

 

[1] EDPB, Information note on BCRs for Groups of undertakings / enterprises which have ICO as BCR Lead SA, adopted on 22 July 2020, https://edpb.europa.eu/our-work-tools/our-documents/otros/information-note-bcrs-companies-which-have-ico-bcr-lead_en.

[2] Specifically, Article 29 Working Party, Document Setting Forth a Co-Operation Procedure for the approval of “Binding Corporate Rules” for controllers and processors under the GDPR, WP263 rev.01, adopted on 11 April 2018 – endorsed by the EDPB.

Filed Under: Data Protection, International, Privacy

About Yung Shin Van Der Sype

Yung Shin is an associate in the Technology & Privacy Group.

About Paul Greaves

Paul Greaves is an associate in the Brussels office and a member of the Privacy & Data Security Team. Paul’s privacy, information technology, and data protection practice includes a focus on compliance with the General Data Protection Regulation, ePrivacy rules, and cross-border data transfers.

About Wim Nauwelaerts

Wim Nauwelaerts is a partner in the Brussels office, leading Alston & Bird’s European Privacy & Data Security Team. Wim has over 20 years of experience working with global companies on their data protection, privacy, and cybersecurity needs, including General Data Protection Regulation (GDPR) readiness, data transfer, data security and breach requirements, and compliance training.

