| demo | 2025-10-01 · NEW:  Appunta · Stampa · Cita: 'Doc 100209' · pdf |
|
abstract:
Documento annotato il 01.10.2025
Fonte: europa.eu
Link: https://www.edpb.europa.eu/system/files/2025-09/ed
Link: https://www.edpb.europa.eu/system/files/2025-09/ed
analisi:
L'analisi è riservata agli iscritti. Segui la newsletter dell'Osservatorio oppure il Podcast iscrizione gratuita 30 giorni
-
index:
testo:
Eestimated reading time: 9 min Adopted
Opinion 22 / 2025 on the draft deci ...
r />
Opinion 22 / 2025 on the draft decision of the Luxembourg
Supervisory Authority regarding the Controller Binding
Corporate Rules of the Ferrero Group
Adopted on 11 September 20 25
2
Adopted
TABLE OF CONTENTS
1 SUMMARY OF THE FACTS ................................ ................................ ................................ ............ 5
2 ASSESSMENT ................................ ................................ ................................ ............................... 5
3 CONCLUSIONS ................................ ................................ ................................ ............................. 5
4 FINAL REMARKS ................................ ................................ ................................ .......................... 6
3
Adopted
The European Data Protection Board
Having regard to Article 63, Article 64(1) (f) and Article 47 of the Regulation 2016/679/EU of the
European Parliament and of the Council of 27 April 2016 on the protection of natural persons with
regard to the .......... .. . ....... .... ... .. ... .... ........ .. .... ...., ... .........
Directive 95/46/EC (hereinafter “ GDPR ”),
Having regard to the European Economic Area ( hereinafter “ EEA ” ) Agreement and in particular to
Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No
154/2018 of 6 July 2018
1
,
Having regard to the judgment of the Court of Justice of the European Union Data Protection
Commissioner v. Facebook Ireland Ltd and Maxim illian Schrems , C - 311/18 of 16 July 2020 ,
Having regard to .... ............... ../.... .. ........ .... .......... ........ ..... ..
ensure compliance with the EU level of protection o f personal data of 18 June 2021,
Having regard to .... ............... ./.... .. ... ........... ... ........ ... .. ... ........
and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) of 20 June 2023
(hereinafter “the Recommendations”) ,
Having regard to Article s 10 and 22 of its Rules of Procedure .
Whereas:
(1) The main role of the European Data Protection Board (here in after the “ EDPB ” ) is to ensure the
consistent application of the .... .......... ... ... . .. .... ......, .. ....... .... . ...... ..(.)(.)
GDPR that the EDPB shall issue an opinion whe re a supervisory authority ( here in after “ SA ” ) aims to
approve binding corporate rules ( here in after “ BCRs ” ) within the meaning of A rticle 47 GDPR.
(2) The EDPB welcomes and acknowledges the efforts the companies make to uphold the ....
standards in a global environment. Building on the experience under Directive 95/46/EC , the ....
affirms the important role of BCRs to frame international transfers and its commitment to support the
companies in setting - up their BCRs. This opinion aims towards this objective a nd takes into account
that the .... ............ ... ..... .. .........., .. ......... .. ... ............ .. . ...... ..
GDPR , and conferred to the .... ... .... .. ..... .. ....... .. ... ......... .. ’. ..... ........
aiming to approve BCRs. This task of the EDPB aims to ensure the consistent application of the GDPR,
including by the SAs , controllers , and processors.
(3) Pursuant to Article 46(1) GDPR, in the absence of a decision pursuant to Article 45 ( 3) GDPR , a
controller or processor may transfer perso nal data to a third country or international organisation only
if the controller or processor has provided appropriate safeguards, and on condition that enforceable
data subject rights and effective legal remedies for data subjects are available. A group o f undertakings
or group of enterprises engaged in a joint economic activity may provide such safeguards by the use
of legally binding BCRs, which expressly confer enforceable rights on data subjects and fulfil a series of
1
References to “Member States” made throughout this opinion should be understood as references to “EEA
Member States”.
4
Adopted
requirements ( A rticle 46 GDPR). Th e implementation and adoption of BCRs by a group of undertakings
is intended to provide guarantees that apply uniformly in all third countries and, consequently,
independently of the level of protection guaranteed in each third country. The specific requir ements
listed in the .... ... ... ... .... ..... .... ..... ....... ( . ...... ..(.) ....). ... .... ... .......
to approval from the competent SA (hereinafter “ the BCR Lead ”) , in accordance with the consistency
mechanism set out in A rticle 63 and Article 64( 1)(f) GDPR, provided that the BCRs meet the conditions
set out in Article 47 GDPR, together with the requirements set out in the .... ...............
1/2022 on the Application for Approval and on the elements and principles to be found in Controller
Bindin g Corporate Rules (Art. 47 GDPR ), adopted on 20 June 2023 , which supersede the working
documents WP256 rev.01 and WP264 of the Article 29 Working Party
2
.
(4) This opinion only covers the EDPB’s consideration that the BCRs submitted for the required opinion
afford appropriate safeguards in that they meet all requirements of Article 47 .... ... ...
Recommendations . Accordingly, this opinion and the SAs’ review do not address elements and
ob ligations of the .... ......... .. ... .... .. ..... ..... .... ..... ....... .. ....... .. .....
This also applies to any supplementary measures t hat an exporter subject to the GDPR may be required
to adopt, depending on the circumstances of the transfer , in order to ensure compliance with the
commitments taken in the BCRs .
(5) The .... ....... ...., .. .......... .... ... ........ .. ... ..... .. ....... .. ... ........
Union C - 311/18 , it is the responsibility of the data exporter subject to the GDPR, if needed with the
help of the data importer, to assess whether the level of protection required by EU law is respected in
the third country concerned, in order to determine if the guarantees provided by BCRs can be complied
with in practice, taking into consideration the possible interference created by the third country
legis lation with the fundamental rights. If this is not the case, the data exporter subject to the GDPR,
if needed with the help of the data importer, should assess whether they can provide supplementary
measures to ensure an essentially equivalent level of pro tection as provided in the EU.
( 6 ) Taking into account the specific characteristics of BCRs provided for by Article 47(1) and (2) GDPR ,
each application should be addressed individually and is without prejudice to the .......... .. ...
other BCRs . The EDPB recalls that BCRs should be customised to take account of the structure of the
group of companies that they apply to, the .......... .... ......... , ... ... ........ ... ..........
that they have in place to protect personal data
3
.
( 7 ) The opinion of the EDPB shall be adopted, pursuant to Article 64(3) .... .. ........... ....
Article 10(2) of the .... ..... .. ........., ...... ..... ..... ..... ... ..... ... ....... .... ...
file is complete. Upon decision of the .... ....., .... ...... ... .. ........ .. . ....... ... .....,
taking into account the complexity of the subject matter.
2
The Working Party on the Protection of Individuals with regard to the .......... .. ........ .... ..........
by Article 29 of Directive 95/46/EC . The following documents, which were endorsed by the EDPB, are now
superseded by the .... ...............: ....... .. ....... .....’. ....... ........ ....... .. . .....
with the elements and principles to be fo und in Binding Corporate Rules ( WP 256 rev.0 1 ) and Article 29
Working Party’s Recommendation on the Standard Application for Approval of Controller Binding Corporate
Rules for the Transfers of Personal Data ( WP 264 ).
3
This view was expressed by the Article 29 Working party in Working Document Sett ing up a framework for the
structure of Binding Corporate Rules, adopted on 24 June 2008 , WP154.
5
Adopted
(8) Finally, the .... .......... .... ... ............. ......... ... .. ....... .. ...... ..
documents requests in accordance with the SAs’ national laws and with Regulation 1049/2001
4
,
applicable to the .... ........ .. ....... .. (.) .....
HAS ADOPTED THE FO LLOWING OPINION :
1 SUMMARY OF THE FACTS
1. In accordance with the cooperation procedure as set out in the EDPB Document Setting Forth a Co -
Operation procedure for the approval of Binding Corporate Rules for controllers and processors , the
draft BCR - C of Ferrero International Société Anonyme and the Ferrero Group’s entities (hereinafter
the “Ferrero Group ”) was reviewed by the LU SA as the BCR Lead.
2. The BCR Lead has sub mitted its draft decision regarding the draft BCR - C of the Ferrero Group ,
requesting an opinion of the .... ...... .. .. ....... ..(.)(.) .... .. .. .... ..... ... ........ ..
the completeness of the file was taken on 31 July 2025.
2 ASSESSMENT
3. The draft BCR - C of the Ferrero Group covers the transfers of personal data from Ferrero Group’s
entities acting as controllers established in the EEA, to Ferrero Group’s entities established outside of
the EEA and bound by the BCR - C, as well as onward intra - group trans fers of personal data
5
.
4. Concerned data subjects include employees and their family members; job applicants; users of Ferrero
Grou p’ s systems; actual and potential customers; consumers; testers; suppliers and visitors
6
.
5. The draft BCR - C of the Ferrero Group has been scrutinised according to the procedures set up by the
EDPB. The SAs assembled within the .... .... ......... .... ... ..... ... - . .. ... ....... .....
contains all the elements required under A rt icle 47 .... ... ... ............... , .. ..........
with the draft decision of the BCR Lead submitted to the .... ... .. ........ ........., ... ....
does not have any concerns that need to be addressed.
3 CONCLUSIONS
6. Taking into account the above and the commitments that the group members will undertake by signing
the Intra - Group Agreement , the EDPB considers that the draft d ecision of the BCR Lead may be
adopted as it is , since the draft BCR - C of the Ferrero Group contain s appropriate safeguards to ensure
that the level of protection of natural persons guaranteed by the GDPR is not undermined when
personal data is transferred to and processed by the g roup m embers based in third countries. The
EDPB recalls that the approval o f BCRs by the BCR Lead does not entail the approval of specific transfers
of personal data to be carried out on the basis of the BCRs. Accordingly, the approval of BCRs may not
4
Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public
access to European Parliament, Council and Commiss ion documents .
5
Section 1 of the BCR - C and Appendix I .
6
Section 6 of the BCR - C.
6
Adopted
be construed as the approval of transfers to third countries included in the BC Rs for which an
essentially equivalent level of protection to that guaranteed within the EU cannot be ensured.
7. Finally, the .... .... ....... ... .......... ......... ...... . ...... ..(.)(.) .... ... ...
Recommendations providing the conditions under whic h the applicant may modify or update the BCRs,
includi ng updates to the list of BCRs g roup m embers .
4 FINAL REMARKS
8. This opinion is addressed to the BCR Lead and will be made public pursuant to A rticle 64(5 )( b) GDPR.
9. According to Article 64 (7) and (8) GDPR, the BCR Lead shall communicate its response to this opinion
to the Chair within two weeks after receiving the opinion .
10. Pursuant to A rticle 70(1)(y) GDPR, the BCR Lead shall communicate the final decision to the EDPB for
inclusion in the register of decisions which have been subject to the consistency mechanism.
For the European Data Protection Board
The Chair
( Anu Talus )
Opinion 22 / 2025 on the draft decision of the Luxembourg
Supervisory Authority regarding the Controller Binding
Corporate Rules of the Ferrero Group
Adopted on 11 September 20 25
2
Adopted
TABLE OF CONTENTS
1 SUMMARY OF THE FACTS ................................ ................................ ................................ ............ 5
2 ASSESSMENT ................................ ................................ ................................ ............................... 5
3 CONCLUSIONS ................................ ................................ ................................ ............................. 5
4 FINAL REMARKS ................................ ................................ ................................ .......................... 6
3
Adopted
The European Data Protection Board
Having regard to Article 63, Article 64(1) (f) and Article 47 of the Regulation 2016/679/EU of the
European Parliament and of the Council of 27 April 2016 on the protection of natural persons with
regard to the .......... .. . ....... .... ... .. ... .... ........ .. .... ...., ... .........
Directive 95/46/EC (hereinafter “ GDPR ”),
Having regard to the European Economic Area ( hereinafter “ EEA ” ) Agreement and in particular to
Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No
154/2018 of 6 July 2018
1
,
Having regard to the judgment of the Court of Justice of the European Union Data Protection
Commissioner v. Facebook Ireland Ltd and Maxim illian Schrems , C - 311/18 of 16 July 2020 ,
Having regard to .... ............... ../.... .. ........ .... .......... ........ ..... ..
ensure compliance with the EU level of protection o f personal data of 18 June 2021,
Having regard to .... ............... ./.... .. ... ........... ... ........ ... .. ... ........
and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) of 20 June 2023
(hereinafter “the Recommendations”) ,
Having regard to Article s 10 and 22 of its Rules of Procedure .
Whereas:
(1) The main role of the European Data Protection Board (here in after the “ EDPB ” ) is to ensure the
consistent application of the .... .......... ... ... . .. .... ......, .. ....... .... . ...... ..(.)(.)
GDPR that the EDPB shall issue an opinion whe re a supervisory authority ( here in after “ SA ” ) aims to
approve binding corporate rules ( here in after “ BCRs ” ) within the meaning of A rticle 47 GDPR.
(2) The EDPB welcomes and acknowledges the efforts the companies make to uphold the ....
standards in a global environment. Building on the experience under Directive 95/46/EC , the ....
affirms the important role of BCRs to frame international transfers and its commitment to support the
companies in setting - up their BCRs. This opinion aims towards this objective a nd takes into account
that the .... ............ ... ..... .. .........., .. ......... .. ... ............ .. . ...... ..
GDPR , and conferred to the .... ... .... .. ..... .. ....... .. ... ......... .. ’. ..... ........
aiming to approve BCRs. This task of the EDPB aims to ensure the consistent application of the GDPR,
including by the SAs , controllers , and processors.
(3) Pursuant to Article 46(1) GDPR, in the absence of a decision pursuant to Article 45 ( 3) GDPR , a
controller or processor may transfer perso nal data to a third country or international organisation only
if the controller or processor has provided appropriate safeguards, and on condition that enforceable
data subject rights and effective legal remedies for data subjects are available. A group o f undertakings
or group of enterprises engaged in a joint economic activity may provide such safeguards by the use
of legally binding BCRs, which expressly confer enforceable rights on data subjects and fulfil a series of
1
References to “Member States” made throughout this opinion should be understood as references to “EEA
Member States”.
4
Adopted
requirements ( A rticle 46 GDPR). Th e implementation and adoption of BCRs by a group of undertakings
is intended to provide guarantees that apply uniformly in all third countries and, consequently,
independently of the level of protection guaranteed in each third country. The specific requir ements
listed in the .... ... ... ... .... ..... .... ..... ....... ( . ...... ..(.) ....). ... .... ... .......
to approval from the competent SA (hereinafter “ the BCR Lead ”) , in accordance with the consistency
mechanism set out in A rticle 63 and Article 64( 1)(f) GDPR, provided that the BCRs meet the conditions
set out in Article 47 GDPR, together with the requirements set out in the .... ...............
1/2022 on the Application for Approval and on the elements and principles to be found in Controller
Bindin g Corporate Rules (Art. 47 GDPR ), adopted on 20 June 2023 , which supersede the working
documents WP256 rev.01 and WP264 of the Article 29 Working Party
2
.
(4) This opinion only covers the EDPB’s consideration that the BCRs submitted for the required opinion
afford appropriate safeguards in that they meet all requirements of Article 47 .... ... ...
Recommendations . Accordingly, this opinion and the SAs’ review do not address elements and
ob ligations of the .... ......... .. ... .... .. ..... ..... .... ..... ....... .. ....... .. .....
This also applies to any supplementary measures t hat an exporter subject to the GDPR may be required
to adopt, depending on the circumstances of the transfer , in order to ensure compliance with the
commitments taken in the BCRs .
(5) The .... ....... ...., .. .......... .... ... ........ .. ... ..... .. ....... .. ... ........
Union C - 311/18 , it is the responsibility of the data exporter subject to the GDPR, if needed with the
help of the data importer, to assess whether the level of protection required by EU law is respected in
the third country concerned, in order to determine if the guarantees provided by BCRs can be complied
with in practice, taking into consideration the possible interference created by the third country
legis lation with the fundamental rights. If this is not the case, the data exporter subject to the GDPR,
if needed with the help of the data importer, should assess whether they can provide supplementary
measures to ensure an essentially equivalent level of pro tection as provided in the EU.
( 6 ) Taking into account the specific characteristics of BCRs provided for by Article 47(1) and (2) GDPR ,
each application should be addressed individually and is without prejudice to the .......... .. ...
other BCRs . The EDPB recalls that BCRs should be customised to take account of the structure of the
group of companies that they apply to, the .......... .... ......... , ... ... ........ ... ..........
that they have in place to protect personal data
3
.
( 7 ) The opinion of the EDPB shall be adopted, pursuant to Article 64(3) .... .. ........... ....
Article 10(2) of the .... ..... .. ........., ...... ..... ..... ..... ... ..... ... ....... .... ...
file is complete. Upon decision of the .... ....., .... ...... ... .. ........ .. . ....... ... .....,
taking into account the complexity of the subject matter.
2
The Working Party on the Protection of Individuals with regard to the .......... .. ........ .... ..........
by Article 29 of Directive 95/46/EC . The following documents, which were endorsed by the EDPB, are now
superseded by the .... ...............: ....... .. ....... .....’. ....... ........ ....... .. . .....
with the elements and principles to be fo und in Binding Corporate Rules ( WP 256 rev.0 1 ) and Article 29
Working Party’s Recommendation on the Standard Application for Approval of Controller Binding Corporate
Rules for the Transfers of Personal Data ( WP 264 ).
3
This view was expressed by the Article 29 Working party in Working Document Sett ing up a framework for the
structure of Binding Corporate Rules, adopted on 24 June 2008 , WP154.
5
Adopted
(8) Finally, the .... .......... .... ... ............. ......... ... .. ....... .. ...... ..
documents requests in accordance with the SAs’ national laws and with Regulation 1049/2001
4
,
applicable to the .... ........ .. ....... .. (.) .....
HAS ADOPTED THE FO LLOWING OPINION :
1 SUMMARY OF THE FACTS
1. In accordance with the cooperation procedure as set out in the EDPB Document Setting Forth a Co -
Operation procedure for the approval of Binding Corporate Rules for controllers and processors , the
draft BCR - C of Ferrero International Société Anonyme and the Ferrero Group’s entities (hereinafter
the “Ferrero Group ”) was reviewed by the LU SA as the BCR Lead.
2. The BCR Lead has sub mitted its draft decision regarding the draft BCR - C of the Ferrero Group ,
requesting an opinion of the .... ...... .. .. ....... ..(.)(.) .... .. .. .... ..... ... ........ ..
the completeness of the file was taken on 31 July 2025.
2 ASSESSMENT
3. The draft BCR - C of the Ferrero Group covers the transfers of personal data from Ferrero Group’s
entities acting as controllers established in the EEA, to Ferrero Group’s entities established outside of
the EEA and bound by the BCR - C, as well as onward intra - group trans fers of personal data
5
.
4. Concerned data subjects include employees and their family members; job applicants; users of Ferrero
Grou p’ s systems; actual and potential customers; consumers; testers; suppliers and visitors
6
.
5. The draft BCR - C of the Ferrero Group has been scrutinised according to the procedures set up by the
EDPB. The SAs assembled within the .... .... ......... .... ... ..... ... - . .. ... ....... .....
contains all the elements required under A rt icle 47 .... ... ... ............... , .. ..........
with the draft decision of the BCR Lead submitted to the .... ... .. ........ ........., ... ....
does not have any concerns that need to be addressed.
3 CONCLUSIONS
6. Taking into account the above and the commitments that the group members will undertake by signing
the Intra - Group Agreement , the EDPB considers that the draft d ecision of the BCR Lead may be
adopted as it is , since the draft BCR - C of the Ferrero Group contain s appropriate safeguards to ensure
that the level of protection of natural persons guaranteed by the GDPR is not undermined when
personal data is transferred to and processed by the g roup m embers based in third countries. The
EDPB recalls that the approval o f BCRs by the BCR Lead does not entail the approval of specific transfers
of personal data to be carried out on the basis of the BCRs. Accordingly, the approval of BCRs may not
4
Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public
access to European Parliament, Council and Commiss ion documents .
5
Section 1 of the BCR - C and Appendix I .
6
Section 6 of the BCR - C.
6
Adopted
be construed as the approval of transfers to third countries included in the BC Rs for which an
essentially equivalent level of protection to that guaranteed within the EU cannot be ensured.
7. Finally, the .... .... ....... ... .......... ......... ...... . ...... ..(.)(.) .... ... ...
Recommendations providing the conditions under whic h the applicant may modify or update the BCRs,
includi ng updates to the list of BCRs g roup m embers .
4 FINAL REMARKS
8. This opinion is addressed to the BCR Lead and will be made public pursuant to A rticle 64(5 )( b) GDPR.
9. According to Article 64 (7) and (8) GDPR, the BCR Lead shall communicate its response to this opinion
to the Chair within two weeks after receiving the opinion .
10. Pursuant to A rticle 70(1)(y) GDPR, the BCR Lead shall communicate the final decision to the EDPB for
inclusion in the register of decisions which have been subject to the consistency mechanism.
For the European Data Protection Board
The Chair
( Anu Talus )
Link: https://www.edpb.europa.eu/system/files/2025-09/ed
Testo del 2025-10-01 Fonte: europa.eu
Demo Altre chiavi solo per gli iscritti
Commenta
i commenti sono anonimi e inviati via mail e cancellati dopo aver migliorato la voce alla quale si riferiscono: non sono archiviati; comunque non lasciare dati particolari. Si applica la privacy policy.
