| demo | 2025-10-01 · NEW:  Appunta · Stampa · Cita: 'Doc 100212' · pdf |
|
abstract:
Documento annotato il 01.10.2025
Fonte: europa.eu
Link: https://www.edpb.europa.eu/system/files/2025-09/ed
Link: https://www.edpb.europa.eu/system/files/2025-09/ed
analisi:
L'analisi è riservata agli iscritti. Segui la newsletter dell'Osservatorio oppure il Podcast iscrizione gratuita 30 giorni
-
index:
testo:
Eestimated reading time: 9 min Adopted
Opinion 18 /2025 on the draft decisio ...
r />
Opinion 18 /2025 on the draft decision of the Irish
Supervisory Authority regarding the Processor Binding
Corporate Rules of the Shopify Group
Adopted on 11 September 2025
2
Adopted
Table of contents
1 SUMMARY OF THE FACTS ................................ ................................ ................................ ............ 5
2 ASSESSMENT ................................ ................................ ................................ ............................... 5
3 CONCLUSIONS ................................ ................................ ................................ ............................. 5
4 FINAL REMARKS ................................ ................................ ................................ .......................... 6
3
Adopted
The European Data Protection Board
Having regard to Article 63, Article 64(1)(f) and Article 47 of the Regulation 2016/679/EU of the
European Parliament and of the Council of 27 April 2016 on the protection of natural persons with
regard to the .......... .. ........ .... ... .. ... .... ........ .. .... ...., ... .........
Directive 95/46/EC (hereinafter “ GDPR ”),
Having regard to the European Economic Are a ( hereinafter “ EEA ” ) Agreement and in particular to
Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No
154/2018 of 6 July 2018
1
,
Having regard to the decision of the Court of Justice of the European Union Data Prote ction
Commissioner v. Facebook Ireland Ltd and Maximillian Schrems , C - 311/18 of 16 July 2020,
Having regard to .... ............... ../.... .. ........ .... .......... ........ ..... ..
ensure compliance with the EU level of protection of personal data of 18 June 2021,
Having regard to Article s 10 and 22 of its Rules of Procedure .
Whereas:
(1) The main role of the European Data Protection Board (hereinafter the “ EDPB ” ) is to ensure the
consistent application of the .... .......... ... ... . .. .... ......, .. ....... .... . ...... ..(.)(.)
GDPR that the EDPB shall issue an opinion where a supervisory authority ( hereinafter “ SA ” ) aims to
approve binding corporate rules ( hereinafter “ BCRs ” ) within the meaning of A rticle 47 GDPR.
(2) The EDPB w elcomes and acknowledges the efforts the companies make to uphold the ....
standards in a global environment. Building on the experience under Directive 95/46/EC , the ....
affirms the important role of BCRs to frame international transfers and its commitme nt to support the
companies in setting - up their BCRs. This opinion aims towards this objective and takes into account
that the .... ............ ... ..... .. .........., .. ......... .. ... ............ .. . ...... ..
GDPR , and conferred to the .... ... ... . .. ..... .. ....... .. ... ......... .. ’. ..... ........
aiming to approve BCRs. This task of the EDPB aims to ensure the consistent application of the GDPR,
including by the SAs , controllers , and processors.
(3) Pursuant to Article 46(1) GDPR, in the absence of a decision pursuant to Article 45(3) GDPR , a
controller or processor may transfer personal data to a third country or international organisation only
if the controller or processor has provided appropriate safeguards, and on condition that enfor ceable
data subject rights and effective legal remedies for data subjects are available. A group of undertakings
or group of enterprises engaged in a joint economic activity may provide such safeguards by the use
of legally binding BCRs, which expressly co nfer enforceable rights on data subjects and fulfil a series of
requirements ( A rticle 46 GDPR). The implementation and adoption of BCRs by a group of undertakings
is intended to provide guarantees that apply uniformly in all third countries and, consequent ly,
1
References to “Member States” made throughout this opinion should be understood as references to “EEA
Member States”.
4
Adopted
independently of the level of protection guaranteed in each third country. The specific requirements
listed in the .... ... ... ... .... ..... .... ..... ....... ( . ...... ..(.) ....). ... .... ... .......
to approval from the competent SA (hereinafter “ the BCR Lead ”) , in accordance with the consistency
mechanism set out in A rticle 63 and Article 64(1)(f) GDPR, provided that the BCRs meet the conditions
set out in Article 47 GDPR, together with the requirements set out in the relevant working documents
of the Article 29 Working Party
2
, endorsed by the EDPB.
(4) This opinion only covers the EDPB’s consideration that the BCRs submitted for the required opinion
afford appropriate safeguards in that they meet all requirements of Article 47 .... ... .... . ... . . .
of the Article 29 Working Party, as endorsed by the EDPB
3
. Accordingly, this opinion and the SAs’
review do not address elements and obligations of the .... ......... .. ... .... .. ..... .....
than those related to Article 47 GDPR. This also applies to any supplementary measures that an
exporter subject to the GDPR may be required to adopt, depending on the circumstances of the
transfer , in order to ensure compliance with the commitments taken in the BCRs.
(5) The .... ....... .... , .. .......... .... ... ........ .. ... ..... .. ....... .. ... ........
Union C - 311/18 , it is the responsibility of the data exporter subject to the GDPR, if needed with the
help of the data importer, to assess whether the level of protection required b y EU law is respected in
the third country concerned, in order to determine if the guarantees provided by BCRs can be complied
with in practice, taking into consideration the possible interference created by the third country
legislation with the fundament al rights. If this is not the case, the data exporter subject to the GDPR,
if needed with the help of the data importer, should assess whether they can provide supplementary
measures to ensure an essentially equivalent level of protection as provided in th e EU.
(6 ) The WP25 7 rev.01 of the Article 29 Working Party , as endorsed by the EDPB, provides for the
required elements for BCRs for processors (hereinafter “ BCR - P ”) , including the Intra - Company
Agreement where applicable, and the application form. The WP2 6 5 of the Article 29 Working Party
4
,
as endorsed by the EDPB, provides for recommendations to the applicants to help them demonstrate
how to meet the requirements of A rticle 47 .... ... .... . ... . ... ............, ... .... ..........
tha t any documentation submitted may be subject to access to documents requests in accordance
with the SAs’ national laws and with Regulation 1049/2001
5
, applicable to the .... ........ ..
Article 76(2) GDPR .
( 7 ) Taking into account the specific characteristi cs of BCRs provided for by Article 47(1) and (2 ) GDPR ,
each application should be addressed individually and is without prejudice to the .......... .. ...
other BCRs . The .... ....... .... .... ...... .. .......... .. .... ....... .. ... ......... .. ...
2
The Working Party on the Protection of Individuals with regard to the .......... .. ........ .... .......... ..
Article 29 of Directive 95/46/EC.
3
Article 29 Working Party, Working Document setting up a table with the elements and principles to be found in
Processor Binding Corporate Rules, as last revised and adopted on 6 February 2018, WP 25 7 rev.01.
4
Article 29 Working Party, Recommendations on the Standard Application for Approval of Processor Binding
Corporate Rules for the Transfer of Personal Data, adopted on 11 April 2018, WP26 5 .
5
Regulation (EC) No 1049/2001 of the European Parliament and of th e Council of 30 May 2001 regarding public
access to European Parliament, Council and Commission documents.
5
Adopted
g roup of companies that they apply to, the .......... .... ......... , ... ... ........ ... ..........
that they have in place to protect personal data
6
.
(8 ) The opinion of the .... ..... .. ......., ........ .. ....... ..(.) .... .. ........... ....
Article 10(2) of the .... ..... .. ........., ...... ..... ..... ..... ... ..... ... ....... .... ...
file is complete. Upon decision of the .... ....., .... ...... ... .. ........ .. . ....... ... .....,
taking into account the complexity of the subject m atter.
HAS ADOPTED THE FOLLOWING OPINION:
1 SUMMARY OF THE FACTS
1. In accordance with the cooperation procedure as set out in WP263 rev.01, the draft BCR - P of Shopify
International Limited and the g roup entities (hereinafter the “Shopify Group ”) was reviewed by the
Irish SA as the BCR Lead.
2. The BCR Lead has submitted its draft decision regarding the draft BCR - P of the Shopify Group ,
requesting an opinion of the .... ........ .. ....... ..(.)(.) .... .. . .... .... . ... ........ ..
the complete ness of the file was taken on 4 July 2025 .
2 ASSESSMENT
3. The draft BCR - P of the Shopify Group covers intra - group transfers among Shopify G roup entities legally
bound by the BCR, when they act as processor s and sub - processors on behalf of controllers outside of
the Group, with respect of personal data originally subject to the GDPR
7
.
4. Concerned data subjects include customers of the controller and any personal data shared with Shopify
Group by the controller
8
.
5. The draft BCR - P of the Shopify Group has been scrut inised according to the procedures set up by the
EDPB. The SAs assembled within the .... .... ......... .... ... ..... ... - . .. ... ....... .....
contains all the elements required under Article 47 .... ... ..... ......, .. .......... .... ...
draft decisi on of the BCR Lead submitted to the .... ... .. ........ ........., ... .... .... ...
have any concerns that need to be addressed.
3 CONCLUSIONS
6. Taking into account the above and the commitments that the group members will undertake by signing
the Shopify G roup ’s Intra - Group Agreement, the .... ......... .... ... ..... ........ .. ... ...
Lead may be adopted as it is , since the draft BCR - P of the Shopify Group contains appropriate
safeguards to ensure that the level of protection of natural persons guarantee d by the .... .. ...
undermined when personal data is transferred to and processed by the group members based in third
6
This view was expressed by the Article 29 Working party in Working Document Setting up a framework for the
structure of Binding Corporate Rules, ad opted on 24 June 2008, WP154.
7
Specified in the BCR Part 1 and Part V Appendix 1 .
8
Specified in the BCR Part 1 and Part V Appendix 12.
6
Adopted
countries. The .... ....... .... ... ........ .. .... .. ... ... .... .... ... ...... ... ........ ..
specific transfers of personal data to be carried out on the basis of the BCRs. Accordingly, the approval
of BCRs may not be construed as the approval of transfers to third countries included in the BCRs for
which an essentially equivalent level of protection to that guaranteed within the E U cannot be ensured.
7. Finally, the .... .... ....... ... .......... ......... ...... ....... ..(.)(. ) .... ... .... . ... . ..
providing the conditions under which the applicant may modify or update the BCRs, includi ng updates
to the list of BCRs g roup m embers.
4 FINAL REMARKS
8. This opinion is addressed to the BCR Lead and will be made public pursuant to A rticle 64(5 )( b) GDPR.
9. According to Article 64 (7) and (8) GDPR, the BCR Lead shall communicate its response to this opinion
to the Chair within two weeks af ter receiving the opinion .
10. Pursuant to A rticle 70(1)(y) GDPR, the BCR Lead shall communicate the final decision to the EDPB for
inclusion in the register of decisions which have been subject to the consistency mechanism.
For the European Data Protection Board
The Chair
( Anu Talus )
Opinion 18 /2025 on the draft decision of the Irish
Supervisory Authority regarding the Processor Binding
Corporate Rules of the Shopify Group
Adopted on 11 September 2025
2
Adopted
Table of contents
1 SUMMARY OF THE FACTS ................................ ................................ ................................ ............ 5
2 ASSESSMENT ................................ ................................ ................................ ............................... 5
3 CONCLUSIONS ................................ ................................ ................................ ............................. 5
4 FINAL REMARKS ................................ ................................ ................................ .......................... 6
3
Adopted
The European Data Protection Board
Having regard to Article 63, Article 64(1)(f) and Article 47 of the Regulation 2016/679/EU of the
European Parliament and of the Council of 27 April 2016 on the protection of natural persons with
regard to the .......... .. ........ .... ... .. ... .... ........ .. .... ...., ... .........
Directive 95/46/EC (hereinafter “ GDPR ”),
Having regard to the European Economic Are a ( hereinafter “ EEA ” ) Agreement and in particular to
Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No
154/2018 of 6 July 2018
1
,
Having regard to the decision of the Court of Justice of the European Union Data Prote ction
Commissioner v. Facebook Ireland Ltd and Maximillian Schrems , C - 311/18 of 16 July 2020,
Having regard to .... ............... ../.... .. ........ .... .......... ........ ..... ..
ensure compliance with the EU level of protection of personal data of 18 June 2021,
Having regard to Article s 10 and 22 of its Rules of Procedure .
Whereas:
(1) The main role of the European Data Protection Board (hereinafter the “ EDPB ” ) is to ensure the
consistent application of the .... .......... ... ... . .. .... ......, .. ....... .... . ...... ..(.)(.)
GDPR that the EDPB shall issue an opinion where a supervisory authority ( hereinafter “ SA ” ) aims to
approve binding corporate rules ( hereinafter “ BCRs ” ) within the meaning of A rticle 47 GDPR.
(2) The EDPB w elcomes and acknowledges the efforts the companies make to uphold the ....
standards in a global environment. Building on the experience under Directive 95/46/EC , the ....
affirms the important role of BCRs to frame international transfers and its commitme nt to support the
companies in setting - up their BCRs. This opinion aims towards this objective and takes into account
that the .... ............ ... ..... .. .........., .. ......... .. ... ............ .. . ...... ..
GDPR , and conferred to the .... ... ... . .. ..... .. ....... .. ... ......... .. ’. ..... ........
aiming to approve BCRs. This task of the EDPB aims to ensure the consistent application of the GDPR,
including by the SAs , controllers , and processors.
(3) Pursuant to Article 46(1) GDPR, in the absence of a decision pursuant to Article 45(3) GDPR , a
controller or processor may transfer personal data to a third country or international organisation only
if the controller or processor has provided appropriate safeguards, and on condition that enfor ceable
data subject rights and effective legal remedies for data subjects are available. A group of undertakings
or group of enterprises engaged in a joint economic activity may provide such safeguards by the use
of legally binding BCRs, which expressly co nfer enforceable rights on data subjects and fulfil a series of
requirements ( A rticle 46 GDPR). The implementation and adoption of BCRs by a group of undertakings
is intended to provide guarantees that apply uniformly in all third countries and, consequent ly,
1
References to “Member States” made throughout this opinion should be understood as references to “EEA
Member States”.
4
Adopted
independently of the level of protection guaranteed in each third country. The specific requirements
listed in the .... ... ... ... .... ..... .... ..... ....... ( . ...... ..(.) ....). ... .... ... .......
to approval from the competent SA (hereinafter “ the BCR Lead ”) , in accordance with the consistency
mechanism set out in A rticle 63 and Article 64(1)(f) GDPR, provided that the BCRs meet the conditions
set out in Article 47 GDPR, together with the requirements set out in the relevant working documents
of the Article 29 Working Party
2
, endorsed by the EDPB.
(4) This opinion only covers the EDPB’s consideration that the BCRs submitted for the required opinion
afford appropriate safeguards in that they meet all requirements of Article 47 .... ... .... . ... . . .
of the Article 29 Working Party, as endorsed by the EDPB
3
. Accordingly, this opinion and the SAs’
review do not address elements and obligations of the .... ......... .. ... .... .. ..... .....
than those related to Article 47 GDPR. This also applies to any supplementary measures that an
exporter subject to the GDPR may be required to adopt, depending on the circumstances of the
transfer , in order to ensure compliance with the commitments taken in the BCRs.
(5) The .... ....... .... , .. .......... .... ... ........ .. ... ..... .. ....... .. ... ........
Union C - 311/18 , it is the responsibility of the data exporter subject to the GDPR, if needed with the
help of the data importer, to assess whether the level of protection required b y EU law is respected in
the third country concerned, in order to determine if the guarantees provided by BCRs can be complied
with in practice, taking into consideration the possible interference created by the third country
legislation with the fundament al rights. If this is not the case, the data exporter subject to the GDPR,
if needed with the help of the data importer, should assess whether they can provide supplementary
measures to ensure an essentially equivalent level of protection as provided in th e EU.
(6 ) The WP25 7 rev.01 of the Article 29 Working Party , as endorsed by the EDPB, provides for the
required elements for BCRs for processors (hereinafter “ BCR - P ”) , including the Intra - Company
Agreement where applicable, and the application form. The WP2 6 5 of the Article 29 Working Party
4
,
as endorsed by the EDPB, provides for recommendations to the applicants to help them demonstrate
how to meet the requirements of A rticle 47 .... ... .... . ... . ... ............, ... .... ..........
tha t any documentation submitted may be subject to access to documents requests in accordance
with the SAs’ national laws and with Regulation 1049/2001
5
, applicable to the .... ........ ..
Article 76(2) GDPR .
( 7 ) Taking into account the specific characteristi cs of BCRs provided for by Article 47(1) and (2 ) GDPR ,
each application should be addressed individually and is without prejudice to the .......... .. ...
other BCRs . The .... ....... .... .... ...... .. .......... .. .... ....... .. ... ......... .. ...
2
The Working Party on the Protection of Individuals with regard to the .......... .. ........ .... .......... ..
Article 29 of Directive 95/46/EC.
3
Article 29 Working Party, Working Document setting up a table with the elements and principles to be found in
Processor Binding Corporate Rules, as last revised and adopted on 6 February 2018, WP 25 7 rev.01.
4
Article 29 Working Party, Recommendations on the Standard Application for Approval of Processor Binding
Corporate Rules for the Transfer of Personal Data, adopted on 11 April 2018, WP26 5 .
5
Regulation (EC) No 1049/2001 of the European Parliament and of th e Council of 30 May 2001 regarding public
access to European Parliament, Council and Commission documents.
5
Adopted
g roup of companies that they apply to, the .......... .... ......... , ... ... ........ ... ..........
that they have in place to protect personal data
6
.
(8 ) The opinion of the .... ..... .. ......., ........ .. ....... ..(.) .... .. ........... ....
Article 10(2) of the .... ..... .. ........., ...... ..... ..... ..... ... ..... ... ....... .... ...
file is complete. Upon decision of the .... ....., .... ...... ... .. ........ .. . ....... ... .....,
taking into account the complexity of the subject m atter.
HAS ADOPTED THE FOLLOWING OPINION:
1 SUMMARY OF THE FACTS
1. In accordance with the cooperation procedure as set out in WP263 rev.01, the draft BCR - P of Shopify
International Limited and the g roup entities (hereinafter the “Shopify Group ”) was reviewed by the
Irish SA as the BCR Lead.
2. The BCR Lead has submitted its draft decision regarding the draft BCR - P of the Shopify Group ,
requesting an opinion of the .... ........ .. ....... ..(.)(.) .... .. . .... .... . ... ........ ..
the complete ness of the file was taken on 4 July 2025 .
2 ASSESSMENT
3. The draft BCR - P of the Shopify Group covers intra - group transfers among Shopify G roup entities legally
bound by the BCR, when they act as processor s and sub - processors on behalf of controllers outside of
the Group, with respect of personal data originally subject to the GDPR
7
.
4. Concerned data subjects include customers of the controller and any personal data shared with Shopify
Group by the controller
8
.
5. The draft BCR - P of the Shopify Group has been scrut inised according to the procedures set up by the
EDPB. The SAs assembled within the .... .... ......... .... ... ..... ... - . .. ... ....... .....
contains all the elements required under Article 47 .... ... ..... ......, .. .......... .... ...
draft decisi on of the BCR Lead submitted to the .... ... .. ........ ........., ... .... .... ...
have any concerns that need to be addressed.
3 CONCLUSIONS
6. Taking into account the above and the commitments that the group members will undertake by signing
the Shopify G roup ’s Intra - Group Agreement, the .... ......... .... ... ..... ........ .. ... ...
Lead may be adopted as it is , since the draft BCR - P of the Shopify Group contains appropriate
safeguards to ensure that the level of protection of natural persons guarantee d by the .... .. ...
undermined when personal data is transferred to and processed by the group members based in third
6
This view was expressed by the Article 29 Working party in Working Document Setting up a framework for the
structure of Binding Corporate Rules, ad opted on 24 June 2008, WP154.
7
Specified in the BCR Part 1 and Part V Appendix 1 .
8
Specified in the BCR Part 1 and Part V Appendix 12.
6
Adopted
countries. The .... ....... .... ... ........ .. .... .. ... ... .... .... ... ...... ... ........ ..
specific transfers of personal data to be carried out on the basis of the BCRs. Accordingly, the approval
of BCRs may not be construed as the approval of transfers to third countries included in the BCRs for
which an essentially equivalent level of protection to that guaranteed within the E U cannot be ensured.
7. Finally, the .... .... ....... ... .......... ......... ...... ....... ..(.)(. ) .... ... .... . ... . ..
providing the conditions under which the applicant may modify or update the BCRs, includi ng updates
to the list of BCRs g roup m embers.
4 FINAL REMARKS
8. This opinion is addressed to the BCR Lead and will be made public pursuant to A rticle 64(5 )( b) GDPR.
9. According to Article 64 (7) and (8) GDPR, the BCR Lead shall communicate its response to this opinion
to the Chair within two weeks af ter receiving the opinion .
10. Pursuant to A rticle 70(1)(y) GDPR, the BCR Lead shall communicate the final decision to the EDPB for
inclusion in the register of decisions which have been subject to the consistency mechanism.
For the European Data Protection Board
The Chair
( Anu Talus )
Link: https://www.edpb.europa.eu/system/files/2025-09/ed
Testo del 2025-10-01 Fonte: europa.eu
Demo Altre chiavi solo per gli iscritti
Commenta
i commenti sono anonimi e inviati via mail e cancellati dopo aver migliorato la voce alla quale si riferiscono: non sono archiviati; comunque non lasciare dati particolari. Si applica la privacy policy.
