Explaining privacy and cybersecurity in companies with simple, operational explanations, AI assisted
Observatory edited by Dr. V. Spataro




Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR)

Abstract:

Document annotated on 19.03.2025. Source: europa.eu
Link: https://www.edpb.europa.eu/system/files/2023-06/ed










Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR)

Adopted on 20 June 2023

VERSION HISTORY
Version 2.1, 03 July 2023: Editorial correction (Chair’s name)
Version 2.0, 20 June 2023: Adoption of the Guidelines after public consultation
Version 1.0, 14 November 2022: Adoption of the Guidelines for public consultation

Table of contents
1 Introduction 4
2 Application form 7
3 Elements and principles to be found in BCR-C 19

The European Data Protection Board

Having regard to Article 70(1)(i) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the .......... .. ........ .... ... .. ... ... . ........ .. .... ...., ... ......... . ........ ../../.., (........... “ ....”),

Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018 [1],

Having regard to Articles 12 and 22 of its Rules of Procedure,

HAS ADOPTED THE FOLLOWING RECOMMENDATIONS:

1 INTRODUCTION

1. The GDPR expressly provides for the use of binding corporate rules (hereinafter “BCR”) by a group of undertakings, or a group of enterprises engaged in a joint economic activity (hereinafter “Group”) for transfers of personal data in the sense of Article 44 GDPR.

2. On 6 February 2018, the Article 29 Working Party (hereinafter “WP29”) adopted a table with the elements and principles to be found in BCR in order to reflect the requirements referring to BCR (hereinafter “WP256 rev.01”). The European Data Protection Board (hereinafter “EDPB”) endorsed WP256 rev.01 on 25 May 2018. These Recommendations also repeal and replace WP256 rev.01, while in substance building on it.

3. On 11 April 2018, the Article 29 Working Party (hereinafter “WP29”) adopted Recommendations on the Standard Application for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data (hereinafter: “WP264”). The European Data Protection Board (hereinafter “EDPB”) endorsed WP256 rev.01 on 25 May 2018. These Recommendations repeal and replace WP264, while in substance building on it.

4. These recommendations are meant to:
- Provide a standard form for the application for approval of BCR for controllers (hereinafter “BCR-C”);
- Clarify the necessary content of BCR-C as stated in Article 47 GDPR;
- Make a distinction between what must be included in BCR-C and what must be presented to the BCR Lead supervisory authority (hereinafter “BCR Lead”) [2] in the BCR application; and
- Provide explanations and comments on the requirements.

[1] References to “Member States” made throughout this document should be understood as references to “EEA Member States”.
5. BCR-C are suitable for framing transfers of personal data from controllers covered by the geographical scope of the GDPR pursuant to Article 3 GDPR [3] to other controllers or to processors within the same Group established in third countries that have not been recognised as providing an adequate level of protection pursuant to Article 45 GDPR (hereinafter: “internal controllers” / “internal processors”). BCR for processors (hereinafter “BCR-P”), on the other hand, apply to data that will be processed by members of the Group covered by the geographical scope of the GDPR, acting as processors on behalf of a controller that is not a member of the Group, and which are then transferred and processed by Group members as sub-processors in third countries that have not been recognised as providing an adequate level of protection pursuant to Article 45 GDPR. Hence, the obligations set out in BCR-C apply in relation to entities within the same Group acting as controllers and to entities acting as ‘internal’ processors. As for this very last case, it is worth recalling that, in addition to the BCR-C, a contract or other legal act under Union or Member State law, binding on the processor with regard to the controller and which comprises all requirements as set out in Article 28(3) GDPR, must be signed by each controller acting as data exporter with all internal processors [4]. Indeed, the obligations set forth in BCR-C apply to entities of the Group receiving personal data as (‘internal’) processors to the extent that this does not lead to a contradiction with the contract or other legal act entered into under Article 28(3) .... (.. .. , ... .......... ....... .. . .. . .... .......... .. ...... .. . .......... ....... .. ... ..... should primarily abide by this contract).

6. EU data protection legislation applicable to members of the Group must be complied with and cannot be overruled by provisions in the BCR-C, unless the BCR-C voluntarily provide for a higher level of protection.

7. Pursuant to Article 46(2)(b) GDPR, BCR are appropriate safeguards for transfers of personal data to third countries. BCR create enforceable rights and set out commitments in order to create, for the personal data transferred under the BCR, a level of protection essentially equivalent to the one provided by the GDPR. Therefore, it is not sufficient for the BCR-C to only make reference to provisions of the GDPR, and BCR-C applicants should rather expressly formulate the requirements within their BCR-C.

[2] See WP29 Working Document setting forth a co-operation procedure for the approval of “Binding Corporate Rules” for controllers and processors under the GDPR, WP263 rev.01, adopted on 11 April 2018, endorsed by the EDPB. Available at https://edpb.europa.eu/our-work-tools/general-guidance/endorsed-wp29-guidelines_en .
[3] Please note that at least one group member in the EEA is required (see Chapter 3, Section 1.4 of these Recommendations).
[4] Article 28(3) .... . ..... .., . .... ..... ., ... .. . . . .... ..... -.. -......... ............ . . ............, .. ... .. ........ .. ..... . .... ..., .. ... . ...... -...... , ... duration, the nature and purposes of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. A generic description included in a BCR-C regarding the categories of data, data subjects etc. would not be sufficient in this regard.
8. BCR are subject to approval [5] by the BCR Lead. In this respect, it is worth highlighting the difference between the BCR Lead – which is competent for issuing the approval of the BCR – and the SA that is competent for a specific transfer carried out by a certain controller under that BCR-C [6].

9. The draft approval decision of the BCR Lead is subject to an opinion by the EDPB [7]. The approval confirms that the requirements set out in Article 47 .... ... met, and therefore, that the commitments included in the BCR will provide for appropriate safeguards in the sense of Article 46 GDPR.

10. However, the approval does not include an .......... .. ....... .... .......... .. .. .... .... ... ............ .. ... .. .. ... ... . .. . ... ........, each data exporter needs to ensure that the requirements set out in Article 6 .... (.. ........ .. .......... ) ... ....... .. .. .. (... . .. ...... . . ..........) or any additional formalities specified by the national law of a Member State, if any, are met for each transfer. Furthermore, it is, for instance, the responsibility of each data exporter to assess, for each transfer, on a case-by-case basis, whether there is a need to implement supplementary measures in order to provide for a level of protection essentially equivalent to the one provided by the GDPR [8]. Such supplementary measures are in the responsibility of the data exporter, and as such, are not assessed by supervisory authorities (hereinafter “SAs”) as part of the process of approval of BCR.

11. The BCR approval only covers transfers of personal data to third countries that have not been recognised as providing an adequate level of protection pursuant to Article 45 .... . ......., ...... ... ..... . . .. .. .. .... .. ..... . ..... .... .......... ...... .. ... ........ ..... (...... ......... .. .........) whatever their location (inside or outside the EEA). Notwithstanding this possibility, the scope of the BCR approval by the BCR Lead is always limited to transfers of personal data from entities under the scope of application of the GDPR [9] to third countries that have not been recognised as providing an adequate level of protection pursuant to Article 45 GDPR and their onward transfers to other Group members bound by the BCR (hereinafter “BCR member(s)”).

12. Once approved, BCR can be used for transfers from all relevant Member States, and the SA competent for the data exporter will also be competent to assess the respect of the BCR by the data importer in the third country in relation to the relevant transfers.

[5] In accordance with Article 47(1) GDPR.
[6] Throughout these Recommendations, the term “Competent SA(s)” refers to the data protection SA(s) competent for the data exporter(s) of the specific transfer.
[7] In accordance with Article 46(4), Article 64(1)(f) and Article 64(3) GDPR.
[8] See Chapter 3 of these Recommendations, Section 5.4.1, and EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, available at https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en .
[9] Please note that at least one group member in the EEA is required (see Chapter 3, Section 1.4 of these Recommendations).

13. These Recommendations become effective on the date of their publication.

14. Consequently, the .... ....... ... ... ... ... .... . .. -. .......... .. ..... ..... . .. -. .. .... .... ... ............ ... ... ..... . . .. -. ............ that by the time these recommendations are published have already reached the stage of a “consolidated draft” in accordance with 2.4 of WP263 rev.01 and for which the EDPB also issues its opinion by the end of 2023 will have to bring their BCR in line with these recommendations with their 2024 annual update.

15. All BCR-C holders must also comply with these Recommendations. Related changes will have to be done as part of their 2024 annual update. In line with Section 8.1 (Process for updating the BCR-C), such update will not generally trigger the need for a new approval since they are meant to improve the safeguards for data subjects.

16. The BCR Lead SAs will be ready to provide, where needed, additional information upon request.
2 APPLICATION FORM

General Instructions for Applicants:
• Only a single copy of the form need be filled out and submitted to the Supervisory Authority (‘SA’) you consider to be the BCR Lead in accordance with Articles 47(1) and 64 GDPR and the WP263; this form may be used in all EEA Member States.
• In case of application for both BCR-C and BCR-P, separate forms need to be filled out for each BCR.
• Please fill out all entries of Part I of the application form and submit the form to the SA you consider to be the BCR-C Lead. As soon as a decision on the BCR Lead has been made (see WP263), the BCR Lead will determine when it will invite you to fill out and submit Part II of the application form including its Annexes.
• You may attach additional pages or annexes if there is insufficient space to complete your responses.
• You may indicate any responses or materials that are in your opinion commercially sensitive and should be kept confidential but, in any case, be aware that the relevant document will be shared among the concerned SAs and the EDPB which, under Article 64 .... , ... .. ..... ... ....... .. ... . ....... draft decision of your BCR-C. Requests by third parties for disclosure of such information will, however, be handled by each SA involved in accordance with national legislation.
• The next steps of the procedure are described in WP263.

• BCR holders notifying the update of their BCR-C in 2024 (see Par. 13 of the Introduction) only need to sign Section 4 (“Acknowledgment”) of Part I of the Application Form below.
• BCR holders must in the course of their annual update (see Section 8.1 below) confirm sufficient assets pursuant to Section 5 (“Assets”) of Part II of the Application Form below.

Instructions for Filling in Part 1 (applicant information):

Section 1: Structure and Contact Details of the Applicant and of the Group
• If the Group has its headquarters in the EEA the form should be filled out and submitted by that EEA entity or, under certain circumstances, another EEA entity with delegated data protection responsibilities [10]. In the latter case, the Group should provide additional justification as to why another EEA entity which is not the EEA headquarters is the applicant.
• If the Group has its headquarters outside the EEA, then the Group should appoint a Group entity located inside the EEA as the Group member with delegated data protection responsibilities. This is the entity which should then submit the application on behalf of the Group.
• Contact details for queries:
  o Please indicate a contact to whom queries may be addressed concerning the application.
  o This contact does not need to be located in the EEA, although this might be advisable for practical reasons.
  o You may indicate a function rather than a specific person.

Section 2: Short description of data flows
• The applicant should also give a brief description of the scope and nature of the data flows to third countries for which approval is sought.

[10] According to Article 47(2)(f) GDPR, there should always be an EU based member of the group established on the territory of a Member State accepting liability for any breaches of the binding corporate rules by any member concerned not established in the Union. If the headquarters of the group were somewhere else, the headquarters should delegate these responsibilities to a member based in the EU.

Section 3: Determination of the BCR Lead
• In accordance with Article 64 GDPR, the BCR Lead is the authority in charge of coordinating the approval of your BCR-C, which then could be considered appropriate safeguards for transfers of personal data by Group members to third countries, without requiring any specific authorisation for the use of the BCR-C from the other SAs concerned.
  o Before you approach one SA as the presumptive BCR Lead, you should examine the factors listed in Section 1 of WP263. Based on these factors you should explain in Part 1.3 of the Application Form which SA should be the BCR Lead. The SAs are not obligated to accept the choice that you make if they believe that another SA is more suitable to be BCR Lead, in particular if it would be worth for speeding up the procedure (e.g. taking into account the workload of the originally requested SA).

Application Form for Approval of Controller Binding Corporate Rules (“BCR-C”)

PART 1: APPLICANT INFORMATION

1. STRUCTURE AND CONTACT DETAILS OF THE GROUP OF UNDERTAKINGS OR GROUP OF ENTERPRISES ENGAGED IN A JOINT ECONOMIC ACTIVITY (THE GROUP)

Name of the Group and location of its headquarters:

Does the Group have its headquarters in the EEA?
Yes
No

Name and location of the applicant:

Identification number (if any):

Legal nature of the applicant (corporation, partnership, etc.):

Description of position of the applicant within the Group:
(e.g. headquarters of the Group in the EEA, or, if the Group does not have its headquarters in the EEA, the member of the Group inside the EEA with delegated data protection responsibilities)

Name and/or function of contact person (note: the contact person may change, you may indicate a function rather than the name of a specific person):

Address:

Country:

Phone number:

E-Mail:

EEA Member States from which the BCR-C will be used:
2. SHORT DESCRIPTION OF PROCESSING AND DATA FLOWS [11]

Please, indicate the following:
- Nature of the data covered by the BCR-C, and in particular, if they apply to one category of data or to more than one category, the type of processing and its purposes, the types of data subjects affected (for instance, data related to employees, customers, suppliers and other third parties as part of their respective regular business activities, …)

- Do the BCR-C only apply to transfers from the EEA, or do they apply to all transfers between members of the group?

- Please specify from which country most of the data are transferred outside the EEA:

- Extent of the transfers within the Group that are covered by the BCR-C; including a description and the contact details of any Group members in the EEA or outside the EEA to which personal data may be transferred

3. DETERMINATION OF THE LEAD SUPERVISORY AUTHORITY (‘BCR LEAD’) [12]

Please explain which should be the BCR Lead, based on the following criteria:
- Location of the Group’s EEA Headquarters

- If the Group is not headquartered in the EEA, the location in the EEA of the Group entity with delegated data protection responsibilities

- The location of the company which is best placed (in terms of management function, administrative burden, etc.) to deal with the application and to enforce the BCR-C in the Group

- The country where most of the decisions in terms of the purposes and the means of the data .......... ... .....

- EEA Member States from which most of the transfers outside the EEA will take place

[11] See Article 47(2)(a) and (b) .... .
[12] See Part 1, WP263.

4. ACKNOWLEDGEMENT

We acknowledge on behalf of each member of the Group that

- the approval does not include an .......... .. ....... .... .......... .. .. .... .... ... ............ .. ... .... ... ... ... .. .........., ... .... .... ... ...... needs to ensure that all requirements set out in .... ... ..., .. .........., ... ... ... .... ..... ... (...., .. ........ .. ......... ., ....... .. ............, .... ..... needed, etc.)

- before carrying out any transfer of personal data on the basis of the approved BCR-C to one of the members of the Group, it is the responsibility of any data exporter, if needed with the help of the data importer, to assess whether the legislation of the third country of destination does not prevent the recipient from complying with the BCR-C, including with regard to onward transfer situations. This .......... ... .. .. ......... .. ..... .. ......... ....... ... ........... .. ......... .. ... ..... ....... , .. .... . . .. .. ... to-be-transferred data go beyond what is necessary in a democratic society to safeguard important public interest objectives, in particular criminal law enforcement and national security and may impinge on the data importer’s and/or the data exporter’s ability to comply with their commitments taken in the BCR-C, taking into account the circumstances surrounding the transfer. In case of such possible impingement, the data exporter in an EEA Member State, if needed with the help of the data importer, should assess whether it can provide supplementary measures in order to exclude such impingement and therefore to nevertheless ensure, for the envisaged transfer at hand, an essentially equivalent level of protection as provided in the EU. Deploying such supplementary measures is the responsibility of the data exporter and remains its responsibility even after approval of the BCR-C, and as such, they are not assessed by the Supervisory Authorities as part of the approval process of the BCR-C;

- in any case, where the data exporter is not able to implement supplementary measures necessary to ensure an essentially equivalent level of protection as provided in the EU, personal data cannot be lawfully transferred to a third country under the BCR-C. In the same vein, where the data exporter is made aware of any changes in the relevant third country legislation that undermine the level of data protection required by EU law, the data exporter is required to suspend or end the transfer of personal data at stake to the concerned third countries.

Date, Signature of the applicant (Board level)

PART 2: BACKGROUND PAPER

5. BINDING NATURE OF THE BCR-C

Binding within the entities of the Group

How are the BCR-C made binding upon the members of the Group?

Intra Group Agreement
Unilateral Declaration (hereinafter: UD) if the requirements set out in Section 1.2 of the “Elements and principles” part (= Chapter 3) of these EDPB Recommendations are met
Other means (only if the Group demonstrates how the binding character of the BCR-C is achieved), please specify

Please attach the draft Intra Group Agreement / UD / “other means”. Please note that these documents will have to be signed at Board level after the BCR-C approval has been obtained.

Please explain the legal basis enabling the member(s) of the Group with delegated data protection responsibility to enforce the BCR-C obligations of other members of the Group (e.g. rights of a parent company residing in corporate law):

Does the internally binding effect of your BCR-C extend to the whole Group? (If some Group members should be exempted, specify how and why)

Binding upon the employees

Your Group may take some or all of the following steps to ensure that the BCR-C are binding on employees, but there may be other steps. Please, give details below.

Individual and separate agreement(s) / undertaking with sanctions;

Clause in employment contract with a description of applicable sanctions;

Collective agreements with sanctions;

Internal policies with sanctions (but the Group must properly explain how the BCR-C are made binding on employees);

Other means (but the Group must properly explain how the BCR-C are made binding on employees)

Please provide a summary, supported by extracts as appropriate, to explain how the BCR-C are binding upon employees.

Assets

Please confirm that the liable BCR-C member(s) established on the territory of an EEA Member State (e.g. the European headquarters of the Group, or the member of the Group with delegated data protection responsibilities in the EEA) has made appropriate arrangements to enable itself payment of compensation for any damages resulting from the breach of the BCR-C by BCR members outside the EEA, and explain how this is ensured.

6. EFFECTIVENESS

It is important to show how the BCR in place within your organization are brought to life in practice, in particular in non-EEA countries where data will be transferred on the basis of the BCR, as this will be significant in assessing the adequacy of the safeguards. Please provide information on the elements below.

Training and awareness raising (employees)

- Special training programs

- Employees are tested on BCR and data protection

- BCR are communicated to all employees on paper or online

- Review and approval by senior officers of the company

- How are employees trained to identify the data protection implications of their work, i.e. to identify that the relevant ....... ........ ... .......... .. ..... .......... ... .. react accordingly? (This applies whether these employees are or not based in the EEA)

Network of data protection officers (DPO) or appropriate staff

Please confirm that a network of DPOs or appropriate staff (such as a network of ....... ........) .. ......... .... ... .......... ....... .. ....... ... ...... compliance with the BCR for Processors:

Please explain how your network of DPOs or ....... . .... . .. .. .. ... ..:

- Internal structure:

- Role and responsibilities:

Date, Signature of the applicant (Board level)
(please also indicate name, position, and contact details)

ANNEX 1: COPY OF THE BCR-C

Please attach a copy of your BCR-C to your application. Please note that all mandatory content needs to be included in the BCR documents (in the core document(s) or its annexes), while “supporting documents” (i.e. documents that are not part of the BCR) may only be submitted for reasons of further explanation [13].

ANNEX 2: COPY OF THE FILLED-OUT TABLE “ELEMENTS AND PRINCIPLES TO BE FOUND IN BCR-C”

Please fill out the table “Elements and Principles to be found in BCR-C” and attach it to your application.

[13] Please note that any documents that are submitted may be subject to access requests based on freedom of information legislation, as applicable.

3 ELEMENTS AND PRINCIPLES TO BE FOUND IN BCR-C

[14] To be completed by the applicant by inserting references to the paragraphs/sections/parts of the BCR documents and, if necessary, any supporting documents, that address the respective requirement. Please note that all mandatory content needs to be included in the BCR documents (in the core document(s) or its annexes), while “supporting documents” (i.e. documents that are not part of the BCR) may only be submitted for reasons of further explanation. Furthermore, it is not necessary to “copy & paste” text from the BCR documents, but it suffices mentioning the relevant sections of the documents as such. Examples: “Section 4.1 of the BCR document and paragraph 2.1 of Annex I (intra-group agreement); Part 2, Section 4 of the Application”, “Section 2.1 of the BCR document and paragraph 3 of Annex 2 (Audit concept)”.
[15] References in this paper to .... .......... .. ... . .... .... .... . ...... ... ..... .. ... ... ....... .... .. .. .... . ........, ... . ..... ...... .. .......... .. ... threshold for commitments that need to be made in a BCR. If the BCR make reference to .... .........., ........ ....... .. . ... .... . ... ..... .... .. “.. .... .... ....... X of the GDPR”, “… as those provided for by Article X of the GDPR”.
[16] Please note that, besides having internal binding nature (i.e. binding effect on the BCR members and their employees), the BCR-C must also have an external binding effect in the sense of providing legal enforceability (of certain parts of the BCR-C) for the data subjects by creating third-party beneficiary rights. See Section 1.3 below as regards this external binding effect.
Crite ria for BCR-C approval In
BCR-C
In
application
form
Reference Comments
References to BCR -C,
application form BCR -C, and /
or supporting documents 14
1 - B I NDIN G NATURE
Internally
1.1 Duty to respect the BCR -C YES NO Art icle 47(1)(a)
and (2)(c)
GDPR
15
The B CR -C must be leg ally binding and shoul d
contain a clear duty for each B CR member, including
their employees, to respect the BCR -C.

1.2 E xplanation of how the
BCR -C are internally 16 m ade
binding on the BCR members,
and on their employees

NO YES Article 47(1)(a)
and (2)(c) ....
The Group will have to explain in its application form
how the B CR-C are made binding :
i. Fo r each BCR member , by one or more of the
fo llo win g :
a) I ntra -g roup ag reement;
b) Unilateral Declaration ( hereinafter “UD”), if
the following requirements are met:

Adopted
20

17
The mos t s traightforward instrument i n this regard is a contractual arrangement (i .e., an i ntra -group agreement), s i nce contractual arrangements can be l egally enforced
by thi rd parties as beneficiaries under private l aw i n all Member States .
- The entity /entities taking responsibilit y
and liability (see Section 1.4 below)
is/are located in a Member State
recog ni sing UD s as binding ;
- The entity/entities taking responsibilit y
and liability (see Section 1.4 below)
is/are leg ally able to bind the other BCR
m embers,
and this is expressly provided
for, e. g . in a separate written
commitment from th at entity;
- The B CR-C state the principle that all th e
entities identified in the UD are bound by
t he B CR -C ;
- The law applicable to the UD is the law of
the country of the entity/entities taking
responsibility and liability
(see Section
1.4 below). The applicable law is
expressly stated in the UD ; and
- It is the G roup’ s responsibility to verify
that any additional r equirements of the
applicable law for binding ness are met
(such as publication of the UD , …) .
c) Other means (only if the G roup
demonstrates how the binding c haracter of
t he B CR -C is achieved ). T
he B CR Lead can
require corresponding documentation that
dem onstrates the binding character
17.

Adopted
21
ii. On employees by one or more of:
a) I ndividual and separate ag reement(s) /
undertaking with sanctions;
b) Clause in employment contract with a
desc ription of applicable sanctions;
c) Collective agreements with sanctions ;
d) I nternal policies with sanctions ; or
e) Other means .
Regarding d) and e) above , the G roup should
properly demonstrate (1)
how those means make
t he B CR-C legally binding on the employees, and (2)
that and how they will be enforced in practice vis -à-
vis the employees.
The B CR Lead can request corresponding
documentation that demo
nstrates the binding
character.
Externally

1.3.1 Creation of third-party beneficiary rights that are enforceable by data subjects
In BCR-C: YES | In application form: YES | Reference: Article 47(1)(b), (2)(c) and (e) GDPR

The BCR-C must expressly confer rights on data subjects to enforce the BCR-C as third-party beneficiaries, at least as regards the following elements of the BCR-C:
- Data protection principles, lawfulness of processing, security and personal data breach notifications, restrictions on onward transfers (see Article 47(2)(d) GDPR, and Sections 5.1.1, 5.1.2, 5.1.3 second paragraph 3rd indent ["duty to notify without undue delay to data subjects where the personal data breach is likely to result in a high risk to their rights and freedoms"], and 5.1.4 below);
- Transparency and easy access to the BCR-C (see Article 47(2)(g) GDPR, and Sections 1.7 and 5.1.1 below);
- Rights of information, access, rectification, erasure, restriction, notification regarding rectification or erasure or restriction, objection to processing, right not to be subject to decisions based solely on automated processing, including profiling (see Article 47(2)(e), Articles 15 to 19, 21 and 22 GDPR, and Section 5.2 below);
- Obligations in case of local laws and practices affecting compliance with the BCR-C and in case of government access requests (see Article 47(2)(m) GDPR, and Sections 5.4.1 and 5.4.2 below);
- Right to complain through the Group's internal complaint process (see Article 47(2)(i) GDPR, and Section 3.2 below);
- Cooperation duties with Competent SAs (see Article 47(2)(j), (k), and (l) GDPR, and Section 4.1 below) relating to compliance obligations covered by this third-party beneficiary clause;
- Jurisdiction and liability provisions (see Article 47(2)(e) and (f) GDPR, and Sections 1.3.2 and 1.4 below);
- Duty to inform the data subjects about any update of the BCR-C and of the list of BCR members, e.g. by way of publishing the new version without undue delay (see Section 8.1 below);
- Third-party beneficiary clause itself (see present Section 1.3.1);
- Right to judicial remedies, redress and compensation (see Section 1.3.2 below).

These rights do not extend to those elements of the BCR-C pertaining to internal mechanisms implemented within entities, such as details of training, audit programme, compliance network, and mechanism for updating the BCR-C.

The Group needs to make sure that third-party beneficiary rights are effectively created to make those commitments binding, e.g. enforceable by the data subjects (see Section 1.2 above). To this aim, the Group needs to provide for and briefly explain in the application form how the instrument(s) it intends to apply in order to make the BCR-C internally binding (see Section 1.2 above) also enable the data subjects to legally enforce these BCR-C elements against the Group (at least against the member(s) with responsibility and liability as per Section 1.4). For example, if the Group intends to apply an intra-group agreement in this regard (see Section 1.2.i.a), it should briefly explain how such intra-group agreement will be enforceable by the data subjects.

1.3.2 Right to judicial remedies, redress and compensation for data subjects
In BCR-C: YES | In application form: NO | Reference: Article 47(2)(e) and Articles 77 to 82 ....

The BCR-C shall expressly confer on data subjects the right to judicial remedies and the right to obtain redress and, where appropriate, compensation in case of any breach of one of the enforceable elements of the BCR-C as enumerated in Section 1.3.1 above. The BCR members accept that data subjects may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) .... (... ........ 77 – 82 GDPR).

The BCR members should make sure that all those rights are covered by the third-party beneficiary clause of the BCR-C, for example, by making reference to the clauses, sections, and/or parts of the BCR-C where those rights are regulated, or by listing them in the said third-party beneficiary clause.

The BCR-C must confer on data subjects the right to lodge a complaint (by including a direct reference to such right in the relevant BCR-C documents that are binding and published):
- with a SA, in particular in the Member State of the data subject's habitual residence, place of work or place of the alleged infringement; and
- before the competent court of the Member States where the controller or processor has an establishment, or where the data subject has their habitual residence.

1.4 One or more BCR member(s) in the EEA with delegated data protection responsibility accept liability for paying compensation to data subjects and remedying breaches of the BCR-C (hereinafter "Liable BCR Member(s)")
In BCR-C: YES | In application form: NO | Reference: Article 47(2)(f) GDPR

The BCR-C must contain a duty that, at any given time, one BCR member in the EEA accepts responsibility for and agrees to take the necessary actions to remedy the acts of other BCR members outside of the EEA, and to pay compensation for any material or non-material damages resulting from the violation of the BCR-C by such BCR members ("centralised responsibility and liability regime"). SAs may also, on a case-by-case basis, accept solutions where several BCR members established in the EEA have such responsibility and liability, and where sufficient and adequate assurances are provided by the applicant. Where an alternative mechanism to the centralised responsibility and liability regime is used, the applicant should show that data subjects will be transparently informed, assisted in exercising their rights and not disadvantaged or unduly inhibited in any way by the use of such alternative mechanism.

The BCR-C should also state that, if a BCR member outside the EEA violates the BCR-C, the courts or other judicial authorities in the EEA will have jurisdiction, and data subjects will have the rights and remedies against the Liable BCR member as if the violation had been caused by the latter in the Member State in which it is based, instead of the BCR member outside the EEA.
1.5 The Liable BCR member(s) has sufficient assets
In BCR-C: NO | In application form: YES | Reference: Article 70(1)(i) GDPR

The application form should contain a confirmation that the Liable BCR member(s) has sufficient assets, or has made appropriate arrangements to enable itself to pay compensation for damages resulting from a breach of the BCR-C. Such confirmation should be renewed at the occasion of every annual update (see Section 8.1 below).

1.6 The burden of proof lies with the Liable BCR member(s)
In BCR-C: YES | In application form: NO | Reference: Article 47(2)(f) GDPR

The BCR-C must contain the commitment that where data subjects can demonstrate that they have suffered damage and establish facts which show it is likely that the damage has occurred because of the breach of the BCR-C, it will be for the Liable BCR member to prove that the BCR member outside of the EEA was not responsible for the breach of the BCR-C giving rise to those damages, or that no such breach took place.

1.7 Easy access to the BCR-C for data subjects
In BCR-C: YES | In application form: NO | Reference: Article 47(2)(g) GDPR

The BCR-C must contain the commitment that all data subjects should be provided with information on their third-party beneficiary rights, with regard to the .......... .. ..... ........ ...., ... .. ... means to exercise those rights.

Furthermore, the BCR-C must contain the commitment that data subjects will be provided at least with the description of the scope of the BCR-C (see Section 2 below), the clause relating to the Group's liability (see Section 1.4 above), the clauses relating to the data protection principles (see Section 5.1.1 below), to the lawfulness of the processing (see Section 5.1.2 below), to security and personal data breach notifications (see Section 5.1.3 below), to restrictions on onward transfers (see Section 5.1.4 below), and the clauses relating to the rights of the data subjects (see Section 5.2 below). This information should be up-to-date, and presented to data subjects in a clear, intelligible, and transparent way [18]. This information should be provided in full, hence a summary hereof will not be sufficient.

Moreover, the BCR-C must illustrate the way in which such information will be provided. For instance, the BCR-C may state that at least the parts of the BCR-C on which information to data subjects is mandatory (as described in the previous paragraphs) will be published on the internet or on the intranet (when data subjects are only the Group staff having access to the intranet).

In case the Group plans to not publish the BCR-C as a whole, but only certain parts or a specific version aimed at informing data subjects, the Group should expressly provide in the BCR-C the list of the elements that it will include in that public version. In such situation, the description of the material scope of the BCR-C [19] should always be part of the information on the BCR-C that is publicly available. The list of definitions (see Section 9.1 below) and, if applicable, of abbreviations which are used in the BCR-C, should in any case be included in the parts of the BCR-C which are published. The BCR-C should contain an express commitment in this regard.

The BCR-C must use clear and plain language so that employees and any other person in charge of applying the BCR-C can sufficiently understand them. The same applies to any parts/version of the BCR-C that will be published with the aim of providing access to the BCR-C for data subjects.

[18] See Guidelines on Transparency under Regulation 2016/679, WP260rev.01, endorsed by the European Data Protection Board on 25/05/2018.
[19] See Section 2.1 below.

2 - SCOPE OF THE BCR

2.1 Description of the material scope of the BCR-C
In BCR-C: YES | In application form: YES | Reference: Article 47(2)(b) GDPR

In order to be transparent as to the scope of the BCR-C, the BCR-C must specify their material scope, and therefore contain a description of the transfers. The BCR-C must, in particular, specify per transfer or set of transfers [20] (for example, by means of a table):
- the categories of personal data;
- the type of .......... ... ..... .........
- the categories of data subjects (e.g. data related to employees, customers, suppliers and other third parties as part of the Group's respective regular business activities); and
- the third country or countries.

As to the data subjects covered, BCR-C will apply to all data subjects whose personal data are transferred within the scope of the BCR-C from an entity under the scope of application of Chapter V GDPR. Therefore, the scope of the BCR-C may, in particular, not be limited to "EEA citizens or EEA residents".

[20] The information on the transfers must be exhaustive in that every transfer or set of transfers must be described. This does not mean that the information must be provided with a high degree of specificity or granularity. Where the description provided by the applicant is too broad, general or vague, the applicant should be able to explain why it is not in a position to provide more detailed information. If and to the extent that any of the elements provided in the transfers' description changes in the future, the process for BCR-C updates applies, i.e., information on the amendments to the BCR-C must be provided in the annual BCR-C update notified to the BCR Lead (see Section 8.1 below).

2.2 List of BCR members, and description of the geographical scope of the BCR-C
In BCR-C: YES | In application form: YES | Reference: Article 47(2)(a) GDPR

The BCR-C shall specify the structure and contact details of the Group and of each of its BCR members (contact details of the BCR members, such as address and company registration number, where available, should be inserted in the list of BCR members that is part of the BCR-C, for example an annex thereof, that has to be published along with the BCR-C).

The BCR-C should indicate that they at least apply to all personal data transferred to BCR members outside the EEA, and onward transfers to other BCR members outside the EEA.

3 - EFFECTIVENESS

3.1 Suitable training programme
In BCR-C: YES | In application form: YES | Reference: Article 47(2)(n) GDPR

The BCR-C must state that appropriate and up-to-date training on the BCR-C is provided to personnel that have permanent or regular access to personal data, who are involved in the collection of data or in the development of tools used to process personal data.

The training programme, including its materials, has to be developed to a sufficiently elaborate degree before the BCR-C are approved. In this regard it should be recalled that no transfer can be made under the BCR-C to a BCR member unless the member is effectively bound by the BCR-C and can deliver compliance (see Section 7.1), which includes that appropriate training on the BCR-C can effectively be provided to the employees of the respective member.

Training intervals should be specified in the BCR-C. Training should cover, among others, procedures for managing requests for access to personal data by public authorities.

The SAs evaluating the BCR-C may ask for examples and explanations of the training programme during the application procedure.
3.2 Complaint handling process for the BCR-C
In BCR-C: YES | In application form: NO | Reference: Article 47(2)(i) and Article 12(3) GDPR

An internal complaint handling process must be set up in the BCR-C to ensure that any data subject should be able to exercise their rights and complain about any BCR member.

The BCR-C (or, depending on the case, the parts of the BCR-C that will be published for the attention of data subjects, see Section 1.7 above) will include the point(s) of contact where data subjects can lodge any complaints related to the .......... .. ..... personal data covered by the BCR-C. A single point of contact or a number of points of contact are possible. In this regard, a physical address should be provided. Additionally, further contact options may be provided, e.g. web forms, a generic e-mail address and/or a phone number.

While data subjects are encouraged to use the point(s) of contact indicated, this is not mandatory.

The BCR-C must contain the duty for the controller to provide information on actions taken to the complainant without undue delay, and in any event within one month, by a clearly identified department or person with an appropriate level of independence in the exercise of their functions. Taking into account the complexity and number of the requests, that one-month period may be extended at maximum by two further months, in which case the complainant should be informed accordingly.

The BCR-C (or, depending on the case, the parts of the BCR-C that will be published for the attention of data subjects, see Section 1.7 above) should include information about the practical steps of the complaint process, in particular:
- Where to complain (point(s) of contact; see above);
- In what form;
- Consequences of delays for the reply to the complaint;
- Consequences in case of rejection of the complaint;
- Consequences in case the complaint is considered as justified; and
- Consequences if the data subject is not satisfied by the reply, i.e., right to lodge a claim before the competent court and a complaint before a SA (see Section 1.3.2 above), while clarifying that such right is not dependent on the data subject having used the complaint handling process beforehand.
3.3 Audit programme covering the BCR-C
In BCR-C: YES | In application form: NO | Reference: Article 47(2)(j) and (l), and Article 38(3) GDPR

The BCR-C must create a duty for the Group to have data protection audits on a regular basis (by either internal and/or external accredited auditors) and if there are indications of non-compliance, to ensure verification of compliance with the BCR-C.

The audit frequency envisaged should be specified in the BCR-C. The frequency needs to be determined on the basis of the risk(s) posed by the .......... activities covered by the BCR-C to the rights and freedoms of data subjects.

In addition to the regular audits, specific audits (ad hoc audits) may be requested by the ....... ....... or Function (see Section 3.4 below), or any other competent function in the organisation.

If audits will be carried out by external auditors, the BCR-C should specify the conditions under which such auditors may be entrusted.

The BCR-C should state which entity (department within the Group) decides on the audit plan/programme, and which entity will conduct the audit. Data protection officers should not be the ones in charge of auditing compliance with the BCR-C, if such situation can result in a conflict of interests. Functions that may possibly be entrusted with deciding on the audit plan/programme and/or with conducting audits include, for instance, Audit Departments, but other appropriate solutions may be acceptable too provided that:
- the persons in charge are guaranteed independence as to the performance of their duties related to these audits; and
- the BCR-C include an explicit commitment in this regard.

The BCR-C should state that the audit programme covers all aspects of the BCR-C (for instance, applications, IT systems, databases that process personal data, or onward transfers, decisions taken as regards mandatory requirements under national laws that conflict with the BCR-C, review of the contractual terms used for the transfers out of the Group to controllers or processors of data, corrective actions, etc.), including methods and action plans ensuring that corrective actions have been implemented.

It is not mandatory to monitor all aspects of the BCR-C each time a BCR member is audited, as long as all aspects of the BCR-C are monitored at appropriate regular intervals for that BCR member.

Moreover, the BCR-C should state that the results will be communicated:
- to the ....... ....... .. ........ (... ....... . .. below);
- to the board of the Liable BCR member; and
- where appropriate, also to the Group's ultimate parent's board.

The BCR-C must state that Competent SAs can have access to the results of the audit upon request. Since SAs are already bound by an obligation of confidentiality in the course of exercising their public office (see in particular Article 54(2) GDPR), the BCR-C should not contain wording aimed at restricting the duty of all BCR members to communicate the results of the audit(s) to the SAs on grounds of confidentiality, e.g. related to the protection of business secrets.
3.4 Creation of a network of data protection officers (DPOs) or appropriate staff for monitoring compliance with the BCR-C
In BCR-C: YES | In application form: NO | Reference: Article 47(2)(h) and Article 38(3) GDPR

The BCR-C must contain a commitment to designate a ... , ..... ........ .. .... .... ....... .. ...., or any other person or entity (such as a chief ....... officer) with responsibility to monitor compliance with the BCR-C, enjoying the highest management support for the fulfilling of this task.

The DPO or the other ....... ............. ... .. assisted by a team, a network of local DPOs or local contacts, as appropriate (hereinafter "Privacy officer or Function").

The DPO shall directly report to the highest management level. In addition, the DPO can inform the highest management level if any questions or problems arise during the performance of their duties.

The BCR-C should include a brief description of the internal structure, role, position and tasks of the DPO or similar function and the network created to ensure compliance with the BCR-C. For example, that the DPO or chief ....... ....... ....... ... advises the highest management, deals with Competent SAs' investigations, monitors and annually reports on compliance at a global level, and that local DPOs or local contacts can be in charge of handling local complaints from data subjects, reporting major ....... ...... .. ... . .., monitoring training and compliance at a local level.

The DPO should not have any tasks that could result in conflict of interests. The DPO should not be in charge of carrying out data protection impact assessments, neither should they be in charge of carrying out the BCR-C audits if such situations can result in a conflict of interests. However, the ... can play a very important and useful role in assisting the BCR members, and the advice of the DPO should be sought for such tasks.

The BCR-C should specify that the DPO or other privacy professionals may be directly contacted. The BCR-C should include a commitment to publish their contact details.
4 - COOPERATION DUTY

4.1 Duty to cooperate with Competent SAs
In BCR-C: YES | In application form: NO | Reference: Article 47(2)(l) GDPR and Article 31 ....

The BCR-C should contain a clear duty for all BCR members:
- to cooperate with, to accept to be audited and to be inspected, including where necessary, on-site, by the Competent SAs,
- to take into account their advice, and
- to abide by decisions of these SAs
on any issue related to the BCR-C.

The BCR-C shall include the obligation to provide the Competent SAs, upon request, with any information about the processing operations covered by the BCR-C.

Since SAs are already bound by an obligation of confidentiality in the course of exercising their public office (see in particular Article 54(2) GDPR), the BCR-C may not contain wording aimed at restricting the duty of all BCR members to cooperate with the Competent SAs, to take into account their advice, to abide by their decisions or to accept to be audited and to be inspected by them including, where necessary, on-site, or to accept audits by them on grounds of confidentiality, e.g. related to the protection of business secrets.

The BCR-C can neither limit the duty to cooperate with Competent SAs nor limit their powers, in particular in relation to the practical modalities of the audits conducted by these SAs (e.g., not limited to business hours).

The BCR-C need to include a commitment that any dispute related to the Competent SAs' exercise of supervision of compliance with the BCR-C will be resolved by the courts of the Member State of that SA, in accordance with that Member State's procedural law. The BCR members agree to submit themselves to the jurisdiction of these courts.
5 - DATA PROTECTION SAFEGUARDS

5.1.1 Description of the data protection principles
In BCR-C: YES | In application form: NO | Reference: Article 47(2)(d) GDPR and Article 5 ....

The BCR-C should explicitly include and describe the following principles to be observed by the BCR members. The BCR-C need to establish those principles in a sufficiently elaborated manner that is in line with the content of the principles as provided for in the GDPR provisions.

The BCR-C should not include general limitations to the application of these principles (e.g., pre-defined lists of overriding interests), which limitations can only be applied on a case-by-case basis, and, where applicable, in accordance with the transparency requirements.

i. Transparency, fairness and lawfulness (see Section 5.1.2 below) for .......... .. ........ data, special categories of data, and data relating to criminal convictions and offences (see Article 5(1)(a), and Articles 6, 9, and 10 GDPR);
ii. Purpose limitation (see Article 5(1)(b) GDPR);
iii. Data minimisation and ........ (... .. ..... 5(1)(c) and (d) GDPR);
iv. Limited storage periods (see Article 5(1)(e) GDPR);
v. Security (integrity and confidentiality, see Section 5.1.3 below, and Article 5(1)(f) GDPR); and
vi. Onward transfers (see Section 5.1.4 below and Chapter V GDPR).
5.1.2 Lawfulness of processing
In BCR-C: YES | In application form: NO | Reference: Article 47(2)(d), Article 5(1)(a), and Articles 6 and 9 GDPR

The BCR-C should contain an exhaustive list of all legal bases for .......... ..... ... . .. ....... intend to rely on. Only legal bases as those stipulated in Article 6(1) and (3) GDPR, or other legal bases laid down in Union or Member State law, as permitted by the GDPR, can be used [21].

In addition, special categories of personal data may only be processed if exemptions as the ones envisaged by Article 9(2) GDPR apply. The BCR-C should contain an exhaustive list of all such exemptions.

Processing of personal data relating to criminal convictions and offences shall be prohibited, unless the same exemptions as the ones envisaged by Article 10 .... ......

[21] As regards possible conflicts with third country legal obligations, see Section 5.4.1 below.
5.1.3 Security and personal data breach notifications
In BCR-C: YES | In application form: NO | Reference: Article 47(2)(d) and Articles 32 to 34 ....

The BCR-C should include a commitment to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk(s) for the rights and freedoms of natural persons (see Article 5(1)(f) and Article 32 GDPR). It is not mandatory to copy-paste the wording of such GDPR provisions. However, the BCR-C need to create those obligations in a sufficiently elaborated manner that is in line with the content of these provisions.

The BCR-C should include a duty to notify:
- without undue delay, any personal data breaches to the Liable BCR member and the relevant ....... ....... .. ........ , .. .... as to the BCR member acting as a controller when a BCR member acting as a processor becomes aware of a data breach;
- without undue delay, and, where feasible, not later than 72 hours after having become aware of the personal data breach, to the Competent SA, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
- without undue delay to data subjects, where the personal data breach is likely to result in a high risk to their rights and freedoms, in line with the requirements of Article 34 GDPR.

Furthermore, any personal data breach should be documented (comprising the facts relating to the personal data breach, its effects, and the remedial action taken), and the documentation should be made available to the Competent SA upon request (see Articles 33 and 34 GDPR).

5.1.4 Restrictions on onward transfers
In BCR-C: YES | In application form: NO | Reference: Article 47(2)(d) GDPR and Article 44 GDPR

BCR-C should contain the commitment that personal data that have been transferred under the BCR may only be onward transferred outside the EEA to processors and controllers which are not bound by the BCR-C [22] if the conditions for transfers laid down in Articles 44 to 46 GDPR are applied in order to ensure that the level of protection of natural persons guaranteed by GDPR is not undermined. In the absence of an adequacy decision or appropriate safeguards, BCR-C may include a provision that onward transfers may exceptionally take place if a derogation applies in line with Article 49 GDPR.

[22] For onward transfers to other BCR members outside the EEA, see Section 2.2 above.
5.2 Rights of data subjects
In BCR-C: YES | In application form: NO | Reference: Article 47(2)(e), Articles 12 to 19 and 21 to 22 GDPR

The BCR-C should provide data subjects with the rights of information, access, rectification, erasure, restriction, notification regarding rectification or erasure or restriction, objection to .......... , ... .. not to be subject to decisions based solely on automated .......... , ......... ......... , .. ... same way as these rights are provided for by Articles 12 to 19, and Articles 21 and 22 GDPR.

It is not mandatory to copy-paste the wording of the above-mentioned GDPR provisions. However, the BCR-C need to create those rights in a sufficiently elaborated manner that is in line with the content of these provisions.

5.3 Accountability and other tools
In BCR-C: YES | In application form: NO | Reference: Article 47(2)(d), and Articles 30, 35-36 ....

Every BCR member acting as controller shall be responsible for and able to demonstrate compliance with the BCR-C (see Article 5(2) and Article 24 GDPR).

The BCR-C need to contain a commitment to enter into contracts with all internal and external processors and must specify the content of such contracts, as set out in Article 28(3) GDPR, including the duty to follow the controller's instructions and implement appropriate technical and organisational measures.

The BCR-C should contain a commitment that, in order to demonstrate compliance, BCR members have to maintain a record of all categories of processing activities carried out on personal data transferred under these BCR-C. The BCR-C must specify the content of the record, in line with what is required by Article 30(1) (for controllers) and Article 30(2) (for processors). This record should be maintained in writing, including in electronic form, and should be made available to the Competent SA on request.

The BCR-C should contain the commitment that data protection impact assessments should be carried out for .......... .......... .. ........ .... transferred under these BCR-C that are likely to result in a high risk to the rights and freedoms of natural persons (see Article 35 ....). Where a data protection impact .......... indicates that the .......... ..... ...... .. . ... . risk in the absence of measures taken by the controller to mitigate the risk, the BCR member acting as a controller should, prior to .......... , consult the Competent SA (see Article 36 ....).

The BCR-C should envisage that appropriate technical and organisational measures designed to implement data protection principles and to facilitate compliance, in practice, with the requirements set up by the BCR-C, should be implemented (data protection by design and by default; see Article 25 ....).

Adopted
42


23 For fu r ther details, s ee EDP B Rec ommendations 0 1/202 0 on mea sures that s upplement tr ansfer tools to ens ur e c ompliance wi th the EU l evel of pr otec tion of personal
data, available at https ://edpb.europa.eu/our -wo rk -to ol s / ou r -documents/recommendations/recommendations -01 20 20- measures -s up pl emen t -tr ans f er en.
24 See EDP B Rec ommenda tions 0 2 /2 020 on the Eur opea n Es sential Guarantees for s ur veillance mea sures.
5.4.1 Local laws and practices
affecting compliance with the
BCR-C 23
YES NO Article 47(2)(m)
GDPR
The B CR -C shall contain a clear commitment that
BCR members will use the BCR - C as a tool for
transfers only where they have assessed that the law
and practices in the third country of destination
applicable to the .......... .. ... ........ .... ..
the B CR member acting as data
importer, including
any requirements to disclose personal data or
measures authorising access by public authorities,
do not prevent it from fulfilling its oblig ations under
these BCR -C.
The B CR - C should further specify that this is based
on the unde rstanding that laws and practices that
respect the essence of the fundamental rig hts and
freedoms , and do not exceed what is necessary and
proportionate in a democratic society 24 to safeg uard
one of the objectives listed in Article 23(1) GDPR, are
not in contradiction with the B CR -C.
The B CR -C should also contain a commitment that,
in assessing the laws and practices of the third
country which may affect the respect of the
commitments contained in the B CR -C , t h e B CR
members have taken due account, in particular , of
the following elements:
i. T he specific circumst a nces of t he t ra nsfers or set
of transfers, and of any envisag ed onward
transfers
within the same third country or to
another third country, including :
- purposes for which the data are transferred and processed (e.g. marketing, HR, storage, IT support, clinical trials);
- types of entities involved in the .......... (the data importer and any further recipient of any onward transfer);
- economic sector in which the transfer or set of transfers occur;
- categories and format of the personal data transferred;
- location of the .......... , ......... storage; and
- transmission channels used.

ii. The laws and practices of the third country of destination relevant in light of the circumstances of the transfer [25], including those requiring to disclose data to public authorities or authorising access by such authorities and those providing for access to these data during the transit between the country of the data exporter and the country of the data importer, as well as the applicable limitations and safeguards [26].

[25] As regards the assessment of the impact of the laws and practices of the third countries, please see EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

[26] As regards the impact of such laws and practices on compliance with the BCR, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with the BCR, it needs to be supported by other relevant, objective elements, and it is for the BCR members to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the BCR members have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.
iii. Any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under the BCR-C, including measures applied during the transmission and to the .......... .. ... personal data in the country of destination.

The BCR-C should also contain a commitment that where any safeguards in addition to those envisaged under the BCR-C should be put in place, the Liable BCR member(s), and the relevant Privacy officer or Function will be informed and involved in such assessment.

The BCR-C should contain also an obligation for the BCR members to document appropriately such assessment, as well as the supplementary measures selected and implemented. They should make such documentation available to the competent SAs upon request.

The BCR-C should oblige any BCR member acting as data importer to promptly notify the data exporter if, when using these BCR-C as a tool for transfers, and for the duration of the BCR membership, it has reasons to believe that it is or has become subject to laws or practices that would prevent it from fulfilling its obligations under the BCR-C, including following a change in the laws in the third country or a measure (such as a disclosure request). This information should also be provided to the Liable BCR member(s).
Upon verification of such notification, the BCR member acting as data exporter, along with the Liable BCR member(s) and the relevant ....... officer or Function, should commit to promptly identify supplementary measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the BCR member acting as data exporter and/or data importer, in order to enable them to fulfil their obligations under the BCR-C. The same applies if a BCR member acting as data exporter has reasons to believe that a BCR member acting as its data importer can no longer fulfil its obligations under this BCR-C.

Where the BCR member acting as data exporter, along with the Liable BCR member(s) and the relevant ....... ....... .. ........ , . ....... . ... the BCR-C – even if accompanied by supplementary measures – cannot be complied with for a transfer or set of transfers, or if instructed by the Competent SAs, it commits to suspend the transfer or set of transfers at stake, as well as all transfers for which the same .......... ... ......... ..... .... .. . similar result, until compliance is again ensured or the transfer is ended.

The BCR-C should contain a commitment that following such a suspension, the BCR member acting as data exporter has to end the transfer or set of transfers if the BCR-C cannot be complied with and compliance with the BCR is not restored within one month of suspension. In this case, personal data that have been transferred prior to the suspension, and any copies thereof, should, at the choice of the BCR member acting as data exporter, be returned to it or destroyed in their entirety.

The BCR-C should contain a commitment that the Liable BCR member(s) and the relevant ....... officer or Function will inform all other BCR members of the .......... ....... ... ... .. ... results, so that the identified supplementary measures will be applied in case the same type of transfers is carried out by any other BCR member or, where effective supplementary measures could not be put in place, the transfers at stake are suspended or ended.

The BCR-C needs to include a duty for data exporters to monitor, on an ongoing basis, and where appropriate in collaboration with data importers, developments in the third countries to which the data exporters have transferred personal data that could affect the initial .......... .. ... ..... .. protection and the decisions taken accordingly on such transfers.
5.4.2 Obligations of the data importer in case of government access requests (YES / NO) Article 47(2)(m) GDPR

Without prejudice to the obligation of the BCR member acting as data importer to inform the data exporter of its inability to comply with the commitments contained in the BCR-C (see Section 5.4.1 above), the BCR-C should also include the following commitments:
i. The BCR member acting as data importer will promptly notify the data exporter and, where possible, the data subject (if necessary with the help of the data exporter) if it:
a) receives a legally binding request by a public authority under the laws of the country of destination, or of another third country, for disclosure of personal data transferred pursuant to the BCR-C; such notification will include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided;
b) becomes aware of any direct access by public authorities to personal data transferred pursuant to the BCR-C in accordance with the laws of the country of destination; such notification will include all information available to the data importer.

ii. If prohibited from notifying the data exporter and/or the data subject, the data importer will use its best efforts to obtain a waiver of such prohibition, with a view to communicate as much information as possible and as soon as possible, and will document its best efforts in order to be able to demonstrate them upon request of the data exporter.

iii. The data importer will provide the BCR member acting as data exporter, at regular intervals, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority or authorities, whether requests have been challenged and the outcome of such challenges, etc.). If the data importer is or becomes partially or completely prohibited from providing the data exporter with the aforementioned information, it will, without undue delay, inform the data exporter accordingly.

iv. The data importer will preserve the abovementioned information for as long as the personal data are subject to the safeguards provided by the BCR-C, and shall make it available to the Competent SAs upon request.

v. The data importer will review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and will challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law, and principles of international comity. The data importer will, under the same conditions, pursue possibilities of appeal.
When challenging a request, the data importer will seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It will not disclose the personal data requested until required to do so under the applicable procedural rules.

vi. The data importer will document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It will also make it available to the Competent SAs upon request.

vii. The data importer will provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

In any case, the BCR-C should state that transfers of personal data by a BCR member to any public authority cannot be massive, disproportionate and indiscriminate in a manner that would go beyond what is necessary in a democratic society [27] (as to the consequences of such cases, see Section 5.4.1 above).

[27] See EDPB Recommendations 02/2020 on the European Essential Guarantees for surveillance measures.
6 - TERMINATION

6.1 Termination (YES / NO) Article 70(1)(i) GDPR

The BCR-C should specify that a BCR member acting as data importer, which ceases to be bound by the BCR-C may keep, return, or delete the personal data received under the BCR-C.

If the data exporter and data importer agree that the data may be kept by the data importer, protection must be maintained in accordance with Chapter V GDPR.
7 - NON-COMPLIANCE

7.1 Non-Compliance (YES / NO) Article 70(1)(i) GDPR

The BCR-C should contain commitments as to the following obligations:

i. No transfer is made to a BCR member unless the BCR member is effectively bound by the BCR-C and can deliver compliance.

ii. The data importer should promptly inform the data exporter if it is unable to comply with the BCR-C, for whatever reason, including the situations further described under Section 5.4.1 above.

iii. Where the data importer is in breach of the BCR-C or unable to comply with them, the data exporter should suspend the transfer.

iv. The data importer should, at the choice of the data exporter, immediately return or delete the personal data that has been transferred under the BCR-C in its entirety, where:
- the data exporter has suspended the transfer, and compliance with this BCR-C is not restored within a reasonable time, and in any event within one month of suspension; or
- the data importer is in substantial or persistent breach of the BCR-C; or
- the data importer fails to comply with a binding decision of a competent court or Competent SA regarding its obligations under the BCR-C.

The same commitments should apply to any copies of the data. The data importer should certify the deletion of the data to the data exporter.

Until the data is deleted or returned, the data importer should continue to ensure compliance with the BCR-C.

In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer should warrant that it will continue to ensure compliance with the BCR-C, and will only process the data to the extent and for as long as required under that local law.
For cases where applicable local laws and/or practices affect compliance with the BCR-C, see Section 5.4.1 above.

8 - MECHANISMS FOR REPORTING AND RECORDING CHANGES

8.1 Process for updating the BCR-C (YES / NO) Article 47(2)(k) GDPR

The BCR-C have to be kept up-to-date in order to reflect the current situation (for instance to take into account modifications of the regulatory environment, these EDPB Recommendations, or changes to the scope of the BCR-C).

The BCR-C should impose a duty to report changes, including to the list of BCR members, without undue delay, to all BCR members.

The BCR-C should identify a person or team/department that keeps a fully updated list of the BCR members, keeps record of any updates to the BCR-C, and provides the necessary information to data subjects, and, upon request, to Competent SAs.

Where a modification to the BCR-C would possibly be detrimental to the level of the protection offered by the BCR-C or significantly affect them (e.g. changes to the binding character, change of the Liable BCR member(s)), it must be communicated in advance to the SAs, via the BCR Lead, with a brief explanation of the reasons for the update. In this case, the SAs will also assess whether the changes made require a new approval.
Once a year, the SAs should be notified via the BCR Lead of any changes to the BCR-C or to the list of BCR members, with the brief explanation of the reasons for the changes. This includes any changes made in order to align the BCR-C with any updated version of these .... ................ ... ... ...... .... be notified once a year in instances where no changes have been made.

The annual update or notification should also include the renewal of the confirmation regarding assets (see Section 1.5 above).

It remains the responsibility of the BCR-C holder to keep it up-to-date and in compliance with Article 47 GDPR and these EDPB Recommendations.
9 - DEFINITIONS

9.1 List of definitions (YES / NO) Article 70(1)(i) GDPR

The applicant should include a list of definitions in the BCR-C. The list should include the most relevant terms. To the extent the BCR-C contain terms defined in the GDPR, the definitions provided should not vary from the GDPR. For better readability, these definitions should be replicated in the list.

If the terms "data exporter" and "data importer" are used, they must be defined. The applicant may find it useful to add further terms and their definitions.
If the term "Competent SA(s)" is used, it should be defined as referring to the EEA data protection SA competent for the data exporter.

Where the term "applicable law" is used, it should be clarified, in each case, whether it refers to national/local law of a third country as applicable to the BCR members. In any case, BCR members must comply with the requirements set out under Sections 5.4.1 and 5.4.2 above.

References to GDPR provisions should generally be avoided. However, if there is a need for reference to a particular provision of the GDPR, it should be quoted in full in the BCR-C.

For the European Data Protection Board

The Chair

(Anu Talus)