Article 47 GDPR

From GDPRhub
Article 47 - Binding corporate rules
Chapter 10: Delegated and implementing acts

Legal Text


Article 47 - Binding corporate rules

1. The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they:

(a) are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;
(b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and
(c) fulfil the requirements laid down in paragraph 2.

2. The binding corporate rules referred to in paragraph 1 shall specify at least:

(a) the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;
(b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;
(c) their legally binding nature, both internally and externally;
(d) the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules;
(e) the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;
(f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;
(g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in addition to Articles 13 and 14;
(h) the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling;
(i) the complaint procedures;
(j) the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of a group of undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the competent supervisory authority;
(k) the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority;
(l) the cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of verifications of the measures referred to in point (j);
(m) the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and
(n) the appropriate data protection training to personnel having permanent or regular access to personal data.

3. The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

Relevant Recitals

Recital 110: Binding Corporate Rules
A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

Commentary

In order to compensate for a lack of data protection in a third country that has not been declared as safe under Article 45 GDPR, entities can adopt binding corporate rules (BCR) pursuant to Articles 46(2)(b) and 47 GDPR. They constitute an appropriate safeguard for international data transfers.

(1) Binding Corporate Rules

BCRs are one of the appropriate safeguards which can be used, in the absence of an adequacy decision, to transfer personal data outside of the EU. Article 4(20) GDPR defines them as “personal data protection policies” which are adhered to by a controller or processor established in the EU, “for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity”.

While it did not specifically deal with BCRs, the Court of Justice of the European Union (CJEU) C-311/18 judgment (Schrems II) held that the use of appropriate safeguards requires that they provide a level of protection that is “essentially equivalent to that under EU data protection law based on the Charter. The EDPB has found that this standard applies to all the types of appropriate safeguards in Article 46(2) that are of a contractual nature, which includes BCRs.” In other words, this implies that “the Schrems II judgment is also relevant to BCRs, and that BCRs may require the use of supplementary transfer tools just as the standard contractual clauses do.”[1]

They refer specifically to the third-country transfers within one group of undertakings or group of enterprises engaged in a joint economic activity. Therefore, BCRs cannot be used as a justification for international data transfers to entities that are not part of the relevant group of undertakings or group of enterprises engaged in a joint economic activity. Moreover, "group entities must bear in mind that BCR will only prove an adequate level of data protection within the group but cannot serve as legal basis for processing. Thus, the group entities must ensure that such legal basis is fulfilled."[2]

An “enterprise” is defined in Article 4(18) GDPR as “a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity”. “A group of undertakings”, following Article 4(19) GDPR, is constituted by “a controlling undertaking and its controlled undertakings”. The GDPR, however, does not define what “a group of enterprises engaged in a joint economic activity” is. According to Kuner, this could be a joint venture or an alliance, “as long as it is stable”.[3] BCRs may be introduced for either data controllers, data processors, or in a mixed form.[4]

Article 47(1) GDPR establishes the following requirements for BCRs: (i) they are legally binding, apply to and are enforced by every member of the group, including the employees (Article 47(1)(a) GDPR); (ii) they expressly confer enforceable rights on data subjects with regard to the processing of their personal data (Article 47(1)(b) GDPR); and (iii) they fulfil the requirements laid down in Article 47(2) GDPR.

(a) Legally Binding and Enforced by Every Member Concerned as well as by Employees

The BCRs must contain a clear duty for all the members of the group and for its employees to respect the BCRs. The group will have to explain, in its application form, how the rules are made binding between the companies/entities in the group by, say, intra-group agreements, unilateral undertakings, internal regulatory measures, policies, or other means. The same shall be done with regard to employees by one or more individual and separate agreement/undertaking with sanctions, a clause in the employment contract with sanctions, internal policies with sanctions, or collective agreements with sanctions.[5]

(b) Confer Enforceable Rights on Data Subjects

The BCRs must grant rights to data subjects to enforce the rules as third-party beneficiaries. The rights should cover the judicial remedies for any breach of the rights guaranteed and the right to receive compensation. The BCRs must contain a duty for the EU headquarters, or the EU BCR member with delegated responsibilities, to accept responsibility for the acts of other members linked by the BCRs outside of the EU, to take the necessary action to remedy them, as well as to pay compensation for any damages resulting from the violation of the BCRs by its members. The BCRs must also state that, if a member of the group outside the EU violates them, the courts or other competent authorities in the EU will have jurisdiction, and the data subject will have the rights and remedies against the member that has accepted liability, as if the violation had taken place by them in the Member State in which they are based, instead of the country outside the EU where the member is based.[6]

(c) Respect Specific Content Requirements

See paragraph 2 below.

(2) Minimum Content

Article 47(2) GDPR non-exhaustively lists what should be included in the BCRs. The Article 29 Working Party (WP29) has also introduced specific guidelines for controllers and for processors on this matter. BCRs may include, amongst others: the group’s structure and contact details, the material scope and a general description of the transfers, so as to allow the data protection authorities (DPAs) to assess that the processing carried out in third countries is GDPR compliant (Articles 47(2)(a) and 47(2)(b) GDPR); an explanation of how the rules are made binding and enforced among its members and employees (Articles 47(1)(a) and 47(2)(c) GDPR); conferral of rights on data subjects to enforce the rules as third-party beneficiaries, including at least data protection principles, transparency and easy access rules, rights of the data subject, national legislation, the right to complain through the company’s internal complaint mechanism, cooperation duties with the DPAs, as well as liability and jurisdiction provisions (Articles 47(1)(b), 47(2)(d), 47(2)(e), 47(2)(g), 47(2)(i), 47(2)(l) GDPR); a duty for the EU BCR member to accept responsibility for the acts of other members outside of the EU, to take the necessary action to remedy them, as well as to pay compensation for any damages resulting from the violation of the BCRs by its members, and to pay compensation for any material or non-material damages resulting from the violation of the BCRs by them (Article 47(2)(f) GDPR); a commitment that training on the BCRs will be provided to personnel that have permanent or regular access to personal data (Article 47(2)(n) GDPR); a duty for the group to carry out data protection audits on a regular basis (Article 47(2)(j) GDPR); and a duty to designate, where required, a DPO (Article 47(2)(h) GDPR).[7]

(3) Exchange of Information

The format and procedures for the exchange of information about BCRs between the controllers, processors and DPAs shall be specified by the Commission, in accordance with Article 93(2) GDPR. Additionally, the European Data Protection Board (EDPB) may issue relevant guidelines and opinions. The EDPB has so far endorsed five WP29 papers relating to BCRs.[8]

Approval Procedure

BCRs are approved by the national DPAs in accordance with the consistency mechanism set out in Article 63 GDPR. Following the provisions of Article 64(f) GDPR, the EDPB issues a non-binding opinion whenever a DPA aims to approve BCRs.[9] The group interested in introducing the BCRs should propose a DPA to act as “the BCR Lead”. In its application, the group should include all relevant information about the nature and general structure of the processing activities. The WP29 proposed the following informal criteria to take into account when defining the appropriate DPA: the location(s) of the group’s European headquarters; the location of the company within the group with delegated data protection responsibilities; the location of the company which is best placed (in terms of management function, administrative burden, etc.) to deal with the application and enforcement of the binding corporate rules in the group; the place where most decisions in terms of the purposes and the means of the processing (i.e. transfer) are taken; and the Member State within the EU from which most or all transfers outside the EEA will take place.

The DPA that receives the application must inform the other DPAs concerned about its decision to become the BCR Lead. If it agrees to do so, then the other DPAs have, under Article 57(1)(g) GDPR, a right to raise any objections within two weeks (a period extendable by two additional weeks if requested by any DPA concerned). If the DPA refuses to act as the BCR Lead, it should explain the reasons for its decision, as well as its recommendations (if any) as to which other DPA would be appropriate. Once a decision on the BCR Lead has been made, the corresponding DPA starts to communicate with the applicant and reviews the draft BCR documents. Other DPAs concerned may act as co-reviewers of the documents.

After the review process, the applicant sends “a consolidated draft” to the BCR Lead, on which the other DPAs concerned may comment. The BCR Lead then submits, following Article 64(1) GDPR and Article 64(4) GDPR, a draft decision to the EDPB. The EDPB, in turn, issues a non-binding opinion on the BCRs. If the opinion endorses the draft decision, the BCR Lead adopts the decision approving the BCRs. If the opinion requires any amendment to the draft BCRs, the BCR Lead, acting under Article 64(7) GDPR, communicates to the Chair of the EDPB, within two weeks, whether it intends to maintain its draft decision or to amend it in accordance with the EDPB opinion. If the BCR Lead refuses to include the EDPB amendments in the draft decision, then dispute resolution under Article 65(1) GDPR is triggered. If, on the other hand, the BCR Lead decides to follow the EDPB opinion, it then contacts the applicant immediately in order to request the corresponding amendments to the draft. When the draft BCRs have been finalised in accordance with the EDPB opinion, the BCR Lead amends its initial draft decision, approves the BCRs, and notifies the EDPB. After the approval, the BCR Lead informs all other DPAs concerned about its decision.

A group whose BCRs have not been accepted by the DPA can challenge this decision under Article 78 GDPR. The EDPB’s opinion may be challenged before the CJEU under the annulment procedure in Article 263 of the TFEU.[10]

Decisions

→ You can find all related decisions in Category:Article 47 GDPR

References

  1. Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR) Update of Selected Articles, Article 68 GDPR, p. 194 (Oxford University Press 2021).
  2. von dem Bussche, Voigt, The EU General Data Protection Regulation (GDPR) (Springer, 2017) p. 126.
  3. Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, p. 820 (Oxford University Press 2021).
  4. Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, p. 815 (Oxford University Press 2021).
  5. WP29, ‘Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules’, 18/EN WP256 rev.01, 6 February 2018, pp. 5-6 (available here).
  6. WP29, ‘Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules’, 18/EN WP256 rev.01, 6 February 2018, p. 6 (available here).
  7. WP29, ‘Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules’, 18/EN WP256 rev.01, 6 February 2018, pp. 6-7 (available here).
  8. See a full list here.
  9. EDPB, ‘Register of approved binding corporate rules’ (accessible here).
  10. Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, p. 822 (Oxford University Press 2021).