Article 47 GDPR: Difference between revisions

From GDPRhub
 


==Legal Text==
<br /><center>'''Article 47 - Binding corporate rules'''</center>


<span id="1">1.  The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they:</span>


==Commentary==
In order to compensate for a lack of data protection in a third country that has not been declared as safe under [[Article 45 GDPR]], entities can adopt binding corporate rules (BCR) pursuant to [[Article 46 GDPR|Articles 46(2)(b)]] and 47 GDPR. They constitute an appropriate safeguard for international data transfers.


===(1) Binding Corporate Rules===
BCRs are one of the appropriate safeguards which can be used, in the absence of an adequacy decision, to transfer personal data outside of the EU. [[Article 4 GDPR|Article 4(20) GDPR]] defines them as “''personal data protection policies''” which are adhered to by a controller or processor established in the EU, “''for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity''”.


While it did not specifically deal with BCRs, the Court of Justice of the European Union (CJEU) [[CJEU - C-311/18 - Schrems II|C-311/18 judgement (Schrems II)]] held that the use of appropriate safeguards requires that they provide a level of protection that is “''essentially equivalent to that under EU data protection law based on the Charter. The EDPB has found that this standard applies to all the types of appropriate safeguards in Article 46(2) that are of a contractual nature, which includes BCRs.''” In other words, this implies that “''the Schrems II judgment is also relevant to BCRs, and that BCRs may require the use of supplementary transfer tools just as the standard contractual clauses do.''”<ref>''Kuner'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): Update of Selected Articles, Article 68 GDPR, p. 194 (Oxford University Press 2021).</ref>


They refer specifically to third-country transfers within one group of undertakings or group of enterprises engaged in a joint economic activity. Therefore, BCRs cannot be used as a justification for international data transfers to entities that are not part of the relevant group of undertakings or group of enterprises engaged in a joint economic activity. Moreover, “''group entities must bear in mind that BCR will only prove an adequate level of data protection within the group but cannot serve as legal basis for processing. Thus, the group entities must ensure that such legal basis is fulfilled''.”<ref>''von dem Bussche, Voigt'', The EU General Data Protection Regulation (GDPR) (Springer, 2017) p. 126.</ref>


An “''enterprise''” is defined in [[Article 4 GDPR|Article 4(18) GDPR]] as “''a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity''”. “''A group of undertakings''”, following [[Article 4 GDPR|Article 4(19) GDPR]], is constituted by “''a controlling undertaking and its controlled undertakings''”. The GDPR, however, does not define what “''a group of enterprises engaged in a joint economic activity''” is. According to Kuner, this could be a joint venture or an alliance, “''as long as it is stable''”.<ref>''Kuner'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, p. 820 (Oxford University Press 2021).</ref> BCRs may be introduced for either data controllers, data processors, or in a mixed form.<ref>''Kuner'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, p. 815 (Oxford University Press 2021).</ref>


Article 47(1) GDPR establishes the following requirements for BCRs: (i) they are legally binding, apply to and are enforced by every member of the group, including the employees (Article 47(1)(a) GDPR); (ii) they expressly confer enforceable rights on data subjects with regard to the processing of their personal data (Article 47(1)(b) GDPR); and (iii) they fulfil the requirements laid down in Article 47(2) GDPR.

==== (a) Legally Binding and Enforced by Every Member Concerned as well as by Employees ====
The BCRs must contain a clear duty for all the members of the group and for its employees to respect the BCRs. The group will have to explain, in its application form, how the rules are made binding between the companies/entities in the group, for example by intra-group agreements, unilateral undertakings, internal regulatory measures, policies, or other means. The same shall be done with regard to employees, by one or more of: an individual and separate agreement/undertaking with sanctions, a clause in the employment contract with sanctions, internal policies with sanctions, or collective agreements with sanctions.<ref>WP29, ‘Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules’, 18/EN WP256 rev.01, 6 February 2018, pp. 5-6 (available [https://ec.europa.eu/newsroom/article29/items/614109/en here]).</ref>


==== (b) Confer Enforceable Rights on Data Subjects ====
The BCRs must grant rights to data subjects to enforce the rules as third-party beneficiaries. These rights should cover judicial remedies for any breach of the rights guaranteed and the right to receive compensation. The BCRs must contain a duty for the EU headquarters, or the EU BCR member with delegated responsibilities, to accept responsibility for the acts of other members linked by the BCRs outside of the EU, to take the necessary action to remedy them, and to pay compensation for any damages resulting from the violation of the BCRs by those members. The BCRs must also state that, if a member of the group outside the EU violates them, the courts or other competent authorities in the EU will have jurisdiction, and the data subject will have the rights and remedies against the member that has accepted liability as if the violation had been committed by that member in the Member State in which it is based, rather than in the country outside the EU where the violating member is based.<ref>WP29, ‘Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules’, 18/EN WP256 rev.01, 6 February 2018, p. 6 (available [https://ec.europa.eu/newsroom/article29/items/614109/en here]).</ref>


==== (c) Respect Specific Content Requirements ====


=== (2) Minimum Content ===
Article 47(2) GDPR non-exhaustively lists what should be included in the BCRs. The Article 29 Working Party (WP29) has also introduced specific guidelines for controllers and for processors on this matter. BCRs may include, amongst others: the group’s structure and contact details, the material scope and a general description of the transfers, so as to allow the data protection authorities (DPAs) to assess that the processing carried out in third countries is GDPR compliant (Articles 47(2)(a) and 47(2)(b) GDPR); an explanation of how the rules are made binding and enforced among its members and employees (Articles 47(1)(a) and 47(2)(c) GDPR); conferral of rights on data subjects to enforce the rules as third-party beneficiaries, including at least data protection principles, transparency and easy access rules, rights of the data subject, national legislation, the right to complain through the company’s internal complaint mechanism, cooperation duties with the DPAs, as well as liability and jurisdiction provisions (Articles 47(1)(b), 47(2)(d), 47(2)(e), 47(2)(g), 47(2)(i) and 47(2)(l) GDPR); a duty for the EU BCR member to accept responsibility for the acts of other members outside of the EU, to take the necessary action to remedy them, and to pay compensation for any material or non-material damages resulting from the violation of the BCRs by those members (Article 47(2)(f) GDPR); a commitment that training on the BCRs will be provided to personnel that have permanent or regular access to personal data (Article 47(2)(n) GDPR); a duty for the group to carry out data protection audits on a regular basis (Article 47(2)(j) GDPR); and a duty to designate, where required, a DPO (Article 47(2)(h) GDPR).<ref>WP29, ‘Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules’, 18/EN WP256 rev.01, 6 February 2018, pp. 6-7 (available [https://ec.europa.eu/newsroom/article29/items/614109/en here]).</ref>


=== (3) Exchange of Information ===
The format and procedures for the exchange of information about BCRs between the controllers, processors and DPAs shall be specified by the Commission, in accordance with [[Article 93 GDPR|Article 93(2) GDPR]]. Additionally, the European Data Protection Board (EDPB) may issue relevant guidelines and opinions. The EDPB has so far endorsed five WP29 papers relating to BCRs.<ref>See a full list [https://edpb.europa.eu/our-work-tools/general-guidance/endorsed-wp29-guidelines here].</ref>


====Approval Procedure====
BCRs are approved by the national DPAs in accordance with the consistency mechanism set out in [[Article 63 GDPR]]. Following the provisions of [[Article 64 GDPR|Article 64(f) GDPR]], the EDPB issues a non-binding opinion whenever a DPA aims to approve BCRs.<ref>EDPB, ‘Register of approved binding corporate rules’ (accessible [https://edpb.europa.eu/our-work-tools/accountability-tools/bcr_de here]).</ref> The group interested in introducing the BCRs should propose a DPA to act as “''the BCR Lead''”. In its application, the group should include all relevant information about the nature and general structure of the processing activities. The WP29 proposed the following informal criteria to take into account when identifying the appropriate DPA: the location(s) of the group’s European headquarters; the location of the company within the group with delegated data protection responsibilities; the location of the company which is best placed (in terms of management function, administrative burden, etc.) to deal with the application and enforcement of the binding corporate rules in the group; the place where most decisions in terms of the purposes and the means of the processing (i.e. transfer) are taken; and the Member State within the EU from which most or all transfers outside the EEA will take place.


The DPA that receives the application must inform the other DPAs concerned about its decision on whether to become the BCR Lead. If it agrees to do so, then the other DPAs have, under [[Article 57 GDPR|Article 57(1)(g) GDPR]], a right to raise any objections within two weeks (a period extendable by two additional weeks if requested by any DPA concerned). If the DPA refuses to act as the BCR Lead, it should explain the reasons for its decision, as well as its recommendations (if any) as to which other DPA would be appropriate. Once a decision on the BCR Lead has been made, the corresponding DPA starts to communicate with the applicant and reviews the draft BCR documents. Other DPAs concerned may act as co-reviewers of the documents.


After the review process, the applicant sends “''a consolidated draft''” to the BCR Lead, on which the other DPAs concerned may comment. The BCR Lead then submits, following [[Article 64 GDPR|Article 64(1) GDPR]] and [[Article 64 GDPR|Article 64(4) GDPR]], a draft decision to the EDPB. The EDPB, in turn, issues a non-binding opinion on the BCRs. If the opinion endorses the draft decision, the BCR Lead adopts the decision approving the BCRs. If the opinion requires any amendment to the draft BCRs, the BCR Lead, acting under [[Article 64 GDPR|Article 64(7) GDPR]], communicates to the Chair of the EDPB, within two weeks, whether it intends to maintain its draft decision or to amend it in accordance with the EDPB opinion. If the BCR Lead refuses to include the EDPB amendments in the draft decision, then dispute resolution under [[Article 65 GDPR|Article 65(1) GDPR]] is triggered. If, on the other hand, the BCR Lead decides to follow the EDPB opinion, it then contacts the applicant immediately in order to request the corresponding amendments to the draft. When the draft BCRs have been finalised in accordance with the EDPB opinion, the BCR Lead amends its initial draft decision, approves the BCRs, and notifies the EDPB. After the approval, the BCR Lead informs all other DPAs concerned about its decision.


The group whose BCRs have not been accepted by the DPA can challenge this decision under [[Article 78 GDPR]]. The EDPB’s opinion may be challenged before the CJEU under the annulment procedure in Article 263 of the TFEU.<ref>''Kuner'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, p. 822 (Oxford University Press 2021).</ref>
----


==Decisions==

Latest revision as of 15:15, 28 April 2022

Article 47 - Binding corporate rules
Chapter 10: Delegated and implementing acts

Legal Text


Article 47 - Binding corporate rules

1. The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they:

(a) are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;
(b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and
(c) fulfil the requirements laid down in paragraph 2.

2. The binding corporate rules referred to in paragraph 1 shall specify at least:

(a) the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;
(b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;
(c) their legally binding nature, both internally and externally;
(d) the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules;
(e) the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;
(f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;
(g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in addition to Articles 13 and 14;
(h) the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling;
(i) the complaint procedures;
(j) the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of a group of undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the competent supervisory authority;
(k) the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority;
(l) the cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of verifications of the measures referred to in point (j);
(m) the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and
(n) the appropriate data protection training to personnel having permanent or regular access to personal data.

3. The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

Relevant Recitals

Recital 110: Binding Corporate Rules
A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

Commentary

In order to compensate for a lack of data protection in a third country that has not been declared as safe under Article 45 GDPR, entities can adopt binding corporate rules (BCR) pursuant to Articles 46(2)(b) and 47 GDPR. They constitute an appropriate safeguard for international data transfers.

(1) Binding Corporate Rules

BCRs are one of the appropriate safeguards which can be used, in the absence of an adequacy decision, to transfer personal data outside of the EU. Article 4(20) GDPR defines them as "personal data protection policies" which are adhered to by a controller or processor established in the EU, "for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity".

While it did not specifically deal with BCRs, the Court of Justice of the European Union (CJEU) C-311/18 judgment (Schrems II) held that the use of appropriate safeguards requires that they provide a level of protection that is "essentially equivalent to that under EU data protection law based on the Charter. The EDPB has found that this standard applies to all the types of appropriate safeguards in Article 46(2) that are of a contractual nature, which includes BCRs." In other words, this implies that "the Schrems II judgment is also relevant to BCRs, and that BCRs may require the use of supplementary transfer tools just as the standard contractual clauses do."[1]

They refer specifically to the third-country transfers within one group of undertakings or group of enterprises engaged in a joint economic activity. Therefore, BCRs cannot be used as a justification for international data transfers to entities that are not part of the relevant group of undertakings or group of enterprises engaged in a joint economic activity. Moreover, "group entities must bear in mind that BCR will only prove an adequate level of data protection within the group but cannot serve as legal basis for processing. Thus, the group entities must ensure that such legal basis is fulfilled."[2]

An "enterprise" is defined in Article 4(18) GDPR as "a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity". "A group of undertakings", following Article 4(19) GDPR, is constituted by "a controlling undertaking and its controlled undertakings". The GDPR, however, does not define what "a group of enterprises engaged in a joint economic activity" is. According to Kuner, this could be a joint venture or an alliance, "as long as it is stable".[3] BCRs may be introduced for data controllers, for data processors, or in a mixed form.[4]

Article 47(1) GDPR establishes the following requirements for BCRs: (i) they are legally binding, apply to and are enforced by every member of the group, including the employees (Article 47(1)(a) GDPR); (ii) they expressly confer enforceable rights on data subjects with regard to the processing of their personal data (Article 47(1)(b) GDPR); and (iii) they fulfil the requirements laid down in Article 47(2) GDPR.

(a) Legally Binding and Enforced by Every Member Concerned as well as by Employees

The BCRs must contain a clear duty for all the members of the group and for its employees to respect the BCRs. The group will have to explain, in its application form, how the rules are made binding between the companies/entities in the group, for example by intra-group agreements, unilateral undertakings, internal regulatory measures, policies, or other means. The same shall be done with regard to employees, by one or more individual and separate agreements/undertakings with sanctions, a clause in the employment contract with sanctions, internal policies with sanctions, or collective agreements with sanctions.[5]

(b) Confer Enforceable Rights on Data Subjects

The BCRs must grant rights to data subjects to enforce the rules as third-party beneficiaries. The rights should cover the judicial remedies for any breach of the rights guaranteed and the right to receive compensation. The BCRs must contain a duty for the EU headquarters, or the EU BCR member with delegated responsibilities, to accept responsibility for the acts of other members linked by the BCRs outside of the EU, to take the necessary action to remedy them, and to pay compensation for any damages resulting from the violation of the BCRs by its members. The BCRs must also state that, if a member of the group outside the EU violates them, the courts or other competent authorities in the EU will have jurisdiction, and that the data subject will have the same rights and remedies against the member that has accepted liability as if the violation had been committed by that member in the Member State in which it is based, rather than in the country outside the EU where the violating member is based.[6]

(c) Respect Specific Content Requirements

See paragraph 2 below.

(2) Minimum Content

Article 47(2) GDPR non-exhaustively lists what should be included in the BCRs. The Article 29 Working Party (WP29) has also issued specific guidelines for controllers and for processors on this matter. BCRs may include, amongst others: the group's structure and contact details, the material scope and a general description of the transfers, so as to allow the data protection authorities (DPAs) to assess whether the processing carried out in third countries is GDPR compliant (Articles 47(2)(a) and 47(2)(b) GDPR); an explanation of how the rules are made binding and enforced among its members and employees (Articles 47(1)(a) and 47(2)(c) GDPR); the conferral of rights on data subjects to enforce the rules as third-party beneficiaries, including at least data protection principles, transparency and easy access rules, rights of the data subject, national legislation, the right to complain through the company's internal complaint mechanism, cooperation duties with the DPAs, as well as liability and jurisdiction provisions (Articles 47(1)(b), 47(2)(d), 47(2)(e), 47(2)(g), 47(2)(i) and 47(2)(l) GDPR); a duty for the EU BCR member to accept responsibility for the acts of other members outside of the EU, to take the necessary action to remedy them, and to pay compensation for any material or non-material damages resulting from the violation of the BCRs by those members (Article 47(2)(f) GDPR); a commitment that training on the BCRs will be provided to personnel that have permanent or regular access to personal data (Article 47(2)(n) GDPR); a duty for the group to carry out data protection audits on a regular basis (Article 47(2)(j) GDPR); and a duty to designate a DPO where required (Article 47(2)(h) GDPR).[7]

(3) Exchange of Information

The format and procedures for the exchange of information about BCRs between the controllers, processors and DPAs shall be specified by the Commission, in accordance with Article 93(2) GDPR. Additionally, the European Data Protection Board (EDPB) may issue relevant guidelines and opinions. The EDPB has so far endorsed five WP29 papers relating to BCRs.[8]

Approval Procedure

BCRs are approved by the national DPAs in accordance with the consistency mechanism set out in Article 63 GDPR. Following the provisions of Article 64(f) GDPR, the EDPB issues a non-binding opinion whenever a DPA aims to approve the BCRs.[9] The group interested in introducing the BCRs should propose a DPA to act as "the BCR Lead". In its application, the group should include all relevant information about the nature and general structure of the processing activities. The WP29 proposed the following informal criteria to take into account when defining the appropriate DPA: the location(s) of the group's European headquarters; the location of the company within the group with delegated data protection responsibilities; the location of the company which is best placed (in terms of management function, administrative burden, etc.) to deal with the application and enforcement of the binding corporate rules in the group; the place where most decisions in terms of the purposes and the means of the processing (i.e. transfer) are taken; and the Member State within the EU from which most or all transfers outside the EEA will take place.

The DPA that receives the application must inform the other DPAs concerned about its decision to become the BCR Lead. If it agrees to do so, the other DPAs have, under Article 57(1)(g) GDPR, a right to raise any objections within two weeks (a period extendable by two additional weeks if requested by any of the DPAs concerned). If the DPA refuses to act as the BCR Lead, it should explain the reasons for its decision, as well as its recommendations (if any) as to which other DPA would be appropriate. Once a decision on the BCR Lead has been made, the corresponding DPA starts to communicate with the applicant and reviews the draft BCR documents. Other DPAs concerned may act as co-reviewers of the documents.

After the review process, the applicant sends "a consolidated draft" to the BCR Lead, on which the other DPAs concerned may comment. The BCR Lead then submits, following Article 64(1) GDPR and Article 64(4) GDPR, a draft decision to the EDPB. The EDPB, in turn, issues a non-binding opinion on the BCRs. If the opinion endorses the draft decision, the BCR Lead adopts the decision approving the BCRs. If the opinion requires any amendment to the draft BCRs, the BCR Lead, acting under Article 64(7) GDPR, communicates to the Chair of the EDPB, within two weeks, whether it intends to maintain its draft decision or to amend it in accordance with the EDPB opinion. If the BCR Lead refuses to include the EDPB amendments in the draft decision, the dispute resolution procedure under Article 65(1) GDPR is triggered. If, on the other hand, the BCR Lead decides to follow the EDPB opinion, it contacts the applicant immediately in order to request the corresponding amendments to the draft. When the draft BCRs have been finalised in accordance with the EDPB opinion, the BCR Lead amends its initial draft decision, approves the BCRs, and notifies the EDPB. After the approval, the BCR Lead informs all other DPAs concerned about its decision.

A group whose BCRs have not been accepted by the DPA can challenge this decision under Article 78 GDPR. The EDPB's opinion may be challenged before the CJEU under the annulment procedure in Article 263 of the TFEU.[10]

Decisions

→ You can find all related decisions in Category:Article 47 GDPR

References

  1. Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): Update of Selected Articles, Article 68 GDPR, p. 194 (Oxford University Press 2021).
  2. von dem Bussche, Voigt, The EU General Data Protection Regulation (GDPR) (Springer 2017), p. 126.
  3. Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, p. 820 (Oxford University Press 2021).
  4. Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, p. 815 (Oxford University Press 2021).
  5. WP29, 'Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules', 18/EN WP256 rev.01, 6 February 2018, pp. 5-6 (available here).
  6. WP29, 'Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules', 18/EN WP256 rev.01, 6 February 2018, p. 6 (available here).
  7. WP29, 'Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules', 18/EN WP256 rev.01, 6 February 2018, pp. 6-7 (available here).
  8. See the full list here.
  9. EDPB, 'Register of approved binding corporate rules' (accessible here).
  10. Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, p. 822 (Oxford University Press 2021).