Article 47 GDPR

From GDPRhub
Revision as of 15:33, 19 August 2021 by JS
Article 47 - Binding corporate rules
Chapter 5: Transfers of personal data to third countries or international organisations

Legal Text

Article 47 - Binding corporate rules
1. The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they:

(a) are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;
(b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and
(c) fulfil the requirements laid down in paragraph 2.

2. The binding corporate rules referred to in paragraph 1 shall specify at least:

(a) the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;
(b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;
(c) their legally binding nature, both internally and externally;
(d) the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules;
(e) the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;
(f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;
(g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in addition to Articles 13 and 14;
(h) the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling;
(i) the complaint procedures;
(j) the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of a group of undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the competent supervisory authority;
(k) the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority;
(l) the cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of verifications of the measures referred to in point (j);
(m) the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and
(n) the appropriate data protection training to personnel having permanent or regular access to personal data.

3. The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

Relevant Recitals

Recital 110

A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

Commentary

Definition

Binding Corporate Rules (BCRs) are one of the legal bases for transferring personal data outside the EU and are used in the absence of an adequacy decision (Article 46(2)(b) GDPR).[1] They refer specifically to third-country transfers within one group of undertakings or group of enterprises engaged in a joint economic activity. Article 4(20) GDPR defines them as 'personal data protection policies' designed for this specific type of processing.

The format and procedures for the exchange of information about BCRs between controllers, processors and DPAs may be specified by the Commission by way of implementing acts adopted under the examination procedure of Article 93(2) GDPR (Article 47(3) GDPR). Additionally, the European Data Protection Board (EDPB) may issue relevant guidelines and opinions. The EDPB has so far endorsed five papers of the WP29 relating to BCRs.[2]

Material Scope

BCRs relate to third-country transfers within one group of undertakings or group of enterprises engaged in a joint economic activity. An "enterprise" is defined in Article 4(18) GDPR as 'a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity'. A "group of undertakings", following Article 4(19) GDPR, is formed by 'a controlling undertaking and its controlled undertakings'. The GDPR does not define what a 'group of enterprises engaged in a joint economic activity' is. According to Kuner, this could be a joint venture or an alliance, "as long as it is stable".[3] BCRs may be introduced for data controllers (BCR-C), for data processors (BCR-P) or in a mixed form.[4]

Approval Procedure

BCRs are approved by the national DPAs in accordance with the consistency mechanism set out in Article 63 GDPR. Following Article 64(1)(f) GDPR, the EDPB issues an opinion whenever a DPA aims to approve BCRs.[5] The group interested in introducing BCRs should propose a supervisory authority to act as "the BCR Lead". In the application, it should include all relevant information about the nature and general structure of the processing activities. The WP29 proposed the following informal criteria to take into account when identifying the right SA: the location(s) of the group's European headquarters; the location of the company within the group with delegated data protection responsibilities; the location of the company which is best placed (in terms of management function, administrative burden, etc.) to deal with the application and to enforce the binding corporate rules in the group; the place where most decisions in terms of the purposes and the means of the processing (i.e. the transfer) are taken; and the Member State within the EU from which most or all transfers outside the EEA will take place.[6]

The DPA that received the application informs the other DPAs concerned about its decision on whether to become the BCR Lead. If it agrees to do so, the other DPAs, in line with their cooperation duty under Article 57(1)(g) GDPR, have two weeks to raise any objections (a period extendable by two additional weeks if requested by any SA concerned).[7] If the DPA refuses to act as the BCR Lead, it should explain the reasons for its decision as well as its recommendations (if any) as to which other DPA would be appropriate.[8]

Once a decision on the BCR Lead has been made, the latter starts discussions with the applicant and reviews the draft BCR documents. Other DPAs concerned may act as co-reviewers of the documents. After the review process, the applicant sends the BCR Lead "a consolidated draft", on which the other DPAs concerned may comment. The BCR Lead then submits a draft decision to the EDPB in accordance with Article 64(1) and Article 64(4) GDPR. The EDPB issues an opinion on the BCRs. If the opinion endorses the draft decision, the BCR Lead adopts the decision approving the BCRs. If the opinion requires any amendment to the draft BCRs, the BCR Lead, acting under Article 64(7) GDPR, communicates to the Chair of the Board within two weeks whether it intends to maintain its draft decision or to amend it in accordance with the EDPB opinion. If the BCR Lead refuses to include the EDPB amendments in the draft decision, dispute resolution under Article 65(1) GDPR is triggered. If the BCR Lead decides to follow the EDPB opinion, it contacts the applicant immediately in order to request the amendments to the draft. When the draft BCRs have been finalised in accordance with the EDPB opinion, the BCR Lead amends its initial draft decision, approves the BCRs and notifies the EDPB. After the approval, the BCR Lead informs all other DPAs concerned about its decision.[9]

Basic Requirements for BCRs

Article 47(1) GDPR establishes the following requirements for BCRs:

1. they are legally binding and apply to and are enforced by every member of the group, including its employees (Article 47(1)(a) GDPR);

2. they expressly confer enforceable rights on data subjects with regard to the processing of their personal data (Article 47(1)(b) GDPR); and

3. they fulfil the requirements laid down in Article 47(2) GDPR.

Article 47(2) GDPR lists, non-exhaustively ("at least"), what BCRs must contain. The WP29 issued specific guidelines for controllers[10] and for processors[11] on that matter. The required elements include, amongst others: the structure and contact details of the group, the material scope and a general description of the transfers, so as to allow the DPAs to assess whether the processing carried out in third countries is compliant (Articles 47(2)(a) and 47(2)(b) GDPR); an explanation of how the rules are made binding on and enforced against the group's members and employees (Articles 47(1)(a) and 47(2)(c) GDPR); the conferral on data subjects of rights to enforce the rules as third-party beneficiaries, covering at least the data protection principles, transparency and easy access rules, the rights of the data subject, national legislation, the right to complain through the companies' internal complaint mechanism, cooperation duties with the DPAs, and liability and jurisdiction provisions (Articles 47(1)(b), 47(2)(c), 47(2)(e), 47(2)(g), 47(2)(i) and 47(2)(l) GDPR)[12]; a duty for the EU BCR member to accept responsibility for, and to agree to take the necessary action to remedy, the acts of other members outside of the EU, and to pay compensation for any material or non-material damage resulting from their violation of the BCRs (Article 47(2)(f) GDPR); a commitment that training on the BCRs will be provided to personnel having permanent or regular access to personal data (Article 47(2)(n) GDPR); a duty for the group to carry out data protection audits on a regular basis (Article 47(2)(j) GDPR); and a duty to designate, where required, a DPO (Article 47(2)(h) GDPR).

Remedies

A group whose BCRs have not been approved by the DPA can challenge that decision under Article 78 GDPR. The opinion of the EDPB may be challenged before the Court of Justice of the European Union in the annulment procedure under Article 263 TFEU.[13]

Decisions

→ You can find all related decisions in Category:Article 47 GDPR

References

  1. Kuner, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 47 GDPR, p. 815 (Oxford University Press 2020).
  2. See a full list here.
  3. Kuner, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 47 GDPR, p. 820 (Oxford University Press 2020).
  4. Kuner, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 47 GDPR, p. 815 (Oxford University Press 2020).
  5. EDPB, Register of approved binding corporate rules (accessible here).
  6. Ibid., p. 3.
  7. Ibid., p. 4.
  8. Ibid., p. 4.
  9. Ibid., p. 5.
  10. Article 29 Working Party, Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules, WP 256 rev.01, 6 February 2018 (available here).
  11. Article 29 Working Party, Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules, WP 257 rev.01, 6 February 2018 (available here).
  12. Article 29 Working Party, Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules, WP 256 rev.01, 6 February 2018 (available here).
  13. Kuner, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 47 GDPR, p. 815 (Oxford University Press 2020).