The Article 29 Working Party (WP29) has published updated guidelines on Binding Corporate Rules (BCRs) to reflect the requirements set out in the General Data Protection Regulation (GDPR). The two documents, which replace previous WP29 working papers (WP 153 and WP 195) and remain open for public consultation until January 17, 2018, are:
(i) Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules (WP 256)
(ii) Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules (WP 257)
The two documents include tables setting out the elements and principles to be included in controller BCRs and processor BCRs. These tables have been amended specifically to:
- Meet the requirements of Article 47 GDPR
- Clarify the necessary content of BCRs as stated in Article 47 GDPR
- Make the distinction between what must be included in BCRs and what must be presented to the competent supervisory authority in the BCRs application
- Give the principles the corresponding text references in Article 47 GDPR (for controller BCRs)
- Provide further guidance on each of the requirements
Both documents note that Article 47 GDPR is clearly modeled on the working documents relating to BCRs previously adopted by WP29. However, to ensure their compatibility with GDPR, Article 47 does specify new requirements to be considered for adopting new BCRs or updating existing ones.
The documents draw attention to the following elements:
Specific to controller BCRs:
- Transparency: All data subjects benefiting from the third-party beneficiary rights should be provided with the information stipulated in Articles 13 and 14 GDPR and information on their rights in regard to processing and the means to exercise those rights, the clause relating to liability and the clauses relating to the data protection principles.
- Data protection principles: Along with the principles of transparency, fairness, purpose limitation, data quality and security, the BCRs should also explain the other principles referred to in Article 47(2)(d) GDPR – such as the principles of lawfulness, data minimization, etc.
- Accountability: Every entity acting as controller shall be responsible for, and be able to demonstrate compliance with, the BCRs (Art 5(2) GDPR).
Specific to processor BCRs:
- Third-party beneficiary rights: Data subjects should be able to enforce the BCRs as third-party beneficiaries directly against the processor where requirements at stake are specifically directed to processors, in accordance with the GDPR (Articles 28, 29, 79 GDPR).
- Data protection principles: Along with the obligations arising from the principles of transparency, fairness etc., the BCRs should also explain how other requirements (e.g. in relation to data subject rights and sub-processing) will be observed by the processor.
- Accountability: Processors will have an obligation to make available to the controller all information necessary to demonstrate compliance with their obligations, including through audits and inspections conducted by the controller or an auditor mandated by the controller (Article 28(3)(h) GDPR).
- Service agreement: The services agreement between the controller and the processor must contain all required elements as provided by Article 28 GDPR.
Common to both types of BCRs:
- Right to lodge a complaint: Data subjects should be given the choice to bring their claim either before the supervisory authority in the member state of their habitual residence, place of work or place of the alleged infringement (pursuant to Article 77 GDPR), or before the competent court of the EU member states (choice for the data subject to act before the courts where the data exporter has an establishment or where the data subject has his or her habitual residence (Article 79 GDPR)).
- Scope of application: The BCRs shall specify the structure and contact details of the group of undertakings or group of enterprises engaged in joint economic activity and of each of its members (Article 47(2)(a) GDPR). The BCRs must also specify their material scope, for instance the data transfers or set of data transfers, including the categories of personal data, type of processing and its purposes, etc. (Article 47(2)(b) GDPR).
Amendments of already adopted controller and processor BCRs
Although Article 46(5) GDPR states that existing BCR authorizations will remain valid until amended, replaced or repealed by the supervisory authority, companies with approved BCRs are advised to take steps to bring their BCRs into line with GDPR. As of May 25, 2018, companies should notify any relevant changes made to their BCRs to all group members and to the supervisory authorities, via the lead supervisory authority, as part of their annual update.
For organizations seeking to apply for BCRs, the latest WP29 working documents will be a helpful tool to ensure their BCRs are in line with GDPR requirements. The applications should still follow the previous format (see WP29’s model application form) but the updated table of requirements will be the main reference point during the application process. It is also clear that organizations with approved BCRs already in place should be taking steps to update their BCRs in line with the GDPR. The latest guidelines should help them identify what changes need to be implemented.