In the absence of an adequacy decision, data exporters may rely on Binding Corporate Rules ("BCRs"), which are designed to allow groups of companies and multinational organisations to transfer personal data from the EEA to affiliate entities located outside the EEA in compliance with Chapter V of the GDPR.[1]
BCRs are internal rules adopted by a group of companies, which set out its global policy for international transfers of personal data. These rules must be binding and complied with by all group entities, regardless of their countries of establishment, as well as by all their employees. Moreover, they must expressly confer enforceable rights to data subjects with regard to the processing of their personal data.
There are two different types of BCRs. Choosing the correct type is important, since the two types cover different situations that are subject to different requirements for the content of the BCRs, as specified by Article 47 of the GDPR.
The Controller BCRs cover transfers from a group entity established in the EEA and acting as a controller to another group entity established in a third country which is acting as a controller, a processor or a sub-processor. More information on the scope and the requirements in the BCR for Controllers can be found in the EDPB Referential for Controllers BCR, adopted on 20 June 2023.[2]
The Processor BCRs cover transfers from a group entity established in the EEA and acting as a processor for an external controller to another group entity as sub-processor. More information on the scope and requirements in the BCR for Processors can be found in the amended Working Document of the Article 29 Working Party (WP29) on Binding Corporate Rules for Processors (wp257rev).[3]
The BCRs are approved by the competent supervisory authority, which coordinates with other supervisory authorities in accordance with the consistency mechanism set out in Article 63 of the GDPR.
Approval process for BCRs
The procedure for approving binding corporate rules (BCRs) for controllers and processors is laid out under Articles 47 (1), 63, 64 and (where necessary) 65 of the GDPR.
The approval process for BCRs consists of the following steps[4]:
- identification of the lead supervisory authority for the approval of the BCRs,
- cooperation procedure for the approval of BCRs between the lead supervisory authority, the supervisory authorities acting as co-reviewers and the other concerned supervisory authorities,
- adoption of the EDPB opinion,[5]
- issuing of a national decision by the lead supervisory authority, taking into account the EDPB’s opinion.
In accordance with Article 6 of the Regulation n°7/2020 of 3 April 2020 of the CNPD[6] laying down the amount and payment terms of the fees within the framework of its powers of authorisation and consultation, each group of undertakings established on the territory of Luxembourg that submits binding corporate rules to the CNPD for approval pursuant to Article 47 of the GDPR must pay a fee of 1.500 € to the CNPD.
[1] Articles 46, paragraph 2, and 47 of the GDPR.
[2] EDPB Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules.
[3] Working Document on Binding Corporate Rules for Processors (wp257rev.01): https://ec.europa.eu/newsroom/article29/items/614110
[4] Articles 47, paragraph 1, 63 and 64, paragraph 1, letter f) of the GDPR and Article 29 Working Party, Working Document of 11 April 2018 setting forth a co-operation procedure for the approval of “Binding Corporate Rules” for controllers and processors under the GDPR (WP263rev.01), endorsed by the European Data Protection Board on 25 May 2018.
[5] In accordance with Article 64, paragraph 3 of the GDPR.
[6] Available at: https://cnpd.public.lu/content/dam/cnpd/fr/decisions-avis/2020/07-2020-reglement-CNPD-redevances-signe.pdf.