The Recommendations will be open for consultation until 10 January 2023.
The European Data Protection Board has held its November plenary. It adopted Recommendations on the application for approval and on the elements and principles to be found in Controller Binding Corporate Rules (BCR-C). These recommendations update the existing BCR-CI, which contain criteria for BRC-C approval, and merge it with the standard application form for BRC-C. The new recommendations build upon the agreements reached by data protection authorities during approval procedures on BCR applications since the GDPR came into force. They also provide additional guidance and aim to ensure a level playing field for all BCR applicants. The recommendations also bring the existing guidance into line with the requirements in the CJEU's Schrems II ruling.
BCR-Cs are a transfer tool that can be used by a group of undertakings or enterprises, engaged in a joint economic activity, to transfer personal data outside the EEA to controllers or processors within the same group. BCRs create enforceable rights and set out commitments to establish a level of data protection essentially equivalent to the one provided by the GDPR.
The aim of these recommendations is to:
A second set of recommendations for BCR processors is currently being developed.