WP 29 Updates Documents on BCRs
Monday, December 11, 2017
WP 29, Article, Updates
Print Mail Download i

WP 29 has published the following documents adopted on 29 November 2017:

  • WP 256 Working Document setting up a table with the elements and principles to be found in  Binding Corporate Rules; and

  • WP 257 Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules

WP 29 sets out that taking into account that Article 47.2 GDPR sets forth a minimum set of elements to be inserted within Binding Corporate Rules, these amended tables are meant to:

  • Adjust the wording of the previous referential so as to keep it in line with Article 47 GDPR;

  • Clarify the necessary content of BCRs as stated in Article 47 (taking into account documents WP 742 and WP 1083, for controller BCR and in document WP 204 for processor BCRs, as adopted by the WP29 within the framework of the directive 95/46/EC and );

  • Make the distinction between what must be included in BCRs and what must be presented to the competent Supervisory Authority (competent SA) in the BCRs application (document WP 1334 for Controller BCRs and document WP 195a for Processor BCRs );

  • For Controller BCRs : give the principles the corresponding text references in Article 47 GDPR; and

  • Provide explanations/comments on the principles one by one.

WP29 draws attention in particular to the following elements:

Common to both types of BCRs

  • Right to lodge a complaint: Data subjects should be given the choice to bring their claim either before the Supervisory Authority (‘SA’) in the Member State of his habitual residence, place of work or place of the alleged infringement (pursuant to Art. 77 GDPR) or before the competent court of the EU Member States (choice for the data subject to act before the courts where the data exporter has an establishment or where the data subject has his or her habitual residence (Article 79 GDPR).

  • Scope of application: The BCRs shall specify the structure and contact details of the group of undertakings or group of enterprises engaged in a joint economic activity and of each of its members (GDPR Art. 47.2.a). The BCRs must also specify its material scope, for instance the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the types of data subjects affected and the identification of the recipients in the third country or countries (GDPR Art. 47.2.b).

Specific to Controller BCRs

  • Data Protection principles: Along with the principles of transparency, fairness, purpose limitation, data quality, security, the BCRs should also explain the other principles referred to in Article 47.2.d – such as, in particular, the principles of lawfulness, data minimisation, limited storage periods, guarantees when processing special categories of personal data, the requirements in respect of onward transfers to bodies not bound by the binding corporate rules.

  • Transparency: All data subjects benefitting from the third party beneficiary rights should in particular be provided with information as stipulated in Articles 13 and 14 GDPR and information on their rights about processing and the means to exercise those rights, the clause relating to liability and the clauses relating to the data protection principles.

  • Accountability: Every entity acting as data controller shall be responsible for and able to demonstrate compliance with the BCRs (GDPR Art. 5.2).

Specific to Processor BCRs

  • Data Protection principles: Along with the obligations arising from principles of transparency, fairness, lawfulness, purpose limitation, data quality, security, the BCRs should also explain how other requirements, such as, in particular, in relation to data subjects rights, sub-processing and onward transfers to entities not bound by the BCRs will be observed by the processor.

  • Accountability: Processors will have an obligation to make available to the controller all information necessary to demonstrate compliance with their obligations including through audits and inspections conducted by the Controller or an auditor mandated by the Controller (Art. 28-3-h GDPR).

  • Service Agreement: The Service Agreement between the Controller and the Processor must contain all required elements as provided by Article 28 of the GDPR.

© Copyright 2024 Squire Patton Boggs (US) LLP

Current Legal Analysis

More from Squire Patton Boggs (US) LLP

I Won’t Take This Sitting Down – How To Escape Liability for Kind Thoughts in The Workplace (UK)
by: David Whincup
Heavyweight Fight, Did the US or EU KO the AI Treaty?
by: Andrea Otaola , Claire Murphy
Are you Ready for Washington and Nevada’s Consumer Health Data Laws?
by: Alan L. Friel , Kyle R. Fath
Navigating AI Risks: A Guide to Enhancing Corporate Compliance Programs
by: Colin R. Jennings , Ayako Russell
EEOC Releases Final Rule Implementing Pregnant Workers Fairness Act (US)
by: Laura Lawless
Top Tips for Identifying and Addressing Poor Service in Pensions
by: Victoria Leigh
New CFIUS Rules to Enhance Enforcement and Investigation Activities
by: Ben Squires
April’s APRA: Could Draft Privacy Legislation Blossom into Law in 2024?
by: Julia B. Jacobson , Alan L. Friel
42 C.F.R. Part 2 Final Rule to Align with the HIPAA Privacy Rules
by: John E. Wyand , Kimberly J. Donovan
Supply Chains are the Next Subject of Cyberattacks
by: Sarah K. Rathke , Kristin L. Bryan

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins