In order to reflect the requirements of GDPR, the Article 29 Working Party (WP29) has published the following updated guidelines on Binding Corporate Rules (BCRs):
- Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules (WP 256)
- Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules (WP 257)
The tables have been amended to meet the requirements of Article 47 GDPR. They clarify the necessary content of BCRs and distinguish between what must be included in the BCRs themselves and what must be presented to the competent supervisory authority in the BCRs application. The amendments also map each principle to the corresponding Article 47 text reference for controller BCRs and provide further guidance on each of the requirements.
Those seeking to apply for BCRs will find the latest WP29 working documents a helpful tool for ensuring compliance with GDPR requirements. Applications should still follow the previous format, but the updated table of requirements will be the main reference point during the application process.
Organisations that already have approved BCRs in place should take steps to update them in line with the GDPR; these latest WP29 guidelines should help them identify what changes need to be implemented.
The documents pay particular attention to the following elements, grouped by whether they apply to controller BCRs, processor BCRs or both:
| Controller BCRs | Processor BCRs | Both |
|---|---|---|
| Transparency – data subjects who benefit from third-party beneficiary rights must be provided with the information required by Articles 13 and 14, information on those rights, the liability clause and the data protection principles clauses | Third-party beneficiary rights – data subjects should be able to enforce the BCRs as third-party beneficiaries directly against the processor where the requirements in question are expressly directed at processors (Articles 28, 29 and 79 GDPR) | Right to lodge a complaint – data subjects should be given the choice to bring their claim either before the supervisory authority of the member state of their habitual residence, place of work or place of the alleged infringement (pursuant to Article 77 GDPR), or before the competent court of an EU member state |
| Data Protection Principles – BCRs should also explain the other principles referred to in Article 47(2)(d) GDPR, such as lawfulness, data minimisation, etc. | Data Protection Principles – BCRs should also explain how other principles, such as subject access rights and sub-processing, will be observed by the processor | Scope of application – BCRs shall specify the structure and contact details of the group of undertakings or group of enterprises engaged in joint economic activity and of each of its members (Article 47(2)(a)) |
| Accountability – the entity acting as controller must be able to demonstrate compliance with the BCRs (Article 5(2) GDPR) | Accountability – obligation to make available to the controller all information necessary to demonstrate compliance with its obligations, including via audits and inspections conducted by the controller or an auditor | Amendments of already adopted controller and processor BCRs – organisations with approved BCRs are advised to take steps to bring them into line with the GDPR. From 25 May 2018, companies should notify any relevant changes made to their BCRs to all group members and to the supervisory authorities, via the lead supervisory authority, as part of their annual update |
|  | Service Agreement – the agreement between controller and processor must contain all the elements required under Article 28 |  |
Contact our Data Protection and GDPR Solicitors in Liverpool, Wirral, Merseyside and across England & Wales
It is vital that you have the right legal guidance on your GDPR obligations to ensure you avoid penalties for non-compliance. Our data protection and GDPR lawyers provide straightforward and practical guidance for your business. For free initial advice from our team, contact us on 0151 659 1070 or complete our online enquiry form.