Procedure BCR application
All transfers of personal data outside the European Union have to guarantee an adequate level of protection of personal data (article 44 GDPR). This adequate level of protection can be established in different ways, one of them being the adoption of Binding Corporate Rules (article 47 GDPR). BCRs allow companies to exchange personal data – also outside the EU – within their corporate structure, whilst preserving the level of protection offered by the GDPR.
Which procedure has to be followed to submit a BCR-application?
✅ STEP 1
Are you a controller? Fill out form WP264.
Are you a processor? Fill out form WP265.
✅ STEP 2
Following section 1.3 of forms WP264 and WP265 mentioned in step 1, you will have to indicate a lead supervisory authority (article 64 GDPR) and justify the reasons for your choice according to the criteria listed in section 1.2 of form WP263 rev.01. You will provide the authority that is, in your view, the lead authority with the information set out in section 1.5 of form WP263 rev.01.
✅ STEP 3
(+ max 2 weeks)
The designated data protection authority will take a decision on whether or not it is competent. We can ask for extra information if necessary in order to verify our competence. If the data protection authority deems it is competent to examine your BCR-application, it will inform the other data protection authorities which are affected by your BCR-application of its decision. These other data protection authorities will have two weeks to raise objections against the proposed decision on the competence of the lead authority for the BCR-application.
In the context of BCR-proceedings, the affected data protection authorities will be:
• For controller-BCRs: all data protection authorities of the member states from which transfers of personal data originate.
(1 month)
If the designated lead authority deems it is not competent, it will inform the applicant by a reasoned decision and will suggest a data protection authority which is better placed to deal with the BCR-application.
✅ STEP 4
If none of the affected data protection authorities have raised objections, the competence of the designated lead authority is established. The lead authority will choose one or two co-reviewing data protection authorities (two when 14 or more member states are affected by the BCR) which will assist the lead supervisory authority in checking the submitted BCRs against the criteria set out in WP256 (for controllers) and WP257 (for processors).
(1 month)
When the competent lead authority is of the opinion that the criteria listed in WP256 (for controllers) and WP257 (for processors) are met, it will send the BCRs to the co-reviewing authorities. The co-reviewing authorities will have one month to provide feedback and raise objections. If objections are raised, the lead supervisory authority will relay those to the applicant.
✅ STEP 5
(Max 1 month)
When the competent lead authority and the co-reviewing authorities agree that the submitted BCRs guarantee an adequate level of protection, the BCRs will be submitted to all affected data protection authorities for final feedback.
(No deadline)
If the affected data protection authorities raise objections against the BCRs, the lead supervisory authority will relay those to the applicant.
✅ STEP 6
(plus max 6 weeks)
If no objections are raised, the lead supervisory authority will submit its draft approval decision to the European Data Protection Board (EDPB). The EDPB will issue an opinion within 8 weeks according to the procedures set out in article 64.3 of the GDPR and article 10 of its rules of procedure. The deadline of 8 weeks can be extended by 6 extra weeks if necessary.
(No deadline)
a. If the EDPB approves the BCR, the lead supervisory authority will adopt an approval decision;
b. If the EDPB considers that further amendments are necessary, the lead supervisory authority will relay those to the applicant.
✅ STEP 7
(No deadline)
When the BCRs have been approved by the lead supervisory authority, the approval decision and the finalised BCRs will be communicated to all affected data protection authorities.
In accordance with Article 46.2 of the GDPR, the national approval procedures no longer exist!