On June 30, 2023, the European Data Protection Board (“EDPB”) published Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) (the “Recommendations”), which were adopted on June 20, 2023. Binding corporate rules (“BCRs”) are a mechanism for transferring personal data to third countries in accordance with Chapter V of the EU General Data Protection Regulation (“GDPR”), and must be approved by the relevant organization’s lead supervisory authority. BCRs create enforceable rights and set out commitments in order to create, for the personal data transferred under the BCRs, a level of protection essentially equivalent to that provided by the GDPR.

The purpose of the Recommendations is to:

  • Provide a standard form for the application for approval of BCRs for controllers (“BCRs-C”);
  • Clarify the necessary content of BCRs-C as stated in Article 47 of the GDPR;
  • Make a distinction between what must be included in BCRs-C and what must be presented to the BCR’s lead supervisory authority in the application; and
  • Provide explanations and comments on the requirements.