The ICO published new guidelines on Binding Corporate Rules (BCRs) on 25 July 2022. There have been significant delays in approvals of UK BCRs by the ICO following Brexit. The new guidelines are aimed at adding clarity to the application process.
What are UK BCRs?
As a reminder, BCRs are one of the appropriate safeguards for transferring personal data from the UK to recipients in third countries under Article 46.2(b) of the UK GDPR. BCRs are appropriate for use by a group of undertakings or a group of enterprises engaged in a joint economic activity, such as companies affiliated with each other. BCRs cover transfers of personal data from controllers within the group established in the UK to controllers or processors in third countries (BCR-C) and from controllers outside the group but established in the UK to processors within the group in third countries (BCR-P). Companies with approved UK BCRs can transfer personal data internally within the group from the UK entities to affiliated entities in third countries that adhere to the approved UK BCRs.
The ICO labelled the BCRs as "the gold standard" transfer tool. This is because companies adhering to the BCRs must provide evidence to the ICO on how they will effectively ensure data subjects’ rights and comply with the data protection principles. The internal processes and procedures must be legally binding and go through intensive review by the ICO before being approved.
UK BCRs are a suite of documents rather than one single BCR policy and consist of the following:
| Document | What the ICO expects | Notes |
| --- | --- | --- |
| A completed electronic copy of the application form | The application form must show: the UK entity has sufficient funds to provide remedies and/or pay compensation for liabilities arising under the UK BCRs; internal audit and verification procedures; a process for training and awareness raising; confirmation that companies adhering to the UK BCRs will cooperate with the ICO; a process for reporting and recording changes; and maintenance of the network of DPOs or appropriate staff. | The application form is separate for BCR-C and BCR-P. Although the applications for BCR-C and BCR-P are separate, organisations applying for both can combine the supporting documents as long as it is clear where controller and processor obligations are addressed in the documents. |
| An electronic copy of the draft binding instrument | The ICO's preference is that this is an intra-group agreement setting out the binding nature of the UK BCR policy. | BCR-P to include Article 28 GDPR clauses for processors. To ensure data subjects' rights are effective, companies must confer third-party beneficiary rights on the data subjects and refer to the application of the Contracts (Rights of Third Parties) Act 1999 in the intra-group agreement. |
| A BCR policy | This should be one document and is expected to be published. The BCR policy must be easy for data subjects to understand. | The policy and other UK BCR documents must have a clear UK focus and not combine EU and UK analysis. |
| A referential table | This table shows how the UK BCR documents meet the requirements of Article 47 GDPR on BCRs. It has an additional Annex for BCR-P purposes, where companies also need to show how they meet the requirements of Article 28 GDPR. | The requirements are largely the same as in the referential table issued by the Article 29 Working Party (WP195) in terms of the binding nature of the BCRs, their effectiveness, the cooperation obligation and the process of updating the BCRs. |
| Other supporting documents | The BCR policy can contain copies of other company policies attached in the annexes, if referenced. | Global policies referenced in the UK BCR policy must comply with the UK GDPR. |
How is the process simplified?
The ICO clarifies the application process and what it expects to see in the UK BCR documents. Considering that the European Data Protection Board has not yet updated its BCR guidelines since the GDPR came into force, these guidelines provide clarity and can save organisations time when preparing the documents.
The ICO will request supporting documents only after the application has been submitted.
Confirmation of the requirement for the TIA for data transfers
The ICO confirms that a transfer impact assessment (TIA) is required when using the UK BCRs following the Schrems II decision. The ICO does not need to see the TIA but expects that the TIA has been conducted and is regularly reviewed.
Nevertheless, the guidelines do not specifically cover the supplementary measures to be applied for transfers reliant on the BCRs where local national laws prevent compliance with the BCRs.