European Data Protection Board – Thirty-fifth Plenary session: Information note on Binding Corporate Rules with UK SA as Lead Authority

European Data Protection Board – Thirty-fifth Plenary session: Information note on Binding Corporate Rules with UK SA as Lead Authority

Brussels, 23 July – In light of the upcoming end to the Brexit transition period, the EDPB has adopted an information note outlining the actions that need to be taken by Supervisory Authorities (SAs), the holders of approved Binding Corporate Rules (BCRs) and organisations that have BCRs pending with the UK SA to ensure that these BCRs can still be used as a valid transfer tool, following the end of the transition period. As the UK SA will no longer qualify as a competent SA under the GDPR at the end of the transition period, the approval decisions of the UK SA taken under the GDPR will no longer have legal effect in the EEA. In addition, the content of the BCRs in question may need to be amended before the transition period ends, as these BCRs generally contain references to the UK legal order. This also applies to BCRs already approved under Directive 94/46/EC. 
 
BCR holders who have the UK SA as their BCR Lead SA need to put in place all organisational arrangements to identify a new BCR Lead SA in the EEA. The change of BCR Lead SA will have to take place before the end of the Brexit transition period. 

Current BCR applicants are encouraged to put in place all organisational arrangements to identify a new BCR Lead SA in the EEA well in advance of the end of the Brexit transition period, including contacting the SA in question to provide all necessary information as to why this SA is being considered as the new BCR Lead SA. The latter will then take over the application and formally initiate an approval procedure subject to an opinion of the EDPB. Any BCR approved by the UK SA under the GDPR will require the new EEA BCR Lead SA to issue a new approval decision before the end of the transition period, following an opinion from the EDPB. The EDPB also adopted an annex containing a checklist of elements to be amended in BCR documents in the context of Brexit. 
 
This information note is without prejudice to the analysis currently undertaken by the EDPB on the consequences of the CJEU judgment DPC v Facebook Ireland and Schrems for BCRs as transfer tools.

The agenda to the thirty-fifth plenary is available here.

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

                                                                                                                                                                                                                                                                                                                                                                     EDPB_Press Release_2020_13