EDPB updates BCR-C documents: inspired by (but not limited to) Schrems

The EDPB has recently issued an updated set of controller BCR ("BCR-C") application forms and referential table. These are out for consultation until 10 January 2023. Once approved, these new BCR-C documents will repeal the existing BCR-C referential (WP 256) and BCR controller application form (WP264).

While a significant change is the introduction of requirements addressing Schrems (see links to blog on the Schrems EDPB guidance here), the EDPB has introduced further changes which are described in more detail below.
 
How does this affect you? 

• If you are considering applying for BCR-C: the (soon to be replaced) WP256 develops the BCR requirements set out in Article 47 GDPR. The new referential table will set out what controllers must include in their BCRs. When considering applying for BCRs, controllers will have to take this table into account and whether they can uphold the commitments therein.
• If you have applied for BCR-C: if you have recently applied for BCR-C, it is possible that your lead authority (or other authorities, depending on where you are in the application process) will require that you update your BCR so that they align to the elements set out in the new referential table. It is possible that BCR applicants are required to use the updated application forms.
• If you are a BCR-C holder: you will have to check that your BCR-C align with the new referential, it is likely that you will have to tweak your current BCRs and make more substantive changes if you have not yet updated them for Schrems purposes. Depending on what your current BCRs state on the point (and if updates are required), such updates would have to be notified to your lead authority during your annual updates.
• If you hold a BCR-P:  If you are a BCR-P holder: this does not affect you.  However, we envisage that the EDPB will, in due course, issue an update of the processor BCR referential, which will require you to update your BCRs in a similar manner.
• If you engage a vendor with a BCR: If you engage a vendor who holds a BCR-C, this does not affect you as the requirements are only for your vendor's internal transfers.     

What are the main changes?
 
Documents for submission 

• Part 1 of the application form. This includes a new section with an acknowledgement from the BCR members that (i) BCR-C approval does not include an assessment of compliance with GDPR requirements and that group members need to ensure they comply with GDPR requirements as applicable; and that (ii) EEA data exporters (if needed for the support of the data importers) will have to carry out a transfer impact assessment before transferring any personal data under the BCRs and, if necessary, put supplementary measures in place. (This of course is the same as is required when SCCs are the transfer tool used.) Where this is not possible (or where the legislation in importing countries undermine the level of data protection provided under EU law) the data exporter should suspend or end the transfer.  
• Part 2 of the application form. This has been substantially shortened. However, the updated referential table (now called table of "Elements and Principles to be found in the BCR-C" is to be added as Annex 2 of the application form). The applicant will have to set out, for each requirement in the table, where such requirement is addressed in the BCR or the application.   

Substantive changes - New referential table 

• New Schrems requirements. New content regarding the carrying out transfer impact assessments and the steps to follow when the non-EEC BCR member importer receives a request for access by a public authority has been added. In addition to this, references to Schrems-related requirements are present throughout the document, for instance, with regards to training, it sets out that training procedures should include how to manage requests for access by public authorities.
• More detail and new content. The new referential table is more prescriptive than WP265 in relation to how BCR requirements are to be met. This applies across the board, including for strategic requirements such as transparency / publication of the BCRs, legal binding mechanisms or the regulation of third party beneficiary rights. Furthermore, the new referential table requires the provision of additional content, for example a list of definitions of data protection terms used. There are other new sections, for instance, one providing new rules regarding what importers who cease to be bound by the BCR should do with the information. There are also extended rules regarding the consequences of non-compliance with the BCR-C policy. Some of the guidance regarding the BCR content is not as clear as it could be. For example, controllers are required to specify 'per transfer or set of transfers' the following information: categories of personal data; types of personal data; categories of data subjects and the third country recipients. However, the guidance then says that "information on the transfers must be exhaustive" in the same text not necessarily "with a high degree of specificity or granularity". Hopefully, guidance on this point may be updated prior to the document being finalised.
• Expected changes. The EDPB clarifies some requirements and how they should be addressed in the BCR-C policy, which is likely many BCR applicants / holders had already taken into account for instance, it clarifies that the DPO should not have any tasks that could result in a conflict of interest.

Conclusion
 
With this update to the BCR-C rules and requirements the EDPB 'tightens' BCR requirements in a post-Schrems era. We shall have to wait and see the final version of document but there is no doubt that this is another step to making the application of data transfer safeguards under the GDPR more onerous for controllers who wish to transfer personal data (in this case, within the group) outside of the EEA.