EDPB Document Setting Forth a Co-Operation procedure for the approval of Binding Corporate Rules for controllers and processors

EDPB Document Setting Forth a Co-Operation procedure for the approval of Binding Corporate Rules for controllers and processors

In the complex landscape of global data protection, Binding Corporate Rules (BCR) emerge as an essential tool for multinational companies. These internal policies, which are mandatory in nature, allow for the legitimization of international personal data transfers within a corporate group, ensuring a level of protection equivalent to that required by the GDPR, even beyond the borders of the European Union. Given their importance, having an efficient and harmonized approval procedure is crucial.

This legal note summarizes and explains the Cooperation Procedure for the Approval of Binding Corporate Rules, as established by the EDPB. The EDPB, which ensures the consistent application of the GDPR across the European Union, has issued this procedure to facilitate regulatory compliance by corporate groups transferring personal data outside the European Economic Area (EEA). The document, adopted on March 13, 2025, updates the previous working document, incorporating practical experience and seeking to optimize cooperation among supervisory authorities within the GDPR framework.

Who does this procedure apply to?

This procedure applies to corporate groups, including both data controllers and processors, that wish to implement BCR to legitimize international personal data transfers within their organization. It applies to companies based in the EU that transfer data to their subsidiaries outside the EU, or to companies outside the EU that transfer data from the EU to their headquarters.

In what circumstances is it relevant?

The procedure is relevant when a corporate group needs to transfer personal data from the European Union to entities located in countries that do not offer a level of data protection deemed “adequate” by the European Commission. In such cases, BCR become a valid legal instrument to ensure the protection of the transferred data, provided they are approved following this procedure. BCR allow companies to demonstrate compliance with GDPR requirements when transferring data outside the EEA.

What are BCR?

BCR are internal policies of a corporate group that establish mandatory data protection standards for all entities within the group, regardless of their geographical location. These standards must ensure a level of data protection essentially equivalent to that guaranteed by the GDPR. Approval of BCR by the competent supervisory authorities legitimizes international data transfers within the corporate group.

Phases of the approval procedure

The BCR approval procedure unfolds through the following phases, aimed at ensuring the consistency and effectiveness of the proposed standards:

1. The first step is for the corporate group to propose a Supervisory Authority (SA) as the process leader. The choice of this SA must be justified based on objective criteria, such as the location of the group’s central administration in Europe, the location of the centralized data protection function, or the place where decisions regarding data processing are made. The proposed SA must formally accept its role as leader.
2. The lead SA is responsible for thoroughly reviewing the documentation submitted by the corporate group, including the BCR draft. This review aims to verify that the BCR comply with GDPR requirements and ensure adequate protection of personal data.
3. To ensure a comprehensive evaluation, the lead SA shares the revised BCR draft with one or two co-reviewer SAs. These co-reviewer SAs examine the draft and provide their comments and suggestions to the lead SA.
4. Once the comments from the co-reviewer SAs are incorporated, a consolidated BCR draft is prepared. This draft is distributed to all concerned SAs, who have the opportunity to make observations and propose modifications. The goal of this phase is to reach a general consensus on the BCR content.
5. In case controversies or differences of opinion arise during the review process, the lead SA may convene informal sessions, known as “BCR sessions. These sessions bring together the concerned SAs and the EDPB Secretariat to discuss contentious points and seek consensual solutions.
   Once consensus is reached among the SAs, the lead SA submits the final BCR draft to the EDPB for its opinion.
6. The EDPB’s opinion is a key element in ensuring consistency and uniformity in the application of the GDPR across the European Union.
7. Finally, the lead SA, taking into account the EDPB’s opinion, formally adopts the decision to approve the BCR. This approval legitimizes international data transfers within the corporate group, provided the conditions set out in the BCR are met.

The document also specifies in detail the role and responsibilities of the lead SA in each phase of the procedure, defines the concept of “round” in the context of BCR review, and describes the procedure for organizing and conducting BCR sessions.

Translations

In order to facilitate the participation of all concerned SAs, the document stipulates that the documentation must be submitted in the language of the lead SA and, where possible, in English. Additionally, the final BCR draft and the approved BCR must be translated into the languages of the SAs from which data transfers are made.

In summary, this document provides a clear and detailed procedural framework for the approval of BCR, promoting cooperation among supervisory authorities and ensuring an adequate level of protection for personal data transferred internationally within the GDPR context.