The process of drafting, and respectively approving a BCR is not an easy one. It is often cumbersome and requires a high level of expertise and knowledge of not only the national, as well as the European legal framework, but also of the working documents of the European Data Protection Board (formerly Article 29 Working Party). The latter form the backbone of the BCR itself.
There are two application forms – for controllers and for processors. The information that needs to be shared is as follows:
– structure and contact details of the applicant and of the corporate group;
– short description of the data flows;
– determination of the lead supervisory authority, that is the authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data.;
– binding nature of the BCRs or how are they made legally binding for all the entities, members of the corporate group and for the individuals whose data is processed by the members of the corporate group;
– effectiveness, which normally includes description of the audit programmes, corporate government activities, etc.
– how is the cooperation between the National Supervisory Authority and the corporate group is carried out;
– description of the mechanisms of reporting and recording changes to the BCRs – all the group entities, as well as the supervisory authority have to be informed for any change in the BCR as soon as possible;
– data protection safeguards – what are the appropriate technical and organisational measures for data protection that has been implemented;
– annexes, such as a copy of the BCR itself and any relevant documentation.
The documentation is then submitted for approval by the competent supervisory authority.
Basically, the entity that submits the BCR proposes the competent supervisory authority as a lead authority. Of course, the applicant justifies the choice made considering the following factors:
– the location(s) of the corporate group’s European headquarters;
– the location of the company within the group with delegated data protection responsibilities;
– the location of the company which is best placed (in terms of management function, administrative burden, etc.) to deal with the application and to enforce the binding corporate rules in the group;
– the place where most decisions in terms of the purposes and the means of the processing (i.e. transfer) are taken;
– the member state within the EU from which most or all transfers outside the EEA will take place.
After that the cooperation procedure begins.
The proposed lead supervisory authority will forward the information received as to why it has been selected by the company to be the lead authority for the BCRs to all supervisory authorities concerned with an indication of whether or not it agrees to be the BCR lead. If the entry point agrees to be the lead authority, the other concerned supervisory authorities will be asked if they have any objections to raise within two weeks.
Once a decision on the BCR lead has been made, the latter will start the discussions with the applicant and review the draft BCR documents. In order to have a more consistent approach, it will send a first revised draft of the BCRs and the related documents to one or two supervisory authorities which will act as co-reviewers and will help the BCR Lead in the assessment. There may need to be several different drafts or exchanges between the applicant and the relevant authorities before a satisfactory draft is produced.
The result from the abovementioned discussions should be a “consolidated draft” sent by the applicant to the BCR lead which will circulate it among all concerned supervisory authorities for comments. Any further comments will be sent back to the applicant, so that they can be incorporated in the consolidated draft. If the lead authority is satisfied with how all the comments received are addressed, then the applicant will be invited to send a “final draft” to it. A draft decision will be submitted to the European Data Protection Board, along with all the relevant information, documentation and the views of the concerned supervisory authorities. The EDPB will adopt an opinion on the matter. If it supports the draft of the BCR as it is submitted, then the lead supervisory authority will approve the draft BCR.
After the BCR has been approved, it will be sent again to all the concerned supervisory authorities.