Binding Corporate Rules: What’s new in the updated EDPB guidance?

Hogan Lovells

This summer, the European Data Protection Board (“EDPB”) published the final version of its Recommendations 01/2022 (“Recommendations”) on Binding Corporate Rules for Controllers (“C-BCR”). During the turbulence caused by the “Schrems II” ruling of the European Court of Justice (“CJEU”), Binding Corporate Rules were able to defend their reputation as the most robust mechanism and “gold standard” for international transfers of personal data subject to the GDPR. Given recent and potential action against the EU-US Data Privacy Framework adequacy decision (see here), BCR could once again serve as a transfer mechanism that ensures long-term legal certainty. In addition to our previous analysis of the draft C-BCR Recommendations, this article provides an overview of the further changes in the final Recommendations on C-BCR and their impact on companies, as well as the status of the anticipated Recommendations on BCR for Processors.


Background

BCR are legally binding internal rules adopted by multinational corporations to facilitate transfers of personal data to non-EEA countries in accordance with Article 46(2)(b) and Article 47 GDPR. In contrast to the Standard Contractual Clauses of the European Commission (SCC), BCR are approved by the European data protection authorities (DPAs) individually and therefore provide a greater level of legal certainty for companies that transfer personal data across borders.

On 14 November 2022, the EDPB published its draft Recommendations for C-BCR which introduced several updates on the material requirements for C-BCR. Following public consultation which closed on 10 January 2023, the EDPB adopted the final version of its Recommendations on 20 June 2023. For more information on BCR as a transfer mechanism under the GDPR and our analysis of the draft Recommendations, please refer to our previous article.


Key Updates in the Final C-BCR Recommendations

The final Recommendations include very few amendments to the material requirements for C-BCR as proposed in the draft Recommendations (and outlined in our previous article).

Minor revisions are introduced such as the inclusion of examples or clarifications which apply mainly to the following requirements within the table specifying the elements and principles to be found in C-BCR:

  • Binding Nature - internally: Where a group company relies on internal policies and sanctions or other means for making the C-BCR legally binding on employees, they are required to properly demonstrate how this will be enforced in practice vis-à-vis the employees (Sec. 1.2) in addition to demonstrating how those means make the C-BCR legally binding on employees.

  • Binding Nature - externally: The duty to inform all data subjects about any update to the C-BCR and the list of BCR members has been retained and the EDPB has added, by way of example, that this can be undertaken by publishing the new version without undue delay (Sec. 1.3.1). In addition, there is focus on explaining, in the application form, how the instrument(s) a company group intends to rely on to make the C-BCR internally binding also enables the C-BCR elements against the group company. For example, with respect to an intra-group agreement, the company group should explain how the agreement will be enforceable by data subjects (Sec. 1.3.1).

  • Effectiveness: A reminder that no transfer can be made under the C-BCR to a BCR member unless the member is effectively bound by the C-BCR and can deliver compliance, which includes that appropriate training on the C-BCR can effectively be provided to the employees of the respective member (Sec. 3.1).

  • Mechanisms for reporting and recording changes: Clarification that supervisory authorities should be notified once a year in instances where no changes have been made to the C-BCR and that the annual update or notification should include the renewal of the confirmation regarding assets (Sec. 8.1).


Impact on Companies

The EDPB states that it expects all new and ongoing C-BCR applicants as well as current holders of C-BCR to bring their C-BCR in line with the updated final C-BCR Recommendations:

  • Groups of companies that have an application for C-BCR pending with their lead DPA need to make sure that their application materials as well as their C-BCR meet the standards of the final updated C-BCR Recommendations. C-BCR applications that already reached the stage of a “consolidated draft” in June 2023 and for which the EDPB also issues its opinion by the end of 2023 will have to bring their BCR in line with the C-BCR Recommendations with their 2024 annual update.

  • Groups of companies that already rely on approved C-BCR, as well as organizations with pending C-BCR applications, will need to update their C-BCR and underlying procedures with their 2024 annual update.

  • Groups of companies that are just in the planning stage of setting up their own C-BCR should consider the updated C-BCR Recommendations from the outset.


Will the EDPB also issue Updated Guidance on Processor-BCR?

The recent updates to the EDPB’s guidance only apply to C-BCR, while for Binding Corporate Rules for Processors (“P-BCR”) the “pre-Schrems II” recommendations under Working Paper 265 dated April 2018 still apply. As indicated by the EDPB’s list of approved BCR, the current P-BCR recommendations are still applied by the EU data protection authorities. It is planned to develop a new set of EDPB Recommendations on P-BCR that take into account the requirements formulated by the CJEU. However, the timeline for the publication of the draft for such P-BCR Recommendations is still unclear. Given the significant relevance of P-BCR in practice, companies are well advised to further consider the developments in this regard.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising
