Insurance Europe has responded to a consultation conducted by the European Data Protection Board (EDPB) on its draft recommendation on the application for approval and on the elements to be found in the Controller Binding Corporate Rules (BCR-Cs).
BCRs are an essential transfer tool that can be used by a group of undertakings or enterprises, engaged in a joint economic activity, to transfer personal data outside of the European Economic Area to controllers or processors within the same group. BCRs create enforceable rights and set out commitments to establish a level of data protection essentially equivalent to the one provided by the General Data Protection Regulation (GDPR).
Following the publication of these recommendations, companies will be asked to update their BCR-Cs to align them with the new EDPB guidance. However, while the changes to bring existing guidance in line with the requirements in the CJEU’s Schrems II ruling are justifiable, in many instances the EDPB recommendations establish new requirements that cannot be directly derived from Article 47 of the GDPR. This was not previously foreseen and means a significant additional effort for the companies concerned.
Additionally, the recommendations do not lay out a proper transitional arrangement to allow companies to update their BCRs. The EDPB recommendations imply a one-year time frame for companies to carry out the update and subsequently notify the relevant supervisory authority. However, such a time frame does not take into account all of the associated implementation work that will be needed, including the update to training programs for employees and the preparation of new FAQs.