WP29 Issues Working Document Setting Forth a Cooperation Procedure for Approval of Binding Corporate Rules (BCR) Under the GDPR

The Article 29 Working Party (WP29) has been fairly active this week of April 10. Not only did they issue revised guidelines on both transparency and on consent, the EU advisory body also issued a working document setting forth a cooperation procedure for approval of “Binding Corporate Rules” (BCR) for controllers and processors (document). Even though the document may not seem as relevant as the other two guidelines right now due to the current focus by controllers and processors on actual GDPR requirements (where BCRs are not an obligation per se, but one of the different options controllers and processors can rely on for the transfer of personal data to third countries,) it is still noteworthy as it contains rules and procedures that are absent from GDPR.

Indeed, the GDPR details in its article 47 what BCRs should contain and provides that they be approved by the “competent supervisory authority” (SA) “in accordance with the consistency mechanism set out in article 63,” but is actually silent on the cooperation process that must occur between Supervisory Authorities for review and approval of BCRs, and on how to identify the Supervisory Authority competent to act as the lead authority for BCRs.

Identify the BCR Lead SA

The WP29 offers a non-exhaustive list of criteria relevant to determine who the Lead Supervisory Authority for the BCR should be:

  1. the location(s) of the Group’s European headquarters;
  2. the location of the company within the Group with delegated data protection responsibilities;
  3. the location of the company which is best placed (in terms of management function, administrative burden, etc.) to deal with the application and to enforce the binding corporate rules in the Group;
  4. the place where most decisions in terms of the purposes and the means of the processing (e.g. transfer) are taken; and e. the member state within the EU from which most or all transfers outside the EEA will take place.

Supervisory Authorities’ Cooperation process

We summarized the BCR process and cooperation procedure in the diagram below:


Living Document

The Document itself specifies that it will be reviewed and updated (where necessary,) based on the practical experience gained through the application of the GDPR.

How OneTrust Helps

OneTrust offers a BCR Readiness Assessment (Controllers), based on the Article 29 Working Party’s WP133, and BCR Readiness Assessment (Processors), based on the Article 29 Working Party’s WP195, the recommended standard application for approval of BCRs for controllers and processors for the transfer of personal data. This assessment will help you determine whether your organization is a good candidate for binding corporate rules (BCRs). After filling out the questionnaire, you are able to view any areas where there are gaps, along with recommendations on how to address those gaps before continuing with the BCR process.

Contact us at [email protected] for more information or to request a demo!