On 11 April 2018, the Article 29 Working Party published its Working Document Setting Forth a Co-Operation Procedure for the approval of “Binding Corporate Rules” for controllers and processors under the GDPR.
The document updates the WP 107 and outlines cooperation procedures in line with the GDPR.
Some important points to consider:
- binding corporate rules are to be approved by the competent supervisory authority;
- as the group applying for approval of its BCRs may have entities in more than one Member State, this procedure may involve a number of concerned Supervisory Authorities;
- the GDPR does not lay down specific rules for the cooperation phase which should take place among the concerned SAs in advance of referral to the EDPB nor does it specify the rules for identifying the competent SA – which will act as Lead Authority for the BCRs;
- the role of such BCR Lead includes acting as a single point of contact with the applicant organization or group during the approval process and managing the application procedure in its cooperation phase.