3
Adopted
The European Data Protection Board
Having regard to Article 63, Article 64(1)(f) and Article 47 of the Regulation 2016/679/EU of the
European Parliament and of the Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of such data, and repealing
Directive 95/46/EC (hereinafter “GDPR”),
Having regard to the European Economic Area (hereinafter “EEA”) Agreement and in particular to
Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No
154/2018 of 6 July 2018
,
Having regard to Articles 10 and 22 of its Rules of Procedure.
Whereas:
(1) The main role of the European Data Protection Board (hereinafter the “EDPB”) is to ensure the
consistent application of the GDPR throughout the EEA. To this effect, it follows from Article 64(1)(f)
GDPR that the EDPB shall issue an opinion where a supervisory authority (hereinafter “SA”) aims to
approve binding corporate rules (hereinafter “BCRs”) within the meaning of Article 47 GDPR.
(2) The EDPB welcomes and acknowledges the efforts the companies make to uphold the GDPR
standards in a global environment. Building on the experience under Directive 95/46/EC, the EDPB
affirms the important role of BCRs to frame international transfers and its commitment to support the
companies in setting-up their BCRs. This opinion aims towards this objective and takes into account
that the GDPR strengthened the level of protection, as reflected in the requirements of Article 47
GDPR, and conferred to the EDPB the task to issue an opinion on the competent SA’s (BCRs Lead) draft
decision aiming to approve BCRs. This task of the EDPB aims to ensure the consistent application of
the GDPR, including by the SAs, controllers, and processors.
(3) Pursuant to Article 46(1) GDPR, in the absence of a decision pursuant to Article 45(3) GDPR, a
controller or processor may transfer personal data to a third country or international organisation only
if the controller or processor has provided appropriate safeguards, and on condition that enforceable
data subject rights and effective legal remedies for data subjects are available. A group of undertakings
or group of enterprises engaged in a joint economic activity may provide such safeguards by the use
of legally binding BCRs, which expressly confer enforceable rights on data subjects and fulfil a series of
requirements (Article 46 GDPR). The specific requirements listed in the GDPR are the minimum items
BCRs shall specify (Article 47(2) GDPR). The BCRs are subject to approval from the competent SA, in
accordance with the consistency mechanism set out in Article 63 and Article 64(1)(f) GDPR, provided
that the BCRs meet the conditions set out in Article 47 GDPR, together with the requirements set out
in the relevant working documents of the Article 29 Working Party