When and how to submit your BCRs project to the data protection authorities?
The new BCRs approval procedure resulting from the GDPR now provides for the referral of the European Data Protection Board (EDPB). To this end, it is important to clearly identify the documents making up the file for the purposes of the instruction by the competent authority and by the other authorities.
What is the approval procedure for BCRs?
The approval procedure comprises five stages:
- a first level of instruction carried out at national level by the competent authority;
- at the end of this first stage of support, the modified draft is sent to two other data protection authorities which can then make comments;
- the file is then sent to all the authorities in the framework of a stage known as "cooperation". The competent authority acts as an intermediary by forwarding to the applicant the requests for modifications from its counterparts;
- The file is submitted to the European Data Protection Board (EDPB) for its opinion;
- Finally, the draft is adopted by the competent authority. The opinion of the EDPB and the deliberation of the competent authority are published.
The GDPR has introduced an additional step in the procedure for the approval of BCRs: the submission of the file to the EDPB for its opinion. The "mutual recognition" (which made it possible to recognise that the investigation conducted by one authority was valid for several others) has disappeared. The succession of these different stages ensures that all the authorities have the opportunity to acquaint themselves with the file and to comment on it, so that the file has the adequate level of protection for its approval.
The time required to appraise binding company rules can go from 18 to 24 months on average. This is justified by the scope of the BCRs and the need to provide the applicant with maximum legal certainty at European level.
When can a project be submitted to the CNIL?
The BCRs project must be well thought through and sufficiently mature to be submitted to the CNIL.
To help groups assess the level of compliance of their project, a self-assessment tool is available to them.
If, at the end of the assessment, the level of the project is satisfactory, it is ready to be sent to the CNIL. A high level of maturity reduces the duration of the appraisal.
How to submit a BCR draft to the CNIL?
Your BCRs application for approval must include the following documents:
- The BCRs-C’ draft and its appendices (list of entities, complaint handling policy, etc.);
- the completed BCRs-C' instruction form (Recommendations 1/2022 - part 2);
- the completed approval framework (Recommendations 1/2022 - part 3) including the references to the articles of your binding corporate rules’ draft.
The preparatory documents may be sent in English but the French translation of the BCRs’ draft submitted to the CNIL for approval is essential to finalise the instruction.
Your BCRs application for approval must include the following documents:
- The BCRs-P’ draft and its appendices (list of entities, etc.);
- the completed application for approval form (WP265);
- the completed working document (WP257) including the references to the articles of your binding corporate rules’ draft.
The preparatory documents can be sent in English but the French translation of the BCRs’ draft submitted to the CNIL for approval is essential to finalise the instruction.
Firstly, the group sends the instruction form of BCR "controller" (Recommendations 1/2022 - part 2) and/or BCR "processor" (WP265).
The CNIL notifies its European counterparts of its referral as competent authority. The other supervisory authorities have a period of one month to raise objections: the instruction of BCRs files may not begin until this period has elapsed.
Afterwards, the group can send the fully completed application for approval form as well as its BCRs’ draft.
How does the CNIL assist you?
When the CNIL is the competent authority, it is the sole contact for the applicant. The CNIL's services accompany the group through the procedure until the BCRs comply with the Europeans’ working documents frameworks.
In practice, the applicant, possibly represented by a law firm, keeps the BCRs’ draft. The CNIL's services will, on the one hand, examine the file, ask questions and guide the applicant by suggesting modifications, if necessary, and on the other hand, explain the requests of the other authorities. In this respect, the applicant may be asked to provide additional information or documents that were not provided at the time of the initial referral.
The CNIL also intervenes during the cooperation phase by making the applicant's voice heard, when necessary, and by providing information on the organisation to the other authorities. Finally, through its active participation in the cooperation in the context of the examination of BCRs files at the EDPB, including files from other authorities, the CNIL provides the applicant with practical advice and feedback.
You can contact the CNIL's compliance tools department, which is at your side for any question relating to the procedure or methodology applicable to BCRs. You must submit your project to the CNIL via a dedicated teleservice.
- For more information, you can refer to the elements contained in the reference documents and instruction forms below:
- Instruction form (Recommendations 1/2022 - part 2)
- Approval framework (Recommendations 1/2022 - part 3)
Instruction of the BCRs by the supervisory authorities
You will find more information on the instruction procedure for the adoption of BCRs by the supervisory authorities on the website of the European Commission and that of the European Data Protection Board.
