BCRs - Self-assessment tool

BCR project: Test your group's maturity level

The CNIL proposes a self-assessment tool for groups wishing to implement BCRs. It allows you to check the project's level of maturity in relation to the requirements set out in the BCR guidelines adopted by the EDPB.

Binding nature

 

Q1 - Will an obligation to comply with the BCR be imposed on member entities?

Article 4 GDPR (BCR definition)
Article 47 GDPR (in particular 47(1)(a) and 47(1)(c))
BCR referential for Data Controllers Recommendations 1/2022 (in particular criteria 1.1 and 1.2)
BCR referential for Processors WP257 (in particular criteria 1.1 and 1.2)

> Recommended actions

Identify the tool that makes the BCR binding and is best suited to the structure of the group of member entities (intragroup contract, unilateral declaration, or other means that you must be able to justify).


Q2 - Is the group able to enforce the BCR against each member entity and its employees?

Article 47 GDPR (in particular 47(1)(a) and 47(1)(c))
BCR referential for Data Controllers Recommendations 1/2022 (in particular criteria 1.1 and 1.2)
BCR referential for Processors WP257 (in particular criteria 1.1 and 1.2)

> Recommended actions

Identify the tool(s) making the BCR binding on employees of member entities (individual agreement or commitment, clause in the employment contract, internal policies, collective agreement, or other means that you must be able to justify).


Q3 - Internal procedures must be put in place to ensure proper application of the BCR by the employees of the member entities. Will the group apply a sanction mechanism for employees in case of non-compliance with these procedures?

BCR referential for Data Controllers Recommendations 1/2022 (in particular criteria 1.1 and 1.2)
BCR referential for Processors WP257 (in particular criteria 1.1 and 1.2)

> Recommended actions

Implement internal procedures to train employees on BCR obligations. Make these procedures available to employees of member entities. Impose sanctions in case of non-compliance with the BCR.


Q4 - Will a procedure to exercise the rights of third-party beneficiaries (data subjects whose data are transferred) be provided for and made available to the data subjects?

Article 47 GDPR (in particular 47(1)(b) and 47(1)(c))
BCR referential for Data Controllers Recommendations 1/2022 (in particular criteria 1.3.1 and 1.3.2)
BCR referential for Processors WP257 (in particular criteria 1.3)

> Recommended actions

Implement a step-by-step procedure to enable data subjects to exercise their rights as third-party beneficiaries. Make this procedure available to third-party beneficiaries.


Q5 - Do the BCR provide for an internal procedure allowing data subjects to lodge a complaint in the event of a breach of the BCR by one or more entities of the group?

Point of attention: The BCR must also provide for the right to lodge a complaint with the competent supervisory authority and before the competent courts.  

Article 47 GDPR (in particular 47(2)(d) and 47(2)(i))
BCR referential for Data Controllers Recommendations 1/2022 (in particular criteria 1.3.2)
BCR referential for Processors WP257 (in particular criteria 2.2)

> Recommended actions

Implement a procedure to allow data subjects to lodge a complaint in the event of a breach of the BCR by one or more BCR members. Bring this procedure to the attention of the persons concerned.


Q6 - Has the group identified the entity or entities located in the EEA that will bear responsibility in the event of a breach of the BCR by an entity located outside the EEA?

Article 47 GDPR (in particular 47(2)(f))
BCR referential for Data Controllers Recommendations 1/2022 (in particular criteria 1.4)
BCR referential for Processors WP257 (in particular criteria 1.5)

> Recommended actions

Identify the entity or entities located in the EEA that will bear responsibility for any breach of the BCR.


Q7 - Are the liable entity or entities able to demonstrate that they will have sufficient financial resources to pay compensation in the event of a breach of the BCR, for example by providing consolidated accounts or an insurance certificate covering this risk?

> Recommended actions 

Ensure that this risk is identified by the liable entity or entities and that they are always capable of paying financial compensation in the event of a breach of the BCR. Make evidence available to the data protection authorities demonstrating the existence of sufficient financial resources to pay compensation in the event of a breach of the BCR (consolidated accounts or group insurance certificate covering the breach of the BCR).


Q8 - Do the BCR provide that the burden of proof lies with the liable entity or entities located in the EEA?

Article 47 GDPR (in particular 47(2)(f))
BCR referential for Data Controllers Recommendations 1/2022 (in particular criteria 1.6)
BCR referential for Processors WP257 (in particular criteria 1.7)

> Recommended actions

Provide in the BCR that the burden of proof lies with the liable entity or entities located in the EEA.


Q9 - Do the BCR require member entities to provide understandable information to data subjects (information on the characteristics of the transfers, their rights and the means of exercising them)?

Article 47 GDPR (in particular 47(2)(g))
BCR referential for Data Controllers Recommendations 1/2022 (in particular criteria 1.7)
BCR referential for Processors WP257 (in particular criteria 1.8)

> Recommended actions 

Provide in the BCR that information intended for data subjects will be published in clear and plain language that is comprehensible to them. For example: information on the characteristics of transfers (material and geographical scope of the BCR), their rights and the means of exercising them.


Q10 - Will the group make the BCR available on the websites and intranets of each of the member entities?

> Recommended actions

Make the BCR easily accessible on the internet and intranet sites of each of the member entities.


The information entered in this questionnaire will not be stored by the CNIL. Once completed, you will be able to download your answers.