BCRs are an essential transfer tool that can be used by a group of undertakings or enterprises, engaged in a joint economic activity, to transfer personal data outside of the European Economic Area to controllers or processors within the same group. BCRs create enforceable rights and set out commitments to establish a level of data protection essentially equivalent to the one provided by the General Data Protection Regulation (GDPR).
Following the publication of these recommendations, companies will be asked to update their BCRs to align them with the new EDPB guidance. However, while the changes to bring existing guidance in line with the requirements in the CJEU's Schrems II ruling are justifiable, in many instances the EDPB recommendations establish new requirements that cannot be directly derived from Article 47 of the GDPR. This was not previously foreseen and means a significant additional effort for the companies concerned.
Additionally, the recommendations do not lay out a proper transitional arrangement to allow companies to update their BCRs. The EDPB recommendations imply a one-year time frame for companies to carry out the update and subsequently notify the relevant supervisory authority. However, such a timeframe does not take into account all of the associated implementation work that will be needed, such as, among others, the update to training programs for employees and the preparation of new FAQs.
According to the Insurance Europe response, "the EDPB should lay out a proper transitional arrangement to allow enough time for companies to update their existing BCRs. The proposed one-year timeframe is not enough given the complex and extensive update requested by the EDPB. In the absence of such a transitional period, the recommendations should apply only to new BCRs that have not yet been approved by the competent supervisory authority, while existing BCR-holders should be able to align their BCRs at the time of their next planned update (for instance to take into account modifications of the regulatory environment or changes to the scope of the BCR-C)."