
Trump Administration Executive Order (EO) Tracker
On 19 March 2025, the European Data Protection Board published an updated procedure for co-operation between EU data protection supervisory authorities approving GDPR Binding Corporate Rules for intra-group transfers of EU personal data to non-EU countries. Compared with what had already been documented at the EU-level, the updated approval procedure aims to shorten the time for Binding Corporate Rules approval through a streamlined procedure. The procedure can be used for approvals of controller and processor Binding Corporate Rules and provides significantly more detail about the multi-jurisdiction review process that Binding Corporate Rules applications must go through. From an applicant’s perspective, the new procedure promotes consistency for regulator communications during the application process and sets expectations for processing timelines.
Binding Corporate Rules (“BCR”) are essentially legally binding rules within a multinational group of companies that govern their transfers of personal data outside the EU. In order to legitimize international data transfers under the GDPR, BCR must be approved by the competent supervisory authority (“SA”) in the relevant EU Member States from where the transfers are to take place.
The procedure for approving BCR for controllers and processors is primarily laid out in Art. 47(1), and Art. 63 GDPR which sets forth that the approving SA must cooperate with other concerned SAs before approving BCR applications through the GDPR’s consistency mechanism. Ultimately, while an individual SA can approve BCR applications, it is required to confer with other concerned SAs. However, the GDPR does not lay down specific rules for this cooperation phase which should take place among the concerned SAs with specific regard to BCR.
The EDPB’s document on the co-operation procedure addresses this by specifying the BCR approval procedure with an involvement of multiple SAs. It outlines criteria for identifying which SA is “competent” and should act as the BCR’s approving SA (“BCR Lead”) and describes in detail the phases through which BCR applications should be reviewed. These elements are valuable for companies planning their BCR application processes, though the EDPB clarifies that they are “informal.” Applicants should expect that deviation from the written procedure is possible.
The new approval procedure replaces existing documentation in Working Paper 263rev.01, which had been last updated by the Article 29 Working Party in 2018 and subsequently endorsed by the EDPB.
The approval procedure initially provides guidance for identifying the appropriate BCR Lead—the competent SA who will receive the BCR application, handle all communications with applicants, and guide it through the review process. The criteria for determining which SA to approach as BCR Lead have not changed compared to WP263.rev01. In practice, for most BCR applicants the BCR Lead will likely be the SA in the EU Member State where their European headquarters are located, although exceptions are possible if another location is best placed in terms of handling of data processing issues and data protection compliance responsibilities.
The EDPB envisions the co-operation procedure in four distinct phases: The BCR Lead review phase, the co-review phase, the cooperation phase, and the EDPB opinion phase. These phases are broadly consistent with how the BCR review has been described in previous documentation, though the specific goals and practices for each phase and relevant deadlines have been clarified.
The new approval procedure’s primary innovation is in two new concepts offered by the EDPB to streamline the overall BCR approval process and ensure consistent communications with applicants regardless of what phase of the review process is currently triggered.
First, the EDPB has formalized “rounds” to create separate events when information exchange between the applicant and the reviewing SA (through the BCR Lead). The round is an organizational concept that can apply regardless of what phase of the application review process the BCR application is in.
In the co-review phase, for example, a new round is initiated each time the BCR Lead returns the draft BCR to the applicant to make updates in response to feedback from reviewers. The round concludes once the applicant returns the BCR to the BCR Lead for review. Clarification requests for feedback already received, and internal discussions among reviewing SAs do not impact the scope of a round. The EDPB did not limit the number of rounds that could be used in during the approval procedure.
Secondly, the EDPB has created a new forum for co-operation between reviewing SAs known as “BCR Sessions.” BCR Sessions are not a required element of the approval procedure but can be initiated by the BCR Lead during any phase to resolve outstanding issues among reviewing SAs and consolidate feedback before it is submitted to applicants.
BCR Sessions provide an improved process for resolving issues among reviewing SAs as well as other improvements that should facilitate BCR applications, such as being facilitated by the EDPB secretariat and describing the materials BCR Leads must provide other SAs during the BCR Session. Within the BCR Sessions, the approval procedure also requires activities to follow specific timelines (e.g., the BCR Lead must send consolidated comments to SAs “without undue delay” and SAs must raise objections within 5 working days).
The EDPB’s new approval procedure should not require specific action by organizations who already have approved BCR because BCR requirements have not changed. In 2023, the EDPB adopted new BCR requirements, and in 2024, all approved EU BCR holders were required to update their existing BCR to reflect the new requirements. The EU SAs determined that updates to BCR approved prior to the GDPR – when revised to meet the new requirements - should be treated as involving “significant changes” This meant that they had to go through the full approval process again, rather than being considered an annual update that could be considered solely by approving SA. Fortunately, the approval process that SAs have been using in practice appears to have been aligned with the EDPB’s new BCR approval procedure outlined above already and has been functioning efficiently so far.
The EDPB’s updates to the EU BCR approval procedure have also not caused significant delays for new or existing UK BCR applicants and the UK Information Commissioner’s Office (ICO) own streamlined approach to UK BCR. The ICO, for now, is content to rely on current (approved) EU BCR. Most helpfully, the UK BCR addendum includes an inbuilt mechanism which ensures that UK BCR automatically update in line with any new or revised versions of EU BCR once approved, without requiring a separate review process by the ICO.
BCR are long considered as the gold standard tool for international transfers of EU personal data. In times of increasing geopolitical uncertainty, BCR approved by EU authorities can play a crucial role for ensuring data protection compliance when transferring personal data in multinational groups. The updated BCR approval procedure could further encourage companies to implement BCR, as it brings greater clarity and predictability to the BCR approval process.
For companies seeking BCR approval, it is crucial to:
Nevertheless, companies should keep in mind that the description of the approval procedure by the EDPB is “informal” and deviations may occur in the individual case. Just as BCR must be individually tailored to the companies seeking BCR approval, the strategy for the approval procedure should also be developed in the individual case to ensure an effective handling of the application. The updated documentation for the approval procedure will be of valuable help for this exercise.
Authored by Henrik Hanssen, Julian Flamant, Katie McMullan, and Eduardo Ustaran.