News

Streamlined BCR approval: Understanding the EDPB's updated procedure

31 March 2025

On 19 March 2025, the European Data Protection Board published an updated procedure for co-operation between EU data protection supervisory authorities approving GDPR Binding Corporate Rules for intra-group transfers of EU personal data to non-EU countries. Compared with what had already been documented at the EU-level, the updated approval procedure aims to shorten the time for Binding Corporate Rules approval through a streamlined procedure. The procedure can be used for approvals of controller and processor Binding Corporate Rules and provides significantly more detail about the multi-jurisdiction review process that Binding Corporate Rules applications must go through. From an applicant’s perspective, the new procedure promotes consistency for regulator communications during the application process and sets expectations for processing timelines.

Background

Binding Corporate Rules (“BCR”) are essentially legally binding rules within a multinational group of companies that govern their transfers of personal data outside the EU. In order to legitimize international data transfers under the GDPR, BCR must be approved by the competent supervisory authority (“SA”) in the relevant EU Member States from where the transfers are to take place.

The procedure for approving BCR for controllers and processors is primarily laid out in Art. 47(1), and Art. 63 GDPR which sets forth that the approving SA must cooperate with other concerned SAs before approving BCR applications through the GDPR’s consistency mechanism. Ultimately, while an individual SA can approve BCR applications, it is required to confer with other concerned SAs. However, the GDPR does not lay down specific rules for this cooperation phase which should take place among the concerned SAs with specific regard to BCR.

The EDPB’s document on the co-operation procedure addresses this by specifying the BCR approval procedure with an involvement of multiple SAs. It outlines criteria for identifying which SA is “competent” and should act as the BCR’s approving SA (“BCR Lead”) and describes in detail the phases through which BCR applications should be reviewed. These elements are valuable for companies planning their BCR application processes, though the EDPB clarifies that they are “informal.” Applicants should expect that deviation from the written procedure is possible.

The new approval procedure replaces existing documentation in Working Paper 263rev.01, which had been last updated by the Article 29 Working Party in 2018 and subsequently endorsed by the EDPB.

Identifying BCR Lead Supervisory Authority

The approval procedure initially provides guidance for identifying the appropriate BCR Lead—the competent SA who will receive the BCR application, handle all communications with applicants, and guide it through the review process. The criteria for determining which SA to approach as BCR Lead have not changed compared to WP263.rev01. In practice, for most BCR applicants the BCR Lead will likely be the SA in the EU Member State where their European headquarters are located, although exceptions are possible if another location is best placed in terms of handling of data processing issues and data protection compliance responsibilities.

BCR co-operation “phases”

The EDPB envisions the co-operation procedure in four distinct phases: The BCR Lead review phase, the co-review phase, the cooperation phase, and the EDPB opinion phase. These phases are broadly consistent with how the BCR review has been described in previous documentation, though the specific goals and practices for each phase and relevant deadlines have been clarified.

BCR Lead Review Phase – The SA receiving the BCR Application considers whether it should act as BCR Lead or whether a different SA should act as BCR Lead. The proposed BCR Lead shares its selection with other SAs and requests feedback, with silence considered consent. Once a BCR Lead is chosen, it begins discussions with the applicant and reviews the draft BCR documents. (2-4 weeks)
Co-Review Phase – The BCR Lead will send the first revised draft of the BCR and related documents to one or two co-reviewing SAs for assessment. If there is no response from a co-reviewer it is deemed to have agreed. Multiple rounds of drafts and exchanges may occur between reviewers and the applicant before a final version is agreed upon. (~1 month for initial responses)
Cooperation Phase – The applicant will send a “consolidated draft” of the BCR to the BCR Lead, which will circulate it among all SAs for comments. If no reasoned objections are raised, the SAs are deemed to agree with the draft. The BCR Lead will then send any further comments to the applicant and may resume discussions if needed. (~1 month for initial objections)
EDPB Opinion Phase – The BCR Lead will submit the draft BCR to the EDPB for its opinion. The EDPB opinion is non-binding but likely to be instructive and BCR Leads can require the applicant to amend its application. (8-14 weeks, according to Art. 64(3) GDPR)

“Rounds” and “BCR Sessions”

The new approval procedure’s primary innovation is in two new concepts offered by the EDPB to streamline the overall BCR approval process and ensure consistent communications with applicants regardless of what phase of the review process is currently triggered.

First, the EDPB has formalized “rounds” to create separate events when information exchange between the applicant and the reviewing SA (through the BCR Lead). The round is an organizational concept that can apply regardless of what phase of the application review process the BCR application is in.

In the co-review phase, for example, a new round is initiated each time the BCR Lead returns the draft BCR to the applicant to make updates in response to feedback from reviewers. The round concludes once the applicant returns the BCR to the BCR Lead for review. Clarification requests for feedback already received, and internal discussions among reviewing SAs do not impact the scope of a round. The EDPB did not limit the number of rounds that could be used in during the approval procedure.

Secondly, the EDPB has created a new forum for co-operation between reviewing SAs known as “BCR Sessions.” BCR Sessions are not a required element of the approval procedure but can be initiated by the BCR Lead during any phase to resolve outstanding issues among reviewing SAs and consolidate feedback before it is submitted to applicants.

BCR Sessions provide an improved process for resolving issues among reviewing SAs as well as other improvements that should facilitate BCR applications, such as being facilitated by the EDPB secretariat and describing the materials BCR Leads must provide other SAs during the BCR Session. Within the BCR Sessions, the approval procedure also requires activities to follow specific timelines (e.g., the BCR Lead must send consolidated comments to SAs “without undue delay” and SAs must raise objections within 5 working days).

Impact for existing BCR holders and UK BCRs

The EDPB’s new approval procedure should not require specific action by organizations who already have approved BCR because BCR requirements have not changed. In 2023, the EDPB adopted new BCR requirements, and in 2024, all approved EU BCR holders were required to update their existing BCR to reflect the new requirements. The EU SAs determined that updates to BCR approved prior to the GDPR – when revised to meet the new requirements - should be treated as involving “significant changes” This meant that they had to go through the full approval process again, rather than being considered an annual update that could be considered solely by approving SA. Fortunately, the approval process that SAs have been using in practice appears to have been aligned with the EDPB’s new BCR approval procedure outlined above already and has been functioning efficiently so far.

The EDPB’s updates to the EU BCR approval procedure have also not caused significant delays for new or existing UK BCR applicants and the UK Information Commissioner’s Office (ICO) own streamlined approach to UK BCR. The ICO, for now, is content to rely on current (approved) EU BCR. Most helpfully, the UK BCR addendum includes an inbuilt mechanism which ensures that UK BCR automatically update in line with any new or revised versions of EU BCR once approved, without requiring a separate review process by the ICO.

What companies should do

BCR are long considered as the gold standard tool for international transfers of EU personal data. In times of increasing geopolitical uncertainty, BCR approved by EU authorities can play a crucial role for ensuring data protection compliance when transferring personal data in multinational groups. The updated BCR approval procedure could further encourage companies to implement BCR, as it brings greater clarity and predictability to the BCR approval process.

For companies seeking BCR approval, it is crucial to:

Get familiarized with the new EDPB BCR approval procedure,
Identify the BCR Lead, and ensure that both the applicant and the BCR Lead are satisfied with their respective responsibilities,
Engage proactively with the BCR Lead, and
Be prepared to actively participate in the formalized rounds during the BCR approval procedure.

Nevertheless, companies should keep in mind that the description of the approval procedure by the EDPB is “informal” and deviations may occur in the individual case. Just as BCR must be individually tailored to the companies seeking BCR approval, the strategy for the approval procedure should also be developed in the individual case to ensure an effective handling of the application. The updated documentation for the approval procedure will be of valuable help for this exercise.

Authored by Henrik Hanssen, Julian Flamant, Katie McMullan, and Eduardo Ustaran.