I would have a question related to data transfers to third countries under the BCR umbrella.
Are the BCRs approved under Directive ’95 considered as a valid mechanism for transfers to 3rd countries?
According to WP29 it is stated that while in accordance with article 46-5 of the GDPR, authorisations by a Member State or supervisory authority made on the basis of Article 26(2) of Directive 95/46/EC will remain valid until amended, replaced or repealed, if necessary, by that supervisory authority, groups with approved BCRs should, in preparing to the GDPR, bring their BCRs in line with GDPR requirements.
However, how can a controller verify that a BCR approved before 2018 has been brought in line with GDPR? Art. 47 does not specify a procedure for updates to BCRs as far as I can tell.
I am currently dealing with a supplier who refuses to proceed with SCC, claiming that their BCR approved by the European Commission under Directive ’95 are a legitimate safeguard for the transfer.
Any advice or further considerations would be much appreciated.