Data transfers to third countries under BCR umbrella
I would have a question related to data transfers to third countries under the BCR umbrella.
Are the BCR’s approved under Directive ’95 considered as a valid mechanism for transfers to 3rd countries?
According to WP29 it is stated that while in accordance with article 46-5 of the GDPR, authorisations by a Member State or supervisory authority made on the basis of Article 26(2) of Directive 95/46/EC will remain valid until amended, replaced or repealed, if necessary, by that supervisory authority, groups with approved BCRs should, in preparing to the GDPR, bring their BCRs in line with GDPR requirements.
However, how can a controller verify that BCR approved before 2018 has been brought in line with GDPR? Art.47 does not specify procedure for updates to BCR’s as far as I can tell..
I am currently dealing with a supplier who refuses to proceed with SCC claiming that there BCR approved by the European Commission under Directive’95 are legitimate safeguard for the transfer.
Any advice or further considerations would be much appreciated.
Assign topic to the user
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
EU GDPR DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Article 94 GDPR states that “References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Board established by this Regulation.”There is continuity between Directive 95/46/EC and the GDPR. The adoption of BCR is a long process involving different stages of exam and approval from Data Protection Authorities and the Working Party (under the Directive 95/46/EC) which became the European Data Protection Board (under GDPR). So, BCRs adopted are still valid.However, you need to check in the BCR which is the Leading Authority, because in July 2020 the European Data Protection Board stated that the BCR having the UK Data Protection Authority (ICOs, or Information Commissioner’s Office) as the Leading Authority needs to be amended because of Brexit.
Here you can find the statement: https://edpb.europa.eu/news/news/2020/european-data-protection-board-thirty-fifth-plenary-session-information-note-binding_en
If you need to know more about how to transfer data in third countries under the EU GPDR here you can find more information:
- 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
- Free webinar – How to make personal data transfers to other countries compliant with GDPR: https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/
You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Comment as guest or Sign in
Apr 23, 2021