Europejska Rada Ochrony Danych, Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR)

Recommendations 1/2022on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR)

Adopted on 20 June 2023

The European Data Protection Board

Having regard to Article 70(1)(i) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, (hereinafter „GDPR”),

Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018 ,

Having regard to Articles 12 and 22 of its Rules of Procedure,

HAS ADOPTED THE FOLLOWING RECOMMENDATIONS:

1 INTRODUCTION

1.The GDPR expressly provides for the use of binding corporate rules (hereinafter „BCR”) by a group of undertakings, or a group of enterprises engaged in a joint economic activity (hereinafter...