Latest updates

14 August 2023 - We have updated the guidance on the binding instrument for Controller and Processor Binding Corporate Rules (BCRs) to reflect our expectation about what type of binding instrument should form part of your UK BCRs.

Who is the guidance for?

Before preparing the UK BCR application pack, it is important for you to read this guidance. This guidance will also assist you with your ongoing obligations post-approval.

We have updated our UK BCR approval process for both Controllers and Processors. This takes into account the Schrems II CJEU judgment which remains applicable to the UK.

This guidance focusses on UK Processor BCRs (UK BCR-P). If you are looking for UK Controller BCRs (UK BCR-C), you should consult the separate updated guidance for UK Controller BCRs.

How should we use this guidance?

This updated guidance has 13 sections and complements the revised referential table (which must be completed by all applicants), Annex 1 and the application form for a UK BCR-P. This guidance is intended to assist Processors when preparing the UK BCR pack for approval and clarifies what we expect to see within the BCR policy, the application form, the binding instrument and any supporting documents. It clarifies the UK BCR requirements in Article 47 UK GDPR and sets out our expectations when considering issuing a UK BCR approval.

In detail

Overarching principles and spirit of Article 47 UK GDPR

As international data flows increase, it is imperative that appropriate safeguards are implemented and high standards are maintained to protect personal data leaving the UK. Controllers must ensure they can demonstrate to the Commissioner’s satisfaction that they meet the requirements laid down in Article 47 UK GDPR, along with any additional requirements in this guidance, both as part of the application process and in practice.

It is our position that UK BCRs, as set out in Article 47 UK GDPR, comprise:

  • the relevant application form;
  • the binding instrument;
  • the referential table (plus Annex 1);
  • the BCR Policy (as defined below); and
  • other (relevant) policies and procedures as referenced in the UK BCRs.

In combination, we consider these documents to be the UK BCRs under UK GDPR.

A fundamental change to the approval process is the revision of the referential table. You must understand and demonstrate your understanding of the spirit and intent behind Article 47 in your policies and procedures and your compliance with Article 47 and UK GDPR more broadly.

The new referential table focuses on referencing the requirements, with explanatory text mainly appearing in this guidance.

Another important change is what must appear in the UK BCR document we are calling the ‘BCR Policy’. This is the document we expect you to publish in full. It provides people with the key Article 47 information they need about their data and its transfers under the UK BCRs. You should focus on the essential elements of the UK BCRs as a whole which are of most importance to people. Other elements of the UK BCRs should appear in other documentation (such as the application form or binding instrument). These remain critical to the UK BCR approval process.

The importance of people having effective and enforceable rights and effective regulatory oversight for the ICO

In Article 47(1)(b), UK BCRs must confer enforceable and effective rights on people and Controllers. Therefore, as part of the approval process, we ask you to reflect this requirement in the formal binding instrument entered into between members of UK BCRs and include a summary of those rights in the BCR Policy. People should not be faced with additional hurdles to enforce those rights.

It is vital that those rights are effective within the UK contractual legal framework. Therefore, you must explicitly refer to the application of the Contracts (Rights of Third Parties) Act 1999 in the binding instrument to benefit people and Controllers.

In order to ensure that people and Controllers’ UK BCR rights are effective and enforceable, you must have a UK legal entity with the delegated responsibility for your UK BCRs. The legal entity(ies) must be one with legal personality in the UK. If you wish to put forward an entity that is not a legal entity in the UK (ie a branch), you are required to provide supporting evidence about how you will ensure people and Controllers’ effective and enforceable rights. In these cases, we will seek a parent company guarantee formally confirming that:

  • the non-legal entity(ies) based in the UK will accept service of any legal proceedings;
  • the non-legal entity(ies) has sufficient assets to meet any liabilities under the UK BCRs; and
  • the parent company will step in to cover any shortcomings of the non-legal UK entity(ies).

If you cannot meet these conditions in full, you must put forward a UK legal entity as the entity with delegated responsibility for your UK BCRs.

We speak of UK entity or entities. We recognise that there are some corporate structures whereby there is more than one UK legal entity that is transferring data out of the UK under a single set of UK BCRs and that each exporting UK legal entity has a separate and distinct liability model. We refer to this arrangement as an exporting entity model. Where this model is used, we expect you to communicate the model to people and assure us that the structure will not undermine effective and enforceable rights or undermine the protections afforded under the UK BCRs.

Further, you must address the issue of liability both in the binding instrument and in summary form in your BCR Policy. Your nominated UK legal entity(ies) with delegated responsibility must ensure they are able to meet those liabilities under the UK BCRs. Consequently, during the approval process, we will seek assurances and commitments that the nominated UK entity(ies) either has or can individually call on sufficient assets to remedy any breach of the UK BCRs.

Nothing within the UK BCRs should undermine people or Controllers’ effective and enforceable UK BCR rights. Similarly, people must not carry the burden of proving an alleged breach of the UK BCRs. The burden of proof remains with the UK legal entity(ies) with the delegated responsibility for the UK BCRs.

It is imperative that you provide a satisfactory position with a UK focus. The Commissioner is unable to accept any documentation that combines EU and UK BCRs that potentially could undermine the protections and safeguards available under UK law.

It is also important that the regulatory oversight of UK BCRs is robust and credible. This means that we require full oversight, not only of the UK entity(ies) with the delegated responsibility, but all members who sign up to the UK BCRs. We expect to be able to engage with the UK legal entity(ies) as our only point of contact to discuss all elements of compliance with the UK BCRs. We also expect the UK entity(ies) to ensure that all UK BCR members commit to full co-operation as needed under the UK BCRs.

Appropriate safeguards – the impact of Schrems II and the importance of undertaking a transfer risk assessment

The CJEU decision in Schrems II continues to be an important consideration for international transfers from the UK.

We do not need to see evidence of a transfer risk assessment as part of the UK BCR approval process. However, we expect you to undertake transfer risk assessments whenever transfers of personal data from the UK to a third country take place. We also expect you to regularly review risk assessments and adjust your UK BCRs if your reviews reveal that data protection rights and the high standards afforded under UK GDPR are, or may be, undermined if transfers continue to take place. We will therefore seek assurances on this in the UK BCR approval process and as an ongoing commitment from you, after the UK BCRs have been approved.

Overarching accountability principles and transparency

In general, you should remember the accountability requirements under UK GDPR and the principles set out in Article 25 UK GDPR. At any time, we may request copies of transfer risk assessments that you have conducted, records of processing activities or any other relevant documentation. This is part of our own ongoing statutory duty to monitor the approved UK BCRs.

Once approved, you should review UK BCRs on a regular basis to ensure that they continue to accurately align with the data flows taking place. Whilst we only expect to be notified of administrative changes as part of the general annual update, you must ensure that you promptly inform us of any significant changes that could potentially undermine the protections afforded under the UK BCRs.

UK BCR holders and applicants both have ongoing transparency obligations. This includes the obligation to provide full transparency to people (and Controllers) on what data is flowing out of the UK. When drafting the BCR Policy, you should ensure that people can easily understand it by keeping your audience at the forefront of your mind through your choice of language, tone, content and approach. As part of the approval process, we will pay close attention to how easily people can understand the core identified requirements that must be present in the BCR Policy.

Where the national laws of a third country in which a BCR member is established could conflict with the UK BCRs, both applicants for and holders of UK BCRs must notify us and Controllers. Compliance with UK BCRs must take precedence unless the laws of that third country offer a higher level of protection than that available under the UK BCRs. You have an ongoing duty to ensure you can demonstrate compliance with both the BCRs and UK GDPR more broadly, if requested by us.

Scope of Processor BCRs

A UK BCR-P is primarily intended to enable and protect intra-group international data transfers between members of the Processor BCR group. We understand that, in many cases, approved BCR-P are being relied on as an international transfer tool by external third party UK Controllers. We are aware that those UK Controllers may be sending data directly to an overseas processor member of a BCR-P group, regardless of which member of that group they are contracting with.

We acknowledge and recognise this as a broader, practical use of a UK BCR-P. We accept that an external third party UK Controller may transfer data directly to members of a UK BCR-P located in third countries, without first passing data to the UK based BCR-P member.

Controllers and Processors must remember the core objective of Chapter V of UK GDPR, namely to ensure that:

(i) protections afforded under UK GDPR are not undermined;
(ii) people do not suffer prejudice; and
(iii) effective and enforceable rights remain for those people and for the Controllers seeking to rely on the safeguards provided by the UK BCR-P.

More generally, you should remember your Article 28 obligations under UK GDPR. Where an external third party UK Controller sends personal data directly to an overseas member of a BCR-P, the Article 28 service contract must also reflect any BCR arrangements in place for personal data transfers. The onus remains on both parties to ensure that enforceable third party rights flow and extend into those service agreements and are not limited to the BCR-P documentation, including but not limited to the binding instrument for the BCR-P itself.

We will therefore seek assurances on legal enforceability of the BCR-P obligations in the UK courts against the UK legal entity(ies) to the UK BCR-P and will expect to see contractually enforceable third party rights in the BCR-P binding instrument given to external third party Controllers and their people (meaning their data subjects). Consequently, a requirement to commit to this will appear in Annex 1 (the UK BCR-P referential table).

The importance of Article 28 obligations and Processors' obligations more broadly

Whilst this guidance does not intend to repeat the general obligations for Controllers and Processors that exist under UK GDPR, the ICO reminds you of the obligations contained in Article 28 UK GDPR. The ICO will not examine specific contractual arrangements but, as part of the UK BCR-P approval process, you are expected to commit to those arrangements being in place prior to the processing or transfer of personal data under the UK BCR-Ps.

You are also reminded that the use of sub-contractors must be agreed with the relevant Controller and that you cannot avoid your duties, obligations and liabilities through the use of sub-contractors.

Guidance on completing the application form

You are required to complete the UK BCR-P application form. If you are seeking Controller UK BCRs, you should complete a separate Controller UK BCR-C application form.

The application form is an overarching document of the UK BCRs. It is where we will refer for additional contextual information (over and above the specific requirements of Article 47). It provides an assurance that you have understood the intent, spirit and requirements of Article 47 and will implement them in practice. You must be able to demonstrate how you have or how you intend to embed the UK BCRs and how they will be actively managed and monitored to accurately reflect the international data flows taking place under them.

Within the application form, we will seek information around your data flows from the UK to destination third countries. Where there is more than one UK legal entity sending data out of the UK, we expect to see data flows, types of data subjects, categories of data and destination countries for each exporting entity.

Guidance on the binding instrument

Article 47(1)(b) UK GDPR makes it clear that people's effective and enforceable rights must exist and that the UK BCRs as a whole are binding and enforceable both internally and externally.

It is our expectation to see as the legally binding instrument either:

  • an intra group agreement (IGA) (sometimes called an intra company agreement), for a group of undertakings; or
  • a joining agreement, for a group of enterprises engaged in a joint economic activity.

In each case, the binding instrument must be governed by UK law and executed by or on behalf of all the BCR members.

Having considered various types of instrument, we concluded that only these two types meet all the requirements of Article 47, in particular the requirements for:

  • effective UK rights for data subjects and for third party controllers, which are enforceable in the UK courts; and
  • the BCRs to apply to and be enforceable by all BCR members.

People must have an entity against which they can enforce their rights under Article 47. People need to be able to do that with ease, from within the UK and through the UK courts.

If you wish to put to the ICO an alternative legally binding instrument other than an IGA or joining agreement, the onus is on you to provide an external Counsel’s opinion explaining how it meets all the requirements of Article 47. Please note that putting forward an alternative legally binding instrument could delay your approval process.

Similarly, where you present internal policies or codes of conduct to support the internal binding nature of the UK BCRs, you must demonstrate how those policies are internally binding and how you will ensure enforceability (with evidence, where necessary).

Guidance on completing the BCR referential table (and Annex 1 for BCR-P applicants)

We expect you to complete the UK BCR referential table. In addition, Annex 1 of the table is required for a UK BCR-P application. You should simply signpost the relevant sections of the UK BCR documents where we can locate the information that demonstrates your compliance with the spirit of each relevant section of Article 47.

Guidance on content of BCR Policy

You should ensure that where information is required within the BCR Policy, you provide it in a style that people will understand. You should avoid copying information from elsewhere that is not tailored to your audience, even if the Article 47 requirement is identical. For example, the referential table may direct you to include certain information in the binding instrument and in summary form within the BCR Policy. We expect you to write the information within the binding instrument in a way that satisfies the UK legal contractual framework (ie provides legal certainty). However, you should draft the content of the BCR Policy in a style that is suitable for your audience.

Purpose of your supporting policies and procedures

You should include relevant supporting policies or procedures, where they are referenced as part of your application. These demonstrate that you have a full compliance programme which sits behind and complements the UK BCRs. This includes your approach to training, audit or verifications, complaint handling and how you communicate UK BCRs to staff at all levels. Policies and procedures also demonstrate the process you and your staff will follow to ensure protections are not undermined.

In essence, policies and procedures demonstrate your accountability framework in a transparent manner. Any global policies and procedures must therefore comply with UK GDPR more broadly and specifically within the BCR sphere where you are seeking a UK BCR approval. It is against this spirit and intent that we will assess key supporting policies and procedures. You must remember that BCRs must be binding internally as well as externally. As UK BCRs consist of a number of documents, we will focus on how the whole suite of BCR documents is made binding.

Co-operation with the ICO & Controller (including about any updates or significant changes to approved UK BCRs)

Members of the UK BCRs are reminded of a clear duty to cooperate with the ICO. This includes a commitment to consider any communication or recommendation that we may issue about UK BCRs and to comply with any formal decisions or notices we may issue.

This duty complements your duty to co-operate with and act in accordance with the instructions of the Controller, which may itself be answering requests for information from us.

Onward transfers of transferred data in this context

Transfers outside the UK BCR group members are not covered by the UK BCRs. Therefore, you must apply safeguards, in accordance with Chapter V UK GDPR, to personal data that has passed from UK BCR members to an entity(ies) outside the UK BCR group.