On 19 December 2023, the Information Commissioner’s Office (ICO) published its updated guide on UK Binding Corporate Rules (BCRs), introducing the UK BCR Addendum for controllers and processors (the Addendum). It will enable organisations with existing EU BCRs to include data transfers from the UK.
Under the UK General Data Protection Regulation (UK GDPR), the transfer of personal data to a third-country recipient is restricted, given the risks presented by personal data being processed outside the UK. Restricted transfers may only take place under certain circumstances, e.g., where there is an adequacy decision, or there are appropriate contractual safeguards, such as standard contractual clauses (SCCs) or binding corporate rules (BCRs), have been put in place.
Following Brexit, EU BCR holders who wanted to rely on this mechanism to effect transfers of personal data from the UK were required to draft bespoke UK BCR documentation, which resulted in extensive drafting work, and lengthy ICO approval periods. It is still possible for holders of EU and UK BCRs to create and maintain two separate versions of their BCRs, according to the Guidance.
Who can use the Addendum?
The BCRs are designed for use for data transfers by multinational corporations or enterprises engaged in a joint economic activity (such as a joint venture). Organisations with an approved EU BCR are now able to create and submit to the ICO a UK BCR Addendum to its existing EU BCR, which extends the scope of the approved EU BCR to include UK-restricted transfers and satisfies the BCR requirements under the UK GDPR.
The Addendum application
The Guidance indicates that the UK BCR application consists of the following documents to be submitted to the ICO:
- Your complete UK BCR Addendum;
- Your complete EU BCR;
- Your EU BCR approval; and
- A UK BCR Summary document, which provides information to the data subjects under the UK BCR.
Organisations may use the addendum (i) as a standard form without modifications; or (ii) as a template which may be amended and to which alternative clauses may be instated to meet particular business needs. In addition, the Guidance clarifies that a controller and processor require separate applications.
While the updated UK BCR Addendum is anticipated to expedite the ICO’s review process, the approval timeline may vary depending on how closely the application aligns with the standard or bespoke template form of the Addendum. It is advised that organisations using the Addendum as a template highlight and provide a rationale for their amendments.
Separately, the Guidance makes clear that changes to an organisation’s EU BCR will directly influence its UK BCR under the terms of the Addendum. Accordingly, in cases of suspension, withdrawal or revocation of the EU BCR, the UK BCR will be similarly affected, and another international transfer mechanism must be adopted.