# Opinion 24/2025 on the decision of the Polish Supervisory Authority regarding the Controller Binding Corporate Rules of the BOX Group

- Type: Guidance
- Source: EDPB
- Identifier: opinion-242025-on-the-decision-of-the-polish-supervisory-en
- Date: 2025-10-07
- Original: https://www.edpb.europa.eu/documents/opinion-of-the-board-art-64/opinion-242025-on-the-decision-of-the-polish-supervisory_en
- Canonical: https://overview.legal/posts/125694
- Topics: Social Media, Codes of Conduct, Identification, Processors, International Transfer, Supervisory Authorities, Supervision, Personal Data, Processing, Controllers

## Summary

Opinion 24/2025 on the decision of the Polish Supervisory Authority regarding the Controller Binding Corporate Rules of the BOX Group Adopted on 07 October 2025 1 | 2 | The European Data Protection Board Having regard to Article 63, Article 64(1)(f) and Article 47 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing…

## Full text

Opinion 24/2025 on the decision of the Polish Supervisory Authority regarding the Controller Binding Corporate Rules of the BOX Group Adopted on 07 October 2025 1 | 2 | The European Data Protection Board Having regard to Article 63, Article 64(1)(f) and Article 47 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”), Having regard to the European Economic Area (hereinafter “EEA” ) Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018 1 , Having regard to the judgment of the Court of Justice of the European Union Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems, C-311/18 of 16 July 2020, Having regard to EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data of 18 June 2021, Having regard to EDPB Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) of 20 June 2023 (hereinafter “the Recommendations”), Having regard to Articles 10 and 22 of its Rules of Procedure. Whereas: (1) The main role of the European Data Protection Board (hereinafter the “EDPB” ) is to ensure the consistent application of the GDPR throughout the EEA. To this effect, it follows from Article 64(1)(f) GDPR that the EDPB shall issue an opinion where a supervisory authority (hereinafter “SA” ) aims to approve binding corporate rules (hereinafter “BCRs” ) within the meaning of Article 47 GDPR. (2) The EDPB welcomes and acknowledges the efforts the companies make to uphold the GDPR standards in a global environment. Building on the experience under Directive 95/46/EC, the EDPB affirms the important role of BCRs to frame international transfers and its commitment to support the companies in setting-up their BCRs. This opinion aims towards this objective and takes into account that the GDPR strengthened the level of protection, as reflected in the requirements of Article 47 GDPR, and conferred to the EDPB the task to issue an opinion on the competent SA’s draft decision aiming to approve BCRs. This task of the EDPB aims to ensure the consistent application of the GDPR, including by the SAs, controllers, and processors. (3) Pursuant to Article 46(1) GDPR, in the absence of a decision pursuant to Article 45(3) GDPR, a controller or processor may transfer personal data to a third country or international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. A group of undertakings or group of enterprises engaged in a joint economic activity may provide such safeguards by the use of legally binding BCRs, which expressly confer enforceable rights on data subjects and fulfil a series of requirements 1 References to “Member States” made throughout this opinion should be understood as references to “EEA Member States”. 3 | (Article 46 GDPR). The implementation and adoption of BCRs by a group of undertakings is intended to provide guarantees that apply uniformly in all third countries and, consequently, independently of the level of protection guaranteed in each third country. The specific requirements listed in the GDPR are the minimum items BCRs shall specify (Article 47(2) GDPR). The BCRs are subject to approval from the competent SA (hereinafter “the BCR Lead” ), in accordance with the consistency mechanism set out in Article 63 and Article 64(1)(f) GDPR, provided that the BCRs meet the conditions set out in Article 47 GDPR, together with the requirements set out in the EDPB Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR), adopted on 20 June 2023, which supersede the working documents WP256 rev.01 and WP264 of the Article 29 Working Party 2 . (4) This opinion only covers the EDPB’s consideration that the BCRs submitted for the required opinion afford appropriate safeguards in that they meet all requirements of Article 47 GDPR and the Recommendations. Accordingly, this opinion and the SAs’ review do not address elements and obligations of the GDPR mentioned in the BCRs at issue other than those related to Article 47 GDPR. This also applies to any supplementary measures that an exporter subject to the GDPR may be required to adopt, depending on the circumstances of the transfer, in order to ensure compliance with the commitments taken in the BCRs. (5) The EDPB recalls that, in accordance with the judgment of the Court of Justice of the European Union C-311/18 , it is the responsibility of the data exporter subject to the GDPR, if needed with the help of the data importer, to assess whether the level of protection required by EU law is respected in the third country concerned, in order to determine if the guarantees provided by BCRs can be complied with in practice, taking into consideration the possible interference created by the third country legislation with the fundamental rights. If this is not the case, the data exporter subject to the GDPR, if needed with the help of the data importer, should assess whether they can provide supplementary measures to ensure an essentially equivalent level of protection as provided in the EU. (6) Taking into account the specific characteristics of BCRs provided for by Article 47(1) and (2) GDPR, each application should be addressed individually and is without prejudice to the assessment of any other BCRs. The EDPB recalls that BCRs should be customised to take account of the structure of the group of companies that they apply to, the processing they undertake, and the policies and procedures that they have in place to protect personal data 3 . (7) The opinion of the EDPB shall be adopted, pursuant to Article 64(3) GDPR in conjunction with Article 10(2) of the EDPB Rules of Procedure, within eight weeks after the Chair has decided that the file is complete. Upon decision of the EDPB Chair, this period may be extended by a further six weeks, taking into account the complexity of the subject matter. 2 The Working Party on the Protection of Individuals with regard to the Processing of Personal Data instituted by Article 29 of Directive 95/46/EC. The following documents, which were endorsed by the EDPB, are now superseded by the EDPB Recommendations: Article 29 Working Party’s Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules (WP 256 rev.01) and Article 29 Working Party’s Recommendation on the Standard Application for Approval of Controller Binding Corporate Rules for the Transfers of Personal Data (WP 264). 3 This view was expressed by the Article 29 Working party in Working Document Setting up a framework for the structure of Binding Corporate Rules, adopted on 24 June 2008, WP154. 4 | (8) Finally, the EDPB highlights that any documentation submitted may be subject to access to documents requests in accordance with the SAs’ national laws and with Regulation 1049/2001 4 , applicable to the EDPB pursuant to Article 76 (2) GDPR. Has adopted the following opinion: 1 Summary of the facts 1 The BCR-C of the BOX Group was originally approved by the UK SA under Directive 95/46/EC. Following the Brexit, several amendments were necessary before the expiration of the transition period, including the identification of a BCR Lead SA in the EEA 5 . On 15 February 2023, the PL SA accepted to act as the BCR Lead for the BCR-C of BOX Poland and the Group’s entities (hereinafter, the “BOX Group”). 2 In accordance with the cooperation procedure as set out in WP263 rev.01, the updated draft BCR-C of the BOX Group was reviewed by the PL SA as the BCR Lead. The updated draft BCR-C of the BOX Group was also reviewed in the context of the cooperation procedure and its content was agreed by the SAs. 3 On 31 March 2025, the PL SA adopted a decision approving the updated BCR-C of the BOX Group. While the EDPB Opinion had not been adopted at that time due to a misunderstanding on the appropriate procedure, the substantial assessment of the BCR-C had taken place and its content was agreed by the SAs. The formal requirements for the approval of the BCR-C are retroactively met by the request of the PL SA of an opinion of the EDPB pursuant to Article 64(1)(f) GDPR on 25 August 2025. The decision on the completeness of the file was taken on 29 August 2025. 2 Assessment 4 The draft BCR-C of the BOX Group covers the processing of personal data transferred to BOX Group entities outside the EEA and to onward transfers of said data, when the processing is carried out by BOX Group entities bound by the BCR-C and acting as controller or as processors on behalf of other members of the Group 6 . 5 Concerned data subjects include former and current employees; job applicants; contractors; Board members; service providers, suppliers and consultants; customers; web and on-site visitors and users 7 . 6 The updated draft BCR-C of the BOX Group was scrutinised according to the procedures set up by the EDPB and its content was agreed by the SAs. Therefore, the EDPB concludes that, at the time of adoption of the PL SA’s approval decision, the updated BCR-C of the BOX Group 4 Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents. 5 See https://www.edpb.europa.eu/sites/default/files/files/file1/edpb informationnoteforgroupswithicoasbcrleadsa 20200722 en.pdf 6 Section 1.2 of the BCR-C. 7 Section 1.1 BCR-C and Appendix 10. 5 | contained all the elements required under Article 47 GDPR and the Recommendations. Therefore, the EDPB does not have any concerns that need to be addressed. 3 Conclusions 7 Taking into account the above and the commitments that the group members will undertake by signing the Intra-Group Agreement, the EDPB considers that at the time of adoption of the PL SA’s approval decision, the updated BCR-C of the BOX Group contained appropriate safeguards to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined when personal data is transferred to and processed by the group members based in third countries. The EDPB recalls that the approval of BCRs by the BCR Lead does not entail the approval of specific transfers of personal data to be carried out on the basis of the BCRs. Accordingly, the approval of BCRs may not be construed as the approval of transfers to third countries included in the BCRs for which an essentially equivalent level of protection to that guaranteed within the EU cannot be ensured. 8 Finally, the EDPB also recalls the provisions contained within Article 47(2)(k) GDPR and the Recommendations providing the conditions under which the applicant may modify or update the BCRs, including updates to the list of BCRs group members. 4 Final remarks 9 This opinion is addressed to the BCR Lead and will be made public pursuant to Article 64(5)(b) GDPR. 10 According to Article 64(7) and (8) GDPR, the BCR Lead shall communicate its response to this opinion to the Chair within two weeks after receiving the opinion. For the European Data Protection Board The Chair (Anu Talus)

---
Generated by overview.legal · https://overview.legal/posts/125694 · 2026-07-17
