Skip to content
Guidance · EDPB ·022021-on-the-draft-decision-of-the-swedish EN LLM context A cited markdown file you can paste into your AI assistant (ChatGPT, Claude, a RAG or project knowledge base) to ground it in this document. Contains: this document’s text, its sections with their topics, and the full text of every law provision it applies. Everything links back to its source on overview.legal — legal information, not advice.

Opinion 02/2021 on the draft decision of the Swedish Supervisory Authority regarding the Controller Binding Corporate Rules of Elanders Group

Summary

1 Adopted Opinion 2/2021 on the draft decision of the Swedish Supervisory Authority regarding the Controller Binding Corporate Rules of Elanders Group Adopted on 22 January 2021 2 Adopted 3 Adopted The European Data Protection Board Having regard to Article 63, Article 64(1) (f) and Article 47 of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of…

How it connects

Full text

1 Adopted Opinion 2/2021 on the draft decision of the Swedish Supervisory Authority regarding the Controller Binding Corporate Rules of Elanders Group Adopted on 22 January 2021 2 Adopted 3 Adopted The European Data Protection Board Having regard to Article 63, Article 64(1) (f) and Article 47 of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “ GDPR”), Having regard to the European Economic Area ( hereinafter “ EEA ” ) Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018 1 , Having regard to Article s 10 and 2 2 of its Rules of Procedure . Whereas: (1) The main role of the European Data Protection Board (here in after the “ EDPB ” ) is to ensure the consistent application of the GDPR throughout the EEA . To this effect, it follows from A rticle 64(1)(f) GDPR that the EDPB shall issue an opinion where a supervisory authority ( here in after “ SA ” ) aims to approve binding corporate rules ( here in after “ BCRs ” ) within the meaning of A rticle 47 GDPR. (2) The EDPB welcomes and acknowledges the efforts the companies make to uphol d the GDPR standards in a global environment. Building on the experience under Directive 95/46/EC , the EDPB affirms the important role of BCRs to frame international transfers and its commitment to support the companies in setting - up their BCRs. This opini on aims towards this objective and takes into account that the GDPR strengthened the level of protection, as reflected in the requirements of A rticle 47 GDPR , and conferred to the EDPB the task to issue an opinion on the competent SA ’s (BCR s Lead) draft de cision aiming to approve BCRs. This task of the EDPB aims to ensure the consistent application of the GDPR, including by the SAs , controllers , and processors. (3) Pursuant to Article 46(1) GDPR, in the absence of a decision pursuant to Article 45 ( 3) GDPR , a controller or processor may transfer personal data to a third country or international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedi es for data subjects are available. A group of undertakings or group of enterprises engaged in a joint economic activity may provide such safeguards by the use of legally binding BCRs, which expressly confer enforceable rights on data subjects and fulfil a series of requirements ( A rticle 46 GDPR). The specific requirements listed in the GDPR are the minimum items BCRs shall specify ( A rticle 47(2) GDPR). The BCRs are subject to approval from the competent SA , in accordance with the consistency mechanism set out in A rticle 63 and Article 64(1)(f) GDPR, provided that the BCRs meet the conditions set out in Article 47 GDPR, together with the requirements set out in the relevant working documents of the Article 29 Working Party 2 , endorsed by the EDPB. 1 References to “Member States” made throughout this opinion should be understood as references to “EEA Member States”. 2 The Working Party on the Protection of Individuals with regard to the Processing of Personal Data instituted by Article 29 of Directive 95/46/EC . 4 Adopted (4) This op inion only covers EDPB’s consideration that the BCRs submitted for the required opinion afford appropriate safeguards in that they meet all requirements of Article 47 GDPR and WP256 rev01 of the Article 29 Working Party, as endorsed by the EDPB 3 . According ly, this opinion and the SAs’ review do not address elements and obligations of the GDPR mentioned in the BCRs at issue other than those related to Article 47 GDPR . (5 ) WP256 rev.01 of the Article 29 Working Party , as endorsed by the EDPB, provides for the required elements for BCRs for controllers (hereinafter “BCR - C”) , including the Intra - Company Agreement where applicable, and the application form. WP264 of the Article 29 Working Party, as endorsed by the EDPB, p rovides for recommendations to the applicants to help them demonstrate how to meet the requirements of A rticle 47 GDPR and WP256 rev01. Additionally, WP264 informs the applicants that any documentation submitted is subject to access to documents requests i n accordance with the SAs ’ national laws. The EDPB is subject to Regulation 1049/2001 4 pursuant to A rticle 76(2) GDPR. ( 6 ) Taking into account the specific characteristics of BCRs provided for by Article 47(1) and (2) GDPR , each application should be add ressed individually and is without prejudice to the assessment of any other BCRs . The EDPB recalls that BCRs should be customised to take account of the structure of the group of companies that they apply to, the processing they undertake , and the policies and procedures that they have in place to protect personal data 5 . (7 ) The opinion of the EDPB shall be adopted, pursuant to Article 64(3) GDPR in conjunction with A rticle 10(2) of the EDPB Rules of Procedure, within eight weeks after the Chair has decided that the file is complete. Upon decision of the EDPB Chair, this period may be extended by a further six weeks, taking into account the complexity of the subject matter. HAS ADOPTED THE FOLLOWING OPINION : 1 SUMMARY OF THE FACTS 1. In accordance with t he cooperation procedure as set out in WP263 rev.01, the draft BCR - C of Elanders Group were reviewed by the Swedish Supervisory Authority as the Lead SA (hereinafter the “BCR Lead SA”) . 2. The BCR Lead SA has submitted its draft decision regarding the draft BCR - C of Elanders Group , requesting an opinion of the EDPB pursuant to A rticle 64(1)(f) GDPR on 17 November 2020 . The decision on the completeness of the file was taken on 26 November 2020 . 3 Article 29 Working Party , Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules , a s last r evised and a dopted on 6 February 2018 , WP 256 rev.01. 4 Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents . 5 This view was expressed by the Article 29 Working party in Working Document Setti ng up a framework for the structure of Binding Corporate Rules, adopted on 24 June 2008 , WP154. 5 Adopted 2 ASSESSMENT 3. The draft BCR - C of Elanders Group covers all processing of personal data relating to data subjects by all Elanders Group companies and those who are obligated to these BCR by contract having their headquarter : 1) outside an EEA country to the extent that this personal data has been transferred from a particip ating company established in an EEA country or established in a country with an adequate level of data protection as acknowledged by a decision of the EU Commission to a participating company established outside the EEA ; and 2) in an EEA country or in a country with an adequate level of data protection as acknowledged by a decision of the EU Commission. 4. Concerned data subjects include customers, interested parties, subscribers, employees, vendors, consultants, suppliers, commer cial agents and contact partners . 5. The draft BCR - C of Elanders Group have been scrutinised according to the procedures set up by the EDPB. The SAs assembled within the EDPB have concluded that the Elanders Group draft BCR - C contain all elements required und er A rt icle 47 GDPR and WP256 rev01, in accordance with the draft decision of the BCR Lead SA submitted to the EDPB for an opinion. Therefore, the EDPB does not have any concerns that need to be addressed. 3 CONCLUSIONS / RECOMM ENDATIONS 6. Taking into account the above and the commitments that the group members will undertake by signing the Elanders Intra - Group Agreement for Compliance with BCR - C , the EDPB considers that the draft d ecision of the Swedish Supervisory Authority may be adopted as it is, since the draft BCR - C of Elanders Group contain appropriate safeguards to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined when personal data will be transferred to and processed by the g roup m embers based in third countries. Finally, the EDPB also recalls the provisions contained within A rticle 47(2)(k) GDPR and WP256 rev.01 providing the conditions under which the applicant may modify or update the BCRs, includi ng updates to the list of BCRs g roup m embers . 4 FINAL REMARKS 7. This opinion is addressed to the Swedish Supervisory Authority and will be made public pursuant to A rticle 64(5 )( b) GDPR. 8. According to Article 64 (7) and (8) GDPR, the Swedish Supervisory Authority shall communicate its response to this opinion to the Chair within two weeks after receiving the opinion . 9. Pursuant to A rticle 70(1)(y) GDPR, the Swedish Supervisory Authority shall communicate the final decision to the EDPB for inclusion in the register of decisions which have been subject to the consistency mechanism. 10. In accordance with the judgment of the Court of Justice of the European Union C - 311/187 6 , it is the responsibility of the data exporter in a Member State, if needed with the help of the data importer, to assess w hether the level of protection required by EU law is respected in the third country concerned, in order to determine if the guarantees provided by BCRs can be complied with in practice, taking into consideration the possible interference created by the thi rd country legislation with the fundamental 6 CJEU, Data Protection Commissioner v .Facebook Ireland Ltd and Maximillian Schrems , 16 July 2020, C - 311/18. 6 Adopted rights. If this is not the case, the data exporter in a Member State, if needed with the help of the data importer, should assess whether they can provide supplementary measures to ensure an essentially equivalen t level of protection as provided in the EU . For the European Data Protection Board The Chair (Andrea Jelinek)

Similar Content