Opinion 15/2019 on the draft decision of the competent supervisory authority of the United Kingdom regarding the Binding Corporate Rules of Equinix Inc.
Adopted 1 Opinion 15/ 2019 on the draft decision of the competent supervisory authority of the United Kingdom regarding the Binding Corporate Rules of Equinix Inc. Adopted on 8 October 2019 Adopted 2 4 Final remarks ................................ ................................ ................................ ................................ ... 5 Adopted 3 The European Data Protection Board Having regard to Article 63, Article 64 (1) (f) and Article 47 of the Regulation 2016/679/EU of the…
How it connects
Related across sources
Full text
Adopted 1 Opinion 15/ 2019 on the draft decision of the competent supervisory authority of the United Kingdom regarding the Binding Corporate Rules of Equinix Inc. Adopted on 8 October 2019 Adopted 2 4 Final remarks ................................ ................................ ................................ ................................ ... 5 Adopted 3 The European Data Protection Board Having regard to Article 63, Article 64 (1) (f) and Article 47 of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processi ng of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”), Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committ ee No 154/2018 of 6 July 2018, Having regard to Article 10 and Article 22 of its Rules of Procedure of 25th May 2018 as last modified and adopted on 10 September 2019 , Whereas: (1) The main role of the Board is to ensure the consistent application of the Regulation 2016/679 (hereafter GDPR) throughout the European Economic Ar ea. To this effect, it follows from article 64(1)(f ) GDPR that the Board shall issue an opinion where a supervisory authority (SA) aims to approve binding corporate rules ( BCRs ) wi thin the meaning of article 47 GDPR. (2 ) The EDPB welcomes and acknowledges the efforts the companies make to uphold the GDPR standards in a global environment. Building on the experience under the Directive 95/46/EC the EDPB affirms the important role o f BCRs to frame international transfers and its commitment to support the companies in setting - up their BCRs . T his opinion aim s towards this objective and take s into account that the GDPR strengthened the level of protection, as reflected in the requiremen ts of article 47 GDPR and, in addition, conferred to the EDPB the task to issue an opinion on the competent supervisory authority’s (BCR Lead) draft decision aiming to approve BCRs . This task of EDPB aims to ensure the consistent application of the GDPR, i ncluding by the supervisory authorities, controllers and processors. ( 3 ) Pursuant to Article 46(1) GDPR, in the absence of a decision pursuant to Article 45 ( 3), a controller or processor may transfer personal data to a third country or international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. A group of undertakings or group of enterprises engag ed in a joint economic activity may provide such safeguards by the use of legally binding BCRs , which expressly confer enforceable rights on data subjects and fulfil a series of requirements (article 46 GDPR). The specific requirements listed in the GDPR a re the minimum items BCRs shall specify (article 47 (2) GDPR). The BCRs are subject to approval from the competent supervisory authority (“competent SA”), in accordance with the consistency mechanism set out in a rticle 63 and 64(1)(f) GDPR , provided that th e BCRs meet the conditions set out in Article 47 GDPR , together with the requirements set out in the relevant working documents of the Article 29 Working Party 1 , endorsed by the EDPB . 1 The Working Party on the Protection of Individuals with regard to the Processing of Personal Data instituted by Article 29 of Directive 95/46/EC . Adopted 4 ( 4 ) WP256 rev . 01 of the Article 29 Working Party , 2 as endorsed by the EDPB, provides for the required elements for BCRs for controllers , including the Intra - Company Agreement where applicable, and the application form. WP264 of the Article 29 Working Party , as endorsed by the EDPB, provides for recommenda tions to the applicants to help them demonstrate how to meet the requirements of article 47 GDPR and WP256 rev01. Additionally, WP264 informs the applicants that any documentation submitted is subject to access to documents requests in accordance to the su pervisory authorities ’ national laws. The EDPB is subject to Regulation 1049/2001 pursuant to article 76(2) GDPR. ( 5 ) Taking into account the specific characteristics of BCRs provided for by Article 47(1) and (2), each application should be addressed individually and is without prejudice to the assessment of any other Binding Corporate Rules. The EDPB recalls that BCRs should be customised to take account of the structure of the group of companies that they apply to, the processing they undertake and t he policies and procedures that they have in place to protect personal data. 3 ( 6 ) The opinion of the EDPB shall be adopted, pursuant to Article 64(3) GDPR in conjunction with a rticle 10(2) of the EDPB Rules of Procedure, within eight weeks after the Chai r has decided that the file is complete. Upon decision of the EDPB Chair, this period may be extended by a further six weeks , taking into account the complexity of the subject matter. HAS ADOPTED THE FOLLOWING OPINION : 1 SUMMARY OF THE FACTS 1. In accordance with the cooperation procedure as set out in the WP263 rev.01, the draft Controller BCRs of Equinix In c. were reviewed by the Information Commissioner of the United Kingdom (UK Supervisory Authority) as the BCRs Lead SA . 2. The Information Commissioner of th e United Kingdom has submitted her draft decision regarding the BCRs of Equinix Inc . , requesting an opinion of the Boa rd pursuant to article 64(1)(f) GDPR on 25/09/2019. The decision on the comple teness of the file was taken on 25/09/2019. 2 A SSESSMENT 3. The draft BCRs of Equinix Inc. , contained in the Global Privacy Policy and its Appendices , cover personal data transferred from entities of Equinix Inc. in the EEA to entities of the group outside the EEA and processed by those entities outside the EEA . Th e related categories of data subjects include employees and business contacts, i.e. suppliers and vendors. 2 Article 29 Working Party , Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules , a s last r evised and a dopted on 6 February 2018 , WP 256 rev.01. 3 This view was expressed by the Article 29 Working party in Working Document Setting up a framework for the structure of Binding Corporate Rules, adopted on 24 June 2008 , WP154. Adopted 5 4. The company may apply different standards for the processing and transfer of personal data that do not fall within this draft BCRs while these stand ards may be included in the same document, i.e. the Global Privacy Policy. 5. The Equinix BCRs have been scrutini s ed according to the procedures set up by the EDPB. The SAs assembled under the EDPB have concluded that the Equinix BCRs contains all elements r equired under a rt icle 47 GDPR and WP256 rev01 , in concordance with the draft decision of the Information Commissioner of the United Kingdom submitted to the EDPB for an opinion. Therefore, the EDPB does not have any concerns which need to be addressed. 3 CONCLUSIONS / RECOMM ENDATIONS 6. Taking into account the above and the commitments that Equinix Inc. will undertake by signing the Equinix Intra - Company Agreement on Binding Corporate Rules, the EDPB considers that the draft Decision of the Information Commis sioner of the United Kingdom upon the Binding Corporate Rules of Equinix group may be adopted as it is , since those Rules ensure appropriate safeguards to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermine d when personal data will be transferred to and processed by the Group Members based in third countries . Finally, the EDPB also recalls the provisions contained within article 47(2)(k) GDPR and WP 256 rev.01 providing the conditions under which the applica nt may modify or update the BCRs , including updates to the list of BCRs Group Mem bers 4 FINAL REMARKS 7. This opinion is addressed to the Information Commissioner of the United Kingdom and will be mad e public pursuant to article 64 (5 )( b ) GDPR. 8. In accordance with article 64 (7) and (8) GDPR, the Information Commissioner shall communicate her response to this opinion to the Chair within two weeks after receiving the opinion . 9. Pursuant to article 70(1)(y) GDPR , the Information Commissione r shall communicate the f inal decision to the Board for inclusion in the register of decisions which have been subject to the consistency mechanism. For the European Data Protection Board The Chair (Andrea Jelinek)