The Article 29 Working Party has recently released several new documents of interest to companies that collect and process data about EU residents and that move data from the EU to the United States.

First, the Working Party released “Recommendations on the Standard Application for Approval of Data Controller or Processor Binding Corporate Rules for the Transfer of Personal Data.” Binding Corporate Rules (often referred to as BCRs) are one mechanism available to companies to support the legal transfer of data outside the European Economic Area. Article 45 of the GDPR requires that data transferred to a country which has not been deemed to provide an adequate level of data protection must be protected by other approved means, including BCRs. The Recommendations released by the Working Party are designed to help BCR applicants demonstrate how they fulfill the requirements of Article 47 of the GDPR.

Second, the Working Party released “A Working Document Setting Forth a Co-Operation Procedure for the Approval of Binding Corporate Rules for Controllers and Processors under the GDPR.” The Working Document refers to situations in which a group of enterprises engaged in a joint economic activity, with entities located in more than one Member State, wish to submit draft BCRs to a Supervisory Authority.

The GDPR provides no guidance on how the group of undertakings or enterprises should choose the supervisory authority that would act as the point of contact during the approval process and manage the application throughout the cooperation phase with other relevant supervisory authorities. The Working Document does, however, provide criteria for identifying the appropriate BCR Lead, such as the location of the group’s European headquarters or the location of the company with the delegated data protection responsibilities. Finally, the Working Document details the cooperation procedure to follow between the BCR Lead and the other relevant supervisory authorities (SAs) for the approval of BCRs.

