EDPB adopts template complaint form and a final version of Recommendations on the application for approval and on the elements and principles to be found in Controller BCRs

21 June 2023

Brussels, 21 June - During its latest plenary, the EDPB has adopted a template complaint form to facilitate the submission of complaints by individuals and the subsequent handling of complaints by Data Protection Authorities (DPAs) in cross-border cases.

EDPB Chair, Anu Talus said: “The template is one of the commitments the EDPB Members made during their high-level meeting of April 2022 in Vienna to boost enforcement cooperation among DPAs. It will facilitate the cross-border exchange of information regarding complaints between DPAs and will help DPAs save time and resolve cross-border cases more efficiently."

The template takes into account existing differences between national laws and practices. DPAs will use it on a voluntary basis and can adapt it to their respective national requirements.

The template can be used both for cases where the complaint is filed by the individual personally and for cases where the complaint is filed by someone else, namely a legal representative, an entity acting on behalf of the individual or an entity acting on its own initiative.

In addition, the EDPB developed a template acknowledgement of receipt which aims to provide the complainant with general information on the next steps following submission of the complaint and highlights the right to an effective judicial remedy against a legally binding decision of a DPA.

Following public consultation, the EDPB adopted a final version of the Recommendations on the application for approval and on the elements and principles to be found in Controller Binding Corporate Rules (BCR-C)*. These recommendations form an update to the existing BCR-C referential, which contain criteria for BCR-C approval, and merge it with the standard application form for BCR-C.

The aim of these recommendations is to:

  • provide an updated standard application form for the approval of BCR-Cs;
  • clarify the necessary content of BCR-Cs and provide further explanation;
  • make a distinction between what must be included in a BCR-C and what must be presented to the BCR lead data protection authority in the BCR application.

The recommendations build upon the agreements reached by data protection authorities in the course of approval procedures on concrete BCR applications since the entering into application of the GDPR. The recommendations provide additional guidance and aim to ensure a level playing field for all BCR applicants. The recommendations also bring the existing guidance in line with the requirements in the CJEU’s Schrems II ruling.

From the moment of publication, the referential is applicable to all BCR-C holders. In practice, all BCR-C holders, as well as all new and ongoing BCR-C applicants will have to bring their BCR-C in line with the requirements set out in the recommendations, either during the application process or as part of their 2024 annual update, depending on their specific situation.

 

Note to editors:

­* BCR-Cs are a transfer tool that can be used by a group of undertakings or enterprises, engaged in a joint economic activity, to transfer personal data outside the European Economic Area to controllers or processors within the same group. BCRs create enforceable rights and set out commitments to establish a level of data protection essentially equivalent to the one provided by the GDPR. A second set of recommendations for BCR-processors (BCR-P) is currently being developed.

All documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.