EDPB Adopts Updated Recommendations for Processor Binding Corporate Rules
The European Data Protection Board (EDPB) has adopted updated recommendations concerning the approval process and required elements of Processor Binding Corporate Rules (BCR-P). These recommendations update the existing BCR-P framework by combining the approval criteria with a standardized application form. The objective is to streamline and clarify the process for organizations seeking BCR-P approval.
Processor Binding Corporate Rules (BCR-P) serve as a mechanism for transferring personal data within a group of companies from the European Economic Area (EEA) to processors located outside the EEA. These rules create enforceable rights and commitments that ensure data protection standards equivalent to those mandated by the General Data Protection Regulation (GDPR). The updated recommendations build on previous approval experiences and align with the revised guidelines for Controller Binding Corporate Rules (BCR-C).
The recommendations specify that BCR-P applies exclusively to intra-group transfers between processors when the controller is not part of the group. They also clarify that BCR-P comply with Article 28(4) of the GDPR, meaning processors using BCR-P are not required to sign separate sub-processing agreements with each sub-processor within the group. This clarification helps reduce administrative burdens and enhances legal certainty for multinational enterprises.
The updated recommendations are open for public consultation until March 2, 2026. Additionally, the EDPB members discussed the upcoming joint opinion on the Digital Omnibus, which is planned for adoption at the February plenary meeting. These actions reflect the ongoing efforts to strengthen and harmonize data protection practices across the EU.
