On 15 January 2026, the European Data Protection Board (“EDPB”) published its updated draft recommendations on the Processor Binding Corporate Rules (“BCR-P”) for public consultation (the “Recommendations”).
This update is the equivalent of the updated recommendations in respect of the Controller BCRs (“BCR-C”), the final version of which was adopted by the EDPB in 2023. The Recommendations, when finalised, will bring the BCR-P requirements in line with the legislative developments since the last set of BCR-P recommendations, published in 2017, including the Schrems II litigation and related impact on international transfers.
Scope of BCR-P
One of the most notable changes in the Recommendations is the more specifically defined scope. The Recommendations state that the BCR-P are not suitable for transfers from an external (non-group) controller within the EEA directly to a processor member of the group who is located outside the EEA. Instead, the Recommendations suggest that the BCR-P is only suitable for transfers by an external controller to a group member located in the EEA acting as processor, who then transfers personal data to a group sub-processor located outside the EEA. The previous version of the EDPB recommendations did not contain this explicit scope provision, which is likely to be a notable development for current BCR-P holders and new applicants alike.
Other notable developments
Another significant development of the Recommendations is the explicit confirmation that approved BCR-Ps satisfy the requirements under Article 28(4) GDPR for intra-group processing. This confirms that no separate sub-processing agreements between group entities bound by the BCR-P, are required, when one acts as sub-processor for another.
There are a number of other updates in the Recommendations, which largely reflect the same considerations as the previous updates to the BCR-C recommendations. Some notable areas of focus are:
- Detail: Greater emphasis on precise and comprehensive descriptions of processing activities, categories of data and data subjects, in addition to data subject rights and remedies.
- Training and audits: The Recommendations include more prescriptive requirements in relation to (i) the training programme for relevant staff and (ii) the nature and frequency of audits.
- International transfer compliance: Requirement to include a clear commitment that the BCR-P is used only as a transfer tool where third country laws and practices do not prevent the data importer from fulfilling its obligations. Where these laws and practices prevent this, the data exporter is required to suspend or end the transfer of personal data. The data importer is also obligated to notify the data exported of changes in third country laws and practices, and any disclosure requests received from government bodies.
What next?
The EDPB has confirmed that for existing BCR-P holders, updates to BCR-Ps in order to comply with the finalised guidelines can be made as part of the annual update. Prospective applicants who have not yet submitted an application to the relevant supervisory authority should take notice of the updated requirements and ensure these are reflected in their documentation, once the Recommendations are finalised.
The public consultation on the Recommendations remains open until 2 March 2026. Feedback can be provided on the Recommendations here.
Contact Us
For more information, please contact any member of the Technology and Innovation Group or your usual Matheson contact.