How to designate the lead authority?
Companies which intend to adopt BCR shall designate a lead authority which will be the contact point and which will handle the procedure for the review of the BCR by all DPAs.
The decision as to which DPA should act as the lead authority is based upon relevant criteria such as:
- the location of the group’s European headquarters;
- the location of the company within the group with delegated data protection responsibilities;
- the location of the company which is best placed (in terms of management function, administrative burden, etc.) to deal with the application and to enforce the binding corporate rules in the group;
- the place where most decisions in terms of the purposes and the means of the processing are taken; and
- the member states within the EU from which most transfers outside the EEA will take place.
In order to officially designate an authority as the lead authority, the company needs to complete WP133 Part I and to communicate it to the authority it intends to designate. The latter circulates this document to the other authorities, which have 15 days (extendable to a maximum of 1 month) to give their approval and/or refusal for the designation of this authority as the lead.
Documents to be provided to the lead authority
- List of entities bound by the BCRs
- Evidence showing that the BCRs are binding
Any documentation that may show that the commitments in the BCRs are being respected (to be discussed with the lead authority), for instance:
- Guidelines for employees
- Data protection audit plan and programme (internal/external accredited auditors of the company)
- Examples and/or explanation of the training programme
- Description of the internal complaint system
- Security policy for IT systems processing EU personal data
- Certification process to make sure that all new IT applications processing EU data are BCR-compliant
- Job description of data protection officers or other persons in charge of data protection in the company