What procedure should be followed?
The procedure for applying for authorisation of BCR involves the national DPA reviewing the various elements of the BCR to ensure that it meets the criteria set out by the Article 29 Working Party. The elements are set out in the different documents adopted by the Working Party .
The review procedure has been designed to have one lead authority which means that the applicant company does not need to approach each individual DPA separately. The DPA follow the co-operation procedure but some DPA are members of the mutual recognition group .
Both the documents and the mutual recognition procedure contribute to make the procedure smoother.
The approval of the BCR can be summarised in 5 main steps
First step: the company shall designate the lead authority, i.e. the authority which will be handling the EU co-operation procedure amongst the other European DPAs. More information on how to designate the lead authority .
Second step: the company drafts the BCR which meet the requirements set up in the working papers adopted by the Article 29 Working Party. This draft is submitted to the lead authority which reviews it and provides comments to the company to ensure that the document matches the requirements set out in paper WP 153.
Third step: the lead authority starts the EU cooperation procedure by circulating the BCR to the relevant DPA i.e. of those countries from where entities of the group transfer personal data to entities located in countries which do not ensure an adequate level of protection.
Fourth step: the EU co-operation procedure is closed after the countries under mutual recognition have acknowledged of receipt of the BCR and those which are not under mutual recognition have considered that the BCR complies with the requirements set out in WP29 (within one month).
Fifth step: once the BCR have been considered as final by all DPA, the company shall request authorisation of transfers on the basis of the adopted BCR by each national DPA.