GRI

Opinion 01/2025 on the draft decision of the French Supervisory Authority regarding the Controller Binding Corporate Rules of the Coface Group

News Data protection Guidance
Date: 21st Jan, 2025 Source: European Data Protection Board Country: European Union Original Source

Brief

"On 16 January 2025, the European Data Protection Board adopted Opinion 01/2025 regarding the draft decision of the French Supervisory Authority on the Controller Binding Corporate Rules of the Coface Group. The EDPB concluded that the draft BCR-C of the Coface Group contains appropriate safeguards to ensure the level of protection guaranteed by the GDPR, thereby allowing the BCR Lead to adopt its draft decision as it is."

Adopted

Opinion 01/2025 on the draft decision of the French
Supervisory Authority regarding the Controller Binding
Corporate Rules of the Coface Group

Adopted on 16 January 2025

2
Adopted
TABLE OF CONTENTS
1 SUMMARY OF THE FACTS …………………………………………………………………………………………………. 5
2 ASSESSMENT …………………………………………………………………………………………………………………… 5
3 CONCLUSIONS …………………………………………………………………………………………………………………. 5
4 FINAL REMARKS ………………………………………………………………………………………………………………. 6

3
Adopted
The European Data Protection Board
Having regard to Article 63, Article 64(1)(f) and Article 47 of the Regulation 2016/679/EU of the
European Parliament and of the Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of such data, and repealing
Directive 95/46/EC (hereinafter “GDPR”),
Having regard to the European Economic Area ( hereinafter “EEA”) Agreement and in particular to
Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No
154/2018 of 6 July 20181,
Having regard to the judgment of the Court of Justice of the European Union Data Protection
Commissioner v. Facebook Ireland Ltd and Maximillian Schrems, C-311/18 of 16 July 2020,
Having regard to EDPB Recommendations 01/2020 on measures that supplement transfer tools to
ensure compliance with the EU level of protection of personal data of 18 June 2021,
Having regard to EDPB Recommendations 1/2022 on the Application for Approval and on the elements
and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) of 20 June 2023
(hereinafter “the Recommendations”),
Having regard to Articles 10 and 22 of its Rules of Procedure.
Whereas:
(1) The main role of the European Data Protection Board (hereinafter the “EDPB”) is to ensure the
consistent application of the GDPR throughout the EEA. To this effect, it follows from Article 64(1)(f)
GDPR that the EDPB shall issue an opinion where a supervisory authority ( hereinafter “SA”) aims to
approve binding corporate rules (hereinafter “BCRs”) within the meaning of Article 47 GDPR.
(2) The EDPB welcomes and acknowledges the efforts the companies make to uphold the GDPR
standards in a global environment. Building on the experience under Directive 95/46/EC , the EDPB
affirms the important role of BCRs to frame international transfers and its commitment to support the
companies in setting -up their BCRs. This opinion aims towards this objective and takes into account
that the GDPR strengthened the level of prot ection, as reflected in the requirements of Article 47
GDPR, and conferred to the EDPB the task to issue an opinion on the competent SA’s draft decision
aiming to approve BCRs. This task of the EDPB aims to ensure the consistent application of the GDPR,
including by the SAs, controllers, and processors.
(3) Pursuant to Article 46(1) GDPR, in the absence of a decision pursuant to Article 45 (3) GDPR, a
controller or processor may transfer personal data to a third country or international organisation only
if the controller or processor has provided appropriate safeguards, and on condition that enforceable
data subject rights and effective legal remedies for data subjects are available. A group of undertakings
or group of enterprises engaged in a joint economic activity may provide such safeguards by the use
of legally binding BCRs, which expressly confer enforceable rights on data subjects and fulfil a series of

1 References to “Member States” made throughout this opinion should be understood as references to “EEA
Member States”.
4
Adopted
requirements (Article 46 GDPR). The implementation and adoption of BCRs by a group of undertakings
is intended to provide guarantees that apply uniformly in all third countries and, consequently,
independently of the level of protection guaranteed in each third country. The specific requirements
listed in the GDPR are the minimum items BCRs shall specify (Article 47(2) GDPR). The BCRs are subject
to approval from the competent SA (hereinafter “the BCR Lead”), in accordance with the consistency
mechanism set out in Article 63 and Article 64(1)(f) GDPR, provided that the BCRs meet the conditions
set out in Article 47 GDPR, together with the requirements set out in the EDPB Recommendations
1/2022 on the Application for Approval and on the elements and principles to be found in Controller
Binding Corporate Rules (Art. 47 GDPR ), adopted on 20 June 2023 , which supersede the working
documents WP256 rev.01 and WP264 of the Article 29 Working Party2.
(4) This opinion only covers the EDPB’s consideration that the BCRs submitted for the required opinion
afford appropriate safeguards in that they meet all requirements of Article 47 GDPR and the
Recommendations. Accordingly, this opinion and the SAs’ review do not address elements and
obligations of the GDPR mentioned in the BCRs at issue other than those related to Article 47 GDPR.
This also applies to any supplementary measures that an exporter subject to the GDPR may be required
to adopt, depending on the circumstances of the transfer , in order to ensure compliance with the
commitments taken in the BCRs.
(5) The EDPB recalls that, in accordance with the judgment of the Court of Justice of the European
Union C-311/18 , it is the responsibility of the data exporter subject to the GDPR, if needed with the
help of the data importer, to assess whether the level of protection required by EU law is respected in
the third country concerned, in order to determine if the guarantees provided by BCRs can be complied
with in practice, taking into consideration the possible interference created by the third country
legislation with the fundamental rights. If this is not the case, the data exporter subject to the GDPR,
if needed with the help of the data importer, should assess whether they can provide supplementary
measures to ensure an essentially equivalent level of protection as provided in the EU.
(6) Taking into account the specific characteristics of BCRs provided for by Article 47(1) and (2) GDPR,
each application should be addressed individually and is without prejudice to the assessment of any
other BCRs. The EDPB recalls that BCRs should be customised to take account of the structure of the
group of companies that they apply to, the processing they undertake, and the policies and procedures
that they have in place to protect personal data3.
(7) The opinion of the EDPB shall be adopted, pursuant to Article 64(3) GDPR in conjunction with
Article 10(2) of the EDPB Rules of Procedure, within eight weeks after the Chair has decided that the
file is complete. Upon decision of the EDPB Chair, this period may be extended by a further six weeks,
taking into account the complexity of the subject matter.

2 The Working Party on the Protection of Individuals with regard to the Processing of Personal Data instituted
by Article 29 of Directive 95/46/EC. The following documents, which were endorsed by the EDPB, are now
superseded by the EDPB Recommendations: Article 29 Working Party’s Working Document setting up a table
with the elements and principles to be found in Binding Corporate Rules (WP 256 rev.01) and Article 29
Working Party’s Recommendation on the Standard Application for Approval of Controller Binding Corporate
Rules for the Transfers of Personal Data (WP 264).
3 This view was expressed by the Article 29 Working party in Working Document Setting up a framework for the
structure of Binding Corporate Rules, adopted on 24 June 2008, WP154.
5
Adopted
(8) Finally, the EDPB highlights that any documentation submitted may be subject to access to
documents requests in accordance with the SAs’ national laws and with Regulation 1049/2001 4,
applicable to the EDPB pursuant to Article 76 (2) GDPR.
HAS ADOPTED THE FOLLOWING OPINION:
1 SUMMARY OF THE FACTS
1. In accordance with the cooperation procedure as set out in WP263 rev.01, the draft BCR -C of
Compagnie Française d’Assurance pour le Commerce Extérieur and its entities (hereinafter “the Coface
Group”) was reviewed by the French SA as the BCR Lead.
2. The BCR Lead has submitted its draft decision regarding the draft BCR-C of the Coface Group,
requesting an opinion of the EDPB pursuant to Article 64(1)(f) GDPR on 22 November 2024 . The
decision on the completeness of the file was taken on 10 December 2024.
2 ASSESSMENT
3. The draft BCR-C of the Coface Group covers all processing of personal data by Coface entities acting as
a controller or as an internal processor5, who are legally bound by the BCR, regardless of their location6.
4. Concerned data subjects include employees, managing directors or key accounts contacts (clients,
buyers, brokers, agents), prospects, sole traders, business partners and their m anaging directors or
board members7.
5. The draft BCR-C of the Coface Group has been scrutinised according to the procedures set up by the
EDPB. The SAs assembled within the EDPB have concluded that the draft BCR-C of the Coface Group
contains all the elements required under Article 47 GDPR and the Recommendations, in accordance
with the draft decision of the BCR Lead submitted to the EDPB for an opinion. Therefore, the EDPB
does not have any concerns that need to be addressed.
3 CONCLUSIONS
6. Taking into account the above and the commitments that the group members will undertake by signing
the Intra-Group Agreement , the EDPB considers that the draft d ecision of the BCR Lead may be
adopted as it is, since the draft BCR-C of the Coface Group contains appropriate safeguards to ensure
that the level of protection of natural persons guaranteed by the GDPR is not undermined when
personal data is transferred to and processed by the group members based in third countries. The
EDPB recalls that the approval of BCRs by the BCR Lead does not entail the approval of specific transfers
of personal data to be carried out on the basis of the BCRs. Accordingly, the approval of BCRs may not

4 Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public
access to European Parliament, Council and Commission documents.
5 “Internal processor” refers to a Coface Group entity processing personal data on behalf of a Coface entity
acting as a controller.
6 Article 3.1 and 3.2 of the BCR-C.
7 Appendix 8 of the BCR-C.
6
Adopted
be construed as the approval of transfers to third countries included in the BCRs for which an
essentially equivalent level of protection to that guaranteed within the EU cannot be ensured.
7. Finally, the EDPB also recalls the provisions contained within Article 47(2)(k) GDPR and the
Recommendations providing the conditions under which the applicant may modify or update the BCRs,
including updates to the list of BCRs group members.
4 FINAL REMARKS
8. This opinion is addressed to the BCR Lead and will be made public pursuant to Article 64(5)(b) GDPR.
9. According to Article 64(7) and (8) GDPR, the BCR Lead shall communicate its response to this opinion
to the Chair within two weeks after receiving the opinion.
10. Pursuant to Article 70(1)(y) GDPR, the BCR Lead shall communicate the final decision to the EDPB for
inclusion in the register of decisions which have been subject to the consistency mechanism.

For the European Data Protection Board
The Chair

(Anu Talus)

Highlights content goes here...

Purpose

The European Data Protection Board (EDPB) has adopted an opinion on the draft decision of the French Supervisory Authority regarding the Controller Binding Corporate Rules (BCRs) of the Coface Group. This opinion aims to ensure the consistent application of the General Data Protection Regulation (GDPR) throughout the European Economic Area (EEA). The EDPB’s role is crucial in ensuring that BCRs meet the requirements of Article 47 GDPR and the Recommendations, which provide a framework for international transfers.

Effects on Industry

The adoption of this opinion will have significant effects on industries, companies, and consumers. Firstly, it ensures that BCRs submitted by controllers and processors are reviewed and approved in accordance with the EDPB’s guidelines. This provides a level of protection for natural persons within the EU and ensures that personal data is transferred to third countries in compliance with the GDPR.

Furthermore, this opinion will have long-term effects on the industry. It sets a precedent for future applications of BCRs and provides guidance on the requirements for approval. Companies will need to ensure that their BCRs meet these requirements, which may lead to increased transparency and accountability in data processing practices.

Additionally, consumers will benefit from enhanced protection when their personal data is transferred to third countries. The EDPB’s opinion ensures that companies provide adequate safeguards for data subjects, which includes enforceable rights and effective legal remedies.

Relevant Stakeholders

The stakeholders affected by this update are:

  • Companies: Those operating within the EU or planning to transfer personal data to third countries must ensure their BCRs meet the EDPB’s guidelines. This may involve revising existing BCRs or implementing new ones.

  • Supervisory Authorities (SAs): SAs will need to review and approve BCRs in accordance with the EDPB’s opinion. This ensures consistency in the application of the GDPR across the EEA.

  • Data Subjects: Individuals whose personal data is processed by companies within the EU or transferred to third countries will benefit from enhanced protection under the GDPR.

Next Steps

To comply with this update, companies must:

  1. Review their BCRs to ensure they meet the requirements of Article 47 GDPR and the Recommendations.

  2. Revise their BCRs if necessary, taking into account the EDPB’s opinion.

  3. Submit revised BCRs for approval by the relevant SA.

  4. Ensure that their BCRs are enforced uniformly across all third countries where personal data is processed.

Any Other Relevant Information

The adoption of this opinion marks an important step in ensuring consistency and accountability in data processing practices within the EU. The EDPB’s guidelines provide a clear framework for companies to follow, which will lead to enhanced protection for natural persons within the EU.

In addition, the opinion provides guidance on supplementary measures that may be required to ensure compliance with the GDPR when transferring personal data to third countries. This includes assessing whether the level of protection required by EU law is respected in the third country concerned and providing adequate safeguards if necessary.

European Data Protection Board

Quick Insight
RADA.AI
RADA.AI
Hello! I'm RADA.AI - Regulatory Analysis and Decision Assistance. Your Intelligent guide for compliance and decision-making. How can i assist you today?
Suggested
Related Documents
How to pay insurance premiums for an employee if he/she quits before the end of the year from the conclusion of the voluntary health insurance contract
Date: 4th Feb, 2025 Source: Federal Tax Service (FTS) Country: Russia
News Financial services Guidance
Busting NFP myths
Date: 3rd Feb, 2025 Source: Australian Taxation Office (ATO) Country: Australia
News Tax & Compliance Guidance
Lodging the NFP self-review return under the correct self-assessing category
Date: 3rd Feb, 2025 Source: Australian Taxation Office (ATO) Country: Australia
News Tax & Compliance Guidance

Form successfully submitted. One of our GRI rep will contact you shortly

Thanking You!

Click here

Enter your Email

Enter your registered username/email id.

Enter your Email

Enter your email id below to signup.

Enter your Email

Enter your email id below to signup.
Individual Plan
  • Designed for Growing Compliance Teams
$125 / month OR $1250 / year
Features
  • • Coverage for 20 jurisdictions
  • • Monitoring from 500+ regulatory authorities
  • • AI compliance summaries
  • • RaDa.ai : Single-Role
Best for: Researchers, Legal professionals, Academics
Subscribe Now
Enterprise Plan
  • Perfect for Global Enterprises
Contact for Pricing
Features
  • • Custom jurisdictional coverage
  • • Custom monitoring of regulatory authorities
  • • RaDa.ai : Customizable multi-role
  • • Custom reporting and dashboard capabilities
  • • API access for seamless integration
Best for: Law Firms, Corporations, Government Bodies
Contact Sales