Opinion 03/2022 on the draft decision of the French Supervisory Authority regarding the Processor Binding Corporate Rules of the WEBHELP Group

Dear European Data Protection Board,

Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:

1 CONTEXT of my request

A few days ago the EDPB published the "Opinion 03/2022 on the draft decision of the French Supervisory Authority regarding the Processor Binding Corporate Rules of the WEBHELP Group", which is available here: https://edpb.europa.eu/system/files/2022....

My request refers to the following sentence in Sec. No. 6. in this Opinion: "since the draft BCR-P of the WEBHELP Group contains appropriate safeguards to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined when personal data will be transferred to and processed by the group members based in third countries"

2 Single REQUEST

I am requesting documents which contain the following information:

2.1 Documents provided to the EDPB by the French regulator or by the WEBHELP Group such that the EDPB has concluded, as cited in 1 above, that the BCRs of the WEBHELP Group contain "adequate safeguards" as defined above (e.g., documents comparable to a 'Transfer Impact Assessment').

2.2 Beyond the documents in 2.1, such documents that provide information on how the EDPB has arrived at the assessment by others that WEBHELP Group's BCRs contain "appropriate safeguards" as defined above (e.g., through internal legal opinions of the EDPB).

Yours faithfully,
HR

European Data Protection Board

Thank you for your message and for your interest in data protection. We
will look into your request and get back to you within due time.
The EDPB Secretariat

European Data Protection Board

Dear Mr. Roth,

Thank you for your email. The description given in your request does not
enable us to identify concrete documents in order to respond to your
request.

We therefore invite you, in accordance with Article 6(2) of Regulation
(EC) No 1049/2001 regarding public access to documents, to provide us with
more detailed information on the document or the documents you request. In
particular, we would like to bring the following to your attention:

Regarding point 2.1 of your request (on documents comparable to a "TIA"
that led the EDPB to consider that the BCR contains adequate safeguards),
we would like to clarify that, as stated by the CJEU in the Schrems II
judgement and further elaborated by the EDPB, transfer tools under Article
46 GDPR, including BCRs, do not operate in a vacuum. Thus, the exporters
are responsible for verifying, on a case-by-case basis and, where
appropriate, in collaboration with the importer in the third country, if
the law or practice of the third country impinges on the effectiveness of
the appropriate safeguards contained in the Article 46 GDPR transfer
tools. In those cases, the exporter needs to assess whether supplementary
measures can fill the gaps in the protection. Whether or not the exporter
can transfer personal data on the basis of a specific BCR will depend on
the result of the assessment, taking into account the circumstances of the
transfers, and the supplementary measures in place (if needed).

Therefore, when assessing a BCR, the EDPB does not assess the
circumstances of a given transfer, but rather the BCR as a transfer tool
and the safeguards it provides in accordance with the GDPR and the Working
Document setting up a table with the elements and principles to be found
in Binding Corporate Rules (WP 256 rev.01) or the Working Document setting
up a table with the elements and principles to be found in Processor
Binding Corporate Rules (WP 257 rev.01). Whether that is enough or
supplementary measures are necessary in a given case, will depend on the
elements mentioned above and developed in the EDPB Recommendations
01/2020 on supplementary measures. Thus, based on these explanations, we
would kindly advise you to clarify your request and the documents you are
seeking access to.

Regarding point 2.2 of your request, we kindly request you to clarify the
meaning of "on how the EDPB has arrived at the assessment by others", in
particular, the reference to others in this context.

Kind regards,

The EDPB Secretariat

Dear European Data Protection Board,

Thank you for the first review feedback on this matter. I would like to add to my concerns 2.1 and 2.2: when receiving a BCR, how deeply does the EDPB review the assurances mentioned therein that Recommendations 01/2020 will be complied with when transferring to companies in an unsafe third country? Does the EDPB receive further documentation on the contractual, technical and organizational 'supplementary measures' from the submitting authority or group of companies seeking approval of the BCR? - If yes, then I am concerned with exactly such documentation. If no, then I must assume that only a visual inspection of the BCR takes place and no such documents are requested.

Kind regards,
HR

European Data Protection Board

Dear Sir/Madam,

Thank you for your message and for your interest in data protection. We
will look into your request and get back to you within due time.

Kind regards,

The EDPB Secretariat  

European Data Protection Board

Dear Mr. Roth,

Indeed, at the moment the EDPB does not assess the supplementary measures that may be potentially necessary for a given transfer carried out on the basis of an approved BCR. Whether there's a need for supplementary measures and if so, which ones are the most appropriate, is a case-by-case assessment that the exporter must carry out taking into account the specific circumstances of the transfer. Therefore, when assessing a BCR, what the EDPB analyses is whether the BCR complies with the requirements established by Article 47 GDPR and elaborated in the WP 256 and WP 257. Once the EDPB has adopted its Opinion on a BCR, the supervisory authority can then approve the BCR. The exporter will have to assess whether, in the specific case, the safeguards provided by the BCR are sufficient to ensure an essentially equivalent level of protection of the personal data or supplementary measures are needed.

Taking this into account, and given your previous e-mail, we understand that you withdraw your request for access to documents. Can you please confirm this understanding?

Kind regards,
The EDPB Secretariat

Dear European Data Protection Board,

Thank you for your clarification. I am withdrawing my document access request.

Yours sincerely,
H R

European Data Protection Board

Dear Sir/Madam,
Thank you for your email.

The offices of the EDPB Secretariat are closed until and including the 29
May 2022 for the Ascension day.

Please note that your e-mail has not been forwarded.

We will respond to your message as soon as possible upon our return.

Kind regards,

The EDPB Secretariat