Opinion 03/2022 on the draft decision of the French Supervisory Authority regarding the Processor Binding Corporate Rules of the WEBHELP Group

Heiko Roth made this Informationsfreiheit request to European Data Protection Board

Automatic anti-spam measures are in place for this older request. Please let us know if a further response is expected or if you are having trouble responding.

Die Antwort auf diese Anfrage ist lange im Rückstand. Nach gesetzlicher Vorschrift sollte European Data Protection Board Ihnen inzwischen unter allen Umständen geantwortet haben. (Details). Sie können sich beschweren, indem sie Interne Prüfung beantragen .

Dear European Data Protection Board,

Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:

1 CONTEXT of my request

A few days ago the EDPB published the "Opinion 03/2022 on the draft decision of the French Supervisory Authority regarding the Processor Binding Corporate Rules of the WEBHELP Group", which is available here: https://edpb.europa.eu/system/files/2022....

My request refers to the following sentence in Sec. No. 6. in this Opinion: "since the draft BCR-P of the WEBHELP Group contains appropriate safeguards to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined when personal data will be transferred to and processed by the group members based in third countries"

2 Single REQUEST

I am requesting documents which contain the following information:

2.1 Documents provided to the EDPB by the French regulator or by the WEBHELP Group such that the EDPB has concluded, as cited in 1 above, that the BCRs of the WEBHELP Group contain "adequate safeguards" as defined above (e.g., documents comparable to a 'Transfer Impact Assessment').

2.2 Beyond the documents in 2.1, such documents that provide information on how the EDPB has arrived at the assessment by others that WEBHELP Group's BCRs contain "appropriate safeguards" as defined above (e.g., through internal legal opinions of the EDPB).

Yours faithfully,
HR

European Data Protection Board

Thank you for your message and for your interest in data protection. We
will look into your request and get back to you within due time.
The EDPB Secretariat

European Data Protection Board

Dear Mr. Roth,

 

Thank you for your email. The description given in your request does not
enable us to identify concrete documents in order to respond to your
request.

 

We therefore invite you, in accordance with Article 6(2) of Regulation
(EC) No 1049/2001 regarding public access to documents, to provide us with
more detailed information on the document or the documents you request. In
particular, we would like to bring the following to your attention:

 

Regarding point 2.1 of your request (on documents comparable to a "TIA"
that led the EDPB to consider that the BCR contains adequate safeguards),
we would like to clarify that, as stated by the CJEU in the Schrems II
judgement and further elaborated by the EDPB, transfer tools under Article
46 GDPR, including BCRs, do not operate in a vacuum. Thus, the exporters
are responsible for verifying, on a case-by-case basis and, where
appropriate, in collaboration with the importer in the third country, if
the law or practice of the third country impinges on the effectiveness of
the appropriate safeguards contained in the Article 46 GDPR transfer
tools. In those cases, the exporter needs to assess whether supplementary
measures can fill the gaps in the protection. Whether or not the exporter
can transfer personal data on the basis of a specific BCR will depend on
the result of the assessment, taking into account the circumstances of the
transfers, and the supplementary measures in place (if needed).

 

Therefore, when assessing a BCR, the EDPB does not assess the
circumstances of a given transfer, but rather the BCR as a transfer tool
and the safeguards it provides in accordance with the GDPR and the Working
Document setting up a table with the elements and principles to be found
in Binding Corporate Rules (WP 256 rev.01) or the Working Document setting
up a table with the elements and principles to be found in Processor
Binding Corporate Rules (WP 257 rev.01). Whether that is enough or
supplementary measures are necessary in a given case, will depend on the
elements mentioned above and developed in the EDPB [1]Recommendations
01/2020 on supplementary measures. Thus, based on these explanations, we
would kindly advice you to clarify your request and the documents you are
seeking access to.

 

Regarding point 2.2 of your request, we kindly request you to clarify the
meaning of "on how the EDPB has arrived at the assessment by others", in
particular, the reference to others in this context.

 

Kind regards,

The EDPB Secretariat

 

-----Original Message-----
From: Heiko Roth <[FOI #10742 email]>
Sent: 19 February 2022 10:28
To: European Data Protection Board <[EDPB request email]>
Subject: access to documents request - Opinion 03/2022 on the draft
decision of the French Supervisory Authority regarding the Processor
Binding Corporate Rules of the WEBHELP Group

 

Dear European Data Protection Board,

 

Under the right of access to documents in the EU treaties, as developed in
Regulation 1049/2001, I am requesting documents which contain the
following information:

 

1 CONTEXT of my request

 

A few days ago the EDPB published the "Opinion 03/2022 on the draft
decision of the French Supervisory Authority regarding the Processor
Binding Corporate Rules of the WEBHELP Group", which is available here:
[2]https://edpb.europa.eu/system/files/2022....

 

My request refers to the following sentence in Sec. No. 6. in this
Opinion: "since the draft BCR-P of the WEBHELP Group contains appropriate
safeguards to ensure that the level of protection of natural persons
guaranteed by the GDPR is not undermined when personal data will be
transferred to and processed by the group members based in third
countries"

 

2 Single REQUEST

 

I am requesting documents which contain the following information:

 

2.1 Documents provided to the EDPB by the French regulator or by the
WEBHELP Group such that the EDPB has concluded, as cited in 1 above, that
the BCRs of the WEBHELP Group contain "adequate safeguards" as defined
above (e.g., documents comparable to a 'Transfer Impact Assessment').

 

2.2 Beyond the documents in 2.1, such documents that provide information
on how the EDPB has arrived at the assessment by others that WEBHELP
Group's BCRs contain "appropriate safeguards" as defined above (e.g.,
through internal legal opinions of the EDPB).

 

Yours faithfully,

HR

 

-------------------------------------------------------------------

 

This is a request for access to information under Article 15 of the TFEU
and, where applicable, Regulation 1049/2001 which has been sent via the
AsktheEU.org website.

 

Please kindly use this email address for all replies to this request:
[3][FOI #10742 email]

 

If [4][EDPB request email] is the wrong address for information requests to
European Data Protection Board, please tell the AsktheEU.org team on email
[5][email address]

 

This message and all replies from European Data Protection Board will be
published on the AsktheEU.org website. For more information see our
dedicated page for EU public officials at
[6]https://www.asktheeu.org/en/help/officers

 

Please note that in some cases publication of requests and responses will
be delayed.

 

 

-------------------------------------------------------------------

References

Visible links
1. https://edpb.europa.eu/our-work-tools/ou...
2. https://edpb.europa.eu/system/files/2022...
3. mailto:[FOI #10742 email]
4. mailto:[EDPB request email]
5. mailto:[AsktheEU.org contact email]
6. https://www.asktheeu.org/en/help/officers

Zitierte Abschnitte verbergen

Dear European Data Protection Board,

Thank you for the first review feedback on this matter. I would like to add to my concerns 2.1 and 2.2: when receiving a BCR, how deeply does the EDPB review the assurances mentioned therein that Recommendations 01/2020 will be complied with when transferring to companies in an unsafe third country? Does the EDPB receive further documentation on the contractual, technical and organizational 'supplementary measures' from the submitting authority or group of companies seeking approval of the BCR? - If yes, then I am concerned with exactly such documentation. If no, then I must assume that only a visual inspection of the BCR takes place and no such documents are requested.

Mit freundlichem Gruß,
HR

European Data Protection Board

Dear Sir/Madam,

Thank you for your message and for your interest in data protection. We
will look into your request and get back to you within due time.

Kind regards,

The EDPB Secretariat  

European Data Protection Board

Dear Mr. Roth,

Indeed, at the moment the EDPB does not assess the supplementary measures that may be potentially necessary for a given transfer carried out on the basis of an approved BCR. Whether there's a need for supplementary measures and if so, which ones are the most appropriate, is a case-by-case assessment that the exporter must carry out taking into account the specific circumstances of the transfer. Therefore, when assessing a BCR, what the EDPB analyses is whether the BCR complies with the requirements established by Article 47 GDPR and elaborated in the WP 256 and WP 257. Once the EDPB has adopted its Opinion on a BCR, the supervisory authority can then approve the BCR. The exporter will have to assess whether, in the specific case, the safeguards provided by the BCR are sufficient to ensure an essentially equivalent level of protection of the personal data or supplementary measures are needed.

Taking this into account, and given your previous e-mail, we understand that you withdraw your request for access to documents. Can you please confirm this understanding?

Kind regards,
The EDPB Secretariat

-----Original Message-----
From: Heiko Roth <[FOI #10742 email]>
Sent: 18 May 2022 08:07
To: European Data Protection Board <[EDPB request email]>
Subject: Re: Your access to documents request - Opinion 03/2022 of WEBHELP BCR - request for clarifications

Dear European Data Protection Board,

Thank you for the first review feedback on this matter. I would like to add to my concerns 2.1 and 2.2: when receiving a BCR, how deeply does the EDPB review the assurances mentioned therein that Recommendations 01/2020 will be complied with when transferring to companies in an unsafe third country? Does the EDPB receive further documentation on the contractual, technical and organizational 'supplementary measures' from the submitting authority or group of companies seeking approval of the BCR? - If yes, then I am concerned with exactly such documentation. If no, then I must assume that only a visual inspection of the BCR takes place and no such documents are requested.

Mit freundlichem Gruß,

HR

-----Original Message-----

Dear Mr. Roth,

 

Thank you for your email. The description given in your request does not

enable us to identify concrete documents in order to respond to your

request.

 

We therefore invite you, in accordance with Article 6(2) of Regulation

(EC) No 1049/2001 regarding public access to documents, to provide us with

more detailed information on the document or the documents you request. In

particular, we would like to bring the following to your attention:

 

Regarding point 2.1 of your request (on documents comparable to a "TIA"

that led the EDPB to consider that the BCR contains adequate safeguards),

we would like to clarify that, as stated by the CJEU in the Schrems II

judgement and further elaborated by the EDPB, transfer tools under Article

46 GDPR, including BCRs, do not operate in a vacuum. Thus, the exporters

are responsible for verifying, on a case-by-case basis and, where

appropriate, in collaboration with the importer in the third country, if

the law or practice of the third country impinges on the effectiveness of

the appropriate safeguards contained in the Article 46 GDPR transfer

tools. In those cases, the exporter needs to assess whether supplementary

measures can fill the gaps in the protection. Whether or not the exporter

can transfer personal data on the basis of a specific BCR will depend on

the result of the assessment, taking into account the circumstances of the

transfers, and the supplementary measures in place (if needed).

 

Therefore, when assessing a BCR, the EDPB does not assess the

circumstances of a given transfer, but rather the BCR as a transfer tool

and the safeguards it provides in accordance with the GDPR and the Working

Document setting up a table with the elements and principles to be found

in Binding Corporate Rules (WP 256 rev.01) or the Working Document setting

up a table with the elements and principles to be found in Processor

Binding Corporate Rules (WP 257 rev.01). Whether that is enough or

supplementary measures are necessary in a given case, will depend on the

elements mentioned above and developed in the EDPB [1]Recommendations

01/2020 on supplementary measures. Thus, based on these explanations, we

would kindly advice you to clarify your request and the documents you are

seeking access to.

 

Regarding point 2.2 of your request, we kindly request you to clarify the

meaning of "on how the EDPB has arrived at the assessment by others", in

particular, the reference to others in this context.

 

Kind regards,

The EDPB Secretariat

 

-------------------------------------------------------------------

Bitte nutzen Sie diese Emailadresse für alle Antworten auf diese Anfrage:

[FOI #10742 email]

Diese Nachricht und alle Antworten von European Data Protection Board werden auf der AsktheEU.org Internetseite veröffentlicht. Für weitere Informationen besuchen Sie bitte unsere speziell für EU-Beamte eingerichtete Seite https://www.asktheeu.org/de/help/officers

Please note that in some cases publication of requests and responses will be delayed.

-------------------------------------------------------------------

Zitierte Abschnitte verbergen

Dear European Data Protection Board,

thank you for your clarification. Iam withdrawing my document access request.

Yours sincerely,
H R

European Data Protection Board

Dear Sir/Madam,
Thank you for your email.

The offices of the EDPB Secretariat are closed until and including the 29
May 2022 for the Ascension day.

Please note that your e-mail has not been forwarded.

We will respond to your message as soon as possible upon our return.

Kind regards,

The EDPB Secretariat