Dear European Data Protection Board,
Under the right of access to documents in the EU treaties, as developed in Regulation 1049/2001, I am requesting documents which contain the following information:
1 CONTEXT of my request
A few days ago the EDPB published the "Opinion 03/2022 on the draft decision of the French Supervisory Authority regarding the Processor Binding Corporate Rules of the WEBHELP Group", which is available here: https://edpb.europa.eu/system/files/2022....
My request refers to the following sentence in Sec. No. 6. in this Opinion: "since the draft BCR-P of the WEBHELP Group contains appropriate safeguards to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined when personal data will be transferred to and processed by the group members based in third countries"
2 Single REQUEST
I am requesting documents which contain the following information:
2.1 Documents provided to the EDPB by the French regulator or by the WEBHELP Group such that the EDPB has concluded, as cited in 1 above, that the BCRs of the WEBHELP Group contain "adequate safeguards" as defined above (e.g., documents comparable to a 'Transfer Impact Assessment').
2.2 Beyond the documents in 2.1, such documents that provide information on how the EDPB has arrived at the assessment by others that WEBHELP Group's BCRs contain "appropriate safeguards" as defined above (e.g., through internal legal opinions of the EDPB).
Thank you for your message and for your interest in data protection. We
will look into your request and get back to you within due time.
The EDPB Secretariat
Dear Mr. Roth,
Thank you for your email. The description given in your request does not
enable us to identify concrete documents in order to respond to your
We therefore invite you, in accordance with Article 6(2) of Regulation
(EC) No 1049/2001 regarding public access to documents, to provide us with
more detailed information on the document or the documents you request. In
particular, we would like to bring the following to your attention:
Regarding point 2.1 of your request (on documents comparable to a "TIA"
that led the EDPB to consider that the BCR contains adequate safeguards),
we would like to clarify that, as stated by the CJEU in the Schrems II
judgement and further elaborated by the EDPB, transfer tools under Article
46 GDPR, including BCRs, do not operate in a vacuum. Thus, the exporters
are responsible for verifying, on a case-by-case basis and, where
appropriate, in collaboration with the importer in the third country, if
the law or practice of the third country impinges on the effectiveness of
the appropriate safeguards contained in the Article 46 GDPR transfer
tools. In those cases, the exporter needs to assess whether supplementary
measures can fill the gaps in the protection. Whether or not the exporter
can transfer personal data on the basis of a specific BCR will depend on
the result of the assessment, taking into account the circumstances of the
transfers, and the supplementary measures in place (if needed).
Therefore, when assessing a BCR, the EDPB does not assess the
circumstances of a given transfer, but rather the BCR as a transfer tool
and the safeguards it provides in accordance with the GDPR and the Working
Document setting up a table with the elements and principles to be found
in Binding Corporate Rules (WP 256 rev.01) or the Working Document setting
up a table with the elements and principles to be found in Processor
Binding Corporate Rules (WP 257 rev.01). Whether that is enough or
supplementary measures are necessary in a given case, will depend on the
elements mentioned above and developed in the EDPB Recommendations
01/2020 on supplementary measures. Thus, based on these explanations, we
would kindly advice you to clarify your request and the documents you are
seeking access to.
Regarding point 2.2 of your request, we kindly request you to clarify the
meaning of "on how the EDPB has arrived at the assessment by others", in
particular, the reference to others in this context.
The EDPB Secretariat