Processor BCR gets an upgrade: Inside the EDPB’s new draft recommendations

Background

BCR are legally binding internal rules adopted by multinational groups to legitimise transfers of personal data to non-EEA countries under Articles 46(2)(b) and 47 GDPR. Unlike the European Commission’s Standard Contractual Clauses (SCC), BCR-P are expressly approved by supervisory authorities and therefore offer what many consider the “gold standard” for GDPR-compliant international transfers, providing enhanced legal certainty and operational flexibility.

The requirements to achieve approval for BCR-P and the accompanying application form are detailed in the draft EDPB’s Recommendations. They complete the EDPB’s materials for BCR applications and approvals, following the:

• updated recommendations on Controller BCR (BCR-C) in 2022 (see our updates here and here), and
• new guidelines for the cooperation procedure (between the supervisory authorities) for the approval of BCR for controllers and processors in March 2025 (see our summary here).

Once adopted after public consultation, the Recommendations will replace the current recommendations set out in Working Paper 257.rev01, which were last updated in 2018 just before the GDPR came into effect.

A first look at the draft recommendations

• provide a standard form for the application for approval of BCR-P;
• clarify the necessary content of BCR-P;
• distinguish between what must be included in the BCR-P and what must be presented to the BCR Lead Supervisory Authority in the BCR application; and
• clarify and elaborate on the requirements.

The structure of the draft Recommendations mirrors that of the BCR-C Recommendations. It includes a standard application form with clear instructions, as well as a tabular overview of the information and commitments that must, at a minimum, be included in both the application form and the BCR-P. This overview also contains a very useful dedicated section indicating where each requirement is addressed in the BCR-P.

New and Notable

One significant shift in the draft Recommendations is that the EDPB suggests that BCR-P can only be relied on in respect of international transfers of data between group members (i.e. within the same corporate group) as processors or sub-processors. This excludes from the scope of application the initial transfer of personal data from controllers (e.g. customers) to processors, should the controller be located in the EEA and the processor entity which first receives the data in a Third Country. The controller to processor transfer is considered by the EDPB to require a different transfer mechanism, such as the European Commission’s standard contractual clauses (2021 SCC) or reliance on the EU/US Data Privacy Framework.

This new position is contrary to current guidance and official opinions and statements of the EDPB and, previously, the Article 29 Working Party. It also deviates from the accepted position from the UK’s Information Commissioner’s Office which is in line with the previous European approach. It is therefore likely to be subject to extensive debate and pushback from existing and new processor applicants alike. We encourage all affected organisations to engage on this point as part of the consultation process. 

More generally, the new Recommendations are significantly more prescriptive than its predecessor. This aligns with the thinking and approach of the supervisory authorities of late, who have been leaning towards more uniformity and specific wording rather than leaving companies to interpret the requirements in the way they deem fit. 

The draft introduces several notable updates, including the following:

• Developed training programme: The draft Recommendations now expect training materials on the BCR to have been developed to a sufficiently elaborate degree before the BCR-P are approved, and clarify that these materials must be kept up-to-date (Sec. 3.1 Recommendations).
• Detailed audit programme: While the current BCR-P requirements already require implementation of an audit programme and described coverage and access to results, the draft Recommendations add more granular requirements, including audit frequency determined on risk-based approach, and explicit statements that DPOs should not be responsible for audits of BCR-P compliance where it would create a conflict of interest (Sec. 3.3.1 Recommendations).
• Transfer impact assessments: The Recommendations require BCR-P to contain a clear commitment that BCR members will use the BCR-P as a transfer tool only where they have assessed, in agreement with the controller, that third-country laws and practices (including public authority access) do not prevent the data importer from fulfilling its obligations under the BCR-P. It adds an explicit expectation to identify, document, and involve key internal stakeholders in supplementary measures, and to suspend or end transfers where essentially equivalent protection cannot be ensured (see Sec. 8.1 Recommendations).
• Government access requests: As known from the 2021 SCC and BCR-C, the Recommendations specify requirements for the handling of government access requests, including through commitments to (among other things) notify the data exporter and controller (and where possible the data subject), seek waivers of gag orders, provide periodic transparency reporting, preserve and make available records to competent authorities, and, importantly, review legality and challenge requests, seek interim measures, and limit disclosures to the minimum permissible (see Sec. 8.2 Recommendations).
• Data subject transparency and redress: The draft Recommendations detail the specific BCR-P clauses that data subjects must be provided with as part of their right to “easy access” to the BCR-P, explicitly including those commitments related to local laws and government access, implying that the provision of summaries is not sufficient (see Sec. 1.7 Recommendations). It is also specifies, similarly to the BCR-C requirements, that the right to go to court / lodge a complaint with a supervisory authority is not dependent on using the internal complaint handling process first (see Sec. 3.2 Recommendations).
• Consequences of non-compliance: Compared to the current BCR-P requirements, the draft Recommendations specify in more detail on what happens if compliance with the BCR-P fails, including a default expectation that if a transfer is suspended and compliance is not restored within one month, the transfer ends and data is returned or deleted (with certification), subject to third-country law constraints (see Sec. 10 Recommendations).

How the draft aligns with recent BCR-C updates

• The draft BCR-P Recommendations are largely aligned with the themes introduced in the revised BCR-C guidance, particularly around:
• Accountability and governance;
• International transfer impact assessments and government access requests, following Schrems II case law and related expectations;
• Enforceability and redress mechanisms; and
• Application procedures and supervisory authority cooperation.

This approach suggests a broader EDPB effort to harmonise both frameworks and will be welcomed by organisations with both BCR-P and BCR-C who want to consider an integrated approach to compliance. Companies that were waiting for the new BCR-P Recommendations to harmonize the wording of both their BCR-C and BCR-P can now begin their update work to ensure that the wording and provisions are harmonized.

What organisations should do now

We recommend that organisations with approved BCR-P, or who are partway through the approval process, consider the following:

• Approved BCR-P holders: Organisations with approved BCR-P are required to update their binding corporate rules, intra-group agreements, and supporting documentation to align with the new requirements, as was the case when the new BCR-C requirements were published in 2023. The EDPB has helpfully confirmed that the necessary updates can be part of the annual update of the BCR-P and will generally not need a new approval, as the changes are meant to improve the safeguards for data subjects.
• BCR-P applicants: Those who are drafting their BCR-P or part way through the approval process are expected to review and update their BCR documentation to reflect the requirements under the new Recommendations. The EDPB expects applicants to have a consolidated version ready by the time the finalised Recommendations are published.

What to expect

When the EDPB carried out a similar update for BCR-C, the final referential largely preserved the substance of the draft, with refinements focused mainly on sharpening language and adding practical examples. Those changes were editorial rather than structural. The same approach is expected here, considering also the EDPB’s expectations that BCR-P holders and applicants start updating their BCR-P before the final Recommendations are published. This means that organisations can confidently begin reviewing their BCR-P documentation now in anticipation of the final text. However, given that the consultation process is open, there is an opportunity to make representations or seek clarifications before the final version is published.

In any event, we recommend BCR-P holders and applicants to start reviewing and updating their BCR-P and underlying documentation now, and ensure that sufficient time and resources are allocated for this exercise. This is particularly relevant as some existing BCR-P holders have been told to prepare for a time- and resource-intensive exercise, similar to obtaining a new BCR approval. The new streamlined BCR approval procedure and the EDPB’s intention that updates will generally not require a new approval procedure, will hopefully help minimize friction in the DPA’s review process in this connection.

Timeline & next steps

• EDPB plenary adoption: 15 January 2026;
• Public consultation: until 2 March 2026;
• Final adoption: likely expected in Q2 or Q3 2026, based on the fact that the BCR-C requirements took almost 8 months from the draft stage through to public consultation and review, to the final, formally adopted BCR-C requirements. However, considering the overlap of the Recommendations with the BCR-C recommendations, this may result in a smoother approval process of the Recommendations.

We will update this article once the final guidelines are released and the EDPB confirms the transition timelines.

Hogan Lovell’s Data, Privacy and Cybersecurity team has a long track record of advising on BCR-P and BCR-C applications, having supported a significant number of organisations with their applications, updates, and associated compliance programmes. 

Authored by Katie McMullan, Chantal van Dam, Henrik Hanssen, Alexander Bathelt, Julie Schwartz, Eduardo Ustaran and Stefan Schuppert.