ICO publishes a UK BCR Addendum for use with EU Binding Corporate Rules

This blog notes some of the key features of the Addendum. 

At its core, the Addendum can be used in relation to both controller BCRs and processor BCRs. Organisations then have a choice as to whether they use the Addendum in its standard published form or as a template. As the Addendum is considered guidance only, organisations can use it as a template base to amend or add alternative clauses to best suit their business needs. However organisations will need to bear in mind the ICO review and approval process described below when making any changes.

If used in its standard form, the Addendum nonetheless offers some flexibility. For example to refer to BCR member decision making processes (reflecting business approach), to choose applicable UK law, to specify which courts are relevant for claims between BCR members, and to allow for the addition of commercial clauses (to the extent they do not undermine the protections offered by the Addendum). 

An organisation can opt to allow its approved Addendum to automatically update when the ICO makes any changes to the published form. If the Addendum is used as a base template for amendment, the ICO may require an organisation to update its approved Addendum in line with subsequent ICO updates to the standard form. 

The Addendum also assumes that in general, all BCR members will sign the document. However, the ICO does acknowledge that amendments could be made to the Addendum to allow for a deed of accession model to be used for signing. A lead UK BCR member is required to be responsible for breaches of the UK BCR by non-UK BCR members and accept liability for the same. If the lead UK BCR member is a branch (and not a UK legal entity) a parent company guarantee may be required.

The relevant EU BCRs, completed and signed Addendum and a UK BCR summary (providing specified information for data subjects for example), must be submitted to the ICO for approval. It is important to note the ICO approval process may take longer if an organisation chooses to use the Addendum as a template base and amend the same, rather than use it in standard form. The ICO requires organisations to highlight changes made in that case and explain why those amendments do not undermine the protections offered by the Addendum in standard form. The ICO will review the amended Addendum prior to giving any approval and may raise further questions as part of that process.

The ICO notes that if an EU BCR is suspended, withdrawn or revoked, the UK BCR will also be suspended, withdrawn or revoked and an organisation will have to find an alternative international transfer mechanism. The ICO also states that it is the ongoing responsibility of an organisation to update its approved EU BCR in line with any European Data Protection Board requirements and that the ICO will not review its content. 

Guidance published by the ICO on the same day sets out the step-by-step process of completing the Addendum. 

The Guidance is available here, and the Addendum here.