During its latest plenary, on 20 June 2023, the EDPB adopted a Template Complaint Form and a Template Acknowledgment of Receipt aiming to facilitate the submission of individuals’ complaints and their subsequent handling by Data Protection Authorities (“DPAs”) in cross-border cases.
The use of the template complaint form will ease the cross-border exchange of information regarding complaints between DPAs and will help DPAs manage cross-border cases more effectively. The DPAs will use it voluntarily and can adjust it to their respective national requirements. Each DPA will indicate which fields included in the template form (i.e., full name and surname, postal address, email address, telephone/mobile number, and identification details) are mandatory according to the national provisions.
The template acknowledgment of receipt is meant to provide the petitioner with general information on the next steps following the complaint submission, highlighting the right to an effective judicial remedy against the DPA’s legally binding decision. The template stipulates that if the petitioner does not receive information on the complaint within 3 months/or the applicable deadline (depending on the DPA), an update could be requested by contacting the DPA.
Also, on 20 June 2023, the EDPB adopted the final version of the Recommendations on the application for approval and on the elements and principles to be found in Controller Binding Corporate Rules – BCR-C (“Recommendations”), effective on the date of their publication (i.e., 30 June 2023).
In brief, these Recommendations:
- rely on the agreements reached by DPAs throughout the approval procedures on the BCR applications based on the GDPR provisions to date;
- provide a standard application form for the approval of BCR-Cs and aim to ensure equal conditions for all applicants;
- clarify the necessary content of BCR-C and provide explanations and comments on the requirements.
The BCRs are appropriate safeguards for transfers of personal data to third countries, subject to approval by the BCR Lead DPA in accordance with Article 47 (1) of the GDPR. Usually, BCR-Cs are suitable for framing the transfers of personal data outside of the EEA, from controllers subject to the GDPR to other controllers or processors within the same group (i.e., internal controllers/processors).
The EDPB expects all new and ongoing BCR-C applicants to bring their BCR-C in line with the requirements set out in these Recommendations, and all BCR-C holders must also comply with these Recommendations.
Ultimately, the EDPB also notes that a set of recommendations for BCR-processors (BCR-P) is currently being developed.
The press release is available here.