EDPB adopts template complaint form for cross-border cases and recommendations on BCRs

The European Data Protection Board (EDPB) has approved a complaint form designed to simplify the process of complaint submissions and handlings by Data Protection Authorities (DPAs) in cross-border cases. The template considers variations in national laws and practices and can be voluntarily adopted and customized by DPA to meet their specific requirements. It can be used for complaints submitted directly by individuals or on behalf of individuals by legal representatives or entities. Furthermore, the EDPB has also created a template acknowledgment of receipt that informs complainants about the subsequent steps in the complaint process and emphasizes their right to seek legal recourse against a DPA’s binding decision.

The EDPB has also finalized updated recommendations for Controller Binding Corporate Rules (BCR-C), merging the existing BCR-C criteria for approval with the standard application form for BCR-C. The purpose of these recommendations is to provide an updated and standardized application form for BCR-C approval, clarify the necessary content of BCR-Cs, and differentiate between the information included in a BCR-C and what needs to be presented to the BCR lead data protection authority during the application process.

These recommendations are based on the agreements reached by data protection authorities during BCR approval procedures since the implementation of the General Data Protection Regulation (GDPR), while also ensuring alignment with the requirements set by the CJEU’s Schrems II ruling.