What is the UK BCR Addendum?
We know that BCR applicants often want both EU and UK BCRs. If you already have an approved EU BCR and want to apply for a UK BCR, you can use the UK BCR Addendum. You can add the UK BCR Addendum onto your approved EU BCR. Together, they will form your new UK BCR. This means that you do not need to create another set of UK BCR documentation, reducing unnecessary duplication.
Using this option, a UK BCR is formed by:
- your approved EU BCR;
- the UK BCR Addendum, which incorporates and extends the scope of the EU BCR to include UK restricted transfers; and
- a UK BCR Summary, which provides information to people whose personal data is transferred under the UK BCR (and for a UK processor BCR, provides information to third party exporters).
The UK BCR Addendum will become the UK binding instrument, ensuring that the UK BCR is enforceable in the UK. It contains all relevant provisions of Article 47 UK GDPR, meaning that your EU BCR will work in the UK.
Who can apply?
You can apply for a UK BCR using the UK BCR Addendum only if you have an approved EU BCR. You cannot use the UK BCR Addendum if you do not have an approved EU BCR.
Any EU supervisory authority can have approved your existing EU BCR, under either the EU Directive 95/46/EC or the GDPR.
If you are an existing UK BCR applicant, with an approved UK BCR, you can also use the UK BCR Addendum. You can use it if you want to change your existing UK BCR and align it with your EU BCR. You can submit your amended UK BCR using the UK BCR Addendum at any time.
How do I apply?
You need to complete the UK BCR Addendum and send it, with the requested documents set out in the UK BCR Addendum, to the ICO. You can do this by emailing [email protected]. The requested documents include:
- your complete EU BCR;
- your EU BCR approval; and
- a UK BCR Summary document.
You do not have to complete an application form or referential table.
You must submit a separate application for each processor and controller BCR.
You can use the UK BCR Addendum in two ways:
- Use it as a standard form – you do not need to make any amendments to the UK BCR Addendum other than to select options in the part 2 tables.
- Use it as a template – the UK BCR Addendum is guidance only so you can amend it and add alternative clauses to suit your business needs.
How do I complete the UK BCR Addendum?
There are three parts to the UK BCR Addendum.
Part 1: Background
Part 1 confirms that you have an approved EU BCR and explains how the UK BCR Addendum forms a UK BCR which meets the requirements of Article 47.
Part 2: Tables
There are four tables in part 2 of the UK BCR Addendum for you to complete.
Table 1: Start date and BCR Members
In Table 1, you will need to insert details about the following:
- Start date – you will insert the start date after we have approved your UK BCR and all BCR Members have signed the UK BCR Addendum. You can only use the UK BCR Addendum as an international transfer mechanism from the date that the last BCR Member signs it. You should leave this box blank when you first apply to the ICO.
- Your Lead UK BCR Member – this is the UK BCR Member who is responsible for breaches of the UK BCR by non-UK BCR members. If your Lead UK BCR Member is a branch (and not a legal entity in the UK) you may need to submit a parent company guarantee in line with our guidance. If you are using an exporting entity model, you will need to use the UK BCR Addendum as a template and adapt it to include all liable UK entities.
- All other BCR Members – you can either add more rows to the table or add an appendix for all other BCR Members.
We expect all BCR Members to sign the Addendum as this is structured as an intragroup agreement. If you propose an alternative method of execution, please submit your proposal to the ICO for review.
Table 2: EU BCR
In table 2, you must include the documents which form your approved EU BCR.
You must send us electronic copies of your:
- EU BCR application form and referential table;
- EU BCR policy;
- EU BCR binding instrument;
- EU BCR approval(s); and
- other relevant documentation (for example, relevant EU supervisory authority audits or reviews).
Table 3: UK BCR Summary
You must create a new UK BCR Summary document.
This is aimed at people whose personal data is transferred under the UK BCR (and for UK processor BCRs, third party exporters) so that they know how their information is processed, what rights they have under the UK BCR and how to enforce them. We expect you to make your UK BCR Summary concise and easy to read.
A full list of what you should include in your UK BCR Summary is within the UK BCR Addendum guidance notes.
We will review the content of the UK BCR Summary as part of the ICO approval process to ensure that it clearly sets out the minimum requirements set out in the guidance note.
You must publish the UK BCR Summary alongside your EU BCR (or EU BCR summary), after we have approved it.
Table 4: Options
If you use the UK BCR Addendum as a standard form, you must select options from the following:
- Type of UK BCR – you must indicate whether you are applying for a processor or controller BCR.
- BCR Members’ Decision Process – each business has its own internal arrangements, so you can choose which options suit your business.
- Which UK laws apply to the Addendum – you can choose which UK laws apply to the UK BCR Addendum. You may want to choose the same laws which apply to other business agreements.
- Whether future updates to the Addendum will apply to your UK BCR – if you include this section, any updates that the ICO makes to the published version of the UK BCR Addendum will automatically apply to your UK BCR.
- Which courts legal claims can be brought in between BCR Members – this applies to claims between BCR Members only.
- Commercial clauses - you can choose to add in bespoke commercial clauses. This could include, for example, reallocation of costs or payment of compensation incurred by the UK Lead BCR Member. You can add these clauses into the table. Any clauses you add cannot undermine the level of protection provided by the UK BCR Addendum.
If you use the UK BCR Addendum as a template, you can convert these provisions into sections in Part 3.
Part 3: The UK BCR Addendum
Part 3 includes 16 sections which cover all Article 47 UK GDPR requirements, whilst respecting the content of your EU BCR.
If you are using the UK BCR Addendum as a standard form, you can choose to delete all sections in Part 3 and include the following wording:
Alternative Part 3: The UK BCR Addendum
Part 3 of the UK BCR Addendum Version C.1.0 issued by the ICO on 19 December 2023, as it is revised by the ICO from time to time under Table 4(d) of the UK BCR Addendum.
If you are using the UK BCR Addendum as a template, you can adapt the sections in part 3 to suit your business needs.
There are references to ‘Processor BCR’ and ‘Third Party Exporters’ throughout Part 3. If you are applying for a UK controller BCR only, you could delete those references, although you do not need to. The UK BCR Addendum makes it clear that they are disregarded for the purposes of a UK controller BCR.
When will I get an approval from the ICO?
If you use the UK BCR Addendum as a standard form, we expect to issue an approval promptly, assuming the UK BCR Summary content is sufficient.
If you use the UK BCR Addendum as a template, please highlight any amendments you make and explain why the changes do not undermine the protections afforded under the UK BCR Addendum. If your UK BCR Addendum closely aligns with our standard form, we should issue your approval relatively quickly. If it does not closely align, the approval process will take longer as we might need to ask you supplementary questions.
We will not review the content of your approved EU BCR. We will only review the wording of the UK BCR Addendum and UK BCR Summary. If you use the UK BCR Addendum as a template and adapt it considerably, we may check provisions of the EU BCR to ensure that it will provide effective and enforceable rights in the UK. However, we will not ask you to amend your EU BCR. We will only ask you to amend the UK BCR Addendum.
Are there any continuing obligations after we have received the UK BCR approval?
We expect you to update your approved and published EU BCR in future, in line with any EDPB requirements. This includes Recommendations 1/2022 for controllers (adopted 20 June 2023) and the equivalent for processors when published.
If you use the UK BCR Addendum as a template and the ICO makes changes to its published version, we may expect you to update your approved UK BCR Addendum in line with our amendments. We will clarify this at the time. You can submit an updated version as part of your annual update.
What happens if my approved EU BCR is suspended or withdrawn?
Under the terms of the UK BCR Addendum, if your EU BCR is suspended, withdrawn or revoked, this also suspends, withdraws or revokes your UK BCR. This means that you must not transfer personal data under your UK BCR and you must use another international transfer mechanism.
What happens if my EU BCR is amended?
Under the terms of the UK BCR Addendum, your UK BCR will automatically be amended in relation to any UK restricted transfers (as the EU BCR forms part of your UK BCR).
Please email us at [email protected] if you have any questions about the UK BCR Addendum.