The controller/processor dilemma: EDPB consults on guidance

One of the first questions an organisation must ask itself when considering its data protection compliance responsibilities is: “Are we controller or processor?” By Emma Erskine-Fox of TLT.

At the end of July, and so with only five months remaining until the end of the transition period, the European Data Protection Board (EDPB) issued an information note for companies that have the ICO as their lead authority as to the steps that they need to take in order to move their Binding Corporate Rules (BCR) application, or approved BCR, to an European Economic Area (EEA) supervisory authority (SA)(1).

The guidance reflects the rigorous stance of the EDPB in relation to BCR, and its clear message is that the top priority for any company that has the ICO as its lead authority is to set in motion as quickly as possible the move to a new EEA lead SA so that the formalities associated with the move may be completed before the end of the transition period.

UK Report subscribers please login to access the full article.

If you wish to subscribe please see our subscription information.