In July 2020 the CJEU passed judgment on the “Schrems II” case2 which, amongst other things, requires companies to assess whether transfers of personal data from the EU are adequately protected in accordance with the EU GDPR and to put in place such additional safeguards as they consider necessary.
Verizon has considered the legal regimes in the countries to which it transfers personal data from the EU and which are protected by the EU BCRs and is using Transfer Impact Assessments to analyse the risks involved in those transfers. Appropriate steps will be taken to minimise any identified risks.
Following guidance from the Irish supervisory authority received in March 2022, Verizon has further strengthened its EU BCRs3,. This is in addition to existing provisions in Verizon’s EU and UK BCRs which state that Verizon will ensure that any transfers of personal data under the BCR policies that it makes to a public authority are “not massive, disproportionate or indiscriminate in a manner that would go beyond what is necessary in a democratic society”4.
Verizon awaits guidance from the ICO on changes to UK BCRs and will act accordingly once that guidance is issued. In the meantime, the existing provisions of Rule 12B of the UK Processor BCRs and 15C the UK Controller BCRs as outlined above address the core of the issue raised in the CJEU ruling, and Verizon is satisfied that the UK BCRs meet the current requirements.