France: CNIL publishes notice on its management of BCR approval requests
The French data protection authority ('CNIL') published, on 31 July 2020, a notice ('the Notice') on its management of requests for approval of Binding Corporate Rules ('BCRs'). In particular, the Guidance outlines, among other things, the purpose of data processing, which falls under the exercise of the duties of CNIL as a public authority, the categories of data processed, the data subjects, and the data retention period. More specifically, in relation to the categories of data processed, CNIL specifies that, for the purposes of managing requests related to BCRs, it is mandatory to collect some information, including the identification of the person making the request, and the name of their organisation. In addition, in relation to data recipients, the Guidance specifies that there will be no transfers of data outside of the EU and that the recipients concerned include data controllers, sub-processors, or any third parties concerned by the request, as well as CNIL members and staff responsible for processing files. Moreover, the Guidance states that the data collected will be kept for 10 years after the response to the request.
You can read the Notice, only available in French, here.