EDPB Delivers Opinion on Dutch DPA's Draft Decision Regarding AkzoNobel's Binding Corporate Rules

The European Data Protection Board (EDPB) has published Opinion 2/2026, addressing the draft decision of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) regarding the Controller Binding Corporate Rules (BCRs) of the AkzoNobel Group. This opinion represents a significant development in the interpretation and application of Binding Corporate Rules for international data transfers within corporate groups operating across the European Economic Area.

The opinion focuses on the Dutch DPA's assessment of AkzoNobel's Controller BCRs, which are designed to ensure compliance with the General Data Protection Regulation (GDPR) when personal data is transferred between entities of the AkzoNobel Group located in different countries. Binding Corporate Rules serve as a crucial mechanism for multinational companies to facilitate lawful international data transfers while maintaining consistent data protection standards across their global operations.

In its opinion, the EDPB provides detailed guidance on several key aspects of the Controller BCRs assessment process. The Board emphasizes the importance of ensuring that the rules adequately address the specific risks associated with cross-border data transfers and provide sufficient safeguards for data subjects' rights. The opinion highlights the need for comprehensive documentation, clear accountability mechanisms, and robust oversight procedures within the corporate group's data protection framework.

The EDPB's analysis covers various elements of the Controller BCRs, including the scope of data transfers, the rights of data subjects, the responsibilities of data controllers within the group, and the mechanisms for ensuring compliance with the rules. The opinion also addresses the relationship between the Controller BCRs and other data transfer mechanisms under the GDPR, such as Standard Contractual Clauses and adequacy decisions.

One of the key aspects of the opinion is the EDPB's guidance on the assessment of the adequacy of data protection measures in third countries where AkzoNobel entities are located. The Board emphasizes that Controller BCRs must include provisions that ensure an essentially equivalent level of protection to that guaranteed by the GDPR, regardless of the destination country's data protection framework.

The opinion also addresses the procedural aspects of the BCR approval process, including the role of the lead supervisory authority, the cooperation between supervisory authorities, and the timeline for decision-making. The EDPB provides clarification on how the one-stop-shop mechanism under the GDPR applies to the approval of Controller BCRs and the resolution of potential disputes between supervisory authorities.

For organizations considering implementing Controller BCRs, the EDPB's opinion offers valuable insights into the expectations and requirements of supervisory authorities. The guidance emphasizes the need for thorough documentation, comprehensive risk assessments, and robust compliance mechanisms. Organizations are advised to carefully review the opinion and ensure that their Controller BCRs align with the EDPB's recommendations.

The publication of Opinion 2/2026 comes at a time when many organizations are reassessing their data transfer mechanisms in light of the Schrems II decision and the evolving landscape of international data protection law. The opinion provides much-needed clarity on how Binding Corporate Rules can be effectively utilized as a tool for ensuring GDPR compliance in cross-border data transfers within corporate groups.

Organizations that have already implemented or are planning to implement Controller BCRs should carefully review the EDPB's opinion and consider whether their existing rules or proposed rules align with the Board's recommendations. The opinion may necessitate updates to existing BCRs or influence the design of new BCRs to ensure they meet the EDPB's standards for adequacy and compliance.

The EDPB's opinion also has implications for supervisory authorities involved in the BCR approval process. The guidance provided by the Board can help ensure consistency in the assessment and approval of Controller BCRs across different Member States, promoting a more harmonized approach to the regulation of international data transfers within corporate groups.

As the implementation of the GDPR continues to evolve, opinions such as Opinion 2/2026 play a crucial role in shaping the practical application of data protection rules. The EDPB's guidance on Controller BCRs contributes to the development of a more predictable and consistent regulatory environment for international data transfers, benefiting both organizations and data subjects.

Organizations seeking to implement Controller BCRs or update their existing rules should consider engaging with experienced data protection professionals to ensure compliance with the EDPB's recommendations. The complexity of international data transfers and the high stakes involved in GDPR compliance make expert guidance invaluable in navigating the requirements outlined in Opinion 2/2026.

The full text of Opinion 2/2026 is available on the EDPB website, providing detailed insights into the Board's reasoning and recommendations. Organizations and data protection professionals are encouraged to review the opinion in its entirety to fully understand its implications for Controller BCRs and international data transfers within corporate groups.

As the regulatory landscape continues to evolve, the EDPB's opinions and guidelines remain essential resources for organizations seeking to navigate the complexities of GDPR compliance and international data transfers. Opinion 2/2026 represents another important step in the ongoing development of data protection standards and practices within the European Union and beyond.