European Data Protection Board Issues Opinion on Jacobs Douwe Egberts Binding Corporate Rules

The European Data Protection Board (EDPB) has published Opinion 9/2026, addressing the draft decision of the Dutch Supervisory Authority (Autoriteit Persoonsgegevens) concerning the Controller Binding Corporate Rules (CBCRs) of Jacobs Douwe Egberts Group. This opinion represents a significant development in the ongoing implementation of the General Data Protection Regulation (GDPR) across international data transfers.

Background on Binding Corporate Rules

Binding Corporate Rules (BCRs) are legally binding internal policies and rules that govern the transfer of personal data within a multinational organization. Controller Binding Corporate Rules specifically apply to companies acting as data controllers rather than processors. The EDPB, established under Article 68 of the GDPR, provides guidance on BCRs to ensure consistent application across the European Union.

Jacobs Douwe Egberts, a global coffee and tea company, sought approval for its CBCRs to facilitate legitimate data transfers between its various entities across different jurisdictions. The Dutch Supervisory Authority, as the lead supervisory authority for this process, issued a draft decision that the EDPB has now reviewed and commented upon.

Key Elements of Opinion 9/2026

The EDPB opinion addresses several critical aspects of the draft decision:

1. Lawfulness of Data Transfers: The opinion confirms that properly implemented CBCRs provide an adequate legal basis for international data transfers outside the European Economic Area (EEA), addressing concerns about extraterritorial data processing.

2. Specific Requirements for Jacobs Douwe Egberts: The EDPB has outlined additional requirements that must be included in the final version of the company's CBCRs to ensure full compliance with GDPR principles.

3. Governance Structure: The opinion emphasizes the need for robust governance mechanisms, including designated data protection officers and regular compliance audits.

4. Third Country Adequacy: While not directly addressing adequacy decisions, the opinion reinforces that BCRs remain a critical tool for ensuring adequate protection when transferring to countries without formal adequacy decisions.

Compliance Timeline for Jacobs Douwe Egberts

Based on the EDPB opinion, Jacobs Douwe Egberts must implement the following measures:

• Immediate Actions: Review and update existing data processing documentation to align with the EDPB's guidance
• 30-Day Period: Submit revised CBCRs incorporating the EDPB's recommendations to the Dutch Supervisory Authority
• 90-Day Period: Implement enhanced data protection measures across all international data transfers
• Annual Requirement: Establish a regular reporting schedule to demonstrate ongoing compliance

Practical Implications for Multinational Companies

This opinion serves as an important reference for other multinational organizations implementing CBCRs. Key takeaways include:

1. Enhanced Documentation Requirements: Companies must maintain comprehensive documentation demonstrating how their BCRs align with GDPR principles.

2. Regular Compliance Audits: The EDPB has strengthened its expectations regarding regular auditing and reporting of BCR compliance.

3. Data Subject Rights: Companies must establish clear mechanisms for addressing data subject complaints related to international data transfers.

4. Subsidiary Involvement: Parent companies must ensure all subsidiaries fully understand and commit to implementing the BCRs.

The Dutch Supervisory Authority's Role

The Dutch Supervisory Authority, as the lead supervisory authority for Jacobs Douwe Egberts, plays a crucial role in the BCR approval process. The authority must now consider the EDPB's opinion when finalizing its decision. This collaborative process ensures consistent application of GDPR principles across member states while respecting national supervisory authorities' expertise.

Jacobs Douwe Egberts' International Operations

Jacobs Douwe Egberts operates in numerous countries worldwide, making compliant international data transfers essential for its business operations. The company's CBCRs will govern how personal data is transferred between its European headquarters and international subsidiaries, ensuring that data protection standards remain consistent across the organization.

Future Developments in BCR Implementation

The EDPB's opinion reflects evolving expectations regarding BCR implementation. Organizations should anticipate:

1. Stricter Requirements: Future BCR approvals may face more rigorous scrutiny
2. Enhanced Documentation: Expectations for supporting documentation will continue to increase
3. Regular Updates: BCRs will need to be regularly updated to reflect changes in data processing activities and legal requirements
4. Increased Oversight: Supervisory authorities may conduct more frequent audits of BCR implementation

Recommendations for Organizations

Based on Opinion 9/2026, organizations implementing or updating CBCRs should:

• Conduct thorough gap analyses against the EDPB's latest guidance
• Engage with relevant supervisory authorities early in the process
• Implement robust monitoring and reporting mechanisms
• Ensure all relevant stakeholders understand their responsibilities under the BCRs
• Plan for regular reviews and updates of the BCR documentation

The full text of Opinion 9/2026 is available on the European Data Protection Board website, and organizations implementing BCRs should carefully review this document alongside the Guidelines 07/2020 on transfers of personal data to third countries.

This opinion reinforces the importance of BCRs as a mechanism for legitimate international data transfers while setting a higher standard for implementation and compliance. Organizations should treat this opinion as a critical reference point when developing or updating their own binding corporate rules.