EDPB contributes to the LED evaluation and adopts recommendations on the application for Processor BCR

19 January 2026

During its latest plenary, the European Data Protection Board (EDPB) adopted a report to support the European Commission’s evaluation of the Law Enforcement Directive (LED). 

The Commission has to submit its public report on the evaluation and review of this Directive to the European Parliament and to the Council by 6 May 2026. Ahead of this, the Commission gathered the views of the European Data Protection Authorities (DPAs) on the application and functioning of the LED over the period from January 2022 to 31 August 2025.

“We welcome the European Commission’s regular evaluations of the application of the LED, and we are committed to providing our expertise for these evaluations to ensure that the LED continues to uphold high data protection standards in the law enforcement context,” said EDPB Chair, Anu Talus.

The EDPB facilitates cooperation and coordination between DPAs when supervising law-enforcement processing. The EDPB Secretariat also provides the Secretariat of the Coordinated Supervision Committee (CSC) which ensures coordinated supervision of large-scale IT systems and EU bodies and agencies in the areas of law enforcement and criminal justice. 

In its report, the EDPB highlights the key role of the LED in protecting personal data in the law enforcement context. DPAs have increasingly advised competent national authorities on mitigating data breaches, while many DPAs have also carried out awareness-raising activities and issued guidance.

Next, the EDPB adopted recommendations on the application for approval and on the elements and principles to be found in Processor Binding Corporate Rules (BCR-P).

These recommendations form an update of the existing BCR-P referential, which contains the criteria for BCR-P approval, and merge it with the standard application form for BCR-P. 

BCR-Ps are a transfer tool that can be used by a group of undertakings or enterprises to transfer personal data outside the European Economic Area to processors within the same group. BCRs create enforceable rights and set out commitments to establish a level of data protection essentially equivalent to the one provided by the GDPR. 

The new recommendations build upon the agreements reached and the experience gained by DPAs in the course of approval procedures on concrete BCR-P applications since the entry into application of the GDPR, as well as upon the work carried out in the context of the updated Recommendations on Controller Binding Corporate Rules (BCR-C). 

The recommendations provide clear criteria and explanations to ensure that BCR-P developed by groups of undertakings or enterprises are compliant with the GDPR. The recommendations clarify when BCR-P can be used, namely only for intra-group transfers between processors, when the controller is not part of the group. 

The EDPB members also held an exchange of views on the upcoming joint opinion on the Digital Omnibus, which is scheduled for adoption at the February plenary meeting.

Read more here.