The European Data Protection Board (EDPB) steps into the spotlight on February 5, 2026, with Opinion 3/2026, aimed at vetting the Dutch Supervisory Authority’s draft decision concerning the Controller Binding Corporate Rules (BCR) of the FrieslandCampina Group. This regulatory move is poised to capture the attention of multinational corporations handling cross-border data flows, data protection authorities, and privacy advocates invested in the fine balance between safeguarding personal data and enabling corporate international operations.
This opinion was published by the EDPB, the EU’s central body ensuring consistent application of the General Data Protection Regulation (GDPR) across member states, following a draft decision by the Netherlands’ supervisory authority. The document is categorized as an "Opinion of the Board (Art. 64)," indicating it is a formal advisory stance concerning the compliance of BCRs under the GDPR framework.
As an opinion rather than binding legislation, this document carries significant persuasive weight but does not itself implement mandatory changes. It evaluates the proposed BCRs submitted by FrieslandCampina, which serve as internal policies approved for international data transfers within corporate entities. The EDPB’s assessment likely covers the adequacy of protections embedded in these rules, considering practical enforcement mechanisms and alignment with EU data protection standards.
The policy orientation reflects a commitment to stringent data protection: Binding Corporate Rules are scrutinized meticulously by both national authorities and the EDPB to ensure they meet high standards. This strengthens the supranational supervision of multinational data processing activities, emphasizing increased regulatory oversight and harmonization over internal corporate governance on data transfers. This dynamic may subtly tilt power toward EU institutions and supervisory bodies over national or corporate discretion in managing international data flows.
FrieslandCampina and similar multinational firms benefit from clear, harmonized rules facilitating lawful data transfers, while also facing compliance costs to align internal practices with EDPB expectations. Dutch and other national supervisory authorities are empowered with a consistent framework to assess BCRs, potentially increasing administrative workload but enhancing cross-border enforcement cooperation. EU data subjects, the consumers and employees whose personal data is processed, gain reinforced privacy guarantees through elevated oversight and accountability measures embedded in the BCR approval process.
This opinion marks a pivotal stage in the ongoing regulatory scrutiny of corporate data governance, signalling continued active engagement by the EDPB and member state authorities in refining and enforcing GDPR-consistent frameworks for international data transfers. Next steps will likely involve further coordination between the Dutch authority, the EDPB, and possibly the European Commission, aiming for final approval and implementation of these Binding Corporate Rules, setting precedents for other multinational data controllers.