Binding Corporate Rules

Binding Corporate Rules (BCRs) are a set of rules implemented at corporate level by Multinational Groups of Organisations carrying out international data transfers within the Group. The purpose of BCRs is to allow intra-group data transfers while providing an adequate level of data protection across the Group. BCRs are considered a useful tool for Multinational Organisations which, by the nature of their business operations, are likely to carry out similar data transfers on a regular basis. Approval of a BCR implies that personal data may flow within the Group without necessarily having to sign an agreement with every intra-group entity in each and every processing operation involving an international data transfer.

The idea behind BCRs is to have corporate rules which are both internally and externally binding. Internal commitment is ensured by means of appropriate intra-group agreements, undertakings, other regulatory measures and internal policies applicable between group entities and other rules directly binding upon employees. BCRs should also be enforceable externally, and therefore data subjects should be in a position to exercise third party beneficiary rights and seek compensation for damages even where information is transferred to non-EU jurisdictions.

In principle a BCR is only enforceable for transfers of personal data within the group. Therefore, in the case of data controllers or processors who are not group entities, and who are established in third countries not ensuring an adequate level of data protection, these should still be regulated by the appropriate model contractual clauses issued by the EU Commission.

In order to initiate the coordinated procedure for implementing Binding Corporate Rules, the corporate group should:

Approach a Data Protection Authority to act as lead Supervisory Authority (SA). The criteria for choosing the lead SA are normally the location of the EU Headquarters of the Group or the EU Group Entity with delegated data protection responsibilities;

Submit a standard application form for BCR adopted by means of a recommendation of the Article 29 Working Party.

        • WP265 – BCR for Processors

Initially part I of the application form is submitted;

The selected SA informs the other concerned SAs of the application, and acceptance of the lead authority is given within 1 month;

The applicant submits part II of the application together with supporting documents to the lead SA for review and discussion in order to agree on a consolidated draft and application;

A first revised draft is sent to other SAs (normally one or two concerned SAs) who act as co-reviewers. The outcome of these discussions will result in a consolidated draft;

The lead DPA circulates the consolidated draft and concerned SAs are requested to comment and suggest changes to the text within one month (the time frame may be prolonged if there are comments/amendments and a new version is circulated). Where concerned SAs do not raise a reasoned objection, they shall be considered as in agreement with the BCR;

The lead SA will submit its draft decision based on the final draft BCR to the EDPB for an opinion. In the opinion the EDPB may endorse the decision or propose changes in the BCR. In case of endorsement the BCR Lead will adopt its decision approving the draft BCRs and inform the other SAs. Conversely, if the opinion suggests changes to the BCR, the lead SA shall inform the Chair of the EDPB whether it intends to follow the opinion of the board or otherwise maintain the previous draft.

The procedure for BCRs is further outlined in the working document WP263.
