Binding corporate rules
Binding corporate rules (BCR) are legally binding internal data protection rules that are approved by a supervisory authority under Art. 47 GDPR and serve as an appropriate safeguard for transfers of personal data to third countries within a corporate group.
Binding corporate rules (BCR) are an instrument governed by Art. 47 GDPR that allows multinational corporate groups, or groups of undertakings engaged in a joint economic activity, to transfer personal data internally to group companies located in third countries. Under Art. 46(2)(b) GDPR they count as one of the appropriate safeguards that can justify a third-country transfer in the absence of an adequacy decision, ensuring that the level of protection guaranteed by the GDPR is not undermined for data subjects once their data leaves the EEA.
For BCR to take effect they must be approved by the competent supervisory authority in accordance with the consistency mechanism set out in Art. 63 GDPR, with the European Data Protection Board issuing an opinion under Art. 64 GDPR. Art. 47(2) GDPR prescribes a detailed minimum content: the legally binding nature of the rules and their enforceability both internally and externally, enforceable rights for data subjects, information on the structure and contact details of the group, on the data categories and processing purposes, on the data protection principles applied, on the acceptance of liability and compensation by an EU-established group entity, on complaint-handling procedures, on training, and on mechanisms for verifying compliance (data protection audits, a data protection compliance function such as the DPO).
BCR are especially attractive for large, globally structured groups because, once approved, they provide a lasting and uniform basis for intra-group data flows and avoid the need to negotiate standard contractual clauses repeatedly between every pair of group companies. The approval procedure is, however, demanding and lengthy. Following the CJEU's Schrems II ruling (C-311/18), a valid BCR is no longer sufficient on its own: the data exporter must assess, case by case and typically in a transfer impact assessment, whether the law and practice of the recipient country allow the recipient to honour the BCR and provide an essentially equivalent level of protection; where they do not, supplementary measures of a technical, contractual or organisational nature must be put in place, and if no effective supplementary measures exist, the transfer must not take place.
Legal Basis
Art. 47 GDPR in conjunction with Art. 46(2)(b) GDPR; approval under the consistency mechanism pursuant to Art. 63, 64 GDPR. Art. 49 GDPR contains the derogations that apply only where neither an adequacy decision nor appropriate safeguards such as BCR are available, and is therefore a fallback rather than the basis for BCR themselves.
Practical Example
A machinery manufacturer based in Germany operates central HR and customer systems that are accessed by subsidiaries in the United States, India and Brazil. Instead of concluding standard contractual clauses with each foreign entity, the data protection officer recommends introducing binding corporate rules. The DPO drafts a group-wide framework containing binding data protection principles, enforceable data subject rights, a complaint mechanism and an internal audit programme, submits it to the lead supervisory authority and guides it through the consistency mechanism. Once approved, the DPO documents the BCR in the record of processing activities as the basis for the transfers and additionally performs a transfer impact assessment for the recipient countries, adding supplementary measures where the assessment shows that local law could undermine the protection the BCR promise.