Data Protection Ombudsman confirms Nokia's BCR rules for international data transfers

Publication date 25.4.2025 10.20 | Published in English on 2.5.2025 at 11.29
Type: Press release

The Data Protection Ombudsman has approved two applications by Nokia for binding corporate rules (so-called BCRs). BCRs are legally binding rules for the transfer of personal data within a group of enterprises. They allow companies in the same group to transfer personal data between each other outside the EU and EEA countries.

Nokia's BCR rules were discussed with other EU data protection authorities, and the European Data Protection Board gave a favourable opinion at its plenary session on 8 April. The rules were then confirmed by the Data Protection Ombudsman in its national decisions. These are the first BCR rules to be adopted in Finland.

Nokia's applications concerned two sets of rules, one of which applies to situations where Nokia acts as data controller and transfers personal data within its group outside the EU and EEA. The second set of rules applies where Nokia acts as the processor in a third country on behalf of the controller in the EU and EEA.

The decisions of the Data Protection Ombudsman confirm, among other things, the legally binding nature of Nokia's BCRs, the application of data protection principles, the audit programme for the rules, complaint procedures and appropriate data protection training for staff. 

BCRs safeguard data protection requirements for international data transfers

BCRs are one of the ways of implementing international transfers of personal data provided for in the General Data Protection Regulation (GDPR). They are particularly suitable for multinational companies that regularly transfer personal data outside the EU and EEA countries. BCRs ensure that a corporate group’s data protection practices are consistent and comply with the principles of the GDPR. Thanks to the uniform rules, a group does not need to draw up separate data transfer agreements within the group.

Despite the BCR rules, the company transferring the data must always ensure that each transfer is secure and meets the requirements of data protection legislation. The company must also assess on a case-by-case basis whether it needs to put in place additional safeguards to ensure an adequate level of data protection. 

The group must annually inform the Data Protection Ombudsman of any changes made to its BCRs. A report must be submitted even if no changes are made to the rules.

Further information:

Decisions of the Data Protection Ombudsman in Finlex:

Information about binding corporate rules on our website

Information about international data transfers on our website