Binding corporate rules

Binding Corporate Rules (BCR) refer to common binding rules on the transfer of personal data to third countries within companies in the same group of undertakings or group of enterprises engaged in a joint economic activity. The rules are legally binding on both the companies belonging to the group of enterprises and to the employees of these companies. The competent data protection authority will ratify the binding corporate rules in accordance with the consistency mechanism provided for in Article 63 of the GDPR.

Binding Corporate Rules are particularly appropriate for multinational companies that transfer personal data out of the EU and EEA. The rules provide an alternative data transfer method to, for example, the standard clauses adopted by the Commission.

The Binding Corporate Rules on data protection require the group of undertakings or enterprises to establish, among other things:

  • A division of responsibilities, according to which
    • a head office located in the EU;
    • a member registered in the EU and assigned with data protection responsibilities; or
    • party transferring the data will be liable to compensate damages and rectify violations of the BCR.
  • An audit scheme covering the BCR.
  • A BCR training programme for employees.
  • A procedure for processing appeals concerning the BCR.
  • A network of Data Protection Officers or other adequate personnel to enforce compliance with the rules.

What benefits do the BCR entail?

  • Demonstration of a strong commitment to compliance with data protection regulations.
  • Processing of personal data in compliance with the principles set forth in the GDPR.
  • Avoiding the need to sign numerous data transfer agreements within the group of enterprises.
  • Harmonised data protection practices within the group of undertakings or enterprises.

The BCR applying to the controller's company apply to all intra-group transfers of personal data from controllers within the EU/EEA to controllers and/or processors outside of the EU/EEA.

The BCR applying to the processor’s company apply to all processors based outside the EU/EEA processing the personal data on behalf of (non-group) controllers based in the EU/EEA.

Further information:

For controllers:

For processors of personal data: