What are binding corporate rules?
Binding corporate rules (BCR) are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises. Such rules must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers. They must be legally binding and enforced by every member concerned of the group.
Approval of binding corporate rules
Companies must submit binding corporate rules for approval to the competent data protection authority in the EU. The authority will approve the BCRs in accordance with the consistency mechanism set out in Article 63 of the GDPR. This procedure may involve several supervisory authorities since the group applying for approval of its BCRs may have entities in more than one Member State. The competent authority communicates its draft decision to the European Data Protection Board, which will issue its opinion on the binding corporate rules. When the BCRs have been finalised in accordance with the EDPB opinion, the competent authority will approve the BCRs.
A list of BCRs approved under the GDPR is available here.
Authorisations of supervisory authorities on the basis of Directive 95/46/EC remain valid until amended, replaced or repealed, if necessary, by that supervisory authorities. An overview of pre-GDPR BCRs is available here.
The Article 29 Working Party adopted the following documents, which have been endorsed by the EDPB. These documents describe the procedure of approval and provide guidance on the structure and requirements of binding corporate rules.
- Working Document on the approval procedure of the Binding Corporate Rules for controllers and p [...] 263rev.01)
- Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR)
- Recommendation on the approval of the Processor Binding Corporate Rules form (wp265)
- Working Document on Binding Corporate Rules for Processors (wp257rev.01)