What are binding corporate rules?
Binding corporate rules (BCR) are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises. Such rules must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers. They must be legally binding and enforced by every concerned member of the group.
Approval of binding corporate rules
Companies must submit binding corporate rules for approval to the competent data protection authority in the EU. The authority will approve the BCRs in accordance with the consistency mechanism set out in Article 63 of the GDPR. This procedure may involve several supervisory authorities since the group applying for approval of its BCRs may have entities in more than one Member State. The competent authority communicates its draft decision to the European Data Protection Board, which will issue its opinion on the binding corporate rules. When the BCRs have been finalised in accordance with the EDPB opinion, the competent authority will approve the BCRs.
Authorisations of supervisory authorities on the basis of Directive 95/46/EC remain valid until amended, replaced or repealed, if necessary, by that supervisory authority.
The Article 29 Working Party adopted the following documents, which have been endorsed by the EDPB. These documents describe the procedure of approval and provide guidance on the structure and requirements of binding corporate rules.
- Working Document on the approval procedure of the Binding Corporate Rules for controllers and processors (wp263rev.01)
- Recommendation on the approval of the Controller Binding Corporate Rules form (wp264)
- Recommendation on the approval of the Processor Binding Corporate Rules form (wp265)
- Working Document on Binding Corporate Rules for Controllers (wp256rev.01)
- Working Document on Binding Corporate Rules for Processors (wp257rev.01)