Binding corporate rules
Binding corporate rules (BCRs) are internal rules adopted by multinational groups of companies. They define the group’s global policy with regard to international transfers of personal data to companies within the same group that are located in countries which do not provide an adequate level of protection. They are legally binding and approved by the competent supervisory authority in accordance with the consistency mechanism.
Binding corporate rules ensure that all data transfers made within a group benefit from an adequate level of protection. This is an alternative to having to sign standard contractual clauses within the group each time a company needs to transfer data to a member of the same group. Binding corporate rules do not provide a basis for transfers made outside the group.
Binding corporate rules are a solution for multinational companies which export personal data from the territory of the EU to other companies within the same group located in third countries which do not ensure an adequate level of protection.
As established in Article 47 GDPR, binding corporate rules must contain in particular:
• The application of the general data protection principles (purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, etc.);
• The rights of data subjects with regard to processing and the means to exercise those rights;
• Tools of effectiveness (audit, training, complaint handling system, etc.);
• Their legally binding nature both internally and externally.
© University of Groningen