Binding Corporate Rules are internal data protection policies adopted by a multinational corporate group — or by a group of enterprises engaged in joint economic activity — that, once approved by a competent supervisory authority, legitimise transfers of personal data among the group's entities even where some are outside the EEA.
What's in a BCR
The European Data Protection Board's Working Documents 256 (controllers) and 257 (processors) lay out the required content. The headline elements:
- Binding nature. The rules must be legally binding on every group entity and on every employee handling personal data.
- Enforceable rights for data subjects. Data subjects must be able to enforce the BCR rights against the EU-based group entity, regardless of where the actual processing occurred.
- Mechanisms for handling complaints, audits, and cooperation with supervisory authorities.
- A description of how the GDPR's data protection principles are applied across every entity in the group.
The approval process
A multinational submits its BCR to a lead supervisory authority, which coordinates with the EDPB. The full approval process typically takes 12–24 months. Once approved, the BCR is published on the EDPB website.
Where BCRs fit vs. SCCs
BCRs are designed for intra-group transfers. They don't cover transfers to third-party processors or subprocessors — for those, the group still uses SCCs. Many large enterprises run both: BCRs for the EU↔US intra-group flow, SCCs for vendor relationships.
For a company evaluating a vendor: noticing that a vendor operates under approved BCRs is reassuring, but only for data movement within the vendor's own corporate group. The vendor still needs SCCs (or another Article 46 tool) for any sub-processing it does, and a BCR approval is no substitute for monitoring the vendor's actual subprocessor list.