Legal

Binding Corporate Rules

Internal data protection policies approved by a supervisory authority for multinational corporations to transfer data within their group.

Binding Corporate Rules (BCRs) are internal data protection policies adopted by a multinational group of companies to allow international transfers of personal data within the group to countries without an adequacy decision.

Key Characteristics

  • Must be legally binding on all members of the corporate group
  • Must be approved by a lead supervisory authority
  • Must confer enforceable rights on data subjects
  • Require significant time and resources to implement (typically 12–24 months)

BCRs vs SCCs

BCRs are preferred by large multinational corporations because they provide a single framework for intra-group transfers, while SCCs must be executed on a transfer-by-transfer basis.

GDPR Articles 46(2)(b) and 47.

Related Terms

Standard Contractual ClausesLegal

Pre-approved contract terms for transferring personal data from the EU to countries without an adequacy decision.

Adequacy DecisionLegal

A determination by the European Commission that a non-EU country provides an adequate level of data protection.

Supervisory AuthorityLegal

An independent public authority responsible for monitoring the application of data protection law in its jurisdiction.

Cross-Border TransferCompliance

The transfer of personal data from one country to another — subject to special rules under the GDPR.

Breach Notification