Binding Corporate Rules: Guide to GDPR Data Transfers
Learn what binding corporate rules are, how they enable lawful international data transfers under GDPR, and the approval process.
Binding corporate rules are one of the primary mechanisms that multinational organizations use to lawfully transfer personal data outside the European Economic Area under the GDPR. If your corporate group operates across jurisdictions and moves personal data between entities in different countries, binding corporate rules provide a comprehensive framework for compliance.
This guide explains what binding corporate rules are, when they are required, how the approval process works, and how they compare to other data transfer mechanisms. This content is educational and does not constitute legal advice. Consult a qualified data protection lawyer for guidance specific to your organization.
What Are Binding Corporate Rules?
Binding corporate rules (BCRs) are internal data protection policies adopted by a multinational group of companies or enterprises that allow the transfer of personal data from entities within the European Economic Area to group entities located in third countries that have not received an adequacy decision from the European Commission.
Article 4(20) of the GDPR defines binding corporate rules as "personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity."
The critical characteristics of binding corporate rules are:
- They are legally binding on every member of the corporate group
- They must be approved by a competent supervisory authority through the cooperation procedure under Article 47
- They confer enforceable rights on data subjects whose data is transferred
- They apply only to intra-group transfers, not to transfers to unrelated third parties
- They must include the substantive requirements listed in Article 47(2), covering purpose limitation, data quality, security measures, and complaint handling
BCRs are considered one of the most robust transfer mechanisms because they require organizations to build a comprehensive internal data protection framework that goes beyond individual transfer agreements.
When Are Binding Corporate Rules Required?
Not every international data transfer requires binding corporate rules. The GDPR establishes a hierarchy of transfer mechanisms under Chapter V, and BCRs are one option among several.
The GDPR Transfer Framework
Before considering BCRs, organizations should assess whether a simpler mechanism is available:
- Adequacy decisions (Article 45): The European Commission has determined that certain countries provide an adequate level of data protection. Transfers to these countries require no additional safeguards. As of 2026, adequate countries include the UK, Japan, South Korea, Canada (for commercial organizations), and others.
- Standard contractual clauses (Article 46(2)(c)): Pre-approved contract terms issued by the European Commission that can be used for transfers to any recipient in a third country, regardless of whether they are part of the same corporate group.
- Binding corporate rules (Article 46(2)(b)): The appropriate mechanism when a corporate group regularly transfers personal data between its own entities across jurisdictions and wants a single, unified framework rather than managing individual SCCs between each pair of entities.
- Derogations (Article 49): Specific exceptions that allow transfers in limited circumstances, such as explicit consent, contractual necessity, or important reasons of public interest. These are intended for occasional, non-repetitive transfers.
Scenarios Where BCRs Make Sense
Binding corporate rules are most appropriate when:
- Your organization has multiple entities in non-adequate countries and data flows between them regularly
- You want a single compliance framework rather than managing dozens of bilateral SCC agreements
- Your group processes large volumes of personal data across borders as a routine part of operations
- You want to demonstrate accountability to regulators, customers, and business partners through a supervisory authority-approved framework
- Your group includes entities that act as both controllers and processors for different data flows
For smaller organizations or those with limited international transfers, standard contractual clauses are usually the more practical choice due to the significant time and cost involved in obtaining BCR approval.
Requirements for Binding Corporate Rules Under Article 47
Article 47(2) of the GDPR sets out the minimum content that binding corporate rules must include. Supervisory authorities, particularly the European Data Protection Board (EDPB), have published detailed guidance on what a compliant BCR application should contain.
Mandatory Content
Binding corporate rules must specify:
- Structure and contact details of the corporate group, including the entity responsible for monitoring compliance and handling complaints
- Data transfers covered, including categories of personal data, types of processing, purposes, and the countries involved
- Legal enforceability of the rules, both internally within the group and externally for data subjects
- Application of the general data protection principles, specifically purpose limitation, data minimization, limited storage periods, data quality, data protection by design and by default, legal basis for processing, special category data protections, and measures for onward transfers to entities not covered by the BCRs
- Data subject rights and the means by which individuals can exercise them, including the right to lodge complaints
- Acceptance of liability by the entity established in the EU for breaches committed by group members outside the EU
- Information provided to data subjects about the BCRs, their rights, and how to exercise them
- Compliance mechanisms, including data protection audits, data protection training for staff, and complaint handling procedures
- Cooperation with supervisory authorities, including the obligation to accept audits and comply with the advice of the relevant authority
- Mechanisms for reporting and recording changes to the BCRs and reporting those changes to the supervisory authority
The Role of the Data Protection Officer
Organizations seeking BCR approval must have a Data Protection Officer (DPO) or equivalent function to oversee compliance with the rules. The DPO's responsibilities in the BCR context include monitoring adherence across group entities, managing the complaint process, liaising with the supervisory authority, and coordinating the internal audit program.
The Binding Corporate Rules Approval Process
Obtaining approval for binding corporate rules is a substantial undertaking. The process involves engagement with one or more supervisory authorities and can take 12 to 24 months or longer.
Step 1: Prepare the Application
The first step is drafting the BCRs themselves, along with supporting documentation. This typically includes:
- The full BCR policy document
- A detailed description of data flows within the group
- An overview of the corporate group structure
- Evidence of internal enforceability (board resolutions, employment contracts, intra-group agreements)
- A data protection training program outline
- An audit plan
- A complaint handling procedure
Many organizations engage specialized data protection counsel to draft the BCR application, given the level of detail required and the scrutiny it will receive.
Step 2: Identify the Lead Supervisory Authority
The applicant must identify the lead supervisory authority for the BCR approval. Under the EDPB's cooperation procedure (formerly the Article 29 Working Party's mutual recognition procedure), the lead authority is typically the supervisory authority of the EU/EEA member state where the group's European headquarters or main decision-making entity is located.
Step 3: Cooperation Procedure
Once the lead authority is satisfied with the draft BCRs, it shares the application with other "concerned" supervisory authorities, which are the authorities of member states where group entities are established. These authorities have the opportunity to raise objections or request amendments.
The cooperation procedure ensures that BCRs meet a consistent standard across the EEA. The EDPB has published referential documents (WP256 for controllers and WP257 for processors) that set out the elements each authority will assess.
Step 4: Formal Approval
After the cooperation procedure concludes and all concerned authorities are satisfied, the lead supervisory authority issues a formal approval decision. This decision authorizes the corporate group to transfer personal data under the BCRs without additional safeguards for the covered transfers.
Step 5: Ongoing Obligations
Approval is not the end of the process. Organizations with approved BCRs must:
- Conduct regular compliance audits (typically annual)
- Update the BCRs when the group structure, data flows, or applicable law changes
- Report material changes to the lead supervisory authority
- Maintain records of all transfers made under the BCRs
- Ensure new group entities are brought within the scope of the BCRs promptly
Binding Corporate Rules vs. Standard Contractual Clauses
Both binding corporate rules and standard contractual clauses (SCCs) serve as transfer mechanisms under Chapter V of the GDPR, but they differ in scope, approval process, and practical application.
| Aspect | Binding Corporate Rules | Standard Contractual Clauses |
|---|---|---|
| Scope | Intra-group transfers only | Any transfer, including to third parties |
| Approval | Requires supervisory authority approval | No prior approval needed |
| Time to implement | 12 to 24 months | Weeks to months |
| Cost | Significant (legal, compliance, audit) | Lower (primarily legal review) |
| Flexibility | Covers all group transfers under one framework | Requires separate SCCs per transfer relationship |
| Supplementary measures | May still require transfer impact assessments | Requires transfer impact assessment per Schrems II |
| Enforceability | Legally binding across entire group | Binding between specific contracting parties |
For organizations with complex, multi-directional data flows across many group entities, BCRs provide administrative simplicity at scale. For organizations with a small number of third-country transfers, SCCs are faster and less expensive to implement.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowThe Schrems II Impact
The Court of Justice of the European Union's decision in Schrems II (Case C-311/18) affected both BCRs and SCCs. The Court ruled that organizations using any transfer mechanism must assess whether the laws of the recipient country provide equivalent protection to the GDPR. If they do not, supplementary measures must be implemented.
The EDPB's Recommendations 01/2020 provide guidance on conducting transfer impact assessments and identifying appropriate supplementary measures, such as encryption, pseudonymization, or contractual commitments not to comply with government access requests that conflict with the BCRs.
How Binding Corporate Rules Affect Your Privacy Policy
If your organization uses binding corporate rules for international data transfers, this must be reflected in your privacy policy. Articles 13(1)(f) and 14(1)(f) of the GDPR require controllers to inform data subjects about international transfers, including the transfer mechanism used.
Your privacy policy should:
- State that personal data may be transferred to group entities outside the EEA
- Identify the countries or regions where recipient entities are located
- Confirm that transfers are governed by binding corporate rules approved by the relevant supervisory authority
- Explain how data subjects can obtain a copy of the BCRs or a summary of their key provisions
- Describe the complaint process available to data subjects under the BCRs
Using a privacy policy generator can help structure these disclosures correctly, ensuring that your international transfer information meets the transparency requirements of the GDPR.
Organizations With Approved Binding Corporate Rules
The EDPB maintains a public list of organizations that have received BCR approval. As of 2026, over 180 corporate groups have approved BCRs, spanning industries including technology, pharmaceuticals, financial services, manufacturing, and professional services.
Notable organizations with approved BCRs include:
- Technology: Cisco, eBay, HP, Salesforce, Philips
- Financial services: JPMorgan Chase, Deutsche Bank, Allianz, Mastercard
- Pharmaceuticals: Johnson and Johnson, Novartis, Roche, AstraZeneca
- Professional services: Accenture, Deloitte, KPMG, EY
- Manufacturing: General Electric, Schneider Electric, Siemens
The breadth of adoption demonstrates that BCRs are a mature and widely recognized mechanism, though the significant investment required means they remain primarily a tool for large multinational organizations.
Practical Considerations for Implementing Binding Corporate Rules
Before committing to the BCR process, organizations should evaluate several practical factors.
Cost and Resources
BCR development and approval require substantial investment. External legal fees, internal staff time for drafting and coordination, the cost of building audit and training programs, and ongoing compliance monitoring all contribute to a total cost that can reach several hundred thousand euros for large organizations.
Internal Governance
BCRs demand a mature internal data protection governance structure. Organizations need a clear chain of accountability, documented data flows, established audit processes, and trained staff in every jurisdiction covered by the BCRs. Organizations that lack this infrastructure will need to build it before or alongside the BCR application.
Interaction With Other Compliance Obligations
Binding corporate rules do not replace other GDPR obligations. Organizations still need to maintain Records of Processing Activities under Article 30, conduct Data Protection Impact Assessments under Article 35 where required, and comply with data breach notification requirements under Articles 33 and 34. BCRs add a layer of governance specifically for international transfers.
Onward Transfers
A common challenge is handling onward transfers from a BCR-covered entity to an external third party (such as a vendor or service provider) located in a non-adequate country. BCRs do not cover these transfers. Organizations must use SCCs or another approved mechanism for any data flow that leaves the corporate group.
For website operators managing compliance across multiple jurisdictions, tools like TermsBox can help generate and maintain the legal documents, such as privacy policies and cookie policies, that complement your broader data transfer compliance framework.
Frequently Asked Questions
What are binding corporate rules under GDPR?
Binding corporate rules are internal data protection policies adopted by a multinational corporate group to permit the transfer of personal data from the EEA to group entities in countries that lack an EU adequacy decision. They must be approved by a competent supervisory authority under Article 47 of the GDPR and are legally binding on all group members.
How long does it take to get binding corporate rules approved?
The approval process for binding corporate rules typically takes 12 to 24 months, though it can extend longer depending on the complexity of the application and the supervisory authority's workload. The cooperation procedure under Article 47 requires the lead authority to share its draft decision with other concerned supervisory authorities, which adds time.
What is the difference between binding corporate rules and standard contractual clauses?
Binding corporate rules are internal policies approved by a supervisory authority for intra-group transfers, while standard contractual clauses are pre-approved contract terms issued by the European Commission for transfers to any third party. BCRs require regulatory approval and cover an entire corporate group. SCCs can be implemented immediately without prior approval but must be supplemented with a transfer impact assessment.
Do binding corporate rules apply to processors as well as controllers?
Yes. The GDPR recognizes two types of binding corporate rules: BCR for controllers (BCR-C) under Article 47, which cover data transfers where group entities act as controllers, and BCR for processors (BCR-P), which cover transfers where group entities process data on behalf of external clients. Both types require supervisory authority approval.