Binding Corporate Rules

The General Data Protection Regulation

Under the General Data Protection Regulation (‘GDPR’), transfers of personal data outside of the EU are restricted to ensure that the level of protection afforded by the GDPR is not undermined. Personal data may only be transferred to a jurisdiction outside the EU (a ‘third country’) or to an international organisation in compliance with certain safeguards and conditions for transfers. Binding Corporate Rules (‘BCRs’) are one way that controllers and processors can comply with the GDPR’s third country data transfer requirements. They are explicitly recognised in the GDPR as a mechanism providing appropriate safeguards for third country data transfers (Articles 46(2)(b) and 47, GDPR).

What are BCRs?

BCRs are legally binding and enforceable internal rules and policies for data transfers within multinational groups of companies, and they work in a way somewhat similar to an internal code of conduct. They allow multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection for personal data as required under the GDPR.

BCRs ensure that all data transfers within a corporate group comply with the GDPR and must contain:

  • data protection principles, such as transparency, data quality, and security;
  • tools of effectiveness (such as audit, training and complaint handling); and
  • an element proving that the BCRs are binding, both internally and externally.

There are two types of BCRs – Controller BCRs and Processor BCRs – and this article focuses on Controller BCRs.

Contact us

Richard Chudzynski

Data Privacy and Protection Legal Leader, PwC Legal Middle East

Tel: +971 56 417 6591