Binding corporate rules (BCRs) for intra-group transfers
BCRs are a global set of internal rules based on European privacy standards that a multinational group adopts voluntarily and a regulator approves, to legitimise intra-group transfers. Developed by EU DPAs in 2003, BCRs are now expressly in the GDPR for both controllers and processors. They are approved via the consistency mechanism, must be legally binding and confer enforceable rights on data subjects, and must contain a long list of specified elements.
Intra-group exports face the same rules as exports outside the group, but a web of contracts between subsidiaries is impractical. BCRs - devised by EU DPAs in 2003 (originating in WP29's WP 74) - are a flexible, tailor-made solution. They are voluntarily adopted by the group and approved by regulators. The GDPR makes them available to both controllers and processors.
DPAs must approve BCRs via the consistency mechanism, provided the rules are legally binding and expressly confer enforceable rights on data subjects. DPA cooperation evolved into a mutual recognition process that is now built into the GDPR (see WP 263). The elements BCRs must specify include at least:
- Structure and contact details of the group and its members
- The transfers: categories of data, processing types and purposes, data subjects, and third countries involved
- Their legally binding nature, internally and externally
- Application of the general principles (purpose limitation, data minimisation, storage limits, security, data protection by design and default, onward-transfer rules)
- Data subjects' rights and the means to exercise them, including complaints and redress
- An EU-based member's acceptance of liability for breaches by non-EU members
- Complaint procedures, compliance verification, DPO tasks, training, and cooperation with the supervisory authority
BCRs are scrutinised against WP 256 (Controller BCRs) and WP 257 (Processor BCRs), which DPAs use as a rigorous checklist.