Binding corporate rules for processors
Binding corporate rules (BCRs) are internal, legally binding data protection rules adopted by multinationals. The original BCR model applied only where a company was a controller; the WP29 and then the GDPR extended it to processors. Unlike Commission SCCs, processor BCRs can be tailored to the provider's practices. A group with entities or processing outside the EEA undertakes to abide by BCR standards adapted to its processor role; such providers become safe processors regardless of location. Processor BCRs add a direct redress route to the processor for data subjects.
Binding corporate rules are internal, legally binding rules based on European standards, encouraged by EU DPAs as a flexible way to legitimise global processing. The original model applied only to controllers. The WP29 began extending it to processors, and the GDPR explicitly recognised that BCRs may be adhered to by a controller or a processor.
Unlike the Commission's SCCs, processor BCRs can be tailored to the provider's own practices. A group with entities or means of processing outside the EEA undertakes to abide by BCR standards adapted to its processor role. Those providers become safe processors irrespective of geographical location, letting their customers overcome the transfer restriction. For data subjects, processor BCRs add a direct redress route to the processor, an extra layer over the SCCs.
| Feature | Processor BCRs | SCCs |
|---|---|---|
| Origin | Tailored internal rules of the provider | Standard clauses adopted by the Commission |
| Flexibility | Can be tailored to the provider's practices | Fixed wording (modular but standard) |
| Outcome | Provider becomes a 'safe processor' regardless of location | Appropriate safeguards for a specific transfer |
| Redress for data subjects | Direct redress route to the processor | Safeguards, but no direct processor-BCR redress layer |