BCR (Binding Corporate Rules)
Article 47 GDPR — binding corporate data protection rules
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
BCRs are a safeguard instrument for third-country transfers within a corporate group or group of undertakings. They replace SCCs and must be approved by a supervisory authority.
What are BCRs (Binding Corporate Rules)?
Mandatory BCR content (Article 47(2)):
- Structure of the group and member undertakings
- Data categories and processing purposes
- Safeguards for data subject rights
- Liability and sanction rules
- Complaint procedures
- Training obligations
- Audit mechanisms
Approval procedure before the lead supervisory authority — typical duration 18-36 months.
Practical example
A global group with 40 subsidiaries wishes to process worldwide HR data centrally. Concluding SCCs with each recipient would be cumbersome. BCR approval by the BfDI in 2023 enables all intra-group EU-to-non-EU transfers within the corporate group.
Frequently asked questions
What does a BCR cost?
Approval procedure without legal counsel: 50-150k EUR of internal effort. With external advisors: 150-500k EUR. Only economically viable from 1,000+ employees upwards.
Is it sufficient for third-country transfers?
Yes, BCRs replace SCCs for intra-group transfers.
Fine for non-compliance?
Article 83(5)(c) — up to EUR 20 million or 4%.