Understanding Binding Corporate Rules

January 2013

Binding corporate rules (BCRs) essentially provide certain rights to employees and other categories of data subjects. In order to use BCRs, a company must appoint a lead data protection authority in the EU who will "broker" the BCRs to their various counterpart data protection supervisory authorities across the EU. The lead data protection authority will therefore gain clearance for the BCRs from all of the other relevant EU data protection authorities.

In order to be effective, the BCRs will need to be legally binding on all members of the data controller group seeking to use this solution. The individuals whose personal data is being processed will be able to enforce compliance with the rules as they will have become third-party beneficiaries due to the legal enforceability of the rules.

Some of the main advantages and disadvantages of BCRs are outlined below:


  • BCRs represent an ongoing and tailored single solution for the whole group (or for as wide or narrow a part of it as the group wishes to seek approval for).
  • Once approved by the relevant EU regulators, personal data of those data subjects covered by the BCRs can flow freely within the group entities subject to BCRs.
  • BCRs avoid the need for numerous contracts within the corporate group covering different transfers of data.
  • One national authority can be used, which will clear the BCRs with all the other national data protection authorities. This avoids the need to "clear them" with each national authority.

Key EU documents and opinions on BCR

| Date adopted | Working party document number | Provisions |
| --- | --- | --- |
| June 3, 2003 | WP 74 | The concept of using BCRs was devised by the Art 29 Working Party and set out in this document. |
| April 14, 2005 | WP 107 | Explains the co-ordinated approval mechanism: where a code is submitted for approval by the data protection authorities and how they cooperate to come to an opinion on the code. |
| April 14, 2005 | WP 108 | This model checklist describes the required content of an application complying with WP 74. |
| January 10, 2007 | WP 133 | Standard BCR application form based on the checklist in WP 108. |
| June 24, 2008 | WP 153 | Sets out the key elements that must be incorporated into BCR. |
| June 24, 2008 | WP 154 | Sets out an example of a BCR structure containing all of the elements of WP 74 and WP 108. |
| June 24, 2008; revised and adopted January 21, 2009 | WP 155 | Sets out frequently asked questions based on the experience of previous BCR applications. |
| June 6, 2012 | WP 195 | Sets out the requirements for BCRs for data processors (available for use from 1 January 2013). |

See our summary of BCRs for Processors


  • They are still a very new concept and only a select few entities have achieved BCR approval, although interest is growing stronger.
  • The time period taken to obtain clearance from all the authorities can be considerable.
  • If they are used, there is a requirement that they are underpinned by a detailed compliance and audit programme. This could place additional demands on internal resources in respect of both costs and time.
  • The BCRs may offer data subjects in certain countries additional protection over and above that which is provided under local laws.
  • If the group structure regularly changes, the effectiveness of using BCRs may diminish, which raises clearance issues for any subsequent changes.

See our summary of adequacy solutions table.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Vinod Bange


Sally Annereau

Lucy Lyons

Vinod, Sally and Lucy look at how BCRs are used in practice to deliver a lawful basis for personal data transfers.