{{Short description|Standard European data protection protocol for global use}} '''Binding corporate rules''' ('''BCRs''') allow multinational [[corporation]]s, international organizations, and groups of companies to make intra-organizational transfers of [[personal data]] across borders in compliance with EU [[Data Protection Directive|Data Protection Law]]. BCRs, developed by the [[European Union]]'s [[Article 29 Working Party]] (today the [[European Data Protection Board]]), provide a framework for having different elements (internal legal agreements, policies, trainings, audits, etc.) that allow compliance with [[General Data Protection Regulation|EU data protection regulations]] and privacy protection principles. The BCRs were developed as an alternative to the "standard contractual clauses" (SCCs), which apply in cases where more than one organisation contracts for the transfer of personal data,<ref>{{cite web |title=Standard Contractual Clauses (SCC) |url=https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en |website=European Commission |access-date=11 April 2022}}</ref> and the now defunct U.S. [[Department of Commerce]]'s EU [[International Safe Harbor Privacy Principles|Safe Harbor]] (which was for US organizations only, but has been declared invalid).

==Approval== BCRs are required to be approved by the [[national data protection authority|data protection authority]] in each EU member state (such as the [[Commission nationale de l'informatique et des libertés|CNIL]] in France and [[Spanish Data Protection Agency|AEPD]] in Spain) in which the organization will rely on the BCRs.<ref>{{cite web |title=Binding Corporate Rules (BCR) |url=https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en |website=European Commission |access-date=11 April 2022}}</ref> The EU has developed a mutual recognition process under which BCRs approved by one member state's data protection authority (known as the "lead" authority) and two other "co-lead" authorities, may be approved by the other relevant member states who may make comments and ask for amendments.<ref>{{cite web |last1=Dumont |first1=David |last2=Pateraki |first2=Anna |title=A Guide for Binding Corporate Rules |url=https://www.huntonak.com/images/content/7/3/v2/73646/a-guide-for-binding-corporate-rules.pdf |website=huntonak.com |publisher=Bloomberg Law |access-date=11 April 2022}}</ref> Other members states, not part of mutual recognition process, will be also involved by the lead authority and will apply their independent review process within a limited time-frame. The overall process for BCR acceptance takes usually between 6 and 9 months. This time frame does not include the required Data Protection setup, which should be implemented within the company to comply with the current directive and its local implementation.

BCRs typically form stringent, intra-corporate global privacy policies, set of practices, processes and guidelines that satisfy EU standards and may be available as an alternative means of authorizing transfers of personal data (e.g., customer databases, HR information, etc.) outside of Europe. BCRs are considered the most "robust" and accepted regime for data transfers.<ref>{{cite web |last1=Feiler |first1=Lukas |last2=Seinen |first2=Wouter |title=BCRs as a robust alternative to Privacy Shield and SCCs |url=https://iapp.org/news/a/binding-corporate-rules-as-a-robust-alternative-to-privacy-shield-and-sccs/ |website=[[International Association of Privacy Professionals]] |access-date=11 April 2022}}</ref>

The United Kingdom continues (post-[[Brexit]]) to allow BCRs "to provide appropriate safeguards for making restricted transfers" subject to Article 47 of the [[UK GDPR]]. UK BCR's are subject to approval granted by the [[Information Commissioner's Office]].<ref>Information Commissioner's Office, [https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/guide-to-binding-corporate-rules/ Guide to Binding Corporate Rules], last updated on 19 December 2023, accessed on 4 February 2026</ref>

It has to be noticed that, while originally designed for providing legal ground to international transfers, BCRs became de facto a corporation demonstration of its capacity to comply "at large" with personal data processing requirements. A corporation having BCRs applies this framework independently of international transfers and should be seen as part of the "Corporate Governance" or "Data Governance".{{fact|date=April 2022}}

==References== {{reflist}}

== External links == *[[European Commission]], [https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en Binding Corporate Rules (BCR)] * https://edpb.europa.eu/our-work-tools/accountability-tools/bcr_en

[[Category:European Union data protection law]] [[Category:International business]] [[Category:Privacy law]]