Binding corporate rules (BCR)

Companies may draw up data protection policies for transfers of personal data outside the European Economic Area (EEA). These rules are called ‘binding corporate rules’ (BCR). On this page you can read what you have to take into account if you want to start using BCR.

What is a BCR?

Transfer of personal data outside the EEA can take place between various group of undertakings or enterprises Companies can ensure appropriate safeguards for these data transfers by means of a BCR. The BCRs consists a set of rules on data protection principles and enforceable rights to meet appropriate safeguards for the transfers. These rules have to be legally binding. All parties within the group of companies have to adhere to them.

The BCR have to meet the requirements of the General Data Protection Regulation (GDPR). A leading supervisory authorithy within the European data protection authorities has to approvethe BCR first. In the Netherlands, this is the Dutch Data Protection Authority (Dutch DPA). Next, the European Data Protection Board (EDPB) will provide an Opinion on the BCR in accordance with Article 64 of the GDPR.

Guidance for drawing up BCR

The European data protection authorities have adopted a number of guidelines and recommendations for BCRs. These guidelines make a distinction between information for controllers and for processors.

Information for the controller BCR

The following documents are important for the controller BCR:

Information for the processor BCR

The following documents are important for the processor BCR:

Requirements for your BCR

The minimum requirements for BCR have been set out in:

for the controller BCR:Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR)
for the processor BCR: WP257.

It is your own responsibility to check if other documents are also important to include in your BCR or in the appendices.

Having BCR assessed

Have you drawn up a BCR or amended an existing BCR? And do you want to have it approved by the Dutch DPA?

For assessing a new BCR, the Dutch DPA needs information to determine whether the Dutch DPA is the lead supervisory authority (Lead SA) for your organisation. If so, the Dutch DPA will process your application further.

Have you amended your BCR? Send the new version to the Dutch DPA first, accompanied by a letter in which you specify the amendments and/or additions with an explanation.

Information required for a new BCR

You have to provide the following information:

A substantiation of your request for designating the Dutch DPA as the lead supervisory authority, based on WP263 rev.01.
A completed application form in accordance with Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) (controller) and/or WP265 (processor).
Information about the structure of your group and contact details in accordance with article 47 paragraph 2 AVG.
An explanation to your application in accordance with the Recommendations 1/2022 and/or WP265, in which you have included, among other things, proof of the binding nature of your BCR.
A copy of the BCR.
A completed table in accordance with Recommendations 1/2022 / WP257 rev.01 in which you have included detailed references to the BCR and any supplementary documents. With this, you indicate where the relevant statutory requirements have been included in the BCR.

Note: you have to draw up your documents in English. The Dutch DPA assesses your application and then shares it with the other data protection authorities in the EU. Sometimes, you also have to provide a Dutch translation pursuant to the Dutch General Administrative Law Act.

Submitting an application for the assessment of a new BCR

Send you application by post or email to the Dutch DPA quoting ‘Binding corporate rules’:

Autoriteit Persoonsgegevens
Postbus 93374
2509 AJ DEN HAAG, The Netherlands

Email: dutchinternationaltransfers@autoriteitpersoonsgegevens.nl

How soon the Dutch DPA processes your application depends on the specific BCR. All BCR are different, which makes that there is no standard period.

Is your application incomplete? Then you will be given the opportunity to supplement it. Is your application still incomplete after that? Then the AP may decide not to process your application..

Process for updated BCR

After receiving the updated BCR the Dutch DPA will assess whether there are substantive changes in your BCR. And whether a new approval procedure is necessary.

Is a new procedure not necessary? Then the Dutch DPA will send the new version of your BCR to the other data protection authorities in the EU.
Is a new procedure necessary? Then the Dutch DPA will inform you accordingly. You can then start a new procedure for approval of your amended BCR.

Please note it has been generally agreed on EDPB level, that pre-GDPR BCRs need to undergo a new approval procedure because the changes are deemed substantive.

Co-reviewers

Your BCR will also be assessed by co-reviewers. These are supervisory authorities of other European countries. The lead supervisory authority decides which co-reviewers will be approached. When submitting your BCR, you can state a preference for co-reviewers. The Dutch DPA will take your preference into account where possible.

Back to subject Transfer within and outside the EEA

View also

Back to subject Transfer within and outside the EEA