Binding corporate rules (BCR)

Companies may draw up data protection policies for transfers of personal data outside the European Economic Area (EEA). These rules are called ‘binding corporate rules’ (BCR). On this page you can read what you have to take into account if you want to start using BCR.

On this page

What is a BCR?

Transfer of personal data outside the EEA can take place between various group of undertakings or enterprises. Companies can ensure appropriate safeguards for these data transfers by means of a BCR. The BCRs consists a set of rules on data protection principles and enforceable rights to meet appropriate safeguards for the transfers. These rules have to be legally binding. All parties within the group of companies have to adhere to them.

The BCR have to meet the requirements of the General Data Protection Regulation (GDPR).  A leading supervisory authorithy within  the European data protection authorities has to approvethe BCR first. In the Netherlands, this is the Dutch Data Protection Authority (Dutch DPA). Next, the  European Data Protection Board (EDPB) will provide an Opinion on the BCR in accordance with Article 64 of the GDPR. 

Guidance for drawing up  BCR

The European data protection  authorities have adopted a number of guidelines and recommendations for BCRs. These guidelines make a distinction between information for controllers and for processors.

Information for the controller BCR

The following documents are important for the controller BCR:

Information for the processor BCR

The following documents are important for the processor BCR:

Requirements for your BCR

The minimum requirements for BCR have been set out in:

It is your own responsibility to check if other documents are also important to include in your BCR or in the appendices.

Having BCR assessed

Have you drawn up a BCR or amended an existing BCR? And do you want to have it approved by the Dutch DPA?

For assessing a new BCR, the Dutch DPA needs information to determine whether the Dutch DPA is the lead supervisory authority (Lead SA) for your organisation. If so, the Dutch DPA will process your application further.

Have you amended your BCR? Send the new version to the Dutch DPA first, accompanied by a letter in which you specify the amendments and/or additions with an explanation.

Information required for a new BCR

You have to provide the following information:

Submitting an application for the assessment of a new BCR

 Send you application by post or email to the Dutch DPA quoting ‘Binding corporate rules’:

Autoriteit Persoonsgegevens
Postbus 93374
2509 AJ DEN HAAG, The Netherlands

Email: dutchinternationaltransfers@autoriteitpersoonsgegevens.nl

How soon the Dutch DPA processes your application depends on the specific BCR. All BCR are different, which makes that there is no standard period.

Is your application incomplete? Then you will be given the opportunity to supplement it. Is your application still incomplete after that? Then the AP may decide not to process your application..

Process for updated BCR

After receiving the updated BCR the Dutch DPA will assess whether there are substantive changes in your BCR. And whether a new approval procedure is necessary.

  • Is a new procedure not necessary? Then the Dutch DPA will send the new version of your BCR to the other data protection authorities in the EU.
  • Is a new procedure necessary? Then the Dutch DPA will inform you accordingly. You can then start a new procedure for approval of your amended BCR.

    Please note it has been generally agreed on EDPB level, that pre-GDPR BCRs need to undergo a new approval procedure because the changes are deemed substantive. 

Co-reviewers

Your BCR will also be assessed by co-reviewers. These are supervisory authorities of other European countries. The lead supervisory authority decides which co-reviewers will be approached. When submitting your BCR, you can state a preference for co-reviewers. The Dutch DPA will take your preference into account where possible.