Binding corporate rules (BCR)
Companies may draw up data protection policies for transfers of personal data outside the European Economic Area (EEA). These rules are called ‘binding corporate rules’ (BCR). On this page you can read what you have to take into account if you want to start using BCR.
On this page
What is a BCR?
Transfer of personal data outside the EEA can take place between various group of undertakings or enterprises. Companies can ensure appropriate safeguards for these data transfers by means of a BCR. The BCRs consists a set of rules on data protection principles and enforceable rights to meet appropriate safeguards for the transfers. These rules have to be legally binding. All parties within the group of companies have to adhere to them.
The BCR have to meet the requirements of the General Data Protection Regulation (GDPR). A leading supervisory authorithy within the European data protection authorities has to approvethe BCR first. In the Netherlands, this is the Dutch Data Protection Authority (Dutch DPA). Next, the European Data Protection Board (EDPB) will provide an Opinion on the BCR in accordance with Article 64 of the GDPR.
Guidance for drawing up BCR
The European data protection authorities have adopted a number of guidelines and recommendations for BCRs. These guidelines make a distinction between information for controllers and for processors.
Information for the controller BCR
The following documents are important for the controller BCR:
- Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR)
Note: This document replaces the earlier WP256 and WP264. - WP74:
Transfers of personal data to third countries: Applying Article 26 (2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers - WP108:
Establishing a Model Checklist Application for Approval of Binding Corporate Rules - WP154:
Setting up a framework for the structure of Binding Corporate Rules - WP155:
Frequently Asked Questions (FAQs) related to Binding Corporate Rules - WP263: Setting Forth a Co-Operation Procedure for the approval of “Binding Corporate Rules” for controllers and processors under the GDPR
Information for the processor BCR
The following documents are important for the processor BCR:
- WP257:
Setting up a table with the elements and principles to be found in Processor Binding Corporate Rules - WP265: Recommendation on the Standard Application form for Approval of Processor Binding Corporate Rules for the Transfer of Personal Data
- WP204:
Explanatory Document on the Processor Binding Corporate Rules - WP108:
Establishing a Model Checklist Application for Approval of Binding Corporate Rules - WP154:
Setting up a framework for the structure of Binding Corporate Rules - WP155:
Frequently Asked Questions (FAQs) related to Binding Corporate Rules - WP263: Setting Forth a Co-Operation Procedure for the approval of “Binding Corporate Rules” for controllers and processors under the GDPR
Requirements for your BCR
The minimum requirements for BCR have been set out in:
- for the controller BCR:Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR)
- for the processor BCR: Setting up a table with the elements and principles to be found in Processor Binding Corporate Rules.
It is your own responsibility to check if other documents are also important to include in your BCR or in the appendices.
Having BCR assessed
Have you drawn up a BCR or amended an existing BCR? And do you want to have it approved by the Dutch DPA?
For assessing a new BCR, the Dutch DPA needs information to determine whether the Dutch DPA is the lead supervisory authority (Lead SA) for your organisation. If so, the Dutch DPA will process your application further.
Have you amended your BCR? Send the new version to the Dutch DPA first, accompanied by a letter in which you specify the amendments and/or additions with an explanation.
Information required for a new BCR
You have to provide the following information:
- A substantiation of your request for designating the Dutch DPA as the lead supervisory authority, based on Setting Forth a Co-Operation Procedure for the approval of “Binding Corporate Rules” for controllers and processors under the GDPR.
- A completed application form in accordance with Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) (controller) and/or WP265 (processor).
- Information about the structure of your group and contact details in accordance with article 47 paragraph 2 AVG.
- An explanation to your application in accordance with the Recommendations 1/2022 and/or Recommendation on the Standard Application form for Approval of Processor Binding Corporate Rules for the Transfer of Personal Data, in which you have included, among other things, proof of the binding nature of your BCR.
- A copy of the BCR.
- A completed table in accordance with Recommendations 1/2022 / Setting up a table with the elements and principles to be found in Processor Binding Corporate Rules in which you have included detailed references to the BCR and any supplementary documents. With this, you indicate where the relevant statutory requirements have been included in the BCR.
Note: you have to draw up your documents in English. The Dutch DPA assesses your application and then shares it with the other data protection authorities in the EU. Sometimes, you also have to provide a Dutch translation pursuant to the Dutch General Administrative Law Act.
Submitting an application for the assessment of a new BCR
Send you application by post or email to the Dutch DPA quoting ‘Binding corporate rules’:
Autoriteit Persoonsgegevens
Postbus 93374
2509 AJ DEN HAAG, The Netherlands
Email: dutchinternationaltransfers@remove-this-text.autoriteitpersoonsgegevens.nl
How soon the Dutch DPA processes your application depends on the specific BCR. All BCR are different, which makes that there is no standard period.
Is your application incomplete? Then you will be given the opportunity to supplement it. Is your application still incomplete after that? Then the AP may decide not to process your application..
Process for updated BCR
After receiving the updated BCR the Dutch DPA will assess whether there are substantive changes in your BCR. And whether a new approval procedure is necessary.
- Is a new procedure not necessary? Then the Dutch DPA will send the new version of your BCR to the other data protection authorities in the EU.
- Is a new procedure necessary? Then the Dutch DPA will inform you accordingly. You can then start a new procedure for approval of your amended BCR.
Please note it has been generally agreed on EDPB level, that pre-GDPR BCRs need to undergo a new approval procedure because the changes are deemed substantive.
Co-reviewers
Your BCR will also be assessed by co-reviewers. These are supervisory authorities of other European countries. The lead supervisory authority decides which co-reviewers will be approached. When submitting your BCR, you can state a preference for co-reviewers. The Dutch DPA will take your preference into account where possible.