Binding Corporate Rules (BCRs)
Internal data protection policies adopted by multinational groups to enable intra-group transfers of personal data outside the EU under approved frameworks.
## What BCRs actually are
Binding Corporate Rules (BCRs) are internal data protection policies adopted by multinational corporate groups to enable transfers of personal data between group entities outside the EU. BCRs are a transfer mechanism under GDPR Article 47, alongside adequacy decisions, Standard Contractual Clauses (SCCs), and derogations.
Where SCCs are contractual templates between two parties, BCRs are comprehensive internal codes adopted by an entire multinational group. Once approved by EU regulators, BCRs allow data flows across all group entities globally — providing legal basis for transfers without per-transfer SCC execution.
## How BCRs work
BCR adoption involves several stages:
### 1. Drafting
The multinational group drafts comprehensive data protection rules covering:
- Application to all group entities
- Data subject rights enforceable globally
- Data protection principles (purpose limitation, accuracy, security, etc.)
- Procedures for handling data subject complaints
- Audit and monitoring mechanisms
- Cooperation with EU data protection authorities
- Liability and remedies for violations
### 2. Submission for approval
The group submits proposed BCRs to a "lead supervisory authority" — typically the data protection authority in the EU member state where the group has its main establishment. The lead authority coordinates approval with other affected DPAs.
### 3. Approval process
The approval process includes:
- Initial review by lead authority
- Cooperation with other concerned DPAs through EDPB consultation
- Resolution of any objections from other DPAs
- Final approval (typically takes 12-18 months)
- Public listing on EDPB website
### 4. Implementation
Once approved, the BCRs become binding internal rules across all group entities. Implementation requires:
- Communication to all affected employees and entities
- Training on BCR requirements
- Modification of internal processes to comply
- Monitoring and audit programs
- Periodic review and updates
## Two types of BCRs
GDPR distinguishes two BCR variants:
### Controller BCRs (BCR-C)
For groups where the EU entity acts as data controller and the group transfers data to non-EU group entities that also act as controllers. This is the most common variant for groups handling internal employee data, intra-group business operations, etc.
### Processor BCRs (BCR-P)
For groups providing data processing services to external customers, where group entities outside the EU act as processors. Used by major cloud providers and SaaS companies offering services to EU customers.
The approval process is similar for both types but the substantive content differs based on the role.
## Why BCRs exist
BCRs were created to address a specific challenge: multinational corporate groups doing many cross-border data transfers found per-transfer SCC execution operationally cumbersome. BCRs allow:
- One-time approval for the entire group's intra-group transfers
- Consistency in data protection across global operations
- Reduced per-transfer compliance overhead
- Stronger data subject rights through binding internal commitments
For multinational groups with complex global operations, BCRs are typically more efficient than SCC execution between every group entity pair.
## Who actually uses BCRs
BCRs are typically appropriate for:
### Major US-headquartered tech companies with EU operations
Microsoft, Google, Amazon, Salesforce, IBM, Oracle, and many others have BCRs for both controller (employee data) and processor (customer data) purposes. BCRs allow these groups to transfer data efficiently between US headquarters and EU subsidiaries.
### European multinationals with global operations
Companies like Siemens, SAP, Bosch, Volkswagen, BNP Paribas, ING, and others have BCRs for intra-group transfers to subsidiaries worldwide.
### Asian multinationals with European operations
Companies like Toyota, Sony, Tata Group, and others use BCRs for intra-group transfers between Asia, Europe, and other regions.
For SMEs and most smaller European businesses, BCRs are typically not appropriate — the approval process overhead is too high relative to transfer volume.
## BCRs and Schrems II
The Schrems II ruling didn't directly invalidate BCRs but created important implications:
### BCRs face TIA-equivalent assessment
Even with approved BCRs, transfers to specific destinations require an assessment, equivalent to a Transfer Impact Assessment (TIA), of whether local legal frameworks undermine BCR protections. If a destination country's surveillance laws can compel data disclosure regardless of BCR provisions, the BCRs may not provide adequate protection.
### Approved BCRs need updating
BCRs approved before Schrems II generally need updates to reflect post-ruling requirements:
- TIA-equivalent assessment provisions
- Supplementary measures consideration
- Updated procedures for handling government data access requests
- Enhanced transparency about cross-border transfers
Most major BCRs were updated during 2021-2024.
### BCRs alone aren't sufficient for high-risk destinations
For countries with extensive surveillance laws (US, China, Russia), BCRs alone don't fully address Schrems II concerns. BCRs combined with supplementary measures (encryption, access controls, etc.) are required, as is the case with SCCs.
## What approved BCRs typically include
Comprehensive BCR documents typically span 50-100+ pages covering:
- Group structure and entities covered
- Data categories and processing purposes
- Data protection principles
- Data subject rights
- Security measures
- Transparency and information requirements
- Complaint handling procedures
- Cooperation with DPAs
- Liability and remedies
- Audit and monitoring
- Training programs
- Periodic review processes
- Treatment of government data requests
The substantive content is heavily prescribed by EDPB BCR guidelines, with limited flexibility.
## BCRs vs SCCs
For organizations choosing between BCRs and SCCs:
| Factor | BCRs | SCCs |
|---|---|---|
| **Coverage** | Intra-group only | Any external recipient |
| **Setup time** | 12-18 months approval | Immediate (sign templates) |
| **Setup cost** | Substantial (legal, process, training) | Minimal |
| **Ongoing compliance** | Distributed across group | Per-transfer documentation |
| **Best for** | Multinational groups with many internal transfers | Single transfers or smaller volumes |
| **Update process** | Requires re-approval | Update template versions |
For multinational groups, BCRs are the better choice once volume justifies the setup cost. For most European businesses, SCCs are simpler.
## What 2026-2027 brings
Several developments affect BCR practice:
### EDPB BCR guidance updates
The European Data Protection Board periodically updates BCR guidelines. Updates incorporating Schrems II implications, AI Act intersections, and current best practices are ongoing.
### Possible Schrems III implications
If the EU-US Data Privacy Framework is invalidated, BCR-based transfers from the EU to the US become operationally critical. Demand for US-side BCR adoption may increase.
### Cross-border procedural harmonization
The proposed GDPR procedural regulation may streamline BCR approval processes, reducing the current 12-18 month timeline.
### Enforcement priorities
DPAs are increasingly examining BCR implementation effectiveness rather than just BCR existence. Approved BCRs that aren't actually implemented face enforcement risk.
## Practical implications
For European businesses considering BCRs:
### When BCRs make sense
- Multinational group with 5+ countries of operation
- Significant intra-group personal data flows
- Long-term commitment to current corporate structure
- Resources for 12-18 month approval process plus ongoing compliance
### When BCRs don't make sense
- Smaller organizations with limited cross-border data flows
- Frequent corporate restructuring
- Limited compliance resources
- Primarily transfers to/from external partners (use SCCs instead)
### For organizations using vendors with BCRs
When selecting US-based vendors, BCR approval is one favorable factor. Vendors with approved BCRs typically have stronger overall data protection processes than those without. However, BCRs alone don't fully address Schrems II concerns; vendor BCRs should be combined with a TIA of the specific use cases.
## The strategic context
BCRs reflect a particular era of data protection compliance — the assumption that comprehensive corporate self-regulation can substitute for legal jurisdiction differences. Schrems II called this assumption into question.
The current direction of European data protection thinking favors structural solutions (EU-resident processing, sovereign cloud) over corporate compliance frameworks. BCRs remain useful but are increasingly one tool among several rather than the primary answer.
For European businesses planning data protection strategy through 2027 and beyond, BCRs are appropriate where they fit but shouldn't be over-relied upon. The architectural answer increasingly is choosing [EU-resident providers](/en/compliance/eu-data-residency/) where possible, supplemented by BCRs/SCCs for the residual non-EU footprint.