Guide to Binding Corporate Rules
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Latest updates - last updated 19 December 2023
19 December 2023 - We have updated the Guide to Binding Corporate Rules to include detail about our new UK BCR Addendum.
25 July 2022 - new guidance, application forms and tables for data controllers and processors released.
The concept of using binding corporate rules (BCRs) to provide appropriate safeguards for making restricted transfers was developed under EU law and continues to be part of UK law under the UK GDPR, specifically, Article 47.
You can make a restricted transfer within an international organisation if both you and the receiver have signed up to approved BCRs. UK BCRs are approved by the Commissioner under Article 58.3(j).
BCRs are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships.
You can choose to have UK BCRs which are formed by:
- (A) the UK BCR Addendum; or
- (B) bespoke UK BCR documentation approved by the ICO in the traditional way (for controllers and processors).
Both options provide appropriate safeguards under the UK GDPR.