Latest updates - last updated 19 December 2023
19 December 2023 - We have updated the Guide to Binding Corporate Rules to include detail about our new UK BCR Addendum.
25 July 2022 - new guidance, application forms and tables for data controllers and processors released.
The concept of using binding corporate rules (BCRs) to provide appropriate safeguards for making restricted transfers was developed under EU law and continues to be part of UK law under the UK GDPR, specifically, Article 47.
You can make a restricted transfer within an international organisation if both you and the receiver have signed up to approved BCRs. UK BCRs are approved by the Commissioner under Article 58.3(j).
BCRs are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships.
You can choose to have UK BCRs which are formed by:
- (A) the UK BCR Addendum; or
- (B) bespoke UK BCR documentation approved by the ICO in the traditional way (for controllers and processors).
Both options provide appropriate safeguards under the UK GDPR.