Binding Corporate Rules (BCRs)
Produced in partnership with Fieldfisher LLP
Binding Corporate Rules (BCRs)

The following Information Law guidance note Produced in partnership with Fieldfisher LLP provides comprehensive and up to date legal information covering:

  • Binding Corporate Rules (BCRs)
  • Development of BCRs
  • Uptake and applications
  • Planning and implementing BCRs
  • Reliability of BCRs
  • Executive level/stakeholder buy-in
  • The role of BCR Lead
  • Co-operation Procedure
  • Preparing the application
  • Who are the rules binding on and in what format?
  • more

Brexit: On 31 January 2020, the UK ceased to be an EU Member State and entered an implementation period, during which it continues to be subject to EU law. During this period, the GDPR applies in the UK and the UK generally continues to be treated as an EU (and EEA) state for EEA and UK data protection law purposes. Any references to EEA or EU states in this Practice Note should therefore be read to also include the UK until the end of the implementation period. For further guidance on that period, its duration and the data protection laws that are anticipated to apply after the end of it, see Practice Note: Brexit—implications for data protection.

The General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR), like its predecessor Directive 95/46/EC (the Data Protection Directive), only allows for the transfer of personal data outside of the EEA on condition that there are appropriate measures in place to ensure that the level of data protection, where the transfer is made to, is essentially equivalent to that provided under the GDPR.

However, in certain circumstances, a restricted international transfer may be permitted where the transfer is:

  1. based on an adequacy decision

  2. subject to appropriate safeguards, or

  3. in accordance with specific derogations

Binding Corporate Rules (BCRs) are one mechanism that allow for data transfers outside of