GDPR Art.46.BCR: Binding Corporate Rules Implementation and Compliance
What This Control Requires
Article 46(2)(b): The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by binding corporate rules in accordance with Article 47.
In Plain Language
Getting BCRs approved is only the beginning. The real work is making them stick across every entity in your corporate group, worldwide. Each entity needs to understand and follow the BCR requirements, staff need proper training, compliance must be audited regularly, and the BCRs themselves need updating as the group evolves.
Coordinating this across a multinational group is genuinely hard. Entities in countries with weak or non-existent data protection regimes need to operate at EU standards, which may be completely unfamiliar territory. The challenge is not just legal - it is cultural. You are embedding data protection practices into operations that may never have thought about these issues before.
Sustaining BCR compliance requires a real governance structure: a central privacy team, local privacy coordinators in each entity, a monitoring programme with regular audits, training and awareness efforts, incident management procedures, and a process for updating BCRs when things change. The BCRs themselves commit you to making audit results available to the competent supervisory authority on request, and the authority can also exercise its own audit powers at any time, so robust documentation is not optional.
How to Implement
Set up a BCR governance structure that spans the entire group. Designate a central BCR coordinator - typically the group DPO or head of privacy - with overall responsibility. Appoint local privacy coordinators in each entity as the on-the-ground contact for BCR matters. Define clear reporting lines, escalation procedures, and communication channels between central and local teams.
Roll out BCRs across all group entities through a structured programme. Create an implementation checklist for each entity covering policy adoption, process alignment, technical measures, training delivery, and documentation. Tackle high-risk entities first (those handling large volumes of personal data or special categories), but make sure every entity reaches compliance. Set milestones and track progress centrally.
Deliver targeted BCR training to all relevant staff. Cover the purpose and content of the BCRs, individual obligations, how to handle personal data properly, data subject rights and how to facilitate them, incident reporting, and where to get help. Tailor the content to different roles and entities, and deliver it in local languages where needed. Run refresher training at least annually.
Implement the audit programme you committed to in the approved BCRs. Audit group entities regularly to verify they actually follow BCR requirements - not just on paper. Cover all entities over a defined cycle, with high-risk entities audited more frequently. Use a consistent methodology and reporting framework. Track findings, require corrective actions, and verify remediation.
Keep the BCRs current. Monitor for changes that trigger updates: new group entities, shifts in processing activities, new regulatory requirements, changes in risk profile. Report all changes to the lead supervisory authority at least annually, and notify it in advance of any substantial change that could affect the level of protection the BCRs provide, since such changes may need fresh approval before they take effect. Make sure every entity is notified of and trained on updates. Maintain version control of the BCRs and all supporting documentation.
Evidence Your Auditor Will Request
- BCR governance structure documentation with designated coordinators
- Implementation progress tracking across all group entities
- BCR training records for staff across the group, including completion rates
- Compliance audit reports covering group entities with findings and remediation
- BCR version control and change records, including amendments reported to the supervisory authority
Common Mistakes
- BCRs approved but not effectively implemented at the entity level across the group
- Insufficient training, leaving staff in non-EEA entities unaware of their BCR obligations
- Compliance audit programme not delivered as committed in the BCRs
- BCR governance structure exists on paper but lacks resources and authority
- Material changes in the group not reflected in updated BCRs or reported to the supervisory authority
Frequently Asked Questions
How often must we audit BCR compliance across group entities?
What happens when a new entity joins the group?
Can an entity be excluded from the BCRs?