GDPR Art. 47: Binding Corporate Rules
What This Control Requires
The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they: (a) are legally binding and apply to and are enforced by every member of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees; (b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and (c) fulfil the requirements laid down in paragraph 2.
In Plain Language
For multinational groups that routinely move personal data between entities across borders, Binding Corporate Rules offer a single, group-wide transfer framework. BCRs are internal rules adopted by the corporate group that set a global standard for processing and transferring personal data, ensuring GDPR-equivalent protection everywhere in the group, regardless of where the data is processed.
BCRs must be legally binding on every group member and enforceable by data subjects. Article 47(2) spells out what they need to cover: group structure and contact details, the transfers in scope, the binding nature of the rules, how GDPR principles are applied, data subject rights and how to exercise them, the organisation's liability for violations, how compliance is demonstrated to supervisory authorities, complaint handling, and the duty of group members to cooperate with authorities.
Getting BCRs approved means going through the lead supervisory authority and the consistency mechanism - a process that typically takes 12 to 24 months and requires significant investment. Once approved, though, BCRs give you a flexible framework for intra-group transfers without needing individual SCCs between each pair of group entities.
How to Implement
First, decide whether BCRs make sense for your organisation. They suit large multinationals with frequent, complex intra-group transfers across many jurisdictions. Weigh the number of transfers involved, the resources the approval process demands, ongoing compliance obligations, and whether the investment is proportionate compared to simply using SCCs for each transfer.
If you proceed, draft comprehensive rules covering every element in Article 47(2): group structure and contacts, scope of transfers, the binding nature of the rules, application of GDPR principles (lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity, security), data subject rights including complaints and remediation, acceptance of liability by the EEA-established entity for violations by non-EEA members, and mechanisms for staff training and compliance auditing.
Engage your lead supervisory authority early. Identify which authority leads based on your main establishment location. Most authorities publish guidance on the BCR application process, required documentation, and expected timelines. Bring in specialist legal counsel with BCR experience - the EDPB referential documents detail exactly what BCRs must contain, and getting the initial submission right saves months.
Start implementing the BCRs across the group before and during the approval process. Formally adopt them as binding policy in every entity. Train all relevant staff. Set up the data subject rights mechanisms and complaint procedures. Establish the compliance audit programme. Designate a BCR contact point and build a privacy coordinator network across the group.
After approval, keep the BCRs current. Report material changes to the lead supervisory authority. Run compliance audits on the schedule committed in the BCRs. Update the rules when the group structure, processing activities, or legal requirements change. Maintain records of all monitoring and compliance activities for accountability.
Evidence Your Auditor Will Request
- Approved Binding Corporate Rules with supervisory authority approval documentation
- Evidence of BCR implementation across all group entities
- Staff training records on BCR requirements and obligations
- Compliance audit reports for BCR adherence
- Records of BCR updates and notifications to supervisory authority
Common Mistakes
- BCRs approved but not effectively implemented across all group entities
- No regular compliance auditing of BCR adherence as required by the rules
- Material changes to the group structure or processing not reflected in updated BCRs
- Data subject rights mechanisms under the BCRs not functioning effectively
- Staff in non-EEA entities unaware of or not trained on BCR obligations
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| ISO 27001 | A.5.34 | Related |
Frequently Asked Questions
How long does the BCR approval process take?
Do we still need SCCs if we have approved BCRs?
Can BCRs cover processor-to-processor transfers?