Binding corporate rules are internal rules for data transfers within multinational companies. An important distinction is that binding corporate rules are put in place between linked companies, for example subsidiaries in different countries, rather than through a commercial contract, which would instead be protected by standard contractual clauses.
Binding corporate rules are similar to a code of conduct. They allow multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection.
Binding corporate rules ensure that all data transfers within a corporate group are safe. They must be approved by a supervisory authority and they must contain:
- privacy principles, such as transparency, data quality, and security
- tools of effectiveness (such as audit, training, or complaint handling systems)
- an element proving that the rules are binding
The approval of binding corporate rules can be both complex and lengthy, so if they are not currently in place, it is unlikely that an organisation will be able to rely on them to protect a transfer to a third country.
To learn more about how to apply for the approval of binding corporate rules, please read this guidance: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/binding-corporate-rules_en