What are BCRs?
Binding Corporate Rules (BCRs) are internal data protection rules adopted by multinational groups to legitimise intra-group transfers of personal data from the EU/EEA to third-country group entities (GDPR Article 47). BCRs require approval by the competent lead supervisory authority and EDPB review under the consistency mechanism. BCRs are particularly suited to large groups with frequent intra-group transfers and a mature data governance function.
Two BCR types
- BCR-C (Controller): for intra-group controller-to-controller transfers.
- BCR-P (Processor): for service-provider groups acting as processor on behalf of external controllers.
BCR content requirements (Article 47(2))
- Structure and contact details of the group.
- Data transfers (categories, purposes, recipients, third countries).
- Binding nature internally and externally.
- Application of data protection principles.
- Data subject rights and enforceability.
- Acceptance by an EU entity of liability for non-EU breaches.
- Training and audit programmes.
- Cooperation duties with DPAs.
BCR vs. SCC
- BCR: intra-group transfers only; high upfront investment (12-24 month approval); strong reputational signal.
- SCC: contractual; faster to deploy; suited to inter-organisation transfers.
For Turkish companies
For BCR approval, the Turkish group company must have an EU-linked group member (in the lead SA's jurisdiction). BCRs cannot be applied to purely Turkey-based groups; in that case an SCC + TIA + KVKK compliance framework is used. The KVKK Board has not defined a structure directly equivalent to BCRs; however, the Board accepts the term "binding corporate rules" ("bağlayıcı şirket kuralları") with reference to the EU.
Do: consider BCRs for groups with significant intra-group EEA-to-third-country flows; engage lead SA early; budget 18-24 months.
Don’t: use BCRs for one-off vendor relationships — they are designed for ongoing intra-group transfers.