Insights Binding Corporate Rules: UK Information Commissioner’s Office (“ICO”) publishes consultation on Addendum to EU BCRs


Under UK GDPR, the export of personal data to a recipient located in a third country or international organisation is restricted due to the potential risks posed by personal data being processed outside the UK. Such “restricted transfers” can only take place under certain circumstances such as when the transfer is made to a country which the UK deems to have adequate protection for personal data or, in the absence of such an adequacy decision, where the controller or processor of the data has provided appropriate safeguards together with enforceable rights and legal remedies for data subjects. Appropriate safeguards include the use of contractual approaches by means of standard data protection clauses (known as “standard contractual clauses”) or the use of binding corporate rules (“BCRs”). BCRs, which must be approved in each case by the ICO, are designed for use for data transfers by multinational corporate groups, or a group of enterprises engaged in a joint economic activity (e.g. franchise). EU GDPR provides equivalent mechanisms, such as Standard Contractual Clauses and BCRs, for the transfer of personal data outside of the EU. Some UK organisations will have data processing operations which fall under both regimes.

The ICO has published a draft template Addendum to BCRs which would allow an organisation’s BCRs approved under EU GDPR to satisfy the BCR requirements under UK GDPR (“UK BCR Addendum”). In each case, the Addendum would consist of:

  • the organisation’s approved EU BCRs;
  • an addendum containing terms which extend those EU BCRs to include UK restricted transfers; and
  • a BCR summary containing information for relevant data subjects, such as a brief description of the types of data being transferred, the types of processing and countries to which the data will be transferred.

ICO approval is still required for the use of the UK BCR Addendum if it is to form a set of binding corporate rules that comply with UK GDPR.

The Addendum should reduce compliance burdens as organisations operating in the UK and the EU would only need to put in place and maintain the EU BCRs and the UK BCR Addendum, rather than two separate sets of BCRs. According to reports, the UK BCR Addendum and associated guidance is due to be published soon.

For access to the draft UK BCR Addendum, click here.