Information Commissioner’s Office publishes new guidance on binding corporate rules (BCRs), as well as new application forms and tables for data controllers and processors


The updated guidance on BCRs supersedes all previous guidance and documents.

The concept of using BCRs to provide adequate safeguards for making restricted transfers was developed under EU law and continues to be part of UK law under Article 47 of the UK GDPR.

A restricted transfer can be made within an international organisation if both parties have signed up to approved BCRs. UK BCRs are approved by the Commissioner under Article 58(3)(j) of the UK GDPR.

BCRs are intended for use by multinational corporate groups, groups of undertakings or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships.

The ICO says that it continues to regard BCRs as the “gold standard” transfer mechanism, as using them demonstrates an organisation’s commitment to implementing appropriate safeguards.

The ICO says that it recognises that BCR applicants may seek both EU and UK BCRs and that Article 47 requirements in both jurisdictions currently overlap. It is mindful of the time BCR applicants take preparing the documents required as part of the approval process in both jurisdictions. Therefore, it has simplified the UK BCR approval process for both controllers and processors. This revised approach means that the ICO only requests supporting documents and commitments once during the UK approval process and that the appropriate requirement appears in the most relevant section of the documentation pack.

The updated guidance takes account of the Schrems II judgment from the Court of Justice of the European Union, which remains applicable to the UK. It complements the revised referential table (which must be completed by all applicants), and the application form. It is intended to assist controllers and processors when preparing the UK BCR pack for approval and clarifies what the ICO expects to see within the BCR policy, the application form, the binding instrument and any supporting documents. It clarifies the UK BCR requirements in Article 47 UK GDPR and sets out the ICO’s expectations when considering issuing a UK BCR approval.