Working document on Binding Corporate Rules and Working document on Processor Binding Corporate Rules The BCR-C and BCR-P 1) adjust the wording so as to be in line with the GDPR, 2) clarify the necessary content of the elements and principles to be found in the BCRs, and 3) make the distinction between what must be included in BCRs and what must be presented to the competent supervisory authority. Both documents also provide guidance to those groups with approved BCRs in implementing the relevant changes to bring them in line with the GDPR.

It should be noted that the BCR-C are suitable for framing transfers of personal data from controllers established in the EU, to other controllers or processors established outside the EU but within the same group. In other words, the BCR-C apply in relation to entities within the same group acting as controllers and to entities acting as ‘internal’ processors.

The BCR-P on the other hand apply in relation to third party personal data that are processed by a member of the group as a processor according to the instructions from a non-group controller. The new elements include: right to lodge a complaint, transparency (only BCR-C), scope of application, data protection principles, accountability, third country legislation and service agreement (only (BCR-P).