The ICO Guidelines On UK BCRs – Privacy Protection


The ICO published new guidelines on Binding Corporate Rules
(BCRs) on 25 July 2022. There have been significant delays in
approvals of UK BCRs by the ICO following Brexit. The new
guidelines are aimed at adding clarity to the application

What are UK BCRs?

As a reminder, BCRs are one of the appropriate safeguards for
transferring personal data from the UK to recipients in third
countries under Article 46.2(b) of the UK GDPR. BCRs are
appropriate for use by a group of undertakings or a group of
enterprises engaged in a joint economic activity, such as companies
affiliated with each other. BCRs cover transfers of personal data
from controllers within the group established in the UK to
controllers or processors in third countries (BCR-C) and from
controllers outside the group but established in the UK to
processors within the group in third countries (BCR-P). Companies
with approved UK BCRs can transfer personal data internally within
the group from the UK entities to affiliated entities in third
countries that adhere to the approved UK BCRs.

The ICO labelled the BCRs as “the gold standard”
transfer tool. This is because companies adhering to the BCRs must
provide evidence to the ICO on how they will effectively ensure
data subjects’ rights and comply with the data protection
principles. The internal processes and procedures must be legally
binding and go through intensive review by the ICO before being

UK BCRs are a suite of documents rather than one single BCR
policy and consist of the following:

a completed electronic copy of the application form

The application form must show:

– the UK entity has sufficient
funds to provide remedies and/or pay compensation for liabilities
arising under the UK BCRs;

– internal audit and verification procedures;

– process for training and awareness raising;

– confirmation that companies adhering to the UK BCRs will
cooperate with the ICO;

– process for reporting and recording changes; and

– maintain the network of DPOs or appropriate staff.

The application form is separate for BCR-C and BCR-P. Although
the applications for BCR-C and BCR-P are separate, organisations
applying for both BCR-C and BCR-P can combine the
supporting documents as long as it is clear where controller and
processor obligations are addressed in the documents.

an electronic copy of the draft binding instrument

The ICO’s preference is that this is an intra-group
agreement setting out the binding nature of the UK BCR policy.
BCR-P to include Article 28 GDPR clauses for processors.

To ensure data subjects’ rights are effective, companies must
confer third-party beneficiary rights to the data subjects and
refer to the application of the Contracts (Rights of Third Parties)
Act 1999 in the intra-group agreement.

a BCR policy

This should be one document and is expected to be published. The
BCR policy must be easy to understand by the data subjects.
The policy and other UK BCR documents must have a clear UK
focus and not combine EU and UK analysis.

a referential table

This table is to show how the UK BCR documents meet the
requirements of Article 47 GDPR on BCRs. It has an additional Annex
for BCR-P purposes, where companies also need to show how they meet
the requirements of Article 28 GDPR.
The requirements are largely the same as in the referential
table issued by the Article 29 Working Party (WP195) in terms of
requirements regarding the binding nature of the BCRs, their
effectiveness, and cooperation obligation, process of updating the

other supporting documents

The BCR policy can contain copies of other company policies
attached in the annexes, if referenced.
Global policies referenced in the UK BCR policy must comply
with the UK GDPR.

How is the process simplified?

The ICO provides clarifications to the application process and
what it expects to see in the UK BCRs documents. Considering that
the European Data Protection Board has not yet updated its BCR
guidelines since the GDPR came into force, these guidelines provide
clarity and can save organisations time when preparing the

Request supporting documents only [after the application has
been submitted].

Confirmation of the requirement for the TIA for data

The ICO confirms that a transfer impact assessment (TIA) is
required when using the UK BCRs following the Schrems II decision. The
ICO does not need to see the TIA but expects that the TIA has been
conducted and regularly reviewed.

Nevertheless, the guidelines do not specifically cover the
supplementary measures to be applied for transfers reliant on the
BCRs in case local national laws prevent from complying with the

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

