Article 47 GDPR (Binding Corporate Rules)

Article 47 of GDPR: Binding Corporate Rules

Article 47 of GDPR allows organizations, particularly multinationals, to establish corporate policies that permit them to transfer personal data outside of the EU but within their organizational group.

The Binding Corporate Rules represent an alternative to the Safe Harbor of the United States.

Approval of binding corporate rules (Article 47(1) GDPR)

The supervisory authority is tasked with approving binding corporate rules submitted to it, in accordance with the consistency mechanism, so long as the following conditions are met:

  1. They are legally binding on the organization’s group of undertakings or entities (Article 47(1)(a) GDPR)
  2. They provide express rights to individuals with respect to the processing of their personal data (Article 47(1)(b) GDPR)
  3. They comply with the conditions of Article 47(2) GDPR (Article 47(1)(c) GDPR)

Content of binding corporate rules (Article 47(2) GDPR)

The binding corporate rules must contain the following:

  1. The structure of the group of entities along with contact details for the group (Article 47(2)(a) GDPR)
  2. The type of data processing and data transfers intended within the group and to third countries (Article 47(2)(b) GDPR)
  3. The legally binding nature of the rules, both internal and external to the group (Article 47(2)(c) GDPR)
  4. The data protection principles outlined in GDPR, such as purpose limitation, data minimisation, limited storage, data quality, data protection by design, the legal basis for processing, processing of special categories of data, security measures and transfer to organizations not bound by the binding corporate rules (Article 47(2)(d) GDPR)
  5. Data subject rights, such as the right not to be subject to automated decision-making, profiling, filing a complaint with courts or supervisory authority, compensation for breach of the binding corporate rules (Article 47(2)(e) GDPR)
  6. The controller's acceptance of liability for any breach of the terms of the binding corporate rules (Article 47(2)(f) GDPR)
  7. The manner in which information related to data subjects is communicated to them (Article 47(2)(g) GDPR)
  8. The duties and role of any data protection officer within the group (Article 47(2)(h) GDPR)
  9. The complaint procedures (Article 47(2)(i) GDPR)
  10. The audit mechanism to ensure compliance of the group with the binding corporate rules (Article 47(2)(j) GDPR)
  11. The procedure for changes made to the binding corporate rules (Article 47(2)(k) GDPR)
  12. The cooperation procedures with the supervisory authority to ensure compliance of the group of entities with the binding corporate rules (Article 47(2)(l) GDPR)
  13. The reporting mechanism in case data will be transferred to a third country where the guarantees provided in the binding corporate rules may be affected (Article 47(2)(m) GDPR)
  14. Training of personnel on data protection (Article 47(2)(n) GDPR)

Exchange of information format with the supervisory authority (Article 47(3) GDPR)

The Commission can determine the format and procedure for the exchange of information between data controllers, data processors and the supervisory authority relating to the binding corporate rules.

Recitals applicable to Article 47 of GDPR

Relevant Recitals: 110

GDPR Text: Article 47 of GDPR and Relevant Recitals

GDPR Text Source: EUR-Lex

Official GDPR Text: General Data Protection Regulation

Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679)