Data Protection Consultation at KINAST

Binding Corporate Rules

Safeguards that companies can use to protect personal data when transferring it outside of the EU come under the scope of Binding Corporate Rules. They include general data protection provisions, and are binding for all members of the corporate group.

Top 5 Law Firm in Germany

What are Binding Corporate Rules?

Binding Corporate Rules (BCRs) are implemented by companies who transfer personal data outside the EU to ensure appropriate safeguards for data transfers into countries where the GDPR is not applicable. They include the corporate wide general data protection provisions The possibility of implementing BCRs as a potential safeguard is named in Art. 46 (2) lit. b GDPR and specified in Art. 47 GDPR.

Controller BCRs and Processor BCRs

There are two types of Binding Corporate Rules, namely Controller BCRs and Processor BCRs. While Controller BCRs are used within one corporate group with various entitites, Processor BCRs are suitable for cases in which an external controller located in the EU transfers their data to a processor which internally performs a third-country transfer as part of their processing activity.

As your efforts towards digital growth increase, so too does the amount of sensitive data that needs to be protected.

This data can come from a variety of sources, including businesses, governments, employees and individual users. Protecting this information is essential to keeping it safe and secure.

Binding Corporate Rules

Do you need an External Data Protection Officer?

Five steps to compliance:

Introduction of your company and KINAST as well as the relevant contact persons. Discussion of the current data protection setup and most important data protection topics.

We conduct data protection audit on-site or based on questionnaires to evaluate the current data protection status of your company.

Document the current data protection status and define further required actions if necessary.

We carry out all necessary measures identified during the data protection audit.

Designation as External data protection officer and on-going consultation starting from day 1.

When Binding Corporate Rules apply

A company based in Spain contracts a data processor based in the USA. In the case of such a third-country transfer, the company in Spain is under obligation (Art. 44 GDPR) to ensure suitable protective measures for such a data transfer outside the EU.

Since the European Court of Justice’s “Schrems II” decision, in the case of the USA, there is neither an effective adequacy decision nor Standard Contractual Clauses (SSCs) that achieve a sufficient level of protection in the context of the third-country transfer. In this instance, according to Art. 46 GDPR, Binding Corporate Rules can also be chosen as an appropriate measure to safeguard data processing in non-European countries.

Related legal areas:

How do we guarantee your data protection compliance in your international company or corporation?

If required, we can act as your External Data Protection Officer. To guarantee a timely and cost effective execution of necessary data protection measurements, we’ve developed our own concept based on a three-point plan:

As a first step, we carry out a risk assessment in your company. We carry out the risk assessment either on-site or remotely. Based on the findings, we prepare a report that documents the degree of compliance with data protection standards. Furthermore, the report identifies any vulnerabilities, proposes suitable measures to remedy those vulnerabilities, defines responsibilities and sets a timetable for the implementation of these measures.

In a next step, we implement any measures which we identified within the framework of the risk assessment. Whereby great importance is attached to binding your internal resources as little as possible.

Finally, as an External DPO, we permanently support your company regarding all aspects of data protection. Therefore, we ensure an ongoing compliance with legal standards, the adaptation of procedures to the requirements of new laws and the consideration of current changes in internal processes.

Why KINAST should be your first choice for drafting Binding Corporate Rules

At KINAST, we have legal professionals who have both a deep understanding of third-country data transfers and the ability to apply it in a practical way that is specific to our clients‘ needs. Our teams have the skills and experience necessary to handle even the most complex cases of international data flow.

We are committed to providing our clients with the best possible service, and we will work tirelessly to get the best results for them. We even keep up to date on alternatives to the highly controversial Standard Contractiual Clauses (such as PrivacyShield 2.0), and advise your company accordingly.

What makes KINAST one of the top five legal practices for data protection in Germany?


We are an experienced team of lawyers with many years of experience and knowledge in data protection law, data security and as DPOs.

Practical experience

Due to many years of practical experience we know companies "from the inside". In colloquial terms, you should be able to "live what we advise".

IT affinity

Regardless of existing or new IT systems, our attorneys have a profound technical understanding and advise you accordingly.

Cost transparency

We work on the basis of fixed hourly contingents, keeping pricing simple and managable.

Guaranteed legality

We are not only outstanding data protector officers, but also experienced lawyers.

Individual solutions

We do not work "off the peg", but offer tailor-made concepts, specifically for your business.

Efficient organisation und communication

Our soluitions lay high priority on open communication, transparent project management and defined goals.

Drafting of legal documents

We draft guidelines, work instructions, operating and service agreements, declarations of consent and commitment, lists of procedures and contracts on a daily business.

Personality and continuity

We do not provide you with just any resource, but with the right colleague for you – permanently and without unpleasant changes.

Top 5 Legal Practice for Data Protection in Germany
Legal Consultation - Binding Corporate Rules
Binding Corporate Rules - GDPR Law
International Data Protection - Binding Corporate Rules
GDPR - General Data Protection Regulation

Do you need assistance with the implementation of Binding Corporate Rules?

Data protection law, especially on the international stage, can be a complicated subject. Our experienced lawyers and data protection officers are here to help. KINAST Attorneys at Law are specialised soley in data protection law and we’ve been advising international groups and corporations since before GDPR laws came into effect. We guarantee that your company is in the safest hands.

Why not contact us today for a free, no obligation consultation?

Send this page to a colleague?


Frequently asked questions

International Data Flow can be a complicated subject, and we understand that you may still have questions about Binding Corporate Rules. We’ve answered some of the most frequently asked questions here. If you have more specific or specialist questions, feel free to contact us, and one of our Lawyers or Data Protection Officers will get back to you as soon as possible.

BCRs are an essential part of secure transfers and significantly reduce the risk of involuntary disclosure of data. However, the circumstances of the individual case must be taken into account. The transfer of data to an insecure third country, however, entails further risks which, depending on the individual case, place other requirements on the lawfulness of the data transfer.

It is mandatory to appoint a DPO:

  • where the processing is carried out by a public authority or body,
  • where the core activity of the controller or processor is to carry out processing operations which, by their nature, scale and/or purposes, require extensive, regular and systematic supervision of data subjects, or
  • where the core activity of the controller or processor is the processing on a large scale of special categories of data as referred to in Art. 9 GDPR or of personal data relating to criminal convictions and offences as referred to in Art. 10 GDPR.
    For example in Germany, according to § 38 Federal Data Protection Act (BDSG), a DPO must be appointed if:
  • as a general rule, at least 20 persons are permanently involved in the automated processing of personal data,
  • the controller or the processor is subject to a DPIA pursuant to Art. 35 GDPR, or
  • personal data are processed for the purpose of transmission, anonymous transmission or for purposes of market and opinion research.

The BCRs are binding within the corporate group as much as for the employees and the subcontractors your company is working with.

Not all modifications or modifications have to be passed on to the authorities.
The notification of the authorities is in general appropriate when processing activities are affected by the modification of the BCRs. In particular, this is the case if the level of security is affected by the modification. In this instance, the competent authorities should be informed without delay.
BCRs can however be implemented without the need for renewed application to the authorities if:

  • an identified person / department maintains an overall modified list of BCRs and can provide this to the authorities upon request,
  • no transfer is made without a binding effect of the new BCRs between all members,
  • any changes to the BCRs are communicated to the authorities once a year with an explanation.

Ask us for a quote

Please provide our team with a few details about your company. This makes it easier for us to assign the correct expert for your needs

Let's talk

Simply leave your details here and one of our lawyers or data protection experts will get back to you as soon as possible.

Media enquiries

Simply leave your details here and one of our marketing team will get back to you soon.

Partnership enquiries

Simply leave your details here and one of our marketing team will get back to you soon.